Compare commits


No commits in common. "c8" and "imports/c8/openssl-1.1.1g-11.el8" have entirely different histories.

38 changed files with 1007 additions and 9865 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/openssl-1.1.1k-hobbled.tar.xz SOURCES/openssl-1.1.1g-hobbled.tar.xz


@ -1 +1 @@
6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz b55517bdc9aa61627a9896c1a3a156d5f6a4348f SOURCES/openssl-1.1.1g-hobbled.tar.xz


@ -1,5 +1,5 @@
/* /*
* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
@ -1425,87 +1425,6 @@ static int ec_point_hex2point_test(int id)
return ret; return ret;
} }
/*
* check the EC_METHOD respects the supplied EC_GROUP_set_generator G
*/
static int custom_generator_test(int id)
{
int ret = 0, nid, bsize;
EC_GROUP *group = NULL;
EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
BN_CTX *ctx = NULL;
BIGNUM *k = NULL;
unsigned char *b1 = NULL, *b2 = NULL;
/* Do some setup */
nid = curves[id].nid;
TEST_note("Curve %s", OBJ_nid2sn(nid));
if (!TEST_ptr(ctx = BN_CTX_new()))
return 0;
BN_CTX_start(ctx);
if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
goto err;
/* expected byte length of encoded points */
bsize = (EC_GROUP_get_degree(group) + 7) / 8;
bsize = 2 * bsize + 1;
if (!TEST_ptr(k = BN_CTX_get(ctx))
/* fetch a testing scalar k != 0,1 */
|| !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
/* make k even */
|| !TEST_true(BN_clear_bit(k, 0))
|| !TEST_ptr(G2 = EC_POINT_new(group))
|| !TEST_ptr(Q1 = EC_POINT_new(group))
/* Q1 := kG */
|| !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
/* pull out the bytes of that */
|| !TEST_int_eq(EC_POINT_point2oct(group, Q1,
POINT_CONVERSION_UNCOMPRESSED, NULL,
0, ctx), bsize)
|| !TEST_ptr(b1 = OPENSSL_malloc(bsize))
|| !TEST_int_eq(EC_POINT_point2oct(group, Q1,
POINT_CONVERSION_UNCOMPRESSED, b1,
bsize, ctx), bsize)
/* new generator is G2 := 2G */
|| !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
ctx))
|| !TEST_true(EC_GROUP_set_generator(group, G2,
EC_GROUP_get0_order(group),
EC_GROUP_get0_cofactor(group)))
|| !TEST_ptr(Q2 = EC_POINT_new(group))
|| !TEST_true(BN_rshift1(k, k))
/* Q2 := k/2 G2 */
|| !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
|| !TEST_int_eq(EC_POINT_point2oct(group, Q2,
POINT_CONVERSION_UNCOMPRESSED, NULL,
0, ctx), bsize)
|| !TEST_ptr(b2 = OPENSSL_malloc(bsize))
|| !TEST_int_eq(EC_POINT_point2oct(group, Q2,
POINT_CONVERSION_UNCOMPRESSED, b2,
bsize, ctx), bsize)
/* Q1 = kG = k/2 G2 = Q2 should hold */
|| !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
EC_POINT_free(Q1);
EC_POINT_free(Q2);
EC_POINT_free(G2);
EC_GROUP_free(group);
BN_CTX_free(ctx);
OPENSSL_free(b1);
OPENSSL_free(b2);
return ret;
}
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
int setup_tests(void) int setup_tests(void)
@ -1533,7 +1452,6 @@ int setup_tests(void)
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
ADD_ALL_TESTS(custom_generator_test, crv_len);
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
return 1; return 1;
} }


@ -0,0 +1,11 @@
diff -up openssl-1.1.0-pre5/crypto/x509/x509_cmp.c.issuer-hash openssl-1.1.0-pre5/crypto/x509/x509_cmp.c
--- openssl-1.1.0-pre5/crypto/x509/x509_cmp.c.issuer-hash 2016-07-18 15:16:32.788881100 +0200
+++ openssl-1.1.0-pre5/crypto/x509/x509_cmp.c 2016-07-18 15:17:16.671871840 +0200
@@ -87,6 +87,7 @@ unsigned long X509_issuer_and_serial_has
if (ctx == NULL)
goto err;
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
goto err;
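Review bot: The added `EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);` line needs a comment saying why a FIPS-disallowed digest is acceptable here, because the flag name itself reads as a policy bypass and the next reader will otherwise assume MD5 is doing security work; suggest `/* MD5 is only used to derive a lookup key for issuer+serial, not as a security property */` directly above it. Separately, the context line `f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);` is not followed by a NULL check inside the hunk; if no such check exists past the hunk either, a failed X509_NAME_oneline() presumably reaches the digest update with a NULL pointer, and a `if (f == NULL) goto err;` right after that assignment would close it. X509_issuer_and_serial_hash begins and ends outside the hunk, so this should be confirmed against the full function.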


@ -1,31 +0,0 @@
From a3f4cd5019b60649f6eb216ebe99caa43cd96f8e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 26 Apr 2021 14:40:17 +0200
Subject: [PATCH] BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name
is given
The flag only affects which record types are queried (A or AAAA, or
both), and when node is NULL, it prevents getaddrinfo returning the
right address associated with the loopback interface.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
crypto/bio/b_addr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c
index b023bbda40..ea15601f3d 100644
--- a/crypto/bio/b_addr.c
+++ b/crypto/bio/b_addr.c
@@ -689,7 +689,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
hints.ai_protocol = protocol;
# ifdef AI_ADDRCONFIG
# ifdef AF_UNSPEC
- if (family == AF_UNSPEC)
+ if (host != NULL && family == AF_UNSPEC)
# endif
hints.ai_flags |= AI_ADDRCONFIG;
# endif
--
2.30.2



@ -1,36 +0,0 @@
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
#ifndef OPENSSL_NO_SRP
static int init_srp(SSL *s, unsigned int context);
#endif
+static int init_ec_point_formats(SSL *s, unsigned int context);
static int init_etm(SSL *s, unsigned int context);
static int init_ems(SSL *s, unsigned int context);
static int final_ems(SSL *s, unsigned int context, int sent);
@@ -158,7 +159,7 @@ static const EXTENSION_DEFINITION ext_de
TLSEXT_TYPE_ec_point_formats,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
- NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
+ init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
final_ec_pt_formats
},
@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
}
#endif
+static int init_ec_point_formats(SSL *s, unsigned int context)
+{
+ OPENSSL_free(s->ext.peer_ecpointformats);
+ s->ext.peer_ecpointformats = NULL;
+ s->ext.peer_ecpointformats_len = 0;
+
+ return 1;
+}
+
static int init_etm(SSL *s, unsigned int context)
{
s->ext.use_etm = 0;


@ -1,179 +0,0 @@
From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:21 +0100
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
The calculation in some cases does not finish for non-prime p.
This fixes CVE-2022-0778.
Based on patch by David Benjamin <davidben@google.com>.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
---
crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:30 +0100
Subject: [PATCH] Add documentation of BN_mod_sqrt()
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
---
doc/man3/BN_add.pod | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:35 +0100
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
---
test/bntest.c | 11 ++++++++++-
test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
index 1723d5ded5a8..53b0f559855c 100644
--- a/crypto/bn/bn_sqrt.c
+++ b/crypto/bn/bn_sqrt.c
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/*
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
- * Theory", algorithm 1.5.1). 'p' must be prime!
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
+ * an incorrect "result" will be returned.
*/
{
BIGNUM *ret = in;
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto vrfy;
}
- /* find smallest i such that b^(2^i) = 1 */
- i = 1;
- if (!BN_mod_sqr(t, b, p, ctx))
- goto end;
- while (!BN_is_one(t)) {
- i++;
- if (i == e) {
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
- goto end;
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
+ for (i = 1; i < e; i++) {
+ if (i == 1) {
+ if (!BN_mod_sqr(t, b, p, ctx))
+ goto end;
+
+ } else {
+ if (!BN_mod_mul(t, t, t, p, ctx))
+ goto end;
}
- if (!BN_mod_mul(t, t, t, p, ctx))
- goto end;
+ if (BN_is_one(t))
+ break;
+ }
+ /* If not found, a is not a square or p is not prime. */
+ if (i >= e) {
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+ goto end;
}
/* t := y^2^(e - i - 1) */
diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
index dccd4790ede7..1f5e37a4d183 100644
--- a/doc/man3/BN_add.pod
+++ b/doc/man3/BN_add.pod
@@ -3,7 +3,7 @@
=head1 NAME
BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
arithmetic operations on BIGNUMs
=head1 SYNOPSIS
@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+
int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
result in I<r>.
+BN_mod_sqrt() returns the modular square root of I<a> such that
+C<in^2 = a (mod p)>. The modulus I<p> must be a
+prime, otherwise an error or an incorrect "result" will be returned.
+The result is stored into I<in> which can be NULL. The result will be
+newly allocated in that case.
+
BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
(C<r=a^p>). This function is faster than repeated applications of
BN_mul().
@@ -108,7 +116,10 @@ the arguments.
=head1 RETURN VALUES
-For all functions, 1 is returned for success, 0 on error. The return
+The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
+not a prime), or NULL.
+
+For all remaining functions, 1 is returned for success, 0 on error. The return
value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
The error codes can be obtained by L<ERR_get_error(3)>.
diff --git a/test/bntest.c b/test/bntest.c
index 390dd800733e..1cab660bcafb 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
|| !TEST_ptr(ret2 = BN_new()))
goto err;
+ if (BN_is_negative(mod_sqrt)) {
+ /* A negative testcase */
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
+ goto err;
+
+ st = 1;
+ goto err;
+ }
+
/* There are two possible answers. */
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|| !TEST_true(BN_sub(ret2, p, ret)))
goto err;
diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
index 5ea4d031f271..e28cc6bfb02e 100644
--- a/test/recipes/10-test_bn_data/bnmod.txt
+++ b/test/recipes/10-test_bn_data/bnmod.txt
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+
+# Negative testcases for BN_mod_sqrt()
+
+# This one triggers an infinite loop with unfixed implementation
+# It should just fail.
+ModSqrt = -1
+A = 20a7ee
+P = 460201
+
+ModSqrt = -1
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f


@ -1,74 +0,0 @@
From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 26 Apr 2022 12:40:24 +0200
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
Except on VMS where it is safe.
This fixes CVE-2022-1292.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23]
---
tools/c_rehash.in | 29 +++++++++++++++++++++++++----
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index fa7c6c9fef91..83c1cc80e08a 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -152,6 +152,23 @@ sub check_file {
return ($is_cert, $is_crl);
}
+sub compute_hash {
+ my $fh;
+ if ( $^O eq "VMS" ) {
+ # VMS uses the open through shell
+ # The file names are safe there and list form is unsupported
+ if (!open($fh, "-|", join(' ', @_))) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ } else {
+ if (!open($fh, "-|", @_)) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ }
+ return (<$fh>, <$fh>);
+}
# Link a certificate to its subject name hash value, each hash is of
# the form <hash>.<n> where n is an integer. If the hash value already exists
@@ -161,10 +178,12 @@ sub check_file {
sub link_hash_cert {
my $fname = $_[0];
- $fname =~ s/\"/\\\"/g;
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
@@ -202,10 +221,12 @@ sub link_hash_cert {
sub link_hash_crl {
my $fname = $_[0];
- $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;


@ -1,255 +0,0 @@
From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
From: Daniel Fiala <daniel@openssl.org>
Date: Sun, 29 May 2022 20:11:24 +0200
Subject: [PATCH] Fix file operations in c_rehash.
CVE-2022-2068
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7]
---
tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
1 file changed, 107 insertions(+), 109 deletions(-)
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index cfd18f5da110..9d2a6f6db73b 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -104,52 +104,78 @@ foreach (@dirlist) {
}
exit($errorcount);
+sub copy_file {
+ my ($src_fname, $dst_fname) = @_;
+
+ if (open(my $in, "<", $src_fname)) {
+ if (open(my $out, ">", $dst_fname)) {
+ print $out $_ while (<$in>);
+ close $out;
+ } else {
+ warn "Cannot open $dst_fname for write, $!";
+ }
+ close $in;
+ } else {
+ warn "Cannot open $src_fname for read, $!";
+ }
+}
+
sub hash_dir {
- my %hashlist;
- print "Doing $_[0]\n";
- chdir $_[0];
- opendir(DIR, ".");
- my @flist = sort readdir(DIR);
- closedir DIR;
- if ( $removelinks ) {
- # Delete any existing symbolic links
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
- if (-l $_) {
- print "unlink $_" if $verbose;
- unlink $_ || warn "Can't unlink $_, $!\n";
- }
- }
- }
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
- # Check to see if certificates and/or CRLs present.
- my ($cert, $crl) = check_file($fname);
- if (!$cert && !$crl) {
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
- next;
- }
- link_hash_cert($fname) if ($cert);
- link_hash_crl($fname) if ($crl);
- }
+ my $dir = shift;
+ my %hashlist;
+
+ print "Doing $dir\n";
+
+ if (!chdir $dir) {
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
+ return;
+ }
+
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
+ my @flist = sort readdir(DIR);
+ closedir DIR;
+ if ( $removelinks ) {
+ # Delete any existing symbolic links
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+ if (-l $_) {
+ print "unlink $_\n" if $verbose;
+ unlink $_ || warn "Can't unlink $_, $!\n";
+ }
+ }
+ }
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+ # Check to see if certificates and/or CRLs present.
+ my ($cert, $crl) = check_file($fname);
+ if (!$cert && !$crl) {
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+ next;
+ }
+ link_hash_cert($fname) if ($cert);
+ link_hash_crl($fname) if ($crl);
+ }
+
+ chdir $pwd;
}
sub check_file {
- my ($is_cert, $is_crl) = (0,0);
- my $fname = $_[0];
- open IN, $fname;
- while(<IN>) {
- if (/^-----BEGIN (.*)-----/) {
- my $hdr = $1;
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
- $is_cert = 1;
- last if ($is_crl);
- } elsif ($hdr eq "X509 CRL") {
- $is_crl = 1;
- last if ($is_cert);
- }
- }
- }
- close IN;
- return ($is_cert, $is_crl);
+ my ($is_cert, $is_crl) = (0,0);
+ my $fname = $_[0];
+
+ open(my $in, "<", $fname);
+ while(<$in>) {
+ if (/^-----BEGIN (.*)-----/) {
+ my $hdr = $1;
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+ $is_cert = 1;
+ last if ($is_crl);
+ } elsif ($hdr eq "X509 CRL") {
+ $is_crl = 1;
+ last if ($is_cert);
+ }
+ }
+ }
+ close $in;
+ return ($is_cert, $is_crl);
}
sub compute_hash {
@@ -177,76 +203,48 @@ sub compute_hash {
# certificate fingerprints
sub link_hash_cert {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "copy $fname -> $hash\n" if $verbose;
- if (open($in, "<", $fname)) {
- if (open($out,">", $hash)) {
- print $out $_ while (<$in>);
- close $out;
- } else {
- warn "can't open $hash for write, $!";
- }
- close $in;
- } else {
- warn "can't open $fname for read, $!";
- }
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'cert');
}
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl {
- my $fname = $_[0];
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
- "-fingerprint", "-noout",
- "-in", $fname);
- chomp $hash;
- chomp $fprint;
- return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.r$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".r$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "cp $fname -> $hash\n" if $verbose;
- system ("cp", $fname, $hash);
- warn "Can't copy, $!" if ($? >> 8) != 0;
- }
- $hashlist{$hash} = $fprint;
+ link_hash($_[0], 'crl');
+}
+
+sub link_hash {
+ my ($fname, $type) = @_;
+ my $is_cert = $type eq 'cert';
+
+ my ($hash, $fprint) = compute_hash($openssl,
+ $is_cert ? "x509" : "crl",
+ $is_cert ? $x509hash : $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
+ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+ # Search for an unused hash filename
+ my $crlmark = $is_cert ? "" : "r";
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
+ # Hash matches: if fingerprint matches its a duplicate cert
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
+ my $what = $is_cert ? 'certificate' : 'CRL';
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
+ return;
+ }
+ $suffix++;
+ }
+ $hash .= ".$crlmark$suffix";
+ if ($symlink_exists) {
+ print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
+ } else {
+ print "copy $fname -> $hash\n" if $verbose;
+ copy_file($fname, $hash);
+ }
+ $hashlist{$hash} = $fprint;
}


@ -1,152 +0,0 @@
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
From: Alex Chernyakhovsky <achernya@google.com>
Date: Thu, 16 Jun 2022 12:00:22 +1000
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
that performs operations on 6 16-byte blocks concurrently (the
"grandloop") and then proceeds to handle the "short" tail (which can
be anywhere from 0 to 5 blocks) that remain.
As part of initialization, the assembly initializes $len to the true
length, less 96 bytes and converts it to a pointer so that the $inp
can be compared to it. Each iteration of "grandloop" checks to see if
there's a full 96-byte chunk to process, and if so, continues. Once
this has been exhausted, it falls through to "short", which handles
the remaining zero to five blocks.
Unfortunately, the jump at the end of "grandloop" had a fencepost
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
equal). This should be `jbe`, as $inp is pointing to the *end* of the
chunk currently being handled. If $inp == $len, that means that
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
then there's 5 or fewer 16-byte blocks left to be handled, and the
fall-through is intended.
The net effect of `jb` instead of `jbe` is that the last 16-byte block
of the last 96-byte chunk was completely omitted. The contents of
`out` in this position were never written to. Additionally, since
those bytes were never processed, the authentication tag generated is
also incorrect.
The same fencepost error, and identical logic, exists in both
aesni_ocb_encrypt and aesni_ocb_decrypt.
This addresses CVE-2022-2097.
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431]
---
crypto/aes/asm/aesni-x86.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
index fe2b26542ab6..812758e02e04 100644
--- a/crypto/aes/asm/aesni-x86.pl
+++ b/crypto/aes/asm/aesni-x86.pl
@@ -2027,7 +2027,7 @@ sub aesni_generate6
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
@@ -2453,7 +2453,7 @@ sub aesni_generate6
&pxor ($rndkey1,$inout5);
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
&cmp ($inp,$len); # done yet?
- &jb (&label("grandloop"));
+ &jbe (&label("grandloop"));
&set_label("short");
&add ($len,16*6);
From 9131afdca30b6d1650af9ea6179569a80ab8cb06 Mon Sep 17 00:00:00 2001
From: Alex Chernyakhovsky <achernya@google.com>
Date: Thu, 16 Jun 2022 12:02:37 +1000
Subject: [PATCH] AES OCB test vectors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
Co-authored-by: David Benjamin <davidben@google.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06]
---
test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
index 1c02ea1e9c2d..e12670d9a4b4 100644
--- a/test/recipes/30-test_evp_data/evpciph.txt
+++ b/test/recipes/30-test_evp_data/evpciph.txt
@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
Operation = DECRYPT
Result = CIPHERFINAL_ERROR
+#Test vectors generated to validate aesni_ocb_encrypt on x86
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = C14DFF7D62A13C4A3422456207453190
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = BE0228651ED4E48A11BDED68D953F3A0
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 17BC6E10B16E5FDC52836E7D589518C7
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = E84AAC18666116990A3A37B3A5FC55BD
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
+
+Cipher = aes-128-ocb
+Key = 000102030405060708090A0B0C0D0E0F
+IV = 000000000001020304050607
+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
+
Title = AES XTS test vectors from IEEE Std 1619-2007
# Using the same key twice for encryption is always banned.


@ -1,805 +0,0 @@
From 43d8f88511991533f53680a751e9326999a6a31f Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 20 Jan 2023 15:26:54 +0000
Subject: [PATCH 1/6] Fix Timing Oracle in RSA decryption
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
Patch written by Dmitry Belyavsky and Hubert Kario
CVE-2022-4304
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
crypto/bn/bn_blind.c | 14 -
crypto/bn/bn_err.c | 2 +
crypto/bn/bn_local.h | 14 +
crypto/bn/build.info | 3 +-
crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++++++++++++++++++++++++
crypto/err/openssl.txt | 3 +-
crypto/rsa/rsa_ossl.c | 17 +-
include/crypto/bn.h | 5 +
include/openssl/bnerr.h | 1 +
9 files changed, 653 insertions(+), 20 deletions(-)
create mode 100644 crypto/bn/rsa_sup_mul.c
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
index 76fc7ebcff..6e9d239321 100644
--- a/crypto/bn/bn_blind.c
+++ b/crypto/bn/bn_blind.c
@@ -13,20 +13,6 @@
#define BN_BLINDING_COUNTER 32
-struct bn_blinding_st {
- BIGNUM *A;
- BIGNUM *Ai;
- BIGNUM *e;
- BIGNUM *mod; /* just a reference */
- CRYPTO_THREAD_ID tid;
- int counter;
- unsigned long flags;
- BN_MONT_CTX *m_ctx;
- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
- CRYPTO_RWLOCK *lock;
-};
-
BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
{
BN_BLINDING *ret = NULL;
diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c
index dd87c152cf..3dd8d9a568 100644
--- a/crypto/bn/bn_err.c
+++ b/crypto/bn/bn_err.c
@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = {
{ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"},
{ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"},
+ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0),
+ "ossl_bn_rsa_do_unblind"},
{0, NULL}
};
diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
index 62a969b134..4d8cb64675 100644
--- a/crypto/bn/bn_local.h
+++ b/crypto/bn/bn_local.h
@@ -283,6 +283,20 @@ struct bn_gencb_st {
} cb;
};
+struct bn_blinding_st {
+ BIGNUM *A;
+ BIGNUM *Ai;
+ BIGNUM *e;
+ BIGNUM *mod; /* just a reference */
+ CRYPTO_THREAD_ID tid;
+ int counter;
+ unsigned long flags;
+ BN_MONT_CTX *m_ctx;
+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+ CRYPTO_RWLOCK *lock;
+};
+
/*-
* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
*
diff --git a/crypto/bn/build.info b/crypto/bn/build.info
index b9ed5322fa..c9fe2fdada 100644
--- a/crypto/bn/build.info
+++ b/crypto/bn/build.info
@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \
{- $target{bn_asm_src} -} \
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c
+ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \
+ rsa_sup_mul.c
INCLUDE[bn_exp.o]=..
diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
new file mode 100644
index 0000000000..acafefd5fe
--- /dev/null
+++ b/crypto/bn/rsa_sup_mul.c
@@ -0,0 +1,614 @@
+#include <openssl/e_os2.h>
+#include <stddef.h>
+#include <sys/types.h>
+#include <string.h>
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/rsaerr.h>
+#include "internal/numbers.h"
+#include "internal/constant_time.h"
+#include "bn_local.h"
+
+# if BN_BYTES == 8
+typedef uint64_t limb_t;
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
+/* nonstandard; implemented by gcc on 64-bit platforms */
+typedef __uint128_t limb2_t;
+# define HAVE_LIMB2_T
+# endif
+# define LIMB_BIT_SIZE 64
+# define LIMB_BYTE_SIZE 8
+# elif BN_BYTES == 4
+typedef uint32_t limb_t;
+typedef uint64_t limb2_t;
+# define LIMB_BIT_SIZE 32
+# define LIMB_BYTE_SIZE 4
+# define HAVE_LIMB2_T
+# else
+# error "Not supported"
+# endif
+
+/*
+ * For multiplication we're using schoolbook multiplication,
+ * so if we have two numbers, each with 6 "digits" (words)
+ * the multiplication is calculated as follows:
+ * A B C D E F
+ * x I J K L M N
+ * --------------
+ * N*F
+ * N*E
+ * N*D
+ * N*C
+ * N*B
+ * N*A
+ * M*F
+ * M*E
+ * M*D
+ * M*C
+ * M*B
+ * M*A
+ * L*F
+ * L*E
+ * L*D
+ * L*C
+ * L*B
+ * L*A
+ * K*F
+ * K*E
+ * K*D
+ * K*C
+ * K*B
+ * K*A
+ * J*F
+ * J*E
+ * J*D
+ * J*C
+ * J*B
+ * J*A
+ * I*F
+ * I*E
+ * I*D
+ * I*C
+ * I*B
+ * + I*A
+ * ==========================
+ * N*B N*D N*F
+ * + N*A N*C N*E
+ * + M*B M*D M*F
+ * + M*A M*C M*E
+ * + L*B L*D L*F
+ * + L*A L*C L*E
+ * + K*B K*D K*F
+ * + K*A K*C K*E
+ * + J*B J*D J*F
+ * + J*A J*C J*E
+ * + I*B I*D I*F
+ * + I*A I*C I*E
+ *
+ * 1+1 1+3 1+5
+ * 1+0 1+2 1+4
+ * 0+1 0+3 0+5
+ * 0+0 0+2 0+4
+ *
+ * 0 1 2 3 4 5 6
+ * which requires n^2 multiplications and 2n full length additions
+ * as we can keep every other result of limb multiplication in two separate
+ * limbs
+ */
+
+#if defined HAVE_LIMB2_T
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
+{
+ limb2_t t;
+ /*
+ * this is idiomatic code to tell compiler to use the native mul
+ * those three lines will actually compile to single instruction
+ */
+
+ t = (limb2_t)a * b;
+ *hi = t >> LIMB_BIT_SIZE;
+ *lo = (limb_t)t;
+}
+#elif (BN_BYTES == 8) && (defined _MSC_VER)
+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
+#pragma intrinsic(_umul128)
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
+{
+ *lo = _umul128(a, b, hi);
+}
+#else
+/*
+ * if the compiler doesn't have either a 128bit data type nor a "return
+ * high 64 bits of multiplication"
+ */
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
+{
+ limb_t a_low = (limb_t)(uint32_t)a;
+ limb_t a_hi = a >> 32;
+ limb_t b_low = (limb_t)(uint32_t)b;
+ limb_t b_hi = b >> 32;
+
+ limb_t p0 = a_low * b_low;
+ limb_t p1 = a_low * b_hi;
+ limb_t p2 = a_hi * b_low;
+ limb_t p3 = a_hi * b_hi;
+
+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
+
+ *lo = p0 + (p1 << 32) + (p2 << 32);
+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
+}
+#endif
+
+/* add two limbs with carry in, return carry out */
+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
+{
+ limb_t carry1, carry2, t;
+ /*
+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers
+ * use add with carry on assembly level
+ */
+
+ *ret = a + carry;
+ if (*ret < a)
+ carry1 = 1;
+ else
+ carry1 = 0;
+
+ t = *ret;
+ *ret = t + b;
+ if (*ret < t)
+ carry2 = 1;
+ else
+ carry2 = 0;
+
+ return carry1 + carry2;
+}
+
+/*
+ * add two numbers of the same size, return overflow
+ *
+ * add a to b, place result in ret; all arrays need to be n limbs long
+ * return overflow from addition (0 or 1)
+ */
+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
+{
+ limb_t c = 0;
+ ossl_ssize_t i;
+
+ for(i = n - 1; i > -1; i--)
+ c = _add_limb(&ret[i], a[i], b[i], c);
+
+ return c;
+}
+
+/*
+ * return number of limbs necessary for temporary values
+ * when multiplying numbers n limbs large
+ */
+static ossl_inline size_t mul_limb_numb(size_t n)
+{
+ return 2 * n * 2;
+}
+
+/*
+ * multiply two numbers of the same size
+ *
+ * multiply a by b, place result in ret; a and b need to be n limbs long
+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
+ * long
+ */
+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
+{
+ limb_t *r_odd, *r_even;
+ size_t i, j, k;
+
+ r_odd = tmp;
+ r_even = &tmp[2 * n];
+
+ memset(ret, 0, 2 * n * sizeof(limb_t));
+
+ for (i = 0; i < n; i++) {
+ for (k = 0; k < i + n + 1; k++) {
+ r_even[k] = 0;
+ r_odd[k] = 0;
+ }
+ for (j = 0; j < n; j++) {
+ /*
+ * place results from even and odd limbs in separate arrays so that
+ * we don't have to calculate overflow every time we get individual
+ * limb multiplication result
+ */
+ if (j % 2 == 0)
+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
+ else
+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
+ }
+ /*
+ * skip the least significant limbs when adding multiples of
+ * more significant limbs (they're zero anyway)
+ */
+ add(ret, ret, r_even, n + i + 1);
+ add(ret, ret, r_odd, n + i + 1);
+ }
+}
+
+/* modifies the value in place by performing a right shift by one bit */
+static ossl_inline void rshift1(limb_t *val, size_t n)
+{
+ limb_t shift_in = 0, shift_out = 0;
+ size_t i;
+
+ for (i = 0; i < n; i++) {
+ shift_out = val[i] & 1;
+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
+ shift_in = shift_out;
+ }
+}
+
+/* extend the LSB of flag to all bits of limb */
+static ossl_inline limb_t mk_mask(limb_t flag)
+{
+ flag |= flag << 1;
+ flag |= flag << 2;
+ flag |= flag << 4;
+ flag |= flag << 8;
+ flag |= flag << 16;
+#if (LIMB_BYTE_SIZE == 8)
+ flag |= flag << 32;
+#endif
+ return flag;
+}
+
+/*
+ * copy from either a or b to ret based on flag
+ * when flag == 0, then copies from b
+ * when flag == 1, then copies from a
+ */
+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
+{
+ /*
+ * would be more efficient with non volatile mask, but then gcc
+ * generates code with jumps
+ */
+ volatile limb_t mask;
+ size_t i;
+
+ mask = mk_mask(flag);
+ for (i = 0; i < n; i++) {
+#if (LIMB_BYTE_SIZE == 8)
+ ret[i] = constant_time_select_64(mask, a[i], b[i]);
+#else
+ ret[i] = constant_time_select_32(mask, a[i], b[i]);
+#endif
+ }
+}
+
+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
+{
+ limb_t borrow1, borrow2, t;
+ /*
+ * while it doesn't look constant-time, this is idiomatic code
+ * to tell compilers to use the carry bit from subtraction
+ */
+
+ *ret = a - borrow;
+ if (*ret > a)
+ borrow1 = 1;
+ else
+ borrow1 = 0;
+
+ t = *ret;
+ *ret = t - b;
+ if (*ret > t)
+ borrow2 = 1;
+ else
+ borrow2 = 0;
+
+ return borrow1 + borrow2;
+}
+
+/*
+ * place the result of a - b into ret, return the borrow bit.
+ * All arrays need to be n limbs long
+ */
+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
+{
+ limb_t borrow = 0;
+ ossl_ssize_t i;
+
+ for (i = n - 1; i > -1; i--)
+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
+
+ return borrow;
+}
+
+/* return the number of limbs necessary to allocate for the mod() tmp operand */
+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
+{
+ return (anum + modnum) * 3;
+}
+
+/*
+ * calculate a % mod, place the result in ret
+ * size of a is defined by anum, size of ret and mod is modnum,
+ * size of tmp is returned by mod_limb_numb()
+ */
+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
+ size_t modnum, limb_t *tmp)
+{
+ limb_t *atmp, *modtmp, *rettmp;
+ limb_t res;
+ size_t i;
+
+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
+
+ atmp = tmp;
+ modtmp = &tmp[anum + modnum];
+ rettmp = &tmp[(anum + modnum) * 2];
+
+ for (i = modnum; i <modnum + anum; i++)
+ atmp[i] = a[i-modnum];
+
+ for (i = 0; i < modnum; i++)
+ modtmp[i] = mod[i];
+
+ for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
+ rshift1(modtmp, anum + modnum);
+ res = sub(rettmp, atmp, modtmp, anum+modnum);
+ cselect(res, atmp, atmp, rettmp, anum+modnum);
+ }
+
+ memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
+}
+
+/* necessary size of tmp for a _mul_add_limb() call with provided anum */
+static ossl_inline size_t _mul_add_limb_numb(size_t anum)
+{
+ return 2 * (anum + 1);
+}
+
+/* multiply a by m, add to ret, return carry */
+static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
+ limb_t m, limb_t *tmp)
+{
+ limb_t carry = 0;
+ limb_t *r_odd, *r_even;
+ size_t i;
+
+ memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
+
+ r_odd = tmp;
+ r_even = &tmp[anum + 1];
+
+ for (i = 0; i < anum; i++) {
+ /*
+ * place the results from even and odd limbs in separate arrays
+ * so that we have to worry about carry just once
+ */
+ if (i % 2 == 0)
+ _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
+ else
+ _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
+ }
+ /* assert: add() carry here will be equal zero */
+ add(r_even, r_even, r_odd, anum + 1);
+ /*
+ * while here it will not overflow as the max value from multiplication
+ * is -2 while max overflow from addition is 1, so the max value of
+ * carry is -1 (i.e. max int)
+ */
+ carry = add(ret, ret, &r_even[1], anum) + r_even[0];
+
+ return carry;
+}
+
+static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
+{
+ return modnum * 2 + _mul_add_limb_numb(modnum);
+}
+
+/*
+ * calculate a % mod, place result in ret
+ * assumes that a is in Montgomery form with the R (Montgomery modulus) being
+ * smallest power of two big enough to fit mod and that's also a power
+ * of the count of number of bits in limb_t (B).
+ * For calculation, we also need n', such that mod * n' == -1 mod B.
+ * anum must be <= 2 * modnum
+ * ret needs to be modnum words long
+ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
+ */
+static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
+ size_t modnum, limb_t ni0, limb_t *tmp)
+{
+ limb_t carry, v;
+ limb_t *res, *rp, *tmp2;
+ ossl_ssize_t i;
+
+ res = tmp;
+ /*
+ * for intermediate result we need an integer twice as long as modulus
+ * but keep the input in the least significant limbs
+ */
+ memset(res, 0, sizeof(limb_t) * (modnum * 2));
+ memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
+ rp = &res[modnum];
+ tmp2 = &res[modnum * 2];
+
+ carry = 0;
+
+ /* add multiples of the modulus to the value until R divides it cleanly */
+ for (i = modnum; i > 0; i--, rp--) {
+ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2);
+ v = v + carry + rp[-1];
+ carry |= (v != rp[-1]);
+ carry &= (v <= rp[-1]);
+ rp[-1] = v;
+ }
+
+ /* perform the final reduction by mod... */
+ carry -= sub(ret, rp, mod, modnum);
+
+ /* ...conditionally */
+ cselect(carry, ret, rp, ret, modnum);
+}
+
+/* allocated buffer should be freed afterwards */
+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
+{
+ int i;
+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
+ limb_t *ptr = buf + (limbs - real_limbs);
+
+ for (i = 0; i < real_limbs; i++)
+ ptr[i] = bn->d[real_limbs - i - 1];
+}
+
+#if LIMB_BYTE_SIZE == 8
+static ossl_inline uint64_t be64(uint64_t host)
+{
+ const union {
+ long one;
+ char little;
+ } is_endian = { 1 };
+
+ if (is_endian.little) {
+ uint64_t big = 0;
+
+ big |= (host & 0xff00000000000000) >> 56;
+ big |= (host & 0x00ff000000000000) >> 40;
+ big |= (host & 0x0000ff0000000000) >> 24;
+ big |= (host & 0x000000ff00000000) >> 8;
+ big |= (host & 0x00000000ff000000) << 8;
+ big |= (host & 0x0000000000ff0000) << 24;
+ big |= (host & 0x000000000000ff00) << 40;
+ big |= (host & 0x00000000000000ff) << 56;
+ return big;
+ } else {
+ return host;
+ }
+}
+
+#else
+/* Not all platforms have htobe32(). */
+static ossl_inline uint32_t be32(uint32_t host)
+{
+ const union {
+ long one;
+ char little;
+ } is_endian = { 1 };
+
+ if (is_endian.little) {
+ uint32_t big = 0;
+
+ big |= (host & 0xff000000) >> 24;
+ big |= (host & 0x00ff0000) >> 8;
+ big |= (host & 0x0000ff00) << 8;
+ big |= (host & 0x000000ff) << 24;
+ return big;
+ } else {
+ return host;
+ }
+}
+#endif
+
+/*
+ * We assume that intermediate, possible_arg2, blinding, and ctx are used
+ * similar to BN_BLINDING_invert_ex() arguments.
+ * to_mod is RSA modulus.
+ * buf and num is the serialization buffer and its length.
+ *
+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished
+ * we serialize the new structure instead of BIGNUMs taking endianness into account.
+ */
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
+ const BN_BLINDING *blinding,
+ const BIGNUM *possible_arg2,
+ const BIGNUM *to_mod, BN_CTX *ctx,
+ unsigned char *buf, int num)
+{
+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
+ size_t l_tmp_count = 0;
+ int ret = 0;
+ size_t i;
+ unsigned char *tmp;
+ const BIGNUM *arg1 = intermediate;
+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
+
+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
+
+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
+
+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
+ goto err;
+
+ BN_to_limb(arg1, l_im, l_size);
+ BN_to_limb(arg2, l_mul, l_size);
+ BN_to_limb(to_mod, l_mod, l_mod_count);
+
+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
+
+ if (blinding->m_ctx != NULL) {
+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
+ } else {
+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
+ }
+
+ if ((l_ret == NULL) || (l_tmp == NULL))
+ goto err;
+
+ if (blinding->m_ctx != NULL) {
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
+ blinding->m_ctx->n0[0], l_tmp);
+ } else {
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
+ }
+
+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
+ if (num < BN_num_bytes(to_mod)) {
+ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT);
+ goto err;
+ }
+
+ memset(buf, 0, num);
+ tmp = buf + num - BN_num_bytes(to_mod);
+ for (i = 0; i < l_mod_count; i++) {
+#if LIMB_BYTE_SIZE == 8
+ l_buf = be64(l_ret[i]);
+#else
+ l_buf = be32(l_ret[i]);
+#endif
+ if (i == 0) {
+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
+
+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
+ tmp += delta;
+ } else {
+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
+ tmp += LIMB_BYTE_SIZE;
+ }
+ }
+ ret = num;
+
+ err:
+ OPENSSL_free(l_im);
+ OPENSSL_free(l_mul);
+ OPENSSL_free(l_mod);
+ OPENSSL_free(l_tmp);
+ OPENSSL_free(l_ret);
+
+ return ret;
+}
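Review bot: In the `if (i == 0)` branch of the serialization loop, `delta` is derived from `num`, but `tmp` was positioned from `BN_num_bytes(to_mod)` and the guard above only rejects `num < BN_num_bytes(to_mod)`; for any larger `num` the first-limb copy no longer matches the significant bytes of the top limb, the loop writes more than `BN_num_bytes(to_mod)` bytes from `tmp` and so runs past `buf`, and once `num` exceeds `l_mod_count * LIMB_BYTE_SIZE` the memcpy source even starts before `l_buf`. The rsa_ossl.c caller passes `rsa->n` with its own `num`, which is presumably the modulus byte length there, so the two agree in practice, but the function should enforce its own contract: either compute `int delta = BN_num_bytes(to_mod) - (int)(l_mod_count - 1) * LIMB_BYTE_SIZE;` or reject `num != BN_num_bytes(to_mod)` with the same `ERR_R_PASSED_INVALID_ARGUMENT`. `ctx` is never read in the body and should be documented as unused or dropped. The header comment should also say that the result is written big-endian, zero-padded to `num` bytes, that the return is `num` on success and 0 on failure, and that `possible_arg2 == NULL` selects `blinding->Ai`.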
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 9f91a4a811..ba3a46d5b9 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -232,6 +232,7 @@ BN_F_BN_RSHIFT:146:BN_rshift
BN_F_BN_SET_WORDS:144:bn_set_words
BN_F_BN_STACK_PUSH:148:BN_STACK_push
BN_F_BN_USUB:115:BN_usub
+BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind
BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow
BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean
BUF_F_BUF_MEM_NEW:101:BUF_MEM_new
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index b52a66f6a6..6c3c0cf78d 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
BN_free(d);
}
- if (blinding)
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
+ if (blinding) {
+ /*
+ * ossl_bn_rsa_do_unblind() combines blinding inversion and
+ * 0-padded BN BE serialization
+ */
+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
+ buf, num);
+ if (j == 0)
goto err;
-
- j = BN_bn2binpad(ret, buf, num);
+ } else {
+ j = BN_bn2binpad(ret, buf, num);
+ if (j < 0)
+ goto err;
+ }
switch (padding) {
case RSA_PKCS1_PADDING:
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 60afda1dad..b5f36fb25a 100644
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
const BIGNUM *d, BN_CTX *ctx);
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
+ const BN_BLINDING *blinding,
+ const BIGNUM *possible_arg2,
+ const BIGNUM *to_mod, BN_CTX *ctx,
+ unsigned char *buf, int num);
#endif
diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h
index 9f3c7cfaab..a0752cea52 100644
--- a/include/openssl/bnerr.h
+++ b/include/openssl/bnerr.h
@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void);
# define BN_F_BN_SET_WORDS 144
# define BN_F_BN_STACK_PUSH 148
# define BN_F_BN_USUB 115
+# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151
/*
* BN reason codes.
--
2.39.1


@ -1,103 +0,0 @@
From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 13 Dec 2022 14:54:55 +0000
Subject: [PATCH 2/6] Avoid dangling ptrs in header and data params for
PEM_read_bio_ex
In the event of a failure in PEM_read_bio_ex() we free the buffers we
allocated for the header and data buffers. However we were not clearing
the ptrs stored in *header and *data. Since, on success, the caller is
responsible for freeing these ptrs this can potentially lead to a double
free if the caller frees them even on failure.
Thanks to Dawei Wang for reporting this issue.
Based on a proposed patch by Kurt Roeckx.
CVE-2022-4450
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
---
crypto/pem/pem_lib.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index d416d939ea..328c30cdbb 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
*data = pem_malloc(len, flags);
if (*header == NULL || *data == NULL) {
pem_free(*header, flags, 0);
+ *header = NULL;
pem_free(*data, flags, 0);
+ *data = NULL;
goto end;
}
BIO_read(headerB, *header, headerlen);
--
2.39.1
From 2bd611267868a008afa576846ba71566bd0d4d15 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 13 Dec 2022 15:02:26 +0000
Subject: [PATCH 3/6] Add a test for CVE-2022-4450
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
ptrs and therefore there should be no double free if we free the ptrs on
error.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
---
test/pemtest.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/test/pemtest.c b/test/pemtest.c
index 3203d976be..edeb0a1205 100644
--- a/test/pemtest.c
+++ b/test/pemtest.c
@@ -83,9 +83,39 @@ static int test_invalid(void)
return 1;
}
+static int test_empty_payload(void)
+{
+ BIO *b;
+ static char *emptypay =
+ "-----BEGIN CERTIFICATE-----\n"
+ "-\n" /* Base64 EOF character */
+ "-----END CERTIFICATE-----";
+ char *name = NULL, *header = NULL;
+ unsigned char *data = NULL;
+ long len;
+ int ret = 0;
+
+ b = BIO_new_mem_buf(emptypay, strlen(emptypay));
+ if (!TEST_ptr(b))
+ return 0;
+
+ /* Expected to fail because the payload is empty */
+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
+ goto err;
+
+ ret = 1;
+ err:
+ OPENSSL_free(name);
+ OPENSSL_free(header);
+ OPENSSL_free(data);
+ BIO_free(b);
+ return ret;
+}
+
int setup_tests(void)
{
ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
ADD_TEST(test_invalid);
+ ADD_TEST(test_empty_payload);
return 1;
}
--
2.39.1


@ -1,186 +0,0 @@
From c3829dd8825c654652201e16f8a0a0c46ee3f344 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 14 Dec 2022 16:18:14 +0000
Subject: [PATCH 4/6] Fix a UAF resulting from a bug in BIO_new_NDEF
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
be part of an invalid BIO chain. This causes a "use after free" when the
BIO is eventually freed.
Based on an original patch by Viktor Dukhovni and an idea from Theo
Buehler.
Thanks to Octavio Galland for reporting this issue.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++-------
1 file changed, 32 insertions(+), 7 deletions(-)
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
index 760e4846a4..f8d4b1b9aa 100644
--- a/crypto/asn1/bio_ndef.c
+++ b/crypto/asn1/bio_ndef.c
@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
void *parg);
+/*
+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
+ * On failure, NULL is returned and the input BIO is owned by the caller.
+ *
+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
+ */
BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
{
NDEF_SUPPORT *ndef_aux = NULL;
BIO *asn_bio = NULL;
const ASN1_AUX *aux = it->funcs;
ASN1_STREAM_ARG sarg;
+ BIO *pop_bio = NULL;
if (!aux || !aux->asn1_cb) {
ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
out = BIO_push(asn_bio, out);
if (out == NULL)
goto err;
+ pop_bio = asn_bio;
- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
+ goto err;
/*
- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
- * needs.
+ * Now let the callback prepend any digest, cipher, etc., that the BIO's
+ * ASN1 structure needs.
*/
sarg.out = out;
sarg.ndef_bio = NULL;
sarg.boundary = NULL;
- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
+ /*
+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
+ * middle of some partially built, but not returned BIO chain.
+ */
+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
+ /*
+ * ndef_aux is now owned by asn_bio so we must not free it in the err
+ * clean up block
+ */
+ ndef_aux = NULL;
goto err;
+ }
+
+ /*
+ * We must not fail now because the callback has prepended additional
+ * BIOs to the chain
+ */
ndef_aux->val = val;
ndef_aux->it = it;
@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
ndef_aux->boundary = sarg.boundary;
ndef_aux->out = out;
- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
-
return sarg.ndef_bio;
err:
+ /* BIO_pop() is NULL safe */
+ (void)BIO_pop(pop_bio);
BIO_free(asn_bio);
OPENSSL_free(ndef_aux);
return NULL;
--
2.39.1
From f040f2577891d2bdb7610566c172233844cf673a Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 14 Dec 2022 17:15:18 +0000
Subject: [PATCH 5/6] Check CMS failure during BIO setup with -stream is
handled correctly
Test for the issue fixed in the previous commit
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
test/recipes/80-test_cms.t | 15 +++++++++++++--
test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
2 files changed, 31 insertions(+), 2 deletions(-)
create mode 100644 test/smime-certs/badrsa.pem
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 5dc6a3aebe..ec11bfc253 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -13,7 +13,7 @@ use warnings;
use POSIX;
use File::Spec::Functions qw/catfile/;
use File::Compare qw/compare_text/;
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
use OpenSSL::Test::Utils;
setup("test_cms");
@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt");
my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
= disabled qw/des dh dsa ec ec2m rc2 zlib/;
-plan tests => 6;
+plan tests => 7;
my @smime_pkcs7_tests = (
@@ -584,3 +584,14 @@ sub check_availability {
return "";
}
+
+# Check that we get the expected failure return code
+with({ exit_checker => sub { return shift == 6; } },
+ sub {
+ ok(run(app(['openssl', 'cms', '-encrypt',
+ '-in', srctop_file("test", "smcont.txt"),
+ '-stream', '-recip',
+ srctop_file("test/smime-certs", "badrsa.pem"),
+ ])),
+ "Check failure during BIO setup with -stream is handled correctly");
+ });
diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
new file mode 100644
index 0000000000..f824fc2267
--- /dev/null
+++ b/test/smime-certs/badrsa.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
+-----END CERTIFICATE-----
--
2.39.1


@ -1,63 +0,0 @@
From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Tue, 17 Jan 2023 17:45:42 +0000
Subject: [PATCH 6/6] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
(1.1.1)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
CHANGES | 18 +++++++++++++++++-
crypto/x509v3/v3_genn.c | 2 +-
include/openssl/x509v3.h | 2 +-
test/v3nametest.c | 8 ++++++++
4 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
index 87a5eff47c..e54ddc55c9 100644
--- a/crypto/x509v3/v3_genn.c
+++ b/crypto/x509v3/v3_genn.c
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
return -1;
switch (a->type) {
case GEN_X400:
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
break;
case GEN_EDIPARTY:
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 90fa3592ce..e61c0f29d4 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
OTHERNAME *otherName; /* otherName */
ASN1_IA5STRING *rfc822Name;
ASN1_IA5STRING *dNSName;
- ASN1_TYPE *x400Address;
+ ASN1_STRING *x400Address;
X509_NAME *directoryName;
EDIPARTYNAME *ediPartyName;
ASN1_IA5STRING *uniformResourceIdentifier;
diff --git a/test/v3nametest.c b/test/v3nametest.c
index d1852190b8..37819da8fd 100644
--- a/test/v3nametest.c
+++ b/test/v3nametest.c
@@ -646,6 +646,14 @@ static struct gennamedata {
0xb7, 0x09, 0x02, 0x02
},
15
+ }, {
+ /*
+ * Regression test for CVE-2023-0286.
+ */
+ {
+ 0xa3, 0x00
+ },
+ 2
}
};
--
2.39.1


@ -1,127 +0,0 @@
From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 6 Jul 2023 16:36:35 +0100
Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
The DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus
value even if it is excessively large.
There is already a maximum DH modulus size (10,000 bits) over which
OpenSSL will not generate or derive keys. DH_check() will however still
perform various tests for validity on such a large modulus. We introduce a
new maximum (32,768) over which DH_check() will just fail.
An application that calls DH_check() and supplies a key or parameters
obtained from an untrusted source could be vulnerable to a Denial of
Service attack.
The function DH_check() is itself called by a number of other OpenSSL
functions. An application calling any of those other functions may
similarly be affected. The other functions affected by this are
DH_check_ex() and EVP_PKEY_param_check().
CVE-2023-3446
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21452)
Upstream-Status: Backport [8780a896543a654e757db1b9396383f9d8095528]
---
crypto/dh/dh_check.c | 6 ++++++
crypto/dh/dh_err.c | 3 ++-
crypto/err/openssl.txt | 3 ++-
include/openssl/dh.h | 3 +++
include/openssl/dherr.h | 3 ++-
5 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 4ac169e75c..e5f9dd5030 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret)
BN_CTX *ctx = NULL;
BIGNUM *t1 = NULL, *t2 = NULL;
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
if (!DH_check_params(dh, ret))
return 0;
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index 7285587b4a..92800d3fcc 100644
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
{ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
"dh_builtin_genparams"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 9f91a4a811..c0a3cd720b 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -402,6 +402,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
DH_F_COMPUTE_KEY:102:compute_key
DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
+DH_F_DH_CHECK:126:DH_check
DH_F_DH_CHECK_EX:121:DH_check_ex
DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 3527540cdd..892e31559d 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -29,6 +29,9 @@ extern "C" {
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
# endif
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
+# endif
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
index 916b3bed0b..528c819856 100644
--- a/include/openssl/dherr.h
+++ b/include/openssl/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
# define DH_F_COMPUTE_KEY 102
# define DH_F_DHPARAMS_PRINT_FP 101
# define DH_F_DH_BUILTIN_GENPARAMS 106
+# define DH_F_DH_CHECK 126
# define DH_F_DH_CHECK_EX 121
# define DH_F_DH_CHECK_PARAMS_EX 122
# define DH_F_DH_CHECK_PUB_KEY_EX 123
--
2.41.0


@ -1,60 +0,0 @@
From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 21 Jul 2023 11:39:41 +0200
Subject: [PATCH] DH_check(): Do not try checking q properties if it is
obviously invalid
If |q| >= |p| then the q value is obviously wrong as q
is supposed to be a prime divisor of p-1.
We check if p is overly large so this added test implies that
q is not large either when performing subsequent tests using that
q value.
Otherwise if it is too large these additional checks of the q value
such as the primality test can then trigger DoS by doing overly long
computations.
Fixes CVE-2023-3817
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21551)
Upstream-Status: Backport [91ddeba0f2269b017dc06c46c993a788974b1aa5]
---
crypto/dh/dh_check.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 2001d2e7cb..9ae96991eb 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -105,7 +105,7 @@ int DH_check_ex(const DH *dh)
/* Note: according to documentation - this only checks the params */
int DH_check(const DH *dh, int *ret)
{
- int ok = 0, r;
+ int ok = 0, r, q_good = 0;
BN_CTX *ctx = NULL;
BIGNUM *t1 = NULL, *t2 = NULL;
@@ -130,7 +130,14 @@ int DH_check(const DH *dh, int *ret)
if (t2 == NULL)
goto err;
- if (dh->q) {
+ if (dh->q != NULL) {
+ if (BN_ucmp(dh->p, dh->q) > 0)
+ q_good = 1;
+ else
+ *ret |= DH_CHECK_INVALID_Q_VALUE;
+ }
+
+ if (q_good) {
if (BN_cmp(dh->g, BN_value_one()) <= 0)
*ret |= DH_NOT_SUITABLE_GENERATOR;
else if (BN_cmp(dh->g, dh->p) >= 0)
--
2.41.0


@ -1,154 +0,0 @@
From 0814467cc1b6a2839877277d3efa69cdd4582dd7 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Fri, 20 Oct 2023 09:18:19 +0200
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
We already check for an excessively large P in DH_generate_key(), but not in
DH_check_pub_key(), and none of them check for an excessively large Q.
This change adds all the missing excessive size checks of P and Q.
It's to be noted that behaviours surrounding excessively sized P and Q
differ. DH_check() raises an error on the excessively sized P, but only
sets a flag for the excessively sized Q. This behaviour is mimicked in
DH_check_pub_key().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22518)
(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
Backported-by: Clemens Lang <cllang@redhat.com>
---
crypto/dh/dh_check.c | 17 +++++++++++++++++
crypto/dh/dh_err.c | 1 +
crypto/dh/dh_key.c | 10 ++++++++++
crypto/err/openssl.txt | 1 +
include/openssl/dh.h | 6 ++++--
include/openssl/dherr.h | 1 +
6 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index ae1b03bc92..424a3bb4cd 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -198,10 +198,27 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
BN_CTX *ctx = NULL;
*ret = 0;
+
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
BN_CTX_start(ctx);
+
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+ goto err;
+ }
+ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+ /* This may look strange here, but returning 1 after setting ret is
+ * correct. See also the behavior of the pub_key^q == 1 mod p check
+ * further down, which behaves in the same way. */
+ ok = 1;
+ goto err;
+ }
+
tmp = BN_CTX_get(ctx);
if (tmp == NULL || !BN_set_word(tmp, 1))
goto err;
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index 92800d3fcc..b3b1e7a706 100644
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -87,6 +87,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
"unable to check generator"},
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 117f2fa883..9f5e6f6d4c 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -140,6 +140,11 @@ static int generate_key(DH *dh)
return 0;
}
+ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
+ return 0;
+ }
+
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
@@ -250,6 +255,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
goto err;
}
+
+ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
+ goto err;
+ }
+
#ifdef OPENSSL_FIPS
if (FIPS_mode()
&& (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index c0a3cd720b..5e0ff47516 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2151,6 +2151,7 @@DH_R_NO_PARAMETERS_SET:107:no parameters set
DH_R_NO_PRIVATE_VALUE:100:no private value
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
DH_R_SHARED_INFO_ERROR:113:shared info error
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
DSA_R_BAD_Q_VALUE:102:bad q value
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 6c6ff3636a..b7df43b44f 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -72,14 +72,16 @@ DECLARE_ASN1_ITEM(DHparams)
/* #define DH_GENERATOR_3 3 */
# define DH_GENERATOR_5 5
-/* DH_check error codes */
+/* DH_check error codes, some of them shared with DH_check_pub_key */
# define DH_CHECK_P_NOT_PRIME 0x01
# define DH_CHECK_P_NOT_SAFE_PRIME 0x02
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
# define DH_NOT_SUITABLE_GENERATOR 0x08
# define DH_CHECK_Q_NOT_PRIME 0x10
-# define DH_CHECK_INVALID_Q_VALUE 0x20
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
# define DH_CHECK_INVALID_J_VALUE 0x40
+/* DH_MODULUS_TOO_SMALL is 0x80 upstream */
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
/* DH_check_pub_key error codes */
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
index 528c819856..d66c35aa8e 100644
--- a/include/openssl/dherr.h
+++ b/include/openssl/dherr.h
@@ -87,6 +87,7 @@ int ERR_load_DH_strings(void);
# define DH_R_NON_FIPS_METHOD 202
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
+# define DH_R_Q_TOO_LARGE 130
# define DH_R_SHARED_INFO_ERROR 113
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
--
2.41.0


@ -1,34 +0,0 @@
diff -up openssl-1.1.1k/apps/s_socket.c.addr-ipv6 openssl-1.1.1k/apps/s_socket.c
--- openssl-1.1.1k/apps/s_socket.c.addr-ipv6 2021-07-16 15:14:08.491986682 +0200
+++ openssl-1.1.1k/apps/s_socket.c 2021-07-16 15:23:21.271329197 +0200
@@ -214,6 +214,8 @@ int do_server(int *accept_sock, const ch
const BIO_ADDRINFO *next;
int sock_family, sock_type, sock_protocol, sock_port;
const BIO_ADDR *sock_address;
+ int sock_family_fallback = AF_UNSPEC;
+ const BIO_ADDR *sock_address_fallback = NULL;
int sock_options = BIO_SOCK_REUSEADDR;
int ret = 0;
@@ -244,6 +246,10 @@ int do_server(int *accept_sock, const ch
&& BIO_ADDRINFO_protocol(next) == sock_protocol) {
if (sock_family == AF_INET
&& BIO_ADDRINFO_family(next) == AF_INET6) {
+ /* In case AF_INET6 is returned but not supported by the
+ * kernel, retry with the first detected address family */
+ sock_family_fallback = sock_family;
+ sock_address_fallback = sock_address;
sock_family = AF_INET6;
sock_address = BIO_ADDRINFO_address(next);
} else if (sock_family == AF_INET6
@@ -253,6 +259,10 @@ int do_server(int *accept_sock, const ch
}
asock = BIO_socket(sock_family, sock_type, sock_protocol, 0);
+ if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) {
+ asock = BIO_socket(sock_family_fallback, sock_type, sock_protocol, 0);
+ sock_address = sock_address_fallback;
+ }
if (asock == INVALID_SOCKET
|| !BIO_listen(asock, sock_address, sock_options)) {
BIO_ADDRINFO_free(res);


@ -1,6 +1,6 @@
diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
--- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200 --- openssl-1.1.1c/apps/speed.c.curves 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100 +++ openssl-1.1.1c/apps/speed.c 2019-05-29 15:36:53.332224470 +0200
@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2]; @@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
#endif /* OPENSSL_NO_RSA */ #endif /* OPENSSL_NO_RSA */
@ -92,7 +92,7 @@ diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
{"ecdhx25519", R_EC_X25519}, {"ecdhx25519", R_EC_X25519},
{"ecdhx448", R_EC_X448} {"ecdhx448", R_EC_X448}
}; };
@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv) @@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv)
unsigned int bits; unsigned int bits;
} test_curves[] = { } test_curves[] = {
/* Prime Curves */ /* Prime Curves */
@ -124,7 +124,7 @@ diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
/* Other and ECDH only ones */ /* Other and ECDH only ones */
{"X25519", NID_X25519, 253}, {"X25519", NID_X25519, 253},
{"X448", NID_X448, 448} {"X448", NID_X448, 448}
@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv) @@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv)
# endif # endif
# ifndef OPENSSL_NO_EC # ifndef OPENSSL_NO_EC
@ -137,7 +137,7 @@ diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv) @@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv)
} }
} }
} }
@ -146,7 +146,7 @@ diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
ecdsa_c[R_EC_K163][0] = count / 1000; ecdsa_c[R_EC_K163][0] = count / 1000;
ecdsa_c[R_EC_K163][1] = count / 1000 / 2; ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
for (i = R_EC_K233; i <= R_EC_K571; i++) { for (i = R_EC_K233; i <= R_EC_K571; i++) {
@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv) @@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv)
} }
# endif # endif
@ -157,7 +157,7 @@ diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
ecdh_doit[i] = 0; ecdh_doit[i] = 0;
@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv) @@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv)
} }
} }
} }
@ -166,9 +166,9 @@ diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
ecdh_c[R_EC_K163][0] = count / 1000; ecdh_c[R_EC_K163][0] = count / 1000;
for (i = R_EC_K233; i <= R_EC_K571; i++) { for (i = R_EC_K233; i <= R_EC_K571; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c
--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200 --- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves 2019-05-28 15:12:21.000000000 +0200
+++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100 +++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-05-29 15:30:09.071349520 +0200
@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO @@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
return 0; return 0;
} }
@ -181,9 +181,9 @@ diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp
if (ctx == NULL) { if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new(); ctx = new_ctx = BN_CTX_new();
if (ctx == NULL) if (ctx == NULL)
diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
--- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100 --- openssl-1.1.1c/test/ecdsatest.h.curves 2019-05-29 15:30:09.010350595 +0200
+++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100 +++ openssl-1.1.1c/test/ecdsatest.h 2019-05-29 15:41:24.586444294 +0200
@@ -32,23 +32,6 @@ typedef struct { @@ -32,23 +32,6 @@ typedef struct {
} ecdsa_cavs_kat_t; } ecdsa_cavs_kat_t;
@ -208,59 +208,3 @@ diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
/* prime KATs from NIST CAVP */ /* prime KATs from NIST CAVP */
{NID_secp224r1, NID_sha224, {NID_secp224r1, NID_sha224,
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100
+++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100
@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
if disabled("ec");
my @prime_curves = qw(
- secp112r1
- secp112r2
- secp128r1
- secp128r2
- secp160k1
- secp160r1
- secp160r2
- secp192k1
- secp224k1
secp224r1
secp256k1
secp384r1
secp521r1
- prime192v1
- prime192v2
- prime192v3
- prime239v1
- prime239v2
- prime239v3
prime256v1
- wap-wsg-idm-ecid-wtls6
- wap-wsg-idm-ecid-wtls7
- wap-wsg-idm-ecid-wtls8
- wap-wsg-idm-ecid-wtls9
- wap-wsg-idm-ecid-wtls12
- brainpoolP160r1
- brainpoolP160t1
- brainpoolP192r1
- brainpoolP192t1
- brainpoolP224r1
- brainpoolP224t1
- brainpoolP256r1
- brainpoolP256t1
- brainpoolP320r1
- brainpoolP320t1
- brainpoolP384r1
- brainpoolP384t1
- brainpoolP512r1
- brainpoolP512t1
);
my @binary_curves = qw(
@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
if !disabled("sm2");
my @curve_aliases = qw(
- P-192
P-224
P-256
P-384
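Review bot: The new side of this patch file no longer carries the hunks against test/recipes/15-test_genec.t (the old side's `@@ -20,45 +20,11 @@` and `@@ -115,7 +81,6 @@` ranges, which remove secp112r1 through brainpoolP512t1 and the P-192 alias from the recipe's curve lists), so if the openssl-1.1.1c tree the re-based patch targets contains that recipe, the hobbled curves stay in the test lists while the ecp_smpl.c hunk in the same patch changes ec_GFp_simple_group_set_curve, presumably to reject them. If 1.1.1c predates 15-test_genec.t the omission is harmless; that should be confirmed against the tarball rather than inferred from the older patch revision. The new side's offsets also differ from the old side's (`@@ -1504,31 +1444,10 @@` versus `@@ -1502,31 +1442,10 @@` in speed.c), so this is a re-based patch and the apply step should be checked for rejects and fuzz rather than assumed equivalent.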


@ -1,7 +1,7 @@
diff -up openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf openssl-1.1.1j/crypto/err/openssl.txt diff -up openssl-1.1.1e/crypto/err/openssl.txt.evp-kdf openssl-1.1.1e/crypto/err/openssl.txt
--- openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/err/openssl.txt.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/crypto/err/openssl.txt 2021-03-03 14:10:13.729466935 +0100 +++ openssl-1.1.1e/crypto/err/openssl.txt 2020-03-19 16:04:11.299063517 +0100
@@ -748,6 +748,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn @@ -747,6 +747,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate
EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex
EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate
@ -11,7 +11,7 @@ diff -up openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf openssl-1.1.1j/crypto/err
EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex
EVP_F_EVP_MD_SIZE:162:EVP_MD_size EVP_F_EVP_MD_SIZE:162:EVP_MD_size
EVP_F_EVP_OPENINIT:102:EVP_OpenInit EVP_F_EVP_OPENINIT:102:EVP_OpenInit
@@ -810,12 +813,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k @@ -809,12 +812,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen
EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
@ -43,7 +43,7 @@ diff -up openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf openssl-1.1.1j/crypto/err
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init
@@ -827,6 +849,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc @@ -826,6 +848,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str
KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
@ -51,15 +51,15 @@ diff -up openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf openssl-1.1.1j/crypto/err
KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
@@ -2284,6 +2307,7 @@ EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_K @@ -2277,6 +2300,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
operation not supported for this keytype operation not supported for this keytype
EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow
+EVP_R_PARAMETER_TOO_LARGE:187:parameter too large +EVP_R_PARAMETER_TOO_LARGE:187:parameter too large
EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
EVP_R_PBKDF2_ERROR:181:pbkdf2 error EVP_R_PBKDF2_ERROR:181:pbkdf2 error
EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
@@ -2320,6 +2344,7 @@ KDF_R_MISSING_SEED:106:missing seed @@ -2313,6 +2337,7 @@ KDF_R_MISSING_SEED:106:missing seed
KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
KDF_R_VALUE_ERROR:108:value error KDF_R_VALUE_ERROR:108:value error
KDF_R_VALUE_MISSING:102:value missing KDF_R_VALUE_MISSING:102:value missing
@ -67,9 +67,9 @@ diff -up openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf openssl-1.1.1j/crypto/err
OBJ_R_OID_EXISTS:102:oid exists OBJ_R_OID_EXISTS:102:oid exists
OBJ_R_UNKNOWN_NID:101:unknown nid OBJ_R_UNKNOWN_NID:101:unknown nid
OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
diff -up openssl-1.1.1j/crypto/evp/build.info.evp-kdf openssl-1.1.1j/crypto/evp/build.info diff -up openssl-1.1.1e/crypto/evp/build.info.evp-kdf openssl-1.1.1e/crypto/evp/build.info
--- openssl-1.1.1j/crypto/evp/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/evp/build.info.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/crypto/evp/build.info 2021-03-03 14:08:02.490294839 +0100 +++ openssl-1.1.1e/crypto/evp/build.info 2020-03-19 16:04:11.300063500 +0100
@@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\ @@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\
p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
@ -80,9 +80,9 @@ diff -up openssl-1.1.1j/crypto/evp/build.info.evp-kdf openssl-1.1.1j/crypto/evp/
e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \ e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
e_chacha20_poly1305.c cmeth_lib.c e_chacha20_poly1305.c cmeth_lib.c
diff -up openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c diff -up openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c
--- openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2020-03-19 16:04:11.300063500 +0100
+++ openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c 2021-03-03 14:08:02.490294839 +0100 +++ openssl-1.1.1e/crypto/evp/e_chacha20_poly1305.c 2020-03-19 16:16:46.497967633 +0100
@@ -14,9 +14,9 @@ @@ -14,9 +14,9 @@
# include <openssl/evp.h> # include <openssl/evp.h>
@ -94,9 +94,9 @@ diff -up openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1j/
typedef struct { typedef struct {
union { union {
diff -up openssl-1.1.1j/crypto/evp/encode.c.evp-kdf openssl-1.1.1j/crypto/evp/encode.c diff -up openssl-1.1.1e/crypto/evp/encode.c.evp-kdf openssl-1.1.1e/crypto/evp/encode.c
--- openssl-1.1.1j/crypto/evp/encode.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/evp/encode.c.evp-kdf 2020-03-19 16:04:11.301063483 +0100
+++ openssl-1.1.1j/crypto/evp/encode.c 2021-03-03 14:08:02.491294847 +0100 +++ openssl-1.1.1e/crypto/evp/encode.c 2020-03-19 16:14:13.147628683 +0100
@@ -11,8 +11,8 @@ @@ -11,8 +11,8 @@
#include <limits.h> #include <limits.h>
#include "internal/cryptlib.h" #include "internal/cryptlib.h"
@ -107,9 +107,9 @@ diff -up openssl-1.1.1j/crypto/evp/encode.c.evp-kdf openssl-1.1.1j/crypto/evp/en
static unsigned char conv_ascii2bin(unsigned char a, static unsigned char conv_ascii2bin(unsigned char a,
const unsigned char *table); const unsigned char *table);
diff -up openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_err.c diff -up openssl-1.1.1e/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1e/crypto/evp/evp_err.c
--- openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf 2021-03-03 14:08:02.469294651 +0100 --- openssl-1.1.1e/crypto/evp/evp_err.c.evp-kdf 2020-03-19 16:04:11.218064919 +0100
+++ openssl-1.1.1j/crypto/evp/evp_err.c 2021-03-03 14:12:08.272351600 +0100 +++ openssl-1.1.1e/crypto/evp/evp_err.c 2020-03-19 16:04:11.302063465 +0100
@@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun @@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0), {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
"EVP_EncryptFinal_ex"}, "EVP_EncryptFinal_ex"},
@ -135,18 +135,18 @@ diff -up openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1j/crypto/evp/e
{ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},
{0, NULL} {0, NULL}
}; };
@@ -243,6 +248,8 @@ static const ERR_STRING_DATA EVP_str_rea @@ -241,6 +246,8 @@ static const ERR_STRING_DATA EVP_str_rea
"operation not supported for this keytype"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
"operaton not initialized"}, "operaton not initialized"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),
"output would overflow"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE), + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
+ "parameter too large"}, + "parameter too large"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
"partially overlapping buffers"}, "partially overlapping buffers"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},
diff -up openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf openssl-1.1.1j/crypto/evp/evp_local.h diff -up openssl-1.1.1e/crypto/evp/evp_local.h.evp-kdf openssl-1.1.1e/crypto/evp/evp_local.h
--- openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf 2021-03-03 14:08:02.362293695 +0100 --- openssl-1.1.1e/crypto/evp/evp_local.h.evp-kdf 2020-03-19 16:04:10.657074629 +0100
+++ openssl-1.1.1j/crypto/evp/evp_local.h 2021-03-03 14:08:02.491294847 +0100 +++ openssl-1.1.1e/crypto/evp/evp_local.h 2020-03-19 16:04:20.722900404 +0100
@@ -41,6 +41,11 @@ struct evp_cipher_ctx_st { @@ -41,6 +41,11 @@ struct evp_cipher_ctx_st {
unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
} /* EVP_CIPHER_CTX */ ; } /* EVP_CIPHER_CTX */ ;
@ -159,9 +159,9 @@ diff -up openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf openssl-1.1.1j/crypto/evp
int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
int passlen, ASN1_TYPE *param, int passlen, ASN1_TYPE *param,
const EVP_CIPHER *c, const EVP_MD *md, const EVP_CIPHER *c, const EVP_MD *md,
diff -up openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_pbe.c diff -up openssl-1.1.1e/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1e/crypto/evp/evp_pbe.c
--- openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/evp/evp_pbe.c.evp-kdf 2020-03-19 16:04:20.723900386 +0100
+++ openssl-1.1.1j/crypto/evp/evp_pbe.c 2021-03-03 14:08:02.491294847 +0100 +++ openssl-1.1.1e/crypto/evp/evp_pbe.c 2020-03-19 16:11:56.425001210 +0100
@@ -12,6 +12,7 @@ @@ -12,6 +12,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/pkcs12.h> #include <openssl/pkcs12.h>
@ -170,9 +170,9 @@ diff -up openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1j/crypto/evp/e
#include "evp_local.h" #include "evp_local.h"
/* Password based encryption (PBE) functions */ /* Password based encryption (PBE) functions */
diff -up openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1j/crypto/evp/kdf_lib.c diff -up openssl-1.1.1e/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1e/crypto/evp/kdf_lib.c
--- openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf 2021-03-03 14:08:02.491294847 +0100 --- openssl-1.1.1e/crypto/evp/kdf_lib.c.evp-kdf 2020-03-19 16:04:20.723900386 +0100
+++ openssl-1.1.1j/crypto/evp/kdf_lib.c 2021-03-03 14:08:02.491294847 +0100 +++ openssl-1.1.1e/crypto/evp/kdf_lib.c 2020-03-19 16:04:20.723900386 +0100
@@ -0,0 +1,165 @@ @@ -0,0 +1,165 @@
+/* +/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -339,9 +339,9 @@ diff -up openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1j/crypto/evp/k
+ return ctx->kmeth->derive(ctx->impl, key, keylen); + return ctx->kmeth->derive(ctx->impl, key, keylen);
+} +}
+ +
diff -up openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1j/crypto/evp/p5_crpt2.c diff -up openssl-1.1.1e/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1e/crypto/evp/p5_crpt2.c
--- openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/evp/p5_crpt2.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/crypto/evp/p5_crpt2.c 2021-03-03 14:08:02.491294847 +0100 +++ openssl-1.1.1e/crypto/evp/p5_crpt2.c 2020-03-19 16:17:48.822886126 +0100
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/* /*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
@ -490,9 +490,9 @@ diff -up openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1j/crypto/evp/
} }
int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
diff -up openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1j/crypto/evp/pbe_scrypt.c diff -up openssl-1.1.1e/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1e/crypto/evp/pbe_scrypt.c
--- openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/evp/pbe_scrypt.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/crypto/evp/pbe_scrypt.c 2021-03-03 14:08:02.491294847 +0100 +++ openssl-1.1.1e/crypto/evp/pbe_scrypt.c 2020-03-19 16:04:20.725900352 +0100
@@ -7,135 +7,12 @@ @@ -7,135 +7,12 @@
* https://www.openssl.org/source/license.html * https://www.openssl.org/source/license.html
*/ */
@ -763,9 +763,9 @@ diff -up openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1j/crypto/ev
} }
+ +
#endif #endif
diff -up openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1j/crypto/evp/pkey_kdf.c diff -up openssl-1.1.1e/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1e/crypto/evp/pkey_kdf.c
--- openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf 2021-03-03 14:08:02.491294847 +0100 --- openssl-1.1.1e/crypto/evp/pkey_kdf.c.evp-kdf 2020-03-19 16:04:20.726900334 +0100
+++ openssl-1.1.1j/crypto/evp/pkey_kdf.c 2021-03-03 14:08:02.491294847 +0100 +++ openssl-1.1.1e/crypto/evp/pkey_kdf.c 2020-03-19 16:04:20.725900352 +0100
@@ -0,0 +1,255 @@ @@ -0,0 +1,255 @@
+/* +/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1022,17 +1022,17 @@ diff -up openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1j/crypto/evp/
+ pkey_kdf_ctrl_str + pkey_kdf_ctrl_str
+}; +};
+ +
diff -up openssl-1.1.1j/crypto/kdf/build.info.evp-kdf openssl-1.1.1j/crypto/kdf/build.info diff -up openssl-1.1.1e/crypto/kdf/build.info.evp-kdf openssl-1.1.1e/crypto/kdf/build.info
--- openssl-1.1.1j/crypto/kdf/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/kdf/build.info.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/crypto/kdf/build.info 2021-03-03 14:08:02.491294847 +0100 +++ openssl-1.1.1e/crypto/kdf/build.info 2020-03-19 16:04:32.347699194 +0100
@@ -1,3 +1,3 @@ @@ -1,3 +1,3 @@
LIBS=../../libcrypto LIBS=../../libcrypto
SOURCE[../../libcrypto]=\ SOURCE[../../libcrypto]=\
- tls1_prf.c kdf_err.c hkdf.c scrypt.c - tls1_prf.c kdf_err.c hkdf.c scrypt.c
+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c + tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c
diff -up openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1j/crypto/kdf/hkdf.c diff -up openssl-1.1.1e/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1e/crypto/kdf/hkdf.c
--- openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/kdf/hkdf.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/crypto/kdf/hkdf.c 2021-03-03 14:08:02.492294856 +0100 +++ openssl-1.1.1e/crypto/kdf/hkdf.c 2020-03-19 16:06:59.757147720 +0100
@@ -8,32 +8,33 @@ @@ -8,32 +8,33 @@
*/ */
@ -1498,9 +1498,9 @@ diff -up openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1j/crypto/kdf/hkdf
err: err:
OPENSSL_cleanse(prev, sizeof(prev)); OPENSSL_cleanse(prev, sizeof(prev));
diff -up openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_err.c diff -up openssl-1.1.1e/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1e/crypto/kdf/kdf_err.c
--- openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/kdf/kdf_err.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/crypto/kdf/kdf_err.c 2021-03-03 14:08:02.492294856 +0100 +++ openssl-1.1.1e/crypto/kdf/kdf_err.c 2020-03-19 16:04:32.349699159 +0100
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* /*
* Generated by util/mkerr.pl DO NOT EDIT * Generated by util/mkerr.pl DO NOT EDIT
@ -1556,9 +1556,9 @@ diff -up openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1j/crypto/kdf/k
{0, NULL} {0, NULL}
}; };
diff -up openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_local.h diff -up openssl-1.1.1e/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1e/crypto/kdf/kdf_local.h
--- openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf 2021-03-03 14:08:02.492294856 +0100 --- openssl-1.1.1e/crypto/kdf/kdf_local.h.evp-kdf 2020-03-19 16:04:32.349699159 +0100
+++ openssl-1.1.1j/crypto/kdf/kdf_local.h 2021-03-03 14:08:02.492294856 +0100 +++ openssl-1.1.1e/crypto/kdf/kdf_local.h 2020-03-19 16:04:32.349699159 +0100
@@ -0,0 +1,22 @@ @@ -0,0 +1,22 @@
+/* +/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1582,9 +1582,9 @@ diff -up openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1j/crypto/kdf
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
+ int cmd, const char *md_name); + int cmd, const char *md_name);
+ +
diff -up openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_util.c diff -up openssl-1.1.1e/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1e/crypto/kdf/kdf_util.c
--- openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf 2021-03-03 14:08:02.492294856 +0100 --- openssl-1.1.1e/crypto/kdf/kdf_util.c.evp-kdf 2020-03-19 16:04:32.350699142 +0100
+++ openssl-1.1.1j/crypto/kdf/kdf_util.c 2021-03-03 14:08:02.492294856 +0100 +++ openssl-1.1.1e/crypto/kdf/kdf_util.c 2020-03-19 16:04:32.350699142 +0100
@@ -0,0 +1,73 @@ @@ -0,0 +1,73 @@
+/* +/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1659,9 +1659,9 @@ diff -up openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1j/crypto/kdf/
+ return call_ctrl(ctrl, impl, cmd, md); + return call_ctrl(ctrl, impl, cmd, md);
+} +}
+ +
diff -up openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1j/crypto/kdf/pbkdf2.c diff -up openssl-1.1.1e/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1e/crypto/kdf/pbkdf2.c
--- openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf 2021-03-03 14:08:02.492294856 +0100 --- openssl-1.1.1e/crypto/kdf/pbkdf2.c.evp-kdf 2020-03-19 16:04:32.374698727 +0100
+++ openssl-1.1.1j/crypto/kdf/pbkdf2.c 2021-03-03 14:08:02.492294856 +0100 +++ openssl-1.1.1e/crypto/kdf/pbkdf2.c 2020-03-19 16:04:32.374698727 +0100
@@ -0,0 +1,264 @@ @@ -0,0 +1,264 @@
+/* +/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -1927,9 +1927,9 @@ diff -up openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1j/crypto/kdf/pb
+ HMAC_CTX_free(hctx_tpl); + HMAC_CTX_free(hctx_tpl);
+ return ret; + return ret;
+} +}
diff -up openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1j/crypto/kdf/scrypt.c diff -up openssl-1.1.1e/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1e/crypto/kdf/scrypt.c
--- openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/kdf/scrypt.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/crypto/kdf/scrypt.c 2021-03-03 14:08:02.492294856 +0100 +++ openssl-1.1.1e/crypto/kdf/scrypt.c 2020-03-19 16:11:06.215872475 +0100
@@ -8,25 +8,35 @@ @@ -8,25 +8,35 @@
*/ */
@ -2517,9 +2517,9 @@ diff -up openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1j/crypto/kdf/sc
+} +}
#endif #endif
diff -up openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1j/crypto/kdf/tls1_prf.c diff -up openssl-1.1.1e/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1e/crypto/kdf/tls1_prf.c
--- openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/crypto/kdf/tls1_prf.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/crypto/kdf/tls1_prf.c 2021-03-03 14:08:02.492294856 +0100 +++ openssl-1.1.1e/crypto/kdf/tls1_prf.c 2020-03-19 16:10:32.317460707 +0100
@@ -8,11 +8,15 @@ @@ -8,11 +8,15 @@
*/ */
@ -2802,9 +2802,9 @@ diff -up openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1j/crypto/kdf/
OPENSSL_clear_free(tmp, olen); OPENSSL_clear_free(tmp, olen);
return 0; return 0;
} }
diff -up openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod diff -up openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod
--- openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2021-03-03 14:08:02.492294856 +0100 --- openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2020-03-19 16:04:32.377698675 +0100
+++ openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod 2021-03-03 14:08:02.492294856 +0100 +++ openssl-1.1.1e/doc/man3/EVP_KDF_CTX.pod 2020-03-19 16:04:32.377698675 +0100
@@ -0,0 +1,217 @@ @@ -0,0 +1,217 @@
+=pod +=pod
+ +
@ -3023,9 +3023,9 @@ diff -up openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1j/doc/man3
+L<https://www.openssl.org/source/license.html>. +L<https://www.openssl.org/source/license.html>.
+ +
+=cut +=cut
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod diff -up openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod
--- openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100 --- openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2020-03-19 16:04:32.377698675 +0100
+++ openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod 2021-03-03 14:08:02.493294865 +0100 +++ openssl-1.1.1e/doc/man7/EVP_KDF_HKDF.pod 2020-03-19 16:04:32.377698675 +0100
@@ -0,0 +1,180 @@ @@ -0,0 +1,180 @@
+=pod +=pod
+ +
@ -3207,9 +3207,9 @@ diff -up openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1j/doc/man
+L<https://www.openssl.org/source/license.html>. +L<https://www.openssl.org/source/license.html>.
+ +
+=cut +=cut
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod diff -up openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod
--- openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100 --- openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2020-03-19 16:04:32.378698658 +0100
+++ openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod 2021-03-03 14:08:02.493294865 +0100 +++ openssl-1.1.1e/doc/man7/EVP_KDF_PBKDF2.pod 2020-03-19 16:04:32.378698658 +0100
@@ -0,0 +1,78 @@ @@ -0,0 +1,78 @@
+=pod +=pod
+ +
@ -3289,9 +3289,9 @@ diff -up openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1j/doc/m
+L<https://www.openssl.org/source/license.html>. +L<https://www.openssl.org/source/license.html>.
+ +
+=cut +=cut
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod diff -up openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod
--- openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100 --- openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2020-03-19 16:04:32.378698658 +0100
+++ openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod 2021-03-03 14:08:02.493294865 +0100 +++ openssl-1.1.1e/doc/man7/EVP_KDF_SCRYPT.pod 2020-03-19 16:04:32.378698658 +0100
@@ -0,0 +1,149 @@ @@ -0,0 +1,149 @@
+=pod +=pod
+ +
@ -3442,9 +3442,9 @@ diff -up openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1j/doc/m
+L<https://www.openssl.org/source/license.html>. +L<https://www.openssl.org/source/license.html>.
+ +
+=cut +=cut
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod diff -up openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod
--- openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100 --- openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2020-03-19 16:04:32.378698658 +0100
+++ openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod 2021-03-03 14:08:02.493294865 +0100 +++ openssl-1.1.1e/doc/man7/EVP_KDF_TLS1_PRF.pod 2020-03-19 16:04:32.378698658 +0100
@@ -0,0 +1,142 @@ @@ -0,0 +1,142 @@
+=pod +=pod
+ +
@ -3588,9 +3588,9 @@ diff -up openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1j/doc
+L<https://www.openssl.org/source/license.html>. +L<https://www.openssl.org/source/license.html>.
+ +
+=cut +=cut
diff -up openssl-1.1.1j/include/crypto/evp.h.evp-kdf openssl-1.1.1j/include/crypto/evp.h diff -up openssl-1.1.1e/include/crypto/evp.h.evp-kdf openssl-1.1.1e/include/crypto/evp.h
--- openssl-1.1.1j/include/crypto/evp.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/include/crypto/evp.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/include/crypto/evp.h 2021-03-03 14:08:02.493294865 +0100 +++ openssl-1.1.1e/include/crypto/evp.h 2020-03-19 16:04:32.347699194 +0100
@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m @@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
extern const EVP_PKEY_METHOD poly1305_pkey_meth; extern const EVP_PKEY_METHOD poly1305_pkey_meth;
extern const EVP_PKEY_METHOD siphash_pkey_meth; extern const EVP_PKEY_METHOD siphash_pkey_meth;
@ -3616,10 +3616,10 @@ diff -up openssl-1.1.1j/include/crypto/evp.h.evp-kdf openssl-1.1.1j/include/cryp
struct evp_md_st { struct evp_md_st {
int type; int type;
int pkey_type; int pkey_type;
diff -up openssl-1.1.1j/include/openssl/evperr.h.evp-kdf openssl-1.1.1j/include/openssl/evperr.h diff -up openssl-1.1.1e/include/openssl/evperr.h.evp-kdf openssl-1.1.1e/include/openssl/evperr.h
--- openssl-1.1.1j/include/openssl/evperr.h.evp-kdf 2021-03-03 14:08:02.477294722 +0100 --- openssl-1.1.1e/include/openssl/evperr.h.evp-kdf 2020-03-19 16:04:11.250064365 +0100
+++ openssl-1.1.1j/include/openssl/evperr.h 2021-03-03 14:13:37.587003722 +0100 +++ openssl-1.1.1e/include/openssl/evperr.h 2020-03-19 16:04:32.379698640 +0100
@@ -56,6 +56,9 @@ int ERR_load_EVP_strings(void); @@ -58,6 +58,9 @@ int ERR_load_EVP_strings(void);
# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219 # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
# define EVP_F_EVP_ENCRYPTFINAL_EX 127 # define EVP_F_EVP_ENCRYPTFINAL_EX 127
# define EVP_F_EVP_ENCRYPTUPDATE 167 # define EVP_F_EVP_ENCRYPTUPDATE 167
@ -3629,7 +3629,7 @@ diff -up openssl-1.1.1j/include/openssl/evperr.h.evp-kdf openssl-1.1.1j/include/
# define EVP_F_EVP_MD_CTX_COPY_EX 110 # define EVP_F_EVP_MD_CTX_COPY_EX 110
# define EVP_F_EVP_MD_SIZE 162 # define EVP_F_EVP_MD_SIZE 162
# define EVP_F_EVP_OPENINIT 102 # define EVP_F_EVP_OPENINIT 102
@@ -118,11 +121,13 @@ int ERR_load_EVP_strings(void); @@ -120,11 +123,13 @@ int ERR_load_EVP_strings(void);
# define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118 # define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118
# define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164 # define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164
# define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180 # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180
@ -3643,17 +3643,17 @@ diff -up openssl-1.1.1j/include/openssl/evperr.h.evp-kdf openssl-1.1.1j/include/
# define EVP_F_UPDATE 173 # define EVP_F_UPDATE 173
/* /*
@@ -179,6 +184,7 @@ int ERR_load_EVP_strings(void); @@ -181,6 +186,7 @@ int ERR_load_EVP_strings(void);
# define EVP_R_ONLY_ONESHOT_SUPPORTED 177 # define EVP_R_ONLY_ONESHOT_SUPPORTED 177
# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
# define EVP_R_OPERATON_NOT_INITIALIZED 151 # define EVP_R_OPERATON_NOT_INITIALIZED 151
+# define EVP_R_PARAMETER_TOO_LARGE 187 +# define EVP_R_PARAMETER_TOO_LARGE 187
# define EVP_R_OUTPUT_WOULD_OVERFLOW 184
# define EVP_R_PARTIALLY_OVERLAPPING 162 # define EVP_R_PARTIALLY_OVERLAPPING 162
# define EVP_R_PBKDF2_ERROR 181 # define EVP_R_PBKDF2_ERROR 181
diff -up openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf openssl-1.1.1j/include/openssl/kdferr.h # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179
--- openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100 diff -up openssl-1.1.1e/include/openssl/kdferr.h.evp-kdf openssl-1.1.1e/include/openssl/kdferr.h
+++ openssl-1.1.1j/include/openssl/kdferr.h 2021-03-03 14:08:02.493294865 +0100 --- openssl-1.1.1e/include/openssl/kdferr.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/include/openssl/kdferr.h 2020-03-19 16:04:32.379698640 +0100
@@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void); @@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void);
/* /*
* KDF function codes. * KDF function codes.
@ -3693,9 +3693,9 @@ diff -up openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf openssl-1.1.1j/include/
+# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112 +# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112
#endif #endif
diff -up openssl-1.1.1j/include/openssl/kdf.h.evp-kdf openssl-1.1.1j/include/openssl/kdf.h diff -up openssl-1.1.1e/include/openssl/kdf.h.evp-kdf openssl-1.1.1e/include/openssl/kdf.h
--- openssl-1.1.1j/include/openssl/kdf.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/include/openssl/kdf.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/include/openssl/kdf.h 2021-03-03 14:08:02.493294865 +0100 +++ openssl-1.1.1e/include/openssl/kdf.h 2020-03-19 16:04:32.380698623 +0100
@@ -10,10 +10,50 @@ @@ -10,10 +10,50 @@
#ifndef HEADER_KDF_H #ifndef HEADER_KDF_H
# define HEADER_KDF_H # define HEADER_KDF_H
@ -3774,9 +3774,9 @@ diff -up openssl-1.1.1j/include/openssl/kdf.h.evp-kdf openssl-1.1.1j/include/ope
} }
# endif # endif
#endif #endif
diff -up openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1j/include/openssl/ossl_typ.h diff -up openssl-1.1.1e/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1e/include/openssl/ossl_typ.h
--- openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/include/openssl/ossl_typ.h.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/include/openssl/ossl_typ.h 2021-03-03 14:08:02.493294865 +0100 +++ openssl-1.1.1e/include/openssl/ossl_typ.h 2020-03-19 16:04:32.381698606 +0100
@@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E @@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E
typedef struct evp_pkey_method_st EVP_PKEY_METHOD; typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
typedef struct evp_pkey_ctx_st EVP_PKEY_CTX; typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
@ -3786,9 +3786,9 @@ diff -up openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1j/includ
typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX; typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX;
typedef struct hmac_ctx_st HMAC_CTX; typedef struct hmac_ctx_st HMAC_CTX;
diff -up openssl-1.1.1j/test/build.info.evp-kdf openssl-1.1.1j/test/build.info diff -up openssl-1.1.1e/test/build.info.evp-kdf openssl-1.1.1e/test/build.info
--- openssl-1.1.1j/test/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/test/build.info.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/test/build.info 2021-03-03 14:08:02.493294865 +0100 +++ openssl-1.1.1e/test/build.info 2020-03-19 16:04:32.381698606 +0100
@@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I @@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
bio_callback_test bio_memleak_test \ bio_callback_test bio_memleak_test \
@ -3810,9 +3810,9 @@ diff -up openssl-1.1.1j/test/build.info.evp-kdf openssl-1.1.1j/test/build.info
SOURCE[x509_time_test]=x509_time_test.c SOURCE[x509_time_test]=x509_time_test.c
INCLUDE[x509_time_test]=../include INCLUDE[x509_time_test]=../include
DEPEND[x509_time_test]=../libcrypto libtestutil.a DEPEND[x509_time_test]=../libcrypto libtestutil.a
diff -up openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf openssl-1.1.1j/test/evp_kdf_test.c diff -up openssl-1.1.1e/test/evp_kdf_test.c.evp-kdf openssl-1.1.1e/test/evp_kdf_test.c
--- openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf 2021-03-03 14:08:02.494294874 +0100 --- openssl-1.1.1e/test/evp_kdf_test.c.evp-kdf 2020-03-19 16:04:32.382698588 +0100
+++ openssl-1.1.1j/test/evp_kdf_test.c 2021-03-03 14:08:02.494294874 +0100 +++ openssl-1.1.1e/test/evp_kdf_test.c 2020-03-19 16:04:32.382698588 +0100
@@ -0,0 +1,237 @@ @@ -0,0 +1,237 @@
+/* +/*
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
@ -4051,9 +4051,9 @@ diff -up openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf openssl-1.1.1j/test/evp_kdf_
+#endif +#endif
+ return 1; + return 1;
+} +}
diff -up openssl-1.1.1j/test/evp_test.c.evp-kdf openssl-1.1.1j/test/evp_test.c diff -up openssl-1.1.1e/test/evp_test.c.evp-kdf openssl-1.1.1e/test/evp_test.c
--- openssl-1.1.1j/test/evp_test.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/test/evp_test.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/test/evp_test.c 2021-03-03 14:08:02.494294874 +0100 +++ openssl-1.1.1e/test/evp_test.c 2020-03-19 16:04:32.383698571 +0100
@@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test @@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test
encode_test_run, encode_test_run,
}; };
@ -4265,9 +4265,9 @@ diff -up openssl-1.1.1j/test/evp_test.c.evp-kdf openssl-1.1.1j/test/evp_test.c
&keypair_test_method, &keypair_test_method,
&keygen_test_method, &keygen_test_method,
&mac_test_method, &mac_test_method,
diff -up openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1j/test/pkey_meth_kdf_test.c diff -up openssl-1.1.1e/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1e/test/pkey_meth_kdf_test.c
--- openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/test/pkey_meth_kdf_test.c.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/test/pkey_meth_kdf_test.c 2021-03-03 14:08:02.494294874 +0100 +++ openssl-1.1.1e/test/pkey_meth_kdf_test.c 2020-03-19 16:04:32.386698519 +0100
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/* /*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
@ -4471,9 +4471,9 @@ diff -up openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1j/test/pk
} }
#endif #endif
diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt
--- openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt 2021-03-03 14:08:02.494294874 +0100 +++ openssl-1.1.1e/test/recipes/30-test_evp_data/evpkdf.txt 2020-03-19 16:04:32.388698484 +0100
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
# #
-# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. -# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
@ -4872,9 +4872,9 @@ diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl
+Ctrl.digest = digest:sha512 +Ctrl.digest = digest:sha512
+Output = 00ef42cdbfc98d29db20976608e455567fdddf14 +Output = 00ef42cdbfc98d29db20976608e455567fdddf14
+ +
diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt diff -up openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt
--- openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2021-03-03 14:08:02.494294874 +0100 --- openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2020-03-19 16:04:32.389698467 +0100
+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt 2021-03-03 14:08:02.494294874 +0100 +++ openssl-1.1.1e/test/recipes/30-test_evp_data/evppkey_kdf.txt 2020-03-19 16:04:32.389698467 +0100
@@ -0,0 +1,305 @@ @@ -0,0 +1,305 @@
+# +#
+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
@ -5181,9 +5181,9 @@ diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf op
+Ctrl.p = p:1 +Ctrl.p = p:1
+Result = INTERNAL_ERROR +Result = INTERNAL_ERROR
+ +
diff -up openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_kdf.t diff -up openssl-1.1.1e/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp_kdf.t
--- openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf 2021-03-03 14:08:02.494294874 +0100 --- openssl-1.1.1e/test/recipes/30-test_evp_kdf.t.evp-kdf 2020-03-19 16:04:32.390698450 +0100
+++ openssl-1.1.1j/test/recipes/30-test_evp_kdf.t 2021-03-03 14:08:02.494294874 +0100 +++ openssl-1.1.1e/test/recipes/30-test_evp_kdf.t 2020-03-19 16:04:32.390698450 +0100
@@ -0,0 +1,13 @@ @@ -0,0 +1,13 @@
+#! /usr/bin/env perl +#! /usr/bin/env perl
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
@ -5198,9 +5198,9 @@ diff -up openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1j/te
+use OpenSSL::Test::Simple; +use OpenSSL::Test::Simple;
+ +
+simple_test("test_evp_kdf", "evp_kdf_test"); +simple_test("test_evp_kdf", "evp_kdf_test");
diff -up openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp.t diff -up openssl-1.1.1e/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1e/test/recipes/30-test_evp.t
--- openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/test/recipes/30-test_evp.t.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/test/recipes/30-test_evp.t 2021-03-03 14:08:02.495294883 +0100 +++ openssl-1.1.1e/test/recipes/30-test_evp.t 2020-03-19 16:04:32.390698450 +0100
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/ @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/
setup("test_evp"); setup("test_evp");
@ -5210,10 +5210,10 @@ diff -up openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1j/test/r
"evpcase.txt", "evpccmcavs.txt" ); "evpcase.txt", "evpccmcavs.txt" );
plan tests => scalar(@files); plan tests => scalar(@files);
diff -up openssl-1.1.1j/util/libcrypto.num.evp-kdf openssl-1.1.1j/util/libcrypto.num diff -up openssl-1.1.1e/util/libcrypto.num.evp-kdf openssl-1.1.1e/util/libcrypto.num
--- openssl-1.1.1j/util/libcrypto.num.evp-kdf 2021-03-03 14:08:02.481294758 +0100 --- openssl-1.1.1e/util/libcrypto.num.evp-kdf 2020-03-19 16:04:11.263064140 +0100
+++ openssl-1.1.1j/util/libcrypto.num 2021-03-03 14:08:02.495294883 +0100 +++ openssl-1.1.1e/util/libcrypto.num 2020-03-19 16:04:32.392698415 +0100
@@ -4626,3 +4626,11 @@ FIPS_drbg_get_strength @@ -4622,3 +4622,11 @@ FIPS_drbg_get_strength
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
@ -5225,9 +5225,9 @@ diff -up openssl-1.1.1j/util/libcrypto.num.evp-kdf openssl-1.1.1j/util/libcrypto
+EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION: +EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
+EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION: +EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
+EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION: +EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
diff -up openssl-1.1.1j/util/private.num.evp-kdf openssl-1.1.1j/util/private.num diff -up openssl-1.1.1e/util/private.num.evp-kdf openssl-1.1.1e/util/private.num
--- openssl-1.1.1j/util/private.num.evp-kdf 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1e/util/private.num.evp-kdf 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1j/util/private.num 2021-03-03 14:08:02.495294883 +0100 +++ openssl-1.1.1e/util/private.num 2020-03-19 16:04:32.393698398 +0100
@@ -21,6 +21,7 @@ CRYPTO_EX_dup @@ -21,6 +21,7 @@ CRYPTO_EX_dup
CRYPTO_EX_free datatype CRYPTO_EX_free datatype
CRYPTO_EX_new datatype CRYPTO_EX_new datatype


@ -1,6 +1,6 @@
diff -up openssl-1.1.1j/crypto/bn/bn_const.c.fips-dh openssl-1.1.1j/crypto/bn/bn_const.c diff -up openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh openssl-1.1.1g/crypto/bn/bn_const.c
--- openssl-1.1.1j/crypto/bn/bn_const.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1j/crypto/bn/bn_const.c 2021-03-03 14:23:27.403092418 +0100 +++ openssl-1.1.1g/crypto/bn/bn_const.c 2020-07-17 10:36:29.245788441 +0200
@@ -1,13 +1,17 @@ @@ -1,13 +1,17 @@
/* /*
- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. - * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
@ -477,9 +477,9 @@ diff -up openssl-1.1.1j/crypto/bn/bn_const.c.fips-dh openssl-1.1.1j/crypto/bn/bn
- return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn); - return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn);
+ return COPY_BN(bn, _bignum_modp_8192_p); + return COPY_BN(bn, _bignum_modp_8192_p);
} }
diff -up openssl-1.1.1j/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1j/crypto/bn/bn_dh.c diff -up openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1g/crypto/bn/bn_dh.c
--- openssl-1.1.1j/crypto/bn/bn_dh.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1j/crypto/bn/bn_dh.c 2021-03-03 14:23:27.404092427 +0100 +++ openssl-1.1.1g/crypto/bn/bn_dh.c 2020-07-17 10:36:29.246788449 +0200
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* /*
- * Copyright 2014-2017 The OpenSSL Project Authors. All Rights Reserved. - * Copyright 2014-2017 The OpenSSL Project Authors. All Rights Reserved.
@ -1956,9 +1956,9 @@ diff -up openssl-1.1.1j/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1j/crypto/bn/bn_dh
-#endif -#endif
+#endif /* OPENSSL_NO_DH */ +#endif /* OPENSSL_NO_DH */
diff -up openssl-1.1.1j/crypto/dh/dh_check.c.fips-dh openssl-1.1.1j/crypto/dh/dh_check.c diff -up openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh openssl-1.1.1g/crypto/dh/dh_check.c
--- openssl-1.1.1j/crypto/dh/dh_check.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1j/crypto/dh/dh_check.c 2021-03-03 14:23:27.404092427 +0100 +++ openssl-1.1.1g/crypto/dh/dh_check.c 2020-07-17 10:36:29.246788449 +0200
@@ -10,6 +10,7 @@ @@ -10,6 +10,7 @@
#include <stdio.h> #include <stdio.h>
#include "internal/cryptlib.h" #include "internal/cryptlib.h"
@ -2043,9 +2043,9 @@ diff -up openssl-1.1.1j/crypto/dh/dh_check.c.fips-dh openssl-1.1.1j/crypto/dh/dh
+ return dh_check_pub_key_int(dh, q, pub_key, ret); + return dh_check_pub_key_int(dh, q, pub_key, ret);
+} +}
+ +
diff -up openssl-1.1.1j/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1j/crypto/dh/dh_gen.c diff -up openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1g/crypto/dh/dh_gen.c
--- openssl-1.1.1j/crypto/dh/dh_gen.c.fips-dh 2021-03-03 14:23:27.338091859 +0100 --- openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh 2020-07-17 10:36:29.182787923 +0200
+++ openssl-1.1.1j/crypto/dh/dh_gen.c 2021-03-03 14:23:27.404092427 +0100 +++ openssl-1.1.1g/crypto/dh/dh_gen.c 2020-07-17 10:36:29.246788449 +0200
@@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i @@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i
BN_GENCB *cb) BN_GENCB *cb)
{ {
@ -2075,10 +2075,10 @@ diff -up openssl-1.1.1j/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1j/crypto/dh/dh_g
ctx = BN_CTX_new(); ctx = BN_CTX_new();
if (ctx == NULL) if (ctx == NULL)
goto err; goto err;
diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips-dh openssl-1.1.1j/crypto/dh/dh_key.c diff -up openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh openssl-1.1.1g/crypto/dh/dh_key.c
--- openssl-1.1.1j/crypto/dh/dh_key.c.fips-dh 2021-03-03 14:23:27.338091859 +0100 --- openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh 2020-07-17 10:36:29.182787923 +0200
+++ openssl-1.1.1j/crypto/dh/dh_key.c 2021-03-03 14:51:36.235296236 +0100 +++ openssl-1.1.1g/crypto/dh/dh_key.c 2020-07-17 11:00:07.783777846 +0200
@@ -120,10 +120,18 @@ static int generate_key(DH *dh) @@ -100,10 +100,18 @@ static int generate_key(DH *dh)
BIGNUM *pub_key = NULL, *priv_key = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL;
#ifdef OPENSSL_FIPS #ifdef OPENSSL_FIPS
@ -2101,7 +2101,7 @@ diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips-dh openssl-1.1.1j/crypto/dh/dh_k
} }
#endif #endif
@@ -159,7 +167,15 @@ static int generate_key(DH *dh) @@ -139,7 +147,15 @@ static int generate_key(DH *dh)
} }
if (generate_new_key) { if (generate_new_key) {
@ -2118,7 +2118,7 @@ diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips-dh openssl-1.1.1j/crypto/dh/dh_k
do { do {
if (!BN_priv_rand_range(priv_key, dh->q)) if (!BN_priv_rand_range(priv_key, dh->q))
goto err; goto err;
@@ -195,6 +211,15 @@ static int generate_key(DH *dh) @@ -175,6 +191,15 @@ static int generate_key(DH *dh)
} }
/* We MUST free prk before any further use of priv_key */ /* We MUST free prk before any further use of priv_key */
BN_clear_free(prk); BN_clear_free(prk);
@ -2134,7 +2134,7 @@ diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips-dh openssl-1.1.1j/crypto/dh/dh_k
} }
dh->pub_key = pub_key; dh->pub_key = pub_key;
@@ -217,6 +242,7 @@ static int compute_key(unsigned char *ke @@ -197,6 +222,7 @@ static int compute_key(unsigned char *ke
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
BN_MONT_CTX *mont = NULL; BN_MONT_CTX *mont = NULL;
BIGNUM *tmp; BIGNUM *tmp;
@ -2142,7 +2142,7 @@ diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips-dh openssl-1.1.1j/crypto/dh/dh_k
int ret = -1; int ret = -1;
int check_result; int check_result;
@@ -263,6 +289,18 @@ static int compute_key(unsigned char *ke @@ -243,6 +269,18 @@ static int compute_key(unsigned char *ke
DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
goto err; goto err;
} }
@ -2159,11 +2159,11 @@ diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips-dh openssl-1.1.1j/crypto/dh/dh_k
+ goto err; + goto err;
+ } + }
ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->p)); ret = BN_bn2bin(tmp, key);
err: err:
diff -up openssl-1.1.1j/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1j/crypto/dh/dh_lib.c diff -up openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1g/crypto/dh/dh_lib.c
--- openssl-1.1.1j/crypto/dh/dh_lib.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1j/crypto/dh/dh_lib.c 2021-03-03 14:23:27.405092436 +0100 +++ openssl-1.1.1g/crypto/dh/dh_lib.c 2020-07-17 10:36:29.246788449 +0200
@@ -8,6 +8,7 @@ @@ -8,6 +8,7 @@
*/ */
@ -2193,9 +2193,9 @@ diff -up openssl-1.1.1j/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1j/crypto/dh/dh_l
dh->length = BN_num_bits(q); dh->length = BN_num_bits(q);
} }
diff -up openssl-1.1.1j/crypto/dh/dh_local.h.fips-dh openssl-1.1.1j/crypto/dh/dh_local.h diff -up openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh openssl-1.1.1g/crypto/dh/dh_local.h
--- openssl-1.1.1j/crypto/dh/dh_local.h.fips-dh 2021-03-03 14:23:27.202090689 +0100 --- openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh 2020-07-17 10:36:28.968786163 +0200
+++ openssl-1.1.1j/crypto/dh/dh_local.h 2021-03-03 14:23:27.405092436 +0100 +++ openssl-1.1.1g/crypto/dh/dh_local.h 2020-07-17 10:36:29.246788449 +0200
@@ -35,6 +35,7 @@ struct dh_st { @@ -35,6 +35,7 @@ struct dh_st {
const DH_METHOD *meth; const DH_METHOD *meth;
ENGINE *engine; ENGINE *engine;
@ -2215,9 +2215,9 @@ diff -up openssl-1.1.1j/crypto/dh/dh_local.h.fips-dh openssl-1.1.1j/crypto/dh/dh
+/* FIPS mode only check which requires nid set and looks up q based on it. */ +/* FIPS mode only check which requires nid set and looks up q based on it. */
+int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret); +int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret);
+ +
diff -up openssl-1.1.1j/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1j/crypto/dh/dh_rfc7919.c diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/dh_rfc7919.c
--- openssl-1.1.1j/crypto/dh/dh_rfc7919.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1j/crypto/dh/dh_rfc7919.c 2021-03-03 14:23:27.405092436 +0100 +++ openssl-1.1.1g/crypto/dh/dh_rfc7919.c 2020-07-17 10:36:29.246788449 +0200
@@ -7,6 +7,8 @@ @@ -7,6 +7,8 @@
* https://www.openssl.org/source/license.html * https://www.openssl.org/source/license.html
*/ */
@ -2387,10 +2387,10 @@ diff -up openssl-1.1.1j/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1j/crypto/dh/
+ return dh_match_group(dh, q, NULL) != NID_undef; + return dh_match_group(dh, q, NULL) != NID_undef;
+} +}
+ +
diff -up openssl-1.1.1j/crypto/ec/ec_key.c.fips-dh openssl-1.1.1j/crypto/ec/ec_key.c diff -up openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh openssl-1.1.1g/crypto/ec/ec_key.c
--- openssl-1.1.1j/crypto/ec/ec_key.c.fips-dh 2021-03-03 14:23:27.339091868 +0100 --- openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh 2020-07-17 11:00:53.958175227 +0200
+++ openssl-1.1.1j/crypto/ec/ec_key.c 2021-03-03 14:23:27.405092436 +0100 +++ openssl-1.1.1g/crypto/ec/ec_key.c 2020-07-20 13:24:03.941107320 +0200
@@ -281,9 +281,18 @@ int ec_key_simple_generate_key(EC_KEY *e @@ -280,9 +280,18 @@ int ec_key_simple_generate_key(EC_KEY *e
if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
goto err; goto err;
@ -2410,7 +2410,7 @@ diff -up openssl-1.1.1j/crypto/ec/ec_key.c.fips-dh openssl-1.1.1j/crypto/ec/ec_k
ok = 1; ok = 1;
err: err:
@@ -297,8 +306,23 @@ int ec_key_simple_generate_key(EC_KEY *e @@ -296,8 +305,23 @@ int ec_key_simple_generate_key(EC_KEY *e
int ec_key_simple_generate_public_key(EC_KEY *eckey) int ec_key_simple_generate_public_key(EC_KEY *eckey)
{ {
@ -2435,9 +2435,9 @@ diff -up openssl-1.1.1j/crypto/ec/ec_key.c.fips-dh openssl-1.1.1j/crypto/ec/ec_k
} }
int EC_KEY_check_key(const EC_KEY *eckey) int EC_KEY_check_key(const EC_KEY *eckey)
diff -up openssl-1.1.1j/crypto/evp/p_lib.c.fips-dh openssl-1.1.1j/crypto/evp/p_lib.c diff -up openssl-1.1.1g/crypto/evp/p_lib.c.fips-dh openssl-1.1.1g/crypto/evp/p_lib.c
--- openssl-1.1.1j/crypto/evp/p_lib.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1g/crypto/evp/p_lib.c.fips-dh 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1j/crypto/evp/p_lib.c 2021-03-03 14:23:27.405092436 +0100 +++ openssl-1.1.1g/crypto/evp/p_lib.c 2020-07-17 10:36:29.247788458 +0200
@@ -540,7 +540,8 @@ EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *p @@ -540,7 +540,8 @@ EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *p
int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
@ -2448,9 +2448,9 @@ diff -up openssl-1.1.1j/crypto/evp/p_lib.c.fips-dh openssl-1.1.1j/crypto/evp/p_l
int ret = EVP_PKEY_assign(pkey, type, key); int ret = EVP_PKEY_assign(pkey, type, key);
if (ret) if (ret)
diff -up openssl-1.1.1j/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1j/crypto/objects/obj_dat.h diff -up openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1g/crypto/objects/obj_dat.h
--- openssl-1.1.1j/crypto/objects/obj_dat.h.fips-dh 2021-03-03 14:23:27.394092341 +0100 --- openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh 2020-07-17 10:36:29.239788392 +0200
+++ openssl-1.1.1j/crypto/objects/obj_dat.h 2021-03-03 14:23:27.406092444 +0100 +++ openssl-1.1.1g/crypto/objects/obj_dat.h 2020-07-17 10:36:29.247788458 +0200
@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { @@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */
}; };
@ -2512,9 +2512,9 @@ diff -up openssl-1.1.1j/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1j/crypto/o
481, /* "nSRecord" */ 481, /* "nSRecord" */
173, /* "name" */ 173, /* "name" */
681, /* "onBasis" */ 681, /* "onBasis" */
diff -up openssl-1.1.1j/crypto/objects/objects.txt.fips-dh openssl-1.1.1j/crypto/objects/objects.txt diff -up openssl-1.1.1g/crypto/objects/objects.txt.fips-dh openssl-1.1.1g/crypto/objects/objects.txt
--- openssl-1.1.1j/crypto/objects/objects.txt.fips-dh 2021-03-03 14:23:27.395092350 +0100 --- openssl-1.1.1g/crypto/objects/objects.txt.fips-dh 2020-07-17 10:36:29.239788392 +0200
+++ openssl-1.1.1j/crypto/objects/objects.txt 2021-03-03 14:23:27.406092444 +0100 +++ openssl-1.1.1g/crypto/objects/objects.txt 2020-07-17 10:36:29.247788458 +0200
@@ -1657,6 +1657,13 @@ id-pkinit 5 : pkInit @@ -1657,6 +1657,13 @@ id-pkinit 5 : pkInit
: ffdhe4096 : ffdhe4096
: ffdhe6144 : ffdhe6144
@ -2529,9 +2529,9 @@ diff -up openssl-1.1.1j/crypto/objects/objects.txt.fips-dh openssl-1.1.1j/crypto
# OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17) # OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17)
diff -up openssl-1.1.1j/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1j/crypto/objects/obj_mac.num diff -up openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1g/crypto/objects/obj_mac.num
--- openssl-1.1.1j/crypto/objects/obj_mac.num.fips-dh 2021-03-03 14:23:27.395092350 +0100 --- openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh 2020-07-17 10:36:29.239788392 +0200
+++ openssl-1.1.1j/crypto/objects/obj_mac.num 2021-03-03 14:23:27.406092444 +0100 +++ openssl-1.1.1g/crypto/objects/obj_mac.num 2020-07-17 10:36:29.248788466 +0200
@@ -1196,3 +1196,9 @@ sshkdf 1195 @@ -1196,3 +1196,9 @@ sshkdf 1195
kbkdf 1196 kbkdf 1196
krb5kdf 1197 krb5kdf 1197
@ -2542,9 +2542,9 @@ diff -up openssl-1.1.1j/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1j/crypto
+modp_4096 1202 +modp_4096 1202
+modp_6144 1203 +modp_6144 1203
+modp_8192 1204 +modp_8192 1204
diff -up openssl-1.1.1j/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1j/doc/man3/DH_new_by_nid.pod diff -up openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1g/doc/man3/DH_new_by_nid.pod
--- openssl-1.1.1j/doc/man3/DH_new_by_nid.pod.fips-dh 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1j/doc/man3/DH_new_by_nid.pod 2021-03-03 14:23:27.406092444 +0100 +++ openssl-1.1.1g/doc/man3/DH_new_by_nid.pod 2020-07-17 10:36:29.248788466 +0200
@@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find @@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find
#include <openssl/dh.h> #include <openssl/dh.h>
@ -2563,9 +2563,9 @@ diff -up openssl-1.1.1j/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1j/doc/ma
DH_get_nid() determines if the parameters contained in B<dh> match DH_get_nid() determines if the parameters contained in B<dh> match
any named set. It returns the NID corresponding to the matching parameters or any named set. It returns the NID corresponding to the matching parameters or
diff -up openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod diff -up openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod
--- openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod 2021-03-03 14:23:27.406092444 +0100 +++ openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod 2020-07-17 10:36:29.248788466 +0200
@@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets @@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets
If B<pad> is zero (the default) then no padding is performed. If B<pad> is zero (the default) then no padding is performed.
@ -2582,9 +2582,9 @@ diff -up openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1j/do
The nid parameter and the rfc5114 parameter are mutually exclusive. The nid parameter and the rfc5114 parameter are mutually exclusive.
The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are
diff -up openssl-1.1.1j/include/crypto/bn_dh.h.fips-dh openssl-1.1.1j/include/crypto/bn_dh.h diff -up openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh openssl-1.1.1g/include/crypto/bn_dh.h
--- openssl-1.1.1j/include/crypto/bn_dh.h.fips-dh 2021-02-16 16:24:01.000000000 +0100 --- openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1j/include/crypto/bn_dh.h 2021-03-03 14:23:27.406092444 +0100 +++ openssl-1.1.1g/include/crypto/bn_dh.h 2020-07-17 10:36:29.248788466 +0200
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* /*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
@ -2633,9 +2633,9 @@ diff -up openssl-1.1.1j/include/crypto/bn_dh.h.fips-dh openssl-1.1.1j/include/cr
+extern const BIGNUM _bignum_modp_4096_q; +extern const BIGNUM _bignum_modp_4096_q;
+extern const BIGNUM _bignum_modp_6144_q; +extern const BIGNUM _bignum_modp_6144_q;
+extern const BIGNUM _bignum_modp_8192_q; +extern const BIGNUM _bignum_modp_8192_q;
diff -up openssl-1.1.1j/include/openssl/obj_mac.h.fips-dh openssl-1.1.1j/include/openssl/obj_mac.h diff -up openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh openssl-1.1.1g/include/openssl/obj_mac.h
--- openssl-1.1.1j/include/openssl/obj_mac.h.fips-dh 2021-03-03 14:23:27.396092358 +0100 --- openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh 2020-07-17 10:36:29.240788400 +0200
+++ openssl-1.1.1j/include/openssl/obj_mac.h 2021-03-03 14:23:27.407092453 +0100 +++ openssl-1.1.1g/include/openssl/obj_mac.h 2020-07-17 10:36:29.248788466 +0200
@@ -5115,6 +5115,24 @@ @@ -5115,6 +5115,24 @@
#define SN_ffdhe8192 "ffdhe8192" #define SN_ffdhe8192 "ffdhe8192"
#define NID_ffdhe8192 1130 #define NID_ffdhe8192 1130
@ -2661,10 +2661,10 @@ diff -up openssl-1.1.1j/include/openssl/obj_mac.h.fips-dh openssl-1.1.1j/include
#define SN_ISO_UA "ISO-UA" #define SN_ISO_UA "ISO-UA"
#define NID_ISO_UA 1150 #define NID_ISO_UA 1150
#define OBJ_ISO_UA OBJ_member_body,804L #define OBJ_ISO_UA OBJ_member_body,804L
diff -up openssl-1.1.1j/ssl/s3_lib.c.fips-dh openssl-1.1.1j/ssl/s3_lib.c diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c
--- openssl-1.1.1j/ssl/s3_lib.c.fips-dh 2021-03-03 14:23:27.354091997 +0100 --- openssl-1.1.1g/ssl/s3_lib.c.fips-dh 2020-07-17 10:36:29.199788063 +0200
+++ openssl-1.1.1j/ssl/s3_lib.c 2021-03-03 14:23:27.407092453 +0100 +++ openssl-1.1.1g/ssl/s3_lib.c 2020-07-17 10:36:29.248788466 +0200
@@ -4849,13 +4849,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey @@ -4858,13 +4858,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey
EVP_PKEY *ssl_dh_to_pkey(DH *dh) EVP_PKEY *ssl_dh_to_pkey(DH *dh)
{ {
EVP_PKEY *ret; EVP_PKEY *ret;
@ -2716,15 +2716,91 @@ diff -up openssl-1.1.1j/ssl/s3_lib.c.fips-dh openssl-1.1.1j/ssl/s3_lib.c
return ret; return ret;
} }
#endif #endif
diff -up openssl-1.1.1j/ssl/t1_lib.c.fips-dh openssl-1.1.1j/ssl/t1_lib.c diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c
--- openssl-1.1.1j/ssl/t1_lib.c.fips-dh 2021-03-03 14:23:27.401092401 +0100 --- openssl-1.1.1g/ssl/t1_lib.c.fips-dh 2020-07-17 10:36:29.243788425 +0200
+++ openssl-1.1.1j/ssl/t1_lib.c 2021-03-03 14:23:27.407092453 +0100 +++ openssl-1.1.1g/ssl/t1_lib.c 2020-07-17 10:36:29.249788474 +0200
@@ -2542,7 +2542,7 @@ DH *ssl_get_auto_dh(SSL *s) @@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP
p = BN_get_rfc3526_prime_4096(NULL); #ifndef OPENSSL_NO_DH
else if (dh_secbits >= 128) DH *ssl_get_auto_dh(SSL *s)
p = BN_get_rfc3526_prime_3072(NULL); {
- else if (dh_secbits >= 112) + DH *dhp = NULL;
+ BIGNUM *p = NULL, *g = NULL;
int dh_secbits = 80;
- if (s->cert->dh_tmp_auto == 2)
- return DH_get_1024_160();
- if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
- if (s->s3->tmp.new_cipher->strength_bits == 256)
- dh_secbits = 128;
- else
- dh_secbits = 80;
- } else {
- if (s->s3->tmp.cert == NULL)
- return NULL;
- dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+ if (s->cert->dh_tmp_auto != 2) {
+ if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
+ if (s->s3->tmp.new_cipher->strength_bits == 256)
+ dh_secbits = 128;
+ else
+ dh_secbits = 80;
+ } else {
+ if (s->s3->tmp.cert == NULL)
+ return NULL;
+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+ }
}
- if (dh_secbits >= 128) {
- DH *dhp = DH_new();
- BIGNUM *p, *g;
- if (dhp == NULL)
- return NULL;
- g = BN_new();
- if (g == NULL || !BN_set_word(g, 2)) {
- DH_free(dhp);
- BN_free(g);
- return NULL;
- }
- if (dh_secbits >= 192)
- p = BN_get_rfc3526_prime_8192(NULL);
- else
- p = BN_get_rfc3526_prime_3072(NULL);
- if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
- DH_free(dhp);
- BN_free(p);
- BN_free(g);
- return NULL;
- }
- return dhp;
+ dhp = DH_new();
+ if (dhp == NULL)
+ return NULL;
+ g = BN_new();
+ if (g == NULL || !BN_set_word(g, 2)) {
+ DH_free(dhp);
+ BN_free(g);
+ return NULL;
+ }
+ if (dh_secbits >= 192)
+ p = BN_get_rfc3526_prime_8192(NULL);
+ else if (dh_secbits >= 152)
+ p = BN_get_rfc3526_prime_4096(NULL);
+ else if (dh_secbits >= 128)
+ p = BN_get_rfc3526_prime_3072(NULL);
+ else if (dh_secbits >= 112 || FIPS_mode()) + else if (dh_secbits >= 112 || FIPS_mode())
p = BN_get_rfc3526_prime_2048(NULL); + p = BN_get_rfc3526_prime_2048(NULL);
else + else
p = BN_get_rfc2409_prime_1024(NULL); + p = BN_get_rfc2409_prime_1024(NULL);
+ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
+ DH_free(dhp);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
}
- if (dh_secbits >= 112)
- return DH_get_2048_224();
- return DH_get_1024_160();
+ return dhp;
}
#endif


@ -1,6 +1,6 @@
diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/fips/fips.c diff -up openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand openssl-1.1.1e/crypto/fips/fips.c
--- openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand 2020-12-09 10:26:41.634106328 +0100 --- openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand 2020-03-17 18:06:16.822418854 +0100
+++ openssl-1.1.1i/crypto/fips/fips.c 2020-12-09 10:26:41.652106475 +0100 +++ openssl-1.1.1e/crypto/fips/fips.c 2020-03-17 18:06:16.861418172 +0100
@@ -68,6 +68,7 @@ @@ -68,6 +68,7 @@
# include <openssl/fips.h> # include <openssl/fips.h>
@ -51,10 +51,10 @@ diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/
ret = 1; ret = 1;
goto end; goto end;
} }
diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/crypto/rand/drbg_lib.c diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1e/crypto/rand/drbg_lib.c
--- openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 --- openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1i/crypto/rand/drbg_lib.c 2020-12-09 10:26:41.652106475 +0100 +++ openssl-1.1.1e/crypto/rand/drbg_lib.c 2020-03-17 18:07:35.305045521 +0100
@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg @@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
return min_entropy > min_entropylen ? min_entropy : min_entropylen; return min_entropy > min_entropylen ? min_entropy : min_entropylen;
} }
@ -75,9 +75,9 @@ diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/cry
/* Implements the default OpenSSL RAND_add() method */ /* Implements the default OpenSSL RAND_add() method */
static int drbg_add(const void *buf, int num, double randomness) static int drbg_add(const void *buf, int num, double randomness)
{ {
diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/crypto/rand/rand_unix.c diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/crypto/rand/rand_unix.c
--- openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 --- openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1i/crypto/rand/rand_unix.c 2020-12-09 10:36:59.531221903 +0100 +++ openssl-1.1.1e/crypto/rand/rand_unix.c 2020-03-17 18:09:01.503537189 +0100
@@ -17,10 +17,12 @@ @@ -17,10 +17,12 @@
#include <openssl/crypto.h> #include <openssl/crypto.h>
#include "rand_local.h" #include "rand_local.h"
@ -91,7 +91,7 @@ diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/cr
# ifdef DEVRANDOM_WAIT # ifdef DEVRANDOM_WAIT
# include <sys/shm.h> # include <sys/shm.h>
# include <sys/utsname.h> # include <sys/utsname.h>
@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf, @@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf,
* syscall_random(): Try to get random data using a system call * syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error. * returns the number of bytes returned in buf, or < 0 on error.
*/ */
@ -100,15 +100,15 @@ diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/cr
{ {
/* /*
* Note: 'buflen' equals the size of the buffer which is used by the * Note: 'buflen' equals the size of the buffer which is used by the
@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf, @@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf,
* Note: Sometimes getentropy() can be provided but not implemented * - Linux since 3.17 with glibc 2.25
* internally. So we need to check errno for ENOSYS * - FreeBSD since 12.0 (1200061)
*/ */
+# if 0 +# if 0
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
extern int getentropy(void *buffer, size_t length) __attribute__((weak)); extern int getentropy(void *buffer, size_t length) __attribute__((weak));
@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf, @@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf,
if (p_getentropy.p != NULL) if (p_getentropy.p != NULL)
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
# endif # endif
@ -122,7 +122,7 @@ diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/cr
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
return sysctl_random(buf, buflen); return sysctl_random(buf, buflen);
# else # else
@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
size_t entropy_available; size_t entropy_available;
# if defined(OPENSSL_RAND_SEED_GETRANDOM) # if defined(OPENSSL_RAND_SEED_GETRANDOM)
@ -132,7 +132,7 @@ diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/cr
{ {
size_t bytes_needed; size_t bytes_needed;
unsigned char *buffer; unsigned char *buffer;
@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
while (bytes_needed != 0 && attempts-- > 0) { while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed); buffer = rand_pool_add_begin(pool, bytes_needed);
@ -141,7 +141,7 @@ diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/cr
if (bytes > 0) { if (bytes > 0) {
rand_pool_add_end(pool, bytes, 8 * bytes); rand_pool_add_end(pool, bytes, 8 * bytes);
bytes_needed -= bytes; bytes_needed -= bytes;
@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
int attempts = 3; int attempts = 3;
const int fd = get_random_device(i); const int fd = get_random_device(i);
@ -153,7 +153,7 @@ diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/cr
while (bytes_needed != 0 && attempts-- > 0) { while (bytes_needed != 0 && attempts-- > 0) {
buffer = rand_pool_add_begin(pool, bytes_needed); buffer = rand_pool_add_begin(pool, bytes_needed);
@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO @@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
return entropy_available; return entropy_available;
} }
# endif # endif
@ -164,9 +164,9 @@ diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/cr
return rand_pool_entropy_available(pool); return rand_pool_entropy_available(pool);
# endif # endif
} }
diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/include/crypto/fips.h diff -up openssl-1.1.1e/include/crypto/fips.h.fips-post-rand openssl-1.1.1e/include/crypto/fips.h
--- openssl-1.1.1i/include/crypto/fips.h.fips-post-rand 2020-12-09 10:26:41.639106369 +0100 --- openssl-1.1.1e/include/crypto/fips.h.fips-post-rand 2020-03-17 18:06:16.831418696 +0100
+++ openssl-1.1.1i/include/crypto/fips.h 2020-12-09 10:26:41.657106516 +0100 +++ openssl-1.1.1e/include/crypto/fips.h 2020-03-17 18:06:16.861418172 +0100
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void); @@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void); int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void); int FIPS_selftest_cmac(void);
@ -176,9 +176,9 @@ diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/incl
int fips_pkey_signature_test(EVP_PKEY *pkey, int fips_pkey_signature_test(EVP_PKEY *pkey,
const unsigned char *tbs, int tbslen, const unsigned char *tbs, int tbslen,
const unsigned char *kat, const unsigned char *kat,
diff -up openssl-1.1.1i/include/crypto/rand.h.fips-post-rand openssl-1.1.1i/include/crypto/rand.h diff -up openssl-1.1.1e/include/crypto/rand.h.fips-post-rand openssl-1.1.1e/include/crypto/rand.h
--- openssl-1.1.1i/include/crypto/rand.h.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 --- openssl-1.1.1e/include/crypto/rand.h.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1i/include/crypto/rand.h 2020-12-09 10:26:41.657106516 +0100 +++ openssl-1.1.1e/include/crypto/rand.h 2020-03-17 18:07:35.303045555 +0100
@@ -24,6 +24,7 @@ @@ -24,6 +24,7 @@
typedef struct rand_pool_st RAND_POOL; typedef struct rand_pool_st RAND_POOL;


@ -1,255 +0,0 @@
From d1d4b56fe0c9a4200276d630f62108e1165e0990 Mon Sep 17 00:00:00 2001
From: Maurizio Barbaro <mbarbaro@redhat.com>
Date: Mon, 16 Sep 2024 10:53:53 +0200
Subject: [PATCH] Backport openssl: SSL_select_next_proto buffer overread from 3.2
Ensure that the provided client list is non-NULL and starts with a valid
entry. When called from the ALPN callback the client list should already
have been validated by OpenSSL so this should not cause a problem. When
called from the NPN callback the client list is locally configured and
will not have already been validated. Therefore SSL_select_next_proto
should not assume that it is correctly formatted.
We implement stricter checking of the client protocol list. We also do the
same for the server list while we are about it.
CVE-2024-5535
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:14:33 +0100
Merged from: https://github.com/openssl/openssl/pull/24717.
Backported-by: Maurizio Barbaro <mbarbaro@redhat.com>
we did't ported test changes because rely on internal testing framework.
---
doc/man3/SSL_CTX_set_alpn_select_cb.pod | 28 +++++++----
ssl/ssl_lib.c | 64 +++++++++++++++----------
ssl/statem/extensions_clnt.c | 30 +++++++++++-
ssl/statem/extensions_srvr.c | 3 +-
4 files changed, 89 insertions(+), 36 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
index e90caec..a3f8dfd 100644
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
@@ -43,7 +43,7 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
const unsigned char *server,
unsigned int server_len,
const unsigned char *client,
- unsigned int client_len)
+ unsigned int client_len);
void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
unsigned *len);
@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
set the list of protocols available to be negotiated. The B<protos> must be in
protocol-list format, described below. The length of B<protos> is specified in
-B<protos_len>.
+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
+protocols and no ALPN extension will be sent to the server.
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
server to select which protocol to use for the incoming connection. When B<cb>
@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
described below. The first item in the B<server>, B<server_len> list that
matches an item in the B<client>, B<client_len> list is selected, and returned
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
-B<client>, so it should be copied immediately. If no match is found, the first
-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
-function can also be used in the NPN callback.
+B<client>, so it should be copied immediately. The client list must include at
+least one valid (nonempty) protocol entry in the list.
+
+The SSL_select_next_proto() helper function can be useful from either the ALPN
+callback or the NPN callback (described below). If no match is found, the first
+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
+SSL_select_next_proto().
SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
client needs to select a protocol from the server's provided list, and a
@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
The length of the protocol name must be written into B<outlen>. The
server's advertised protocols are provided in B<in> and B<inlen>. The
callback can assume that B<in> is syntactically valid. The client must
-select a protocol. It is fatal to the connection if this callback returns
-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
-set via SSL_CTX_set_next_proto_select_cb().
+select a protocol (although it may be an empty, zero length protocol). It is
+fatal to the connection if this callback returns a value other than
+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
when a TLS server needs a list of supported protocols for Next Protocol
@@ -149,7 +158,8 @@ A match was found and is returned in B<out>, B<outlen>.
=item OPENSSL_NPN_NO_OVERLAP
No match was found. The first item in B<client>, B<client_len> is returned in
-B<out>, B<outlen>.
+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
+B<client> is invalid).
=back
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index c71c686..21e6c45 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2739,38 +2739,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
unsigned int server_len,
const unsigned char *client, unsigned int client_len)
{
- unsigned int i, j;
- const unsigned char *result;
- int status = OPENSSL_NPN_UNSUPPORTED;
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
+ if (!PACKET_buf_init(&cpkt, client, client_len)
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
+ || PACKET_remaining(&csubpkt) == 0) {
+ *out = NULL;
+ *outlen = 0;
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ /*
+ * Set the default opportunistic protocol. Will be overwritten if we find
+ * a match.
+ */
+ *out = (unsigned char *)PACKET_data(&csubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
/*
* For each protocol in server preference order, see if we support it.
*/
- for (i = 0; i < server_len;) {
- for (j = 0; j < client_len;) {
- if (server[i] == client[j] &&
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
- /* We found a match */
- result = &server[i];
- status = OPENSSL_NPN_NEGOTIATED;
- goto found;
+ if (PACKET_buf_init(&spkt, server, server_len)) {
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
+ if (PACKET_remaining(&ssubpkt) == 0)
+ continue; /* Invalid - ignore it */
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
+ PACKET_remaining(&ssubpkt))) {
+ /* We found a match */
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
+ return OPENSSL_NPN_NEGOTIATED;
+ }
+ }
+ /* Ignore spurious trailing bytes in the client list */
+ } else {
+ /* This should never happen */
+ return OPENSSL_NPN_NO_OVERLAP;
}
- j += client[j];
- j++;
}
- i += server[i];
- i++;
+ /* Ignore spurious trailing bytes in the server list */
}
- /* There's no overlap between our protocols and the server's list. */
- result = client;
- status = OPENSSL_NPN_NO_OVERLAP;
-
- found:
- *out = (unsigned char *)result + 1;
- *outlen = result[0];
- return status;
-}
+ /*
+ * There's no overlap between our protocols and the server's list. We use
+ * the default opportunistic protocol selected earlier
+ */
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
#ifndef OPENSSL_NO_NEXTPROTONEG
/*
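Review bot: The narrowing casts `*outlen = (unsigned char)PACKET_remaining(&csubpkt);` and the matching one in the match branch are lossless only because both sub-packets were produced by PACKET_get_length_prefixed_1, whose one-byte prefix bounds the length at 255; that invariant is what keeps the `unsigned char *outlen` interface safe and deserves a comment next to the first cast, e.g. `/* one-byte length prefix, so remaining <= 255 and the cast cannot truncate */`. The branch commented "This should never happen" returns OPENSSL_NPN_NO_OVERLAP with `*out`/`*outlen` still holding the default opportunistic protocol set above, which matches the documented contract, but the comment should say so rather than leaving it to the reader to trace. The closing brace of the rewritten body appears to sit one indent level in (`+ }` against the removed `-}`), if that is not an artefact of rendering.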
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index ce8a757..cfde733 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1585,8 +1585,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
PACKET_data(pkt),
PACKET_remaining(pkt),
- s->ctx->ext.npn_select_cb_arg) !=
- SSL_TLSEXT_ERR_OK) {
+ s->ctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
+ || selected_len == 0) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN,
SSL_R_BAD_EXTENSION);
return 0;
@@ -1617,6 +1617,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx)
{
size_t len;
+ PACKET confpkt, protpkt;
+ int valid = 0;
/* We must have requested it. */
if (!s->s3->alpn_sent) {
@@ -1637,6 +1639,30 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
SSL_R_BAD_EXTENSION);
return 0;
}
+
+ /* It must be a protocol that we sent */
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
+ if (PACKET_remaining(&protpkt) != len)
+ continue;
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
+ /* Valid protocol found */
+ valid = 1;
+ break;
+ }
+ }
+
+ if (!valid) {
+ /* The protocol sent from the server does not match one we advertised */
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
+ SSL_R_BAD_EXTENSION);
+ return 0;
+ }
+
OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = OPENSSL_malloc(len);
if (s->s3->alpn_selected == NULL) {
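Review bot: The length test `if (PACKET_remaining(&protpkt) != len) continue;` followed by the `memcmp` on `PACKET_data(pkt)` re-implements what PACKET_equal already provides, and the same patch uses PACKET_equal for the NPN comparison in ssl_lib.c; the three lines collapse to `if (PACKET_equal(&protpkt, PACKET_data(pkt), len)) { valid = 1; break; }`, keeping the length check and byte comparison in one call. This assumes `pkt` has already been positioned on the `len` protocol bytes by the validation above the hunk (the leading context shows that check returning on mismatch), which should be confirmed. tls_parse_stoc_alpn continues below the hunk.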
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 3c7395c..4e3cbf8 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1559,9 +1559,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
return EXT_RETURN_FAIL;
}
s->s3->npn_seen = 1;
+ return EXT_RETURN_SENT;
}
- return EXT_RETURN_SENT;
+ return EXT_RETURN_NOT_SENT;
}
#endif
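Review bot: The new `return EXT_RETURN_NOT_SENT;` carries no comment explaining when the server now omits the extension, and the condition that decides it sits above the hunk, so a reader of the tail of tls_construct_stoc_next_proto_neg only sees `npn_seen = 1` followed by a bare NOT_SENT; a one-line comment on the new return, phrased to match whatever the guarded condition actually tests (presumably the advertise callback not supplying a list), would make the SENT/NOT_SENT split self-explanatory. The function's opening and that condition are outside the hunk, so the wording needs confirming against them.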
--
2.46.0


@ -0,0 +1,14 @@
Do not return failure when setting version bound on fixed protocol
version method.
diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
* methods are not subject to controls that disable individual protocol
* versions.
*/
- return 0;
+ return 1;
case TLS_ANY_VERSION:
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
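Review bot: Turning `return 0;` into `return 1;` makes ssl_set_version_bound() report success for a fixed-version method while the requested bound is left unapplied, so a caller that sets a minimum or maximum protocol version on such a method no longer gets any signal that the setting had no effect; because the method is pinned to a single version there is no downgrade exposure, but the comment above the return (which still only says these methods are not subject to version controls) should state the new contract, e.g. `/* The bound is ignored: report success so callers need not special-case fixed-version methods. */`. The enclosing switch and function start outside the hunk.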


@ -10,30 +10,10 @@ diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypt
PROGRAMS_NO_INST=\ PROGRAMS_NO_INST=\
fips_standalone_hmac fips_standalone_hmac
diff -up openssl-1.1.1g/crypto/fips/fips_err.h.kdf-selftest openssl-1.1.1g/crypto/fips/fips_err.h
--- openssl-1.1.1g/crypto/fips/fips_err.h.kdf-selftest 2020-07-14 15:27:51.681785958 +0200
+++ openssl-1.1.1g/crypto/fips/fips_err.h 2020-10-22 14:07:13.645614388 +0200
@@ -108,9 +108,16 @@ static ERR_STRING_DATA FIPS_str_functs[]
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"},
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HKDF), "FIPS_selftest_hkdf"},
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_KBKDF), "FIPS_selftest_kbkdf"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_KRB5KDF), "FIPS_selftest_krb5kdf"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"},
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSHKDF), "FIPS_selftest_sshkdf"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSKDF), "FIPS_selftest_sskdf"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS1_PRF), "FIPS_selftest_tls1_prf"},
{ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
{ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"},
{ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"},
diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c
--- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest 2020-10-22 16:25:33.211248158 +0200 --- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest 2020-06-03 16:08:36.337849577 +0200
+++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c 2020-10-22 16:56:54.652267521 +0200 +++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c 2020-06-03 16:08:36.337849577 +0200
@@ -0,0 +1,377 @@ @@ -0,0 +1,117 @@
+/* +/*
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
@ -53,173 +33,7 @@ diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1
+#include <openssl/kdf.h> +#include <openssl/kdf.h>
+ +
+#ifdef OPENSSL_FIPS +#ifdef OPENSSL_FIPS
+static int FIPS_selftest_tls1_prf(void) +int FIPS_selftest_pbkdf2(void)
+{
+ int ret = 0;
+ EVP_KDF_CTX *kctx;
+ unsigned char out[16];
+
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
+ "secret", (size_t)6) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
+ goto err;
+ }
+
+ {
+ const unsigned char expected[sizeof(out)] = {
+ 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
+ 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
+ };
+ if (memcmp(out, expected, sizeof(expected))) {
+ goto err;
+ }
+ }
+ ret = 1;
+
+err:
+ if (!ret)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_TLS1_PRF, FIPS_R_SELFTEST_FAILED);
+ EVP_KDF_CTX_free(kctx);
+ return ret;
+}
+
+static int FIPS_selftest_hkdf(void)
+{
+ int ret = 0;
+ EVP_KDF_CTX *kctx;
+ unsigned char out[10];
+
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO,
+ "label", (size_t)5) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
+ goto err;
+ }
+
+ {
+ const unsigned char expected[sizeof(out)] = {
+ 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
+ };
+ if (memcmp(out, expected, sizeof(expected))) {
+ goto err;
+ }
+ }
+ ret = 1;
+err:
+ if (!ret)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_HKDF, FIPS_R_SELFTEST_FAILED);
+ EVP_KDF_CTX_free(kctx);
+ return ret;
+}
+
+static int FIPS_selftest_sshkdf(void)
+{
+ int ret = 0;
+ EVP_KDF_CTX *kctx;
+ unsigned char out[32];
+ const unsigned char input_key[] = {
+ 0x00, 0x00, 0x00, 0x80, 0x0f, 0xaa, 0x17, 0x2b,
+ 0x8c, 0x28, 0x7e, 0x37, 0x2b, 0xb2, 0x36, 0xad,
+ 0x34, 0xc7, 0x33, 0x69, 0x5c, 0x13, 0xd7, 0x7f,
+ 0x88, 0x2a, 0xdc, 0x0f, 0x47, 0xe5, 0xa7, 0xf6,
+ 0xa3, 0xde, 0x07, 0xef, 0xb1, 0x01, 0x20, 0x7a,
+ 0xa5, 0xd6, 0x65, 0xb6, 0x19, 0x82, 0x6f, 0x75,
+ 0x65, 0x91, 0xf6, 0x53, 0x10, 0xbb, 0xd2, 0xc9,
+ 0x2c, 0x93, 0x84, 0xe6, 0xc6, 0xa6, 0x7b, 0x42,
+ 0xde, 0xc3, 0x82, 0xfd, 0xb2, 0x4c, 0x59, 0x1d,
+ 0x79, 0xff, 0x5e, 0x47, 0x73, 0x7b, 0x0f, 0x5b,
+ 0x84, 0x79, 0x69, 0x4c, 0x3a, 0xdc, 0x19, 0x40,
+ 0x17, 0x04, 0x91, 0x2b, 0xbf, 0xec, 0x27, 0x04,
+ 0xd4, 0xd5, 0xbe, 0xbb, 0xfc, 0x1a, 0x7f, 0xc7,
+ 0x96, 0xe2, 0x77, 0x63, 0x4e, 0x40, 0x85, 0x18,
+ 0x51, 0xa1, 0x87, 0xec, 0x2d, 0x37, 0xed, 0x3f,
+ 0x35, 0x1c, 0x45, 0x96, 0xa5, 0xa0, 0x89, 0x29,
+ 0x16, 0xb4, 0xc5, 0x5f
+ };
+ const unsigned char xcghash[] = {
+ 0xa3, 0x47, 0xf5, 0xf1, 0xe1, 0x91, 0xc3, 0x5f,
+ 0x21, 0x2c, 0x93, 0x24, 0xd5, 0x86, 0x7e, 0xfd,
+ 0xf8, 0x30, 0x26, 0xbe, 0x62, 0xc2, 0xb1, 0x6a,
+ 0xe0, 0x06, 0xed, 0xb3, 0x37, 0x8d, 0x40, 0x06
+ };
+ const unsigned char session_id[] = {
+ 0x90, 0xbe, 0xfc, 0xef, 0x3f, 0xf8, 0xf9, 0x20,
+ 0x67, 0x4a, 0x9f, 0xab, 0x94, 0x19, 0x8c, 0xf3,
+ 0xfd, 0x9d, 0xca, 0x24, 0xa2, 0x1d, 0x3c, 0x9d,
+ 0xba, 0x39, 0x4d, 0xaa, 0xfb, 0xc6, 0x21, 0xed
+ };
+
+
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF)) == NULL) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key,
+ sizeof(input_key)) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash,
+ sizeof(xcghash)) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, session_id,
+ sizeof(session_id)) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, (int)'F') <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
+ goto err;
+ }
+
+ {
+ const unsigned char expected[sizeof(out)] = {
+ 0x14, 0x7a, 0x77, 0x14, 0x45, 0x12, 0x3f, 0x84,
+ 0x6d, 0x8a, 0xe5, 0x14, 0xd7, 0xff, 0x9b, 0x3c,
+ 0x93, 0xb2, 0xbc, 0xeb, 0x7c, 0x7c, 0x95, 0x00,
+ 0x94, 0x21, 0x61, 0xb8, 0xe2, 0xd0, 0x11, 0x0f
+ };
+ if (memcmp(out, expected, sizeof(expected))) {
+ goto err;
+ }
+ }
+ ret = 1;
+
+err:
+ if (!ret)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SSHKDF, FIPS_R_SELFTEST_FAILED);
+ EVP_KDF_CTX_free(kctx);
+ return ret;
+}
+
+static int FIPS_selftest_pbkdf2(void)
+{ +{
+ int ret = 0; + int ret = 0;
+ EVP_KDF_CTX *kctx; + EVP_KDF_CTX *kctx;
@ -266,16 +80,16 @@ diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1
+ +
+/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos +/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
+ * 5) appendix A. */ + * 5) appendix A. */
+static int FIPS_selftest_kbkdf(void) +int FIPS_selftest_kbkdf(void)
+{ +{
+ int ret = 0; + int ret = 0;
+ EVP_KDF_CTX *kctx; + EVP_KDF_CTX *kctx;
+ char *label = "prf", *prf_input = "test"; + char *label = "prf", *prf_input = "test";
+ const unsigned char input_key[] = { + static unsigned char input_key[] = {
+ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28, + 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
+ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C, + 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
+ }; + };
+ const unsigned char output[] = { + static unsigned char output[] = {
+ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE, + 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
+ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86, + 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
+ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B, + 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
@ -304,110 +118,16 @@ diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1
+ ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0 + ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0
+ && memcmp(result, output, sizeof(output)) == 0; + && memcmp(result, output, sizeof(output)) == 0;
+err: +err:
+
+ if (!ret) + if (!ret)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED); + FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED);
+ EVP_KDF_CTX_free(kctx); + EVP_KDF_CTX_free(kctx);
+ return ret; + return ret;
+} +}
+ +
+static int FIPS_selftest_krb5kdf(void)
+{
+ int ret = 0;
+ EVP_KDF_CTX *kctx;
+ unsigned char out[16];
+ const unsigned char key[] = {
+ 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
+ 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
+ };
+ const unsigned char constant[] = {
+ 0x00, 0x00, 0x00, 0x02, 0x99
+ };
+ const unsigned char expected[sizeof(out)] = {
+ 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
+ 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
+ };
+
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF)) == NULL) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc()) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, sizeof(constant)) <= 0) {
+ goto err;
+ }
+
+ ret =
+ EVP_KDF_derive(kctx, out, sizeof(out)) > 0
+ && memcmp(out, expected, sizeof(expected)) == 0;
+
+err:
+ if (!ret)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_KRB5KDF, FIPS_R_SELFTEST_FAILED);
+ EVP_KDF_CTX_free(kctx);
+ return ret;
+}
+
+static int FIPS_selftest_sskdf(void)
+{
+ int ret = 0;
+ EVP_KDF_CTX *kctx;
+ const unsigned char z[] = {
+ 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
+ 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
+ 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
+ 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
+ };
+ const unsigned char other[] = {
+ 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
+ 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
+ 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
+ 0xe0,0xec,0x3f,0x8d,0xbe
+ };
+ const unsigned char expected[] = {
+ 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
+ };
+ unsigned char out[14];
+
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS);
+
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
+ sizeof(other)) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
+ goto err;
+ }
+
+ if (memcmp(out, expected, sizeof(expected)))
+ goto err;
+ ret = 1;
+
+err:
+ if (!ret)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SSKDF, FIPS_R_SELFTEST_FAILED);
+ EVP_KDF_CTX_free(kctx);
+ return ret;
+}
+
+int FIPS_selftest_kdf(void) +int FIPS_selftest_kdf(void)
+{ +{
+ return FIPS_selftest_tls1_prf() + return FIPS_selftest_pbkdf2() && FIPS_selftest_kbkdf();
+ && FIPS_selftest_hkdf()
+ && FIPS_selftest_sshkdf()
+ && FIPS_selftest_pbkdf2()
+ && FIPS_selftest_kbkdf()
+ && FIPS_selftest_krb5kdf()
+ && FIPS_selftest_sskdf();
+} +}
+ +
+#endif +#endif
@ -426,31 +146,25 @@ diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/cryp
diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h
--- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest 2020-06-03 16:08:36.330849519 +0200 --- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest 2020-06-03 16:08:36.330849519 +0200
+++ openssl-1.1.1g/include/crypto/fips.h 2020-06-03 16:08:36.338849585 +0200 +++ openssl-1.1.1g/include/crypto/fips.h 2020-06-03 16:08:36.338849585 +0200
@@ -72,6 +72,7 @@ void FIPS_drbg_stick(int onoff); @@ -72,6 +72,9 @@ void FIPS_drbg_stick(int onoff);
int FIPS_selftest_hmac(void); int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void); int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void); int FIPS_selftest_cmac(void);
+int FIPS_selftest_kbkdf(void);
+int FIPS_selftest_pbkdf2(void);
+int FIPS_selftest_kdf(void); +int FIPS_selftest_kdf(void);
int fips_in_post(void); int fips_in_post(void);
diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h
--- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest 2020-07-14 15:27:51.685785988 +0200 --- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest 2020-06-03 16:08:36.282849124 +0200
+++ openssl-1.1.1g/include/openssl/fips.h 2020-10-22 14:03:28.868575785 +0200 +++ openssl-1.1.1g/include/openssl/fips.h 2020-06-03 16:08:36.338849585 +0200
@@ -122,9 +122,16 @@ extern "C" { @@ -123,6 +123,8 @@ extern "C" {
# define FIPS_F_FIPS_SELFTEST_DES 111
# define FIPS_F_FIPS_SELFTEST_DSA 112 # define FIPS_F_FIPS_SELFTEST_DSA 112
# define FIPS_F_FIPS_SELFTEST_ECDSA 133 # define FIPS_F_FIPS_SELFTEST_ECDSA 133
+# define FIPS_F_FIPS_SELFTEST_HKDF 153
# define FIPS_F_FIPS_SELFTEST_HMAC 113 # define FIPS_F_FIPS_SELFTEST_HMAC 113
+# define FIPS_F_FIPS_SELFTEST_KBKDF 151 +# define FIPS_F_FIPS_SELFTEST_KBKDF 151
+# define FIPS_F_FIPS_SELFTEST_KRB5KDF 154
+# define FIPS_F_FIPS_SELFTEST_PBKDF2 152 +# define FIPS_F_FIPS_SELFTEST_PBKDF2 152
# define FIPS_F_FIPS_SELFTEST_SHA1 115 # define FIPS_F_FIPS_SELFTEST_SHA1 115
# define FIPS_F_FIPS_SELFTEST_SHA2 105 # define FIPS_F_FIPS_SELFTEST_SHA2 105
+# define FIPS_F_FIPS_SELFTEST_SSHKDF 155
+# define FIPS_F_FIPS_SELFTEST_SSKDF 156
+# define FIPS_F_FIPS_SELFTEST_TLS1_PRF 157
# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148
# define FIPS_F_RSA_BUILTIN_KEYGEN 116
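Review bot: On the side this compare moves to (the shorter column, the 117-line variant of fips_kdf_selftest.c per its `@@ -0,0 +1,117 @@` header), the KBKDF known-answer vectors in FIPS_selftest_kbkdf are declared `static unsigned char input_key[]` and `static unsigned char output[]`, i.e. writable storage, whereas the other column has `const unsigned char`; self-test reference data should be `static const unsigned char` so a stray write cannot alter what the power-on test compares against and the compiler can place it in read-only storage. Dropping `static` from FIPS_selftest_pbkdf2 and FIPS_selftest_kbkdf in that column is consistent with the prototypes added to include/crypto/fips.h further down this section, so that part needs no change. The column-to-side assignment is inferred from the two-column rendering and the forge's 30-to-10 line counts and should be confirmed.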



@ -1,319 +0,0 @@
diff -up openssl-1.1.1k/crypto/asn1/t_spki.c.read-buff openssl-1.1.1k/crypto/asn1/t_spki.c
--- openssl-1.1.1k/crypto/asn1/t_spki.c.read-buff 2021-11-11 15:38:39.678509348 +0100
+++ openssl-1.1.1k/crypto/asn1/t_spki.c 2021-11-11 15:40:59.647922530 +0100
@@ -38,7 +38,7 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCA
}
chal = spki->spkac->challenge;
if (chal->length)
- BIO_printf(out, " Challenge String: %s\n", chal->data);
+ BIO_printf(out, " Challenge String: %.*s\n", chal->length, chal->data);
i = OBJ_obj2nid(spki->sig_algor.algorithm);
BIO_printf(out, " Signature Algorithm: %s",
(i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
diff -up openssl-1.1.1k/crypto/ec/ec_asn1.c.read-buff openssl-1.1.1k/crypto/ec/ec_asn1.c
--- openssl-1.1.1k/crypto/ec/ec_asn1.c.read-buff 2021-11-11 15:36:43.782339219 +0100
+++ openssl-1.1.1k/crypto/ec/ec_asn1.c 2021-11-11 15:37:43.064937758 +0100
@@ -761,7 +761,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters
ret->seed_len = params->curve->seed->length;
}
- if (!params->order || !params->base || !params->base->data) {
+ if (params->order == NULL
+ || params->base == NULL
+ || params->base->data == NULL
+ || params->base->length == 0) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
goto err;
}
diff -up openssl-1.1.1k/crypto/x509/t_x509.c.read-buff openssl-1.1.1k/crypto/x509/t_x509.c
--- openssl-1.1.1k/crypto/x509/t_x509.c.read-buff 2021-11-12 12:54:15.665091764 +0100
+++ openssl-1.1.1k/crypto/x509/t_x509.c 2021-11-12 12:56:10.897782587 +0100
@@ -365,9 +365,9 @@ int X509_aux_print(BIO *out, X509 *x, in
BIO_puts(out, "\n");
} else
BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
- alias = X509_alias_get0(x, NULL);
+ alias = X509_alias_get0(x, &i);
if (alias)
- BIO_printf(out, "%*sAlias: %s\n", indent, "", alias);
+ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias);
keyid = X509_keyid_get0(x, &keyidlen);
if (keyid) {
BIO_printf(out, "%*sKey Id: ", indent, "");
diff -up openssl-1.1.1k/crypto/x509v3/v3_cpols.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_cpols.c
--- openssl-1.1.1k/crypto/x509v3/v3_cpols.c.read-buff 2021-11-12 12:40:51.415811428 +0100
+++ openssl-1.1.1k/crypto/x509v3/v3_cpols.c 2021-11-12 12:50:06.062808372 +0100
@@ -422,7 +422,8 @@ static void print_qualifiers(BIO *out, S
qualinfo = sk_POLICYQUALINFO_value(quals, i);
switch (OBJ_obj2nid(qualinfo->pqualid)) {
case NID_id_qt_cps:
- BIO_printf(out, "%*sCPS: %s\n", indent, "",
+ BIO_printf(out, "%*sCPS: %.*s\n", indent, "",
+ qualinfo->d.cpsuri->length,
qualinfo->d.cpsuri->data);
break;
@@ -447,7 +448,8 @@ static void print_notice(BIO *out, USERN
if (notice->noticeref) {
NOTICEREF *ref;
ref = notice->noticeref;
- BIO_printf(out, "%*sOrganization: %s\n", indent, "",
+ BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
+ ref->organization->length,
ref->organization->data);
BIO_printf(out, "%*sNumber%s: ", indent, "",
sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
@@ -470,7 +472,8 @@ static void print_notice(BIO *out, USERN
BIO_puts(out, "\n");
}
if (notice->exptext)
- BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
+ BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
+ notice->exptext->length,
notice->exptext->data);
}
diff -up openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_ncons.c
--- openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff 2021-11-11 15:56:12.675140779 +0100
+++ openssl-1.1.1k/crypto/x509v3/v3_ncons.c 2021-11-12 12:38:24.781856836 +0100
@@ -63,8 +63,30 @@ ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
+#define IA5_OFFSET_LEN(ia5base, offset) \
+ ((ia5base)->length - ((unsigned char *)(offset) - (ia5base)->data))
+
+/* Like memchr but for ASN1_IA5STRING. Additionally you can specify the
+ * starting point to search from
+ */
+# define ia5memchr(str, start, c) memchr(start, c, IA5_OFFSET_LEN(str, start))
+
+/* Like memrrchr but for ASN1_IA5STRING */
+static char *ia5memrchr(ASN1_IA5STRING *str, int c)
+{
+ int i;
+
+ for (i = str->length; i > 0 && str->data[i - 1] != c; i--);
+
+ if (i == 0)
+ return NULL;
+
+ return (char *)&str->data[i - 1];
+}
+
/*
- * We cannot use strncasecmp here because that applies locale specific rules.
+ * We cannot use strncasecmp here because that applies locale specific rules. It
+ * also doesn't work with ASN1_STRINGs that may have embedded NUL characters.
* For example in Turkish 'I' is not the uppercase character for 'i'. We need to
* do a simple ASCII case comparison ignoring the locale (that is why we use
* numeric constants below).
@@ -89,20 +111,12 @@ static int ia5ncasecmp(const char *s1, c
/* c1 > c2 */
return 1;
- } else if (*s1 == 0) {
- /* If we get here we know that *s2 == 0 too */
- return 0;
}
}
return 0;
}
-static int ia5casecmp(const char *s1, const char *s2)
-{
- return ia5ncasecmp(s1, s2, SIZE_MAX);
-}
-
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
{
@@ -337,7 +351,7 @@ static int cn2dnsid(ASN1_STRING *cn, uns
--utf8_length;
/* Reject *embedded* NULs */
- if ((size_t)utf8_length != strlen((char *)utf8_value)) {
+ if (memchr(utf8_value, 0, utf8_length) != NULL) {
OPENSSL_free(utf8_value);
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
}
@@ -537,7 +551,7 @@ static int nc_dns(ASN1_IA5STRING *dns, A
char *baseptr = (char *)base->data;
char *dnsptr = (char *)dns->data;
/* Empty matches everything */
- if (!*baseptr)
+ if (base->length == 0)
return X509_V_OK;
/*
* Otherwise can add zero or more components on the left so compare RHS
@@ -549,7 +563,7 @@ static int nc_dns(ASN1_IA5STRING *dns, A
return X509_V_ERR_PERMITTED_VIOLATION;
}
- if (ia5casecmp(baseptr, dnsptr))
+ if (ia5ncasecmp(baseptr, dnsptr, base->length))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;
@@ -560,16 +574,17 @@ static int nc_email(ASN1_IA5STRING *eml,
{
const char *baseptr = (char *)base->data;
const char *emlptr = (char *)eml->data;
+ const char *baseat = ia5memrchr(base, '@');
+ const char *emlat = ia5memrchr(eml, '@');
+ size_t basehostlen, emlhostlen;
- const char *baseat = strchr(baseptr, '@');
- const char *emlat = strchr(emlptr, '@');
if (!emlat)
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
/* Special case: initial '.' is RHS match */
- if (!baseat && (*baseptr == '.')) {
+ if (!baseat && base->length > 0 && (*baseptr == '.')) {
if (eml->length > base->length) {
emlptr += eml->length - base->length;
- if (ia5casecmp(baseptr, emlptr) == 0)
+ if (ia5ncasecmp(baseptr, emlptr, base->length) == 0)
return X509_V_OK;
}
return X509_V_ERR_PERMITTED_VIOLATION;
@@ -589,8 +604,10 @@ static int nc_email(ASN1_IA5STRING *eml,
baseptr = baseat + 1;
}
emlptr = emlat + 1;
+ basehostlen = IA5_OFFSET_LEN(base, baseptr);
+ emlhostlen = IA5_OFFSET_LEN(eml, emlptr);
/* Just have hostname left to match: case insensitive */
- if (ia5casecmp(baseptr, emlptr))
+ if (basehostlen != emlhostlen || ia5ncasecmp(baseptr, emlptr, emlhostlen))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;
@@ -601,10 +618,14 @@ static int nc_uri(ASN1_IA5STRING *uri, A
{
const char *baseptr = (char *)base->data;
const char *hostptr = (char *)uri->data;
- const char *p = strchr(hostptr, ':');
+ const char *p = ia5memchr(uri, (char *)uri->data, ':');
int hostlen;
+
/* Check for foo:// and skip past it */
- if (!p || (p[1] != '/') || (p[2] != '/'))
+ if (p == NULL
+ || IA5_OFFSET_LEN(uri, p) < 3
+ || p[1] != '/'
+ || p[2] != '/')
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
hostptr = p + 3;
@@ -612,13 +633,13 @@ static int nc_uri(ASN1_IA5STRING *uri, A
/* Look for a port indicator as end of hostname first */
- p = strchr(hostptr, ':');
+ p = ia5memchr(uri, hostptr, ':');
/* Otherwise look for trailing slash */
- if (!p)
- p = strchr(hostptr, '/');
+ if (p == NULL)
+ p = ia5memchr(uri, hostptr, '/');
- if (!p)
- hostlen = strlen(hostptr);
+ if (p == NULL)
+ hostlen = IA5_OFFSET_LEN(uri, hostptr);
else
hostlen = p - hostptr;
@@ -626,7 +647,7 @@ static int nc_uri(ASN1_IA5STRING *uri, A
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
/* Special case: initial '.' is RHS match */
- if (*baseptr == '.') {
+ if (base->length > 0 && *baseptr == '.') {
if (hostlen > base->length) {
p = hostptr + hostlen - base->length;
if (ia5ncasecmp(p, baseptr, base->length) == 0)
diff -up openssl-1.1.1k/crypto/x509v3/v3_pci.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_pci.c
--- openssl-1.1.1k/crypto/x509v3/v3_pci.c.read-buff 2021-11-12 12:39:06.649337807 +0100
+++ openssl-1.1.1k/crypto/x509v3/v3_pci.c 2021-11-12 12:40:07.955201861 +0100
@@ -77,7 +77,8 @@ static int i2r_pci(X509V3_EXT_METHOD *me
i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
BIO_puts(out, "\n");
if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
- BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+ BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "",
+ pci->proxyPolicy->policy->length,
pci->proxyPolicy->policy->data);
return 1;
}
diff -up openssl-1.1.1k/crypto/x509v3/v3_utl.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_utl.c
--- openssl-1.1.1k/crypto/x509v3/v3_utl.c.read-buff 2021-11-11 15:46:16.797124581 +0100
+++ openssl-1.1.1k/crypto/x509v3/v3_utl.c 2021-11-11 15:50:36.696748621 +0100
@@ -502,18 +502,26 @@ static int append_ia5(STACK_OF(OPENSSL_S
/* First some sanity checks */
if (email->type != V_ASN1_IA5STRING)
return 1;
- if (!email->data || !email->length)
+ if (email->data == NULL || email->length == 0)
+ return 1;
+ if (memchr(email->data, 0, email->length) != NULL)
return 1;
if (*sk == NULL)
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
if (*sk == NULL)
return 0;
+
+ emtmp = OPENSSL_strndup((char *)email->data, email->length);
+ if (emtmp == NULL)
+ return 0;
+
/* Don't add duplicates */
- if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
+ if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
+ OPENSSL_free(emtmp);
return 1;
- emtmp = OPENSSL_strdup((char *)email->data);
- if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
- OPENSSL_free(emtmp); /* free on push failure */
+ }
+ if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
+ OPENSSL_free(emtmp); /* free on push failure */
X509_email_free(*sk);
*sk = NULL;
return 0;
diff -up openssl-1.1.1k/test/x509_time_test.c.read-buff openssl-1.1.1k/test/x509_time_test.c
--- openssl-1.1.1k/test/x509_time_test.c.read-buff 2021-11-11 15:53:59.112792286 +0100
+++ openssl-1.1.1k/test/x509_time_test.c 2021-11-11 15:55:18.148590259 +0100
@@ -330,10 +330,12 @@ static int test_x509_time(int idx)
/* if t is not NULL but expected_string is NULL, it is an 'OK' case too */
if (t != NULL && x509_format_tests[idx].expected_string) {
- if (!TEST_str_eq((const char *)t->data,
- x509_format_tests[idx].expected_string)) {
- TEST_info("test_x509_time(%d) failed: expected_string %s, got %s\n",
- idx, x509_format_tests[idx].expected_string, t->data);
+ if (!TEST_mem_eq((const char *)t->data, t->length,
+ x509_format_tests[idx].expected_string,
+ strlen(x509_format_tests[idx].expected_string))) {
+ TEST_info("test_x509_time(%d) failed: expected_string %s, got %.*s\n",
+ idx, x509_format_tests[idx].expected_string, t->length,
+ t->data);
goto out;
}
}
diff -up openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_ncons.c
--- openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff 2021-11-12 18:19:14.742820536 +0100
+++ openssl-1.1.1k/crypto/x509v3/v3_ncons.c 2021-11-12 18:20:09.663327518 +0100
@@ -553,6 +553,10 @@ static int nc_dns(ASN1_IA5STRING *dns, A
/* Empty matches everything */
if (base->length == 0)
return X509_V_OK;
+
+ if (dns->length < base->length)
+ return X509_V_ERR_PERMITTED_VIOLATION;
+
/*
* Otherwise can add zero or more components on the left so compare RHS
* and if dns is longer and expect '.' as preceding character.


@ -0,0 +1,44 @@
diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200
@@ -292,6 +292,9 @@ extern "C" {
# define TLS1_FLAGS_STATELESS 0x0800
+/* Set if extended master secret extension required on renegotiation */
+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
+
# define SSL3_MT_HELLO_REQUEST 0
# define SSL3_MT_CLIENT_HELLO 1
# define SSL3_MT_SERVER_HELLO 2
diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
static int init_ems(SSL *s, unsigned int context)
{
- if (!s->server)
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
+ }
return 1;
}
static int final_ems(SSL *s, unsigned int context, int sent)
{
+ /*
+ * Check extended master secret extension is not dropped on
+ * renegotiation.
+ */
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
+ SSL_R_INCONSISTENT_EXTMS);
+ return 0;
+ }
if (!s->server && s->hit) {
/*
* Check extended master secret extension is consistent with

@ -1,497 +0,0 @@
diff -up openssl-1.1.1k/test/evp_extra_test.c.s390x-test-aes openssl-1.1.1k/test/evp_extra_test.c
--- openssl-1.1.1k/test/evp_extra_test.c.s390x-test-aes 2021-07-16 17:33:04.663181698 +0200
+++ openssl-1.1.1k/test/evp_extra_test.c 2021-07-16 17:49:27.780439742 +0200
@@ -320,6 +320,97 @@ static const unsigned char pExampleECPar
};
#endif
+static const unsigned char kCFBDefaultKey[] = {
+ 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 0xAB, 0xF7, 0x15, 0x88,
+ 0x09, 0xCF, 0x4F, 0x3C
+};
+
+static const unsigned char kGCMDefaultKey[32] = { 0 };
+
+static const unsigned char kGCMResetKey[] = {
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 0x6d, 0x6a, 0x8f, 0x94,
+ 0x67, 0x30, 0x83, 0x08, 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
+};
+
+static const unsigned char iCFBIV[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
+ 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char iGCMDefaultIV[12] = { 0 };
+
+static const unsigned char iGCMResetIV1[] = {
+ 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad
+};
+
+static const unsigned char iGCMResetIV2[] = {
+ 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
+};
+
+static const unsigned char cfbPlaintext[] = {
+ 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11,
+ 0x73, 0x93, 0x17, 0x2A
+};
+
+static const unsigned char gcmDefaultPlaintext[16] = { 0 };
+
+static const unsigned char gcmResetPlaintext[] = {
+ 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5,
+ 0xaf, 0xf5, 0x26, 0x9a, 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+ 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 0x1c, 0x3c, 0x0c, 0x95,
+ 0x95, 0x68, 0x09, 0x53, 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+ 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 0xba, 0x63, 0x7b, 0x39
+};
+
+static const unsigned char cfbCiphertext[] = {
+ 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49, 0xF8,
+ 0xE8, 0x3C, 0xFB, 0x4A
+};
+
+static const unsigned char gcmDefaultCiphertext[] = {
+ 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e, 0x07, 0x4e, 0xc5, 0xd3,
+ 0xba, 0xf3, 0x9d, 0x18
+};
+
+static const unsigned char gcmResetCiphertext1[] = {
+ 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32, 0xae, 0x47, 0xc1, 0x3b,
+ 0xf1, 0x98, 0x44, 0xcb, 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
+ 0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0, 0xfe, 0xb5, 0x82, 0xd3,
+ 0x39, 0x34, 0xa4, 0xf0, 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
+ 0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99, 0xf4, 0x7c, 0x9b, 0x1f
+};
+
+static const unsigned char gcmResetCiphertext2[] = {
+ 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07, 0xf4, 0x7f, 0x37, 0xa3,
+ 0x2a, 0x84, 0x42, 0x7d, 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+ 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa, 0x8c, 0xb0, 0x8e, 0x48,
+ 0x59, 0x0d, 0xbb, 0x3d, 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+ 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a, 0xbc, 0xc9, 0xf6, 0x62
+};
+
+static const unsigned char gcmAAD[] = {
+ 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfe, 0xed, 0xfa, 0xce,
+ 0xde, 0xad, 0xbe, 0xef, 0xab, 0xad, 0xda, 0xd2
+};
+
+static const unsigned char gcmDefaultTag[] = {
+ 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0, 0x26, 0x5b, 0x98, 0xb5,
+ 0xd4, 0x8a, 0xb9, 0x19
+};
+
+static const unsigned char gcmResetTag1[] = {
+ 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4, 0x5e, 0x45, 0x49, 0x13,
+ 0xfe, 0x2e, 0xa8, 0xf2
+};
+
+static const unsigned char gcmResetTag2[] = {
+ 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68, 0xcd, 0xdf, 0x88, 0x53,
+ 0xbb, 0x2d, 0x55, 0x1b
+};
+
+
+
typedef struct APK_DATA_st {
const unsigned char *kder;
size_t size;
@@ -330,6 +421,385 @@ typedef struct APK_DATA_st {
int type; /* 0 for private, 1 for public, 2 for params */
} APK_DATA;
+typedef struct {
+ const char *cipher;
+ const unsigned char *key;
+ const unsigned char *iv;
+ const unsigned char *input;
+ const unsigned char *expected;
+ const unsigned char *tag;
+ size_t ivlen; /* 0 if we do not need to set a specific IV len */
+ size_t inlen;
+ size_t expectedlen;
+ size_t taglen;
+ int keyfirst;
+ int initenc;
+ int finalenc;
+} EVP_INIT_TEST_st;
+
+static const EVP_INIT_TEST_st evp_init_tests[] = {
+ {
+ "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbPlaintext,
+ cfbCiphertext, NULL, 0, sizeof(cfbPlaintext), sizeof(cfbCiphertext),
+ 0, 1, 0, 1
+ },
+ {
+ "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultPlaintext,
+ gcmDefaultCiphertext, gcmDefaultTag, sizeof(iGCMDefaultIV),
+ sizeof(gcmDefaultPlaintext), sizeof(gcmDefaultCiphertext),
+ sizeof(gcmDefaultTag), 1, 0, 1
+ },
+ {
+ "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbPlaintext,
+ cfbCiphertext, NULL, 0, sizeof(cfbPlaintext), sizeof(cfbCiphertext),
+ 0, 0, 0, 1
+ },
+ {
+ "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultPlaintext,
+ gcmDefaultCiphertext, gcmDefaultTag, sizeof(iGCMDefaultIV),
+ sizeof(gcmDefaultPlaintext), sizeof(gcmDefaultCiphertext),
+ sizeof(gcmDefaultTag), 0, 0, 1
+ },
+ {
+ "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbCiphertext,
+ cfbPlaintext, NULL, 0, sizeof(cfbCiphertext), sizeof(cfbPlaintext),
+ 0, 1, 1, 0
+ },
+ {
+ "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultCiphertext,
+ gcmDefaultPlaintext, gcmDefaultTag, sizeof(iGCMDefaultIV),
+ sizeof(gcmDefaultCiphertext), sizeof(gcmDefaultPlaintext),
+ sizeof(gcmDefaultTag), 1, 1, 0
+ },
+ {
+ "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbCiphertext,
+ cfbPlaintext, NULL, 0, sizeof(cfbCiphertext), sizeof(cfbPlaintext),
+ 0, 0, 1, 0
+ },
+ {
+ "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultCiphertext,
+ gcmDefaultPlaintext, gcmDefaultTag, sizeof(iGCMDefaultIV),
+ sizeof(gcmDefaultCiphertext), sizeof(gcmDefaultPlaintext),
+ sizeof(gcmDefaultTag), 0, 1, 0
+ }
+};
+
+static int evp_init_seq_set_iv(EVP_CIPHER_CTX *ctx, const EVP_INIT_TEST_st *t)
+{
+ int res = 0;
+
+ if (t->ivlen != 0) {
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen, NULL)))
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, t->iv, -1)))
+ goto err;
+ res = 1;
+ err:
+ return res;
+}
+
+/*
+ * Test step-wise cipher initialization via EVP_CipherInit_ex where the
+ * arguments are given one at a time and a final adjustment to the enc
+ * parameter sets the correct operation.
+ */
+static int test_evp_init_seq(int idx)
+{
+ int outlen1, outlen2;
+ int testresult = 0;
+ unsigned char outbuf[1024];
+ unsigned char tag[16];
+ const EVP_INIT_TEST_st *t = &evp_init_tests[idx];
+ EVP_CIPHER_CTX *ctx = NULL;
+ const EVP_CIPHER *type = NULL;
+ size_t taglen = sizeof(tag);
+ char *errmsg = NULL;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL) {
+ errmsg = "CTX_ALLOC";
+ goto err;
+ }
+ if (!TEST_ptr(type = EVP_get_cipherbyname(t->cipher))) {
+ errmsg = "GET_CIPHERBYNAME";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, NULL, NULL, t->initenc))) {
+ errmsg = "EMPTY_ENC_INIT";
+ goto err;
+ }
+ if (!TEST_true(EVP_CIPHER_CTX_set_padding(ctx, 0))) {
+ errmsg = "PADDING";
+ goto err;
+ }
+ if (t->keyfirst && !TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, t->key, NULL, -1))) {
+ errmsg = "KEY_INIT (before iv)";
+ goto err;
+ }
+ if (!evp_init_seq_set_iv(ctx, t)) {
+ errmsg = "IV_INIT";
+ goto err;
+ }
+ if (t->keyfirst == 0 && !TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, t->key, NULL, -1))) {
+ errmsg = "KEY_INIT (after iv)";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, t->finalenc))) {
+ errmsg = "FINAL_ENC_INIT";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
+ errmsg = "CIPHER_UPDATE";
+ goto err;
+ }
+ if (t->finalenc == 0 && t->tag != NULL) {
+ /* Set expected tag */
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
+ t->taglen, (void *)t->tag))) {
+ errmsg = "SET_TAG";
+ goto err;
+ }
+ }
+ if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
+ errmsg = "CIPHER_FINAL";
+ goto err;
+ }
+ if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
+ errmsg = "WRONG_RESULT";
+ goto err;
+ }
+ if (t->finalenc != 0 && t->tag != NULL) {
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag))) {
+ errmsg = "GET_TAG";
+ goto err;
+ }
+ if (!TEST_mem_eq(t->tag, t->taglen, tag, taglen)) {
+ errmsg = "TAG_ERROR";
+ goto err;
+ }
+ }
+ testresult = 1;
+ err:
+ if (errmsg != NULL)
+ TEST_info("evp_init_test %d: %s", idx, errmsg);
+ EVP_CIPHER_CTX_free(ctx);
+ return testresult;
+}
+
+typedef struct {
+ const unsigned char *input;
+ const unsigned char *expected;
+ size_t inlen;
+ size_t expectedlen;
+ int enc;
+} EVP_RESET_TEST_st;
+
+static const EVP_RESET_TEST_st evp_reset_tests[] = {
+ {
+ cfbPlaintext, cfbCiphertext,
+ sizeof(cfbPlaintext), sizeof(cfbCiphertext), 1
+ },
+ {
+ cfbCiphertext, cfbPlaintext,
+ sizeof(cfbCiphertext), sizeof(cfbPlaintext), 0
+ }
+};
+
+/*
+ * Test a reset of a cipher via EVP_CipherInit_ex after the cipher has already
+ * been used.
+ */
+static int test_evp_reset(int idx)
+{
+ const EVP_RESET_TEST_st *t = &evp_reset_tests[idx];
+ int outlen1, outlen2;
+ int testresult = 0;
+ unsigned char outbuf[1024];
+ EVP_CIPHER_CTX *ctx = NULL;
+ const EVP_CIPHER *type = NULL;
+ char *errmsg = NULL;
+
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) {
+ errmsg = "CTX_ALLOC";
+ goto err;
+ }
+ if (!TEST_ptr(type = EVP_get_cipherbyname("aes-128-cfb"))) {
+ errmsg = "GET_CIPHERBYNAME";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, kCFBDefaultKey, iCFBIV, t->enc))) {
+ errmsg = "CIPHER_INIT";
+ goto err;
+ }
+ if (!TEST_true(EVP_CIPHER_CTX_set_padding(ctx, 0))) {
+ errmsg = "PADDING";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
+ errmsg = "CIPHER_UPDATE";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
+ errmsg = "CIPHER_FINAL";
+ goto err;
+ }
+ if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
+ errmsg = "WRONG_RESULT";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, -1))) {
+ errmsg = "CIPHER_REINIT";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
+ errmsg = "CIPHER_UPDATE (reinit)";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
+ errmsg = "CIPHER_FINAL (reinit)";
+ goto err;
+ }
+ if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
+ errmsg = "WRONG_RESULT (reinit)";
+ goto err;
+ }
+ testresult = 1;
+ err:
+ if (errmsg != NULL)
+ TEST_info("test_evp_reset %d: %s", idx, errmsg);
+ EVP_CIPHER_CTX_free(ctx);
+ return testresult;
+}
+
+typedef struct {
+ const unsigned char *iv1;
+ const unsigned char *iv2;
+ const unsigned char *expected1;
+ const unsigned char *expected2;
+ const unsigned char *tag1;
+ const unsigned char *tag2;
+ size_t ivlen1;
+ size_t ivlen2;
+ size_t expectedlen1;
+ size_t expectedlen2;
+} TEST_GCM_IV_REINIT_st;
+
+static const TEST_GCM_IV_REINIT_st gcm_reinit_tests[] = {
+ {
+ iGCMResetIV1, iGCMResetIV2, gcmResetCiphertext1, gcmResetCiphertext2,
+ gcmResetTag1, gcmResetTag2, sizeof(iGCMResetIV1), sizeof(iGCMResetIV2),
+ sizeof(gcmResetCiphertext1), sizeof(gcmResetCiphertext2)
+ },
+ {
+ iGCMResetIV2, iGCMResetIV1, gcmResetCiphertext2, gcmResetCiphertext1,
+ gcmResetTag2, gcmResetTag1, sizeof(iGCMResetIV2), sizeof(iGCMResetIV1),
+ sizeof(gcmResetCiphertext2), sizeof(gcmResetCiphertext1)
+ }
+};
+
+static int test_gcm_reinit(int idx)
+{
+ int outlen1, outlen2, outlen3;
+ int testresult = 0;
+ unsigned char outbuf[1024];
+ unsigned char tag[16];
+ const TEST_GCM_IV_REINIT_st *t = &gcm_reinit_tests[idx];
+ EVP_CIPHER_CTX *ctx = NULL;
+ const EVP_CIPHER *type = NULL;
+ size_t taglen = sizeof(tag);
+ char *errmsg = NULL;
+
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) {
+ errmsg = "CTX_ALLOC";
+ goto err;
+ }
+ if (!TEST_ptr(type = EVP_get_cipherbyname("aes-256-gcm"))) {
+ errmsg = "GET_CIPHERBYNAME";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, NULL, NULL, 1))) {
+ errmsg = "ENC_INIT";
+ goto err;
+ }
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen1, NULL))) {
+ errmsg = "SET_IVLEN1";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, kGCMResetKey, t->iv1, 1))) {
+ errmsg = "SET_IV1";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherUpdate(ctx, NULL, &outlen3, gcmAAD, sizeof(gcmAAD)))) {
+ errmsg = "AAD1";
+ goto err;
+ }
+ EVP_CIPHER_CTX_set_padding(ctx, 0);
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, gcmResetPlaintext,
+ sizeof(gcmResetPlaintext)))) {
+ errmsg = "CIPHER_UPDATE1";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
+ errmsg = "CIPHER_FINAL1";
+ goto err;
+ }
+ if (!TEST_mem_eq(t->expected1, t->expectedlen1, outbuf, outlen1 + outlen2)) {
+ errmsg = "WRONG_RESULT1";
+ goto err;
+ }
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag))) {
+ errmsg = "GET_TAG1";
+ goto err;
+ }
+ if (!TEST_mem_eq(t->tag1, taglen, tag, taglen)) {
+ errmsg = "TAG_ERROR1";
+ goto err;
+ }
+ /* Now reinit */
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen2, NULL))) {
+ errmsg = "SET_IVLEN2";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, t->iv2, -1))) {
+ errmsg = "SET_IV2";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherUpdate(ctx, NULL, &outlen3, gcmAAD, sizeof(gcmAAD)))) {
+ errmsg = "AAD2";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, gcmResetPlaintext,
+ sizeof(gcmResetPlaintext)))) {
+ errmsg = "CIPHER_UPDATE2";
+ goto err;
+ }
+ if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
+ errmsg = "CIPHER_FINAL2";
+ goto err;
+ }
+ if (!TEST_mem_eq(t->expected2, t->expectedlen2, outbuf, outlen1 + outlen2)) {
+ errmsg = "WRONG_RESULT2";
+ goto err;
+ }
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag))) {
+ errmsg = "GET_TAG2";
+ goto err;
+ }
+ if (!TEST_mem_eq(t->tag2, taglen, tag, taglen)) {
+ errmsg = "TAG_ERROR2";
+ goto err;
+ }
+ testresult = 1;
+ err:
+ if (errmsg != NULL)
+ TEST_info("evp_init_test %d: %s", idx, errmsg);
+ EVP_CIPHER_CTX_free(ctx);
+ return testresult;
+}
+
+
+
static APK_DATA keydata[] = {
{kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), EVP_PKEY_RSA},
{kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8), EVP_PKEY_RSA},
@@ -1208,6 +1678,8 @@ int setup_tests(void)
#ifndef OPENSSL_NO_DH
ADD_TEST(test_EVP_PKEY_set1_DH);
#endif
-
+ ADD_ALL_TESTS(test_evp_init_seq, OSSL_NELEM(evp_init_tests));
+ ADD_ALL_TESTS(test_evp_reset, OSSL_NELEM(evp_reset_tests));
+ ADD_ALL_TESTS(test_gcm_reinit, OSSL_NELEM(gcm_reinit_tests));
return 1;
}
@ -1,381 +0,0 @@
diff -up openssl-1.1.1k/crypto/evp/e_aes.c.s390x-aes openssl-1.1.1k/crypto/evp/e_aes.c
--- openssl-1.1.1k/crypto/evp/e_aes.c.s390x-aes 2021-07-16 11:03:14.362127435 +0200
+++ openssl-1.1.1k/crypto/evp/e_aes.c 2021-07-16 15:00:42.531477251 +0200
@@ -1168,9 +1168,9 @@ typedef struct {
static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc);
-# define S390X_aes_128_cbc_CAPABLE 1 /* checked by callee */
-# define S390X_aes_192_cbc_CAPABLE 1
-# define S390X_aes_256_cbc_CAPABLE 1
+# define S390X_aes_128_cbc_CAPABLE 0 /* checked by callee */
+# define S390X_aes_192_cbc_CAPABLE 0
+# define S390X_aes_256_cbc_CAPABLE 0
# define S390X_AES_CBC_CTX EVP_AES_KEY
# define s390x_aes_cbc_init_key aes_init_key
@@ -1190,11 +1190,10 @@ static int s390x_aes_ecb_init_key(EVP_CI
S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
const int keylen = EVP_CIPHER_CTX_key_length(ctx);
- cctx->fc = S390X_AES_FC(keylen);
- if (!enc)
- cctx->fc |= S390X_DECRYPT;
+ cctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT);
- memcpy(cctx->km.param.k, key, keylen);
+ if (key != NULL)
+ memcpy(cctx->km.param.k, key, keylen);
return 1;
}
@@ -1222,14 +1221,17 @@ static int s390x_aes_ofb_init_key(EVP_CI
const unsigned char *ivec, int enc)
{
S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
- const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
+ const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx);
const int keylen = EVP_CIPHER_CTX_key_length(ctx);
const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
- memcpy(cctx->kmo.param.cv, iv, ivlen);
- memcpy(cctx->kmo.param.k, key, keylen);
cctx->fc = S390X_AES_FC(keylen);
+
+ if (key != NULL)
+ memcpy(cctx->kmo.param.k, key, keylen);
+
cctx->res = 0;
+ memcpy(cctx->kmo.param.cv, oiv, ivlen);
return 1;
}
@@ -1287,18 +1289,18 @@ static int s390x_aes_cfb_init_key(EVP_CI
const unsigned char *ivec, int enc)
{
S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
- const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
+ const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx);
const int keylen = EVP_CIPHER_CTX_key_length(ctx);
const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
- cctx->fc = S390X_AES_FC(keylen);
- cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */
- if (!enc)
- cctx->fc |= S390X_DECRYPT;
+ cctx->fc = S390X_AES_FC(keylen)| (enc ? 0 : S390X_DECRYPT)
+ | (16 << 24); /* 16 bytes cipher feedback */
+
+ if (key != NULL)
+ memcpy(cctx->kmf.param.k, key, keylen);
cctx->res = 0;
- memcpy(cctx->kmf.param.cv, iv, ivlen);
- memcpy(cctx->kmf.param.k, key, keylen);
+ memcpy(cctx->kmf.param.cv, oiv, ivlen);
return 1;
}
@@ -1360,17 +1362,18 @@ static int s390x_aes_cfb8_init_key(EVP_C
const unsigned char *ivec, int enc)
{
S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
- const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
+ const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx);
const int keylen = EVP_CIPHER_CTX_key_length(ctx);
const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
- cctx->fc = S390X_AES_FC(keylen);
- cctx->fc |= 1 << 24; /* 1 byte cipher feedback */
- if (!enc)
- cctx->fc |= S390X_DECRYPT;
+ cctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT)
+ | (1 << 24); /* 1 byte cipher feedback flag */
+
+ if (key != NULL)
+ memcpy(cctx->kmf.param.k, key, keylen);
- memcpy(cctx->kmf.param.cv, iv, ivlen);
- memcpy(cctx->kmf.param.k, key, keylen);
+ cctx->res = 0;
+ memcpy(cctx->kmf.param.cv, oiv, ivlen);
return 1;
}
@@ -1393,9 +1396,9 @@ static int s390x_aes_cfb8_cipher(EVP_CIP
static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len);
-# define S390X_aes_128_ctr_CAPABLE 1 /* checked by callee */
-# define S390X_aes_192_ctr_CAPABLE 1
-# define S390X_aes_256_ctr_CAPABLE 1
+# define S390X_aes_128_ctr_CAPABLE 0 /* checked by callee */
+# define S390X_aes_192_ctr_CAPABLE 0
+# define S390X_aes_256_ctr_CAPABLE 0
# define S390X_AES_CTR_CTX EVP_AES_KEY
# define s390x_aes_ctr_init_key aes_init_key
@@ -1563,8 +1566,7 @@ static int s390x_aes_gcm(S390X_AES_GCM_C
/*-
* Initialize context structure. Code is big-endian.
*/
-static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx,
- const unsigned char *iv)
+static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx)
{
ctx->kma.param.t.g[0] = 0;
ctx->kma.param.t.g[1] = 0;
@@ -1575,12 +1577,11 @@ static void s390x_aes_gcm_setiv(S390X_AE
ctx->kreslen = 0;
if (ctx->ivlen == 12) {
- memcpy(&ctx->kma.param.j0, iv, ctx->ivlen);
+ memcpy(&ctx->kma.param.j0, ctx->iv, ctx->ivlen);
ctx->kma.param.j0.w[3] = 1;
ctx->kma.param.cv.w = 1;
} else {
/* ctx->iv has the right size and is already padded. */
- memcpy(ctx->iv, iv, ctx->ivlen);
s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL,
ctx->fc, &ctx->kma.param);
ctx->fc |= S390X_KMA_HS;
@@ -1694,7 +1695,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER
if (gctx->iv_gen == 0 || gctx->key_set == 0)
return 0;
- s390x_aes_gcm_setiv(gctx, gctx->iv);
+ s390x_aes_gcm_setiv(gctx);
if (arg <= 0 || arg > gctx->ivlen)
arg = gctx->ivlen;
@@ -1714,7 +1715,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER
return 0;
memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
- s390x_aes_gcm_setiv(gctx, gctx->iv);
+ s390x_aes_gcm_setiv(gctx);
gctx->iv_set = 1;
return 1;
@@ -1770,43 +1771,35 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER
}
/*-
- * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
+ * Set key or iv or enc/dec. Returns 1 on success. Otherwise 0 is returned.
*/
static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx,
const unsigned char *key,
const unsigned char *iv, int enc)
{
S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
- int keylen;
+ const int keylen = EVP_CIPHER_CTX_key_length(ctx);
- if (iv == NULL && key == NULL)
- return 1;
+ gctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT);
if (key != NULL) {
- keylen = EVP_CIPHER_CTX_key_length(ctx);
+ gctx->fc &= ~S390X_KMA_HS;
memcpy(&gctx->kma.param.k, key, keylen);
-
- gctx->fc = S390X_AES_FC(keylen);
- if (!enc)
- gctx->fc |= S390X_DECRYPT;
-
- if (iv == NULL && gctx->iv_set)
- iv = gctx->iv;
-
- if (iv != NULL) {
- s390x_aes_gcm_setiv(gctx, iv);
- gctx->iv_set = 1;
- }
gctx->key_set = 1;
- } else {
- if (gctx->key_set)
- s390x_aes_gcm_setiv(gctx, iv);
- else
- memcpy(gctx->iv, iv, gctx->ivlen);
-
- gctx->iv_set = 1;
+ }
+ if (iv != NULL) {
+ memcpy(gctx->iv, iv, gctx->ivlen);
gctx->iv_gen = 0;
+ gctx->iv_set = 1;
}
+
+ if (gctx->key_set && gctx->iv_set)
+ s390x_aes_gcm_setiv(gctx);
+
+ gctx->fc &= ~(S390X_KMA_LPC | S390X_KMA_LAAD);
+ gctx->areslen = 0;
+ gctx->mreslen = 0;
+ gctx->kreslen = 0;
return 1;
}
@@ -1895,7 +1888,6 @@ static int s390x_aes_gcm_cipher(EVP_CIPH
/* recall that we already did en-/decrypt gctx->mres
* and returned it to caller... */
OPENSSL_cleanse(tmp, gctx->mreslen);
- gctx->iv_set = 0;
enc = EVP_CIPHER_CTX_encrypting(ctx);
if (enc) {
@@ -1929,8 +1921,8 @@ static int s390x_aes_gcm_cleanup(EVP_CIP
}
# define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
-# define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */
-# define S390X_aes_256_xts_CAPABLE 1
+# define S390X_aes_128_xts_CAPABLE 0 /* checked by callee */
+# define S390X_aes_256_xts_CAPABLE 0
# define s390x_aes_xts_init_key aes_xts_init_key
static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx,
@@ -2134,9 +2126,10 @@ static int s390x_aes_ccm_tls_cipher(EVP_
const unsigned char *in, size_t len)
{
S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
- unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
+ const unsigned char *ivec = EVP_CIPHER_CTX_iv(ctx);
unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
const int enc = EVP_CIPHER_CTX_encrypting(ctx);
+ unsigned char iv[EVP_MAX_IV_LENGTH];
if (out != in
|| len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m))
@@ -2152,8 +2145,9 @@ static int s390x_aes_ccm_tls_cipher(EVP_
* Get explicit iv (sequence number). We already have fixed iv
* (server/client_write_iv) here.
*/
- memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
- s390x_aes_ccm_setiv(cctx, ivec, len);
+ memcpy(iv, ivec, sizeof(iv));
+ memcpy(iv + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
+ s390x_aes_ccm_setiv(cctx, iv, len);
/* Process aad (sequence number|type|version|length) */
s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len);
@@ -2180,42 +2174,34 @@ static int s390x_aes_ccm_tls_cipher(EVP_
}
/*-
- * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
- * returned.
+ * Set key or iv or enc/dec. Returns 1 if successful.
+ * Otherwise 0 is returned.
*/
static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx,
const unsigned char *key,
const unsigned char *iv, int enc)
{
S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
- unsigned char *ivec;
- int keylen;
+ const int keylen = EVP_CIPHER_CTX_key_length(ctx);
+ unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
- if (iv == NULL && key == NULL)
- return 1;
+ cctx->aes.ccm.fc = S390X_AES_FC(keylen);
if (key != NULL) {
- keylen = EVP_CIPHER_CTX_key_length(ctx);
- cctx->aes.ccm.fc = S390X_AES_FC(keylen);
memcpy(cctx->aes.ccm.kmac_param.k, key, keylen);
-
- /* Store encoded m and l. */
- cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
- | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
- memset(cctx->aes.ccm.nonce.b + 1, 0,
- sizeof(cctx->aes.ccm.nonce.b));
- cctx->aes.ccm.blocks = 0;
-
cctx->aes.ccm.key_set = 1;
}
-
if (iv != NULL) {
- ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
memcpy(ivec, iv, 15 - cctx->aes.ccm.l);
-
cctx->aes.ccm.iv_set = 1;
}
+ /* Store encoded m and l. */
+ cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
+ | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
+ memset(cctx->aes.ccm.nonce.b + 1, 0, sizeof(cctx->aes.ccm.nonce.b) - 1);
+ cctx->aes.ccm.blocks = 0;
+ cctx->aes.ccm.len_set = 0;
return 1;
}
@@ -2230,8 +2216,9 @@ static int s390x_aes_ccm_cipher(EVP_CIPH
{
S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
const int enc = EVP_CIPHER_CTX_encrypting(ctx);
+ const unsigned char *ivec = EVP_CIPHER_CTX_iv(ctx);
+ unsigned char *buf;
int rv;
- unsigned char *buf, *ivec;
if (!cctx->aes.ccm.key_set)
return -1;
@@ -2253,7 +2240,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPH
if (out == NULL) {
/* Update(): Pass message length. */
if (in == NULL) {
- ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
s390x_aes_ccm_setiv(cctx, ivec, len);
cctx->aes.ccm.len_set = 1;
@@ -2279,7 +2265,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPH
* In case message length was not previously set explicitly via
* Update(), set it now.
*/
- ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
s390x_aes_ccm_setiv(cctx, ivec, len);
cctx->aes.ccm.len_set = 1;
@@ -2304,9 +2289,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPH
if (rv == -1)
OPENSSL_cleanse(out, len);
- cctx->aes.ccm.iv_set = 0;
- cctx->aes.ccm.tag_set = 0;
- cctx->aes.ccm.len_set = 0;
return rv;
}
}
@@ -2414,9 +2396,6 @@ static int s390x_aes_ccm_ctrl(EVP_CIPHER
return 0;
memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
- cctx->aes.ccm.tag_set = 0;
- cctx->aes.ccm.iv_set = 0;
- cctx->aes.ccm.len_set = 0;
return 1;
case EVP_CTRL_COPY:
@@ -2453,7 +2432,7 @@ static const EVP_CIPHER s390x_aes_##keyl
nid##_##keylen##_##nmode,blocksize, \
keylen / 8, \
ivlen, \
- flags | EVP_CIPH_##MODE##_MODE, \
+ flags | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_##MODE##_MODE, \
s390x_aes_##mode##_init_key, \
s390x_aes_##mode##_cipher, \
NULL, \
@@ -2490,7 +2469,7 @@ static const EVP_CIPHER s390x_aes_##keyl
blocksize, \
(EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * keylen / 8, \
ivlen, \
- flags | EVP_CIPH_##MODE##_MODE, \
+ flags | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_##MODE##_MODE, \
s390x_aes_##mode##_init_key, \
s390x_aes_##mode##_cipher, \
s390x_aes_##mode##_cleanup, \
@ -1,108 +0,0 @@
diff -up openssl-1.1.1k/ssl/statem/statem_lib.c.servername-cb openssl-1.1.1k/ssl/statem/statem_lib.c
--- openssl-1.1.1k/ssl/statem/statem_lib.c.servername-cb 2021-07-16 16:03:04.200024170 +0200
+++ openssl-1.1.1k/ssl/statem/statem_lib.c 2021-07-16 16:08:04.076630415 +0200
@@ -1504,8 +1504,8 @@ static int ssl_method_error(const SSL *s
/*
* Only called by servers. Returns 1 if the server has a TLSv1.3 capable
- * certificate type, or has PSK or a certificate callback configured, or has
- * a servername callback configured. Otherwise returns 0.
+ * certificate type, or has PSK or a certificate callback configured. Otherwise
+ * returns 0.
*/
static int is_tls13_capable(const SSL *s)
{
@@ -1515,17 +1515,6 @@ static int is_tls13_capable(const SSL *s
EC_KEY *eckey;
#endif
- if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
- return 0;
-
- /*
- * A servername callback can change the available certs, so if a servername
- * cb is set then we just assume TLSv1.3 will be ok
- */
- if (s->ctx->ext.servername_cb != NULL
- || s->session_ctx->ext.servername_cb != NULL)
- return 1;
-
#ifndef OPENSSL_NO_PSK
if (s->psk_server_callback != NULL)
return 1;
diff -up openssl-1.1.1k/test/sslapitest.c.servername-cb openssl-1.1.1k/test/sslapitest.c
--- openssl-1.1.1k/test/sslapitest.c.servername-cb 2021-07-16 16:08:20.094823046 +0200
+++ openssl-1.1.1k/test/sslapitest.c 2021-07-16 16:09:25.708612095 +0200
@@ -6658,62 +6658,6 @@ static int test_ssl_dup(void)
}
#endif
-#ifndef OPENSSL_NO_TLS1_3
-/*
- * Test that setting an SNI callback works with TLSv1.3. Specifically we check
- * that it works even without a certificate configured for the original
- * SSL_CTX
- */
-static int test_sni_tls13(void)
-{
- SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
- SSL *clientssl = NULL, *serverssl = NULL;
- int testresult = 0;
-
- /* Reset callback counter */
- snicb = 0;
-
- /* Create an initial SSL_CTX with no certificate configured */
- sctx = SSL_CTX_new(TLS_server_method());
- if (!TEST_ptr(sctx))
- goto end;
- /* Require TLSv1.3 as a minimum */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_3_VERSION, 0, &sctx2, &cctx, cert,
- privkey)))
- goto end;
-
- /* Set up SNI */
- if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
- || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
- goto end;
-
- /*
- * Connection should still succeed because the final SSL_CTX has the right
- * certificates configured.
- */
- if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
- &clientssl, NULL, NULL))
- || !TEST_true(create_ssl_connection(serverssl, clientssl,
- SSL_ERROR_NONE)))
- goto end;
-
- /* We should have had the SNI callback called exactly once */
- if (!TEST_int_eq(snicb, 1))
- goto end;
-
- testresult = 1;
-
-end:
- SSL_free(serverssl);
- SSL_free(clientssl);
- SSL_CTX_free(sctx2);
- SSL_CTX_free(sctx);
- SSL_CTX_free(cctx);
- return testresult;
-}
-#endif
-
int setup_tests(void)
{
if (!TEST_ptr(certsdir = test_get_argument(0))
@@ -6837,9 +6781,6 @@ int setup_tests(void)
#ifndef OPENSSL_NO_TLS1_2
ADD_TEST(test_ssl_dup);
#endif
-#ifndef OPENSSL_NO_TLS1_3
- ADD_TEST(test_sni_tls13);
-#endif
return 1;
}
@ -1,43 +0,0 @@
diff -up openssl-1.1.1g/ssl/ssl_local.h.tls13-curves openssl-1.1.1g/ssl/ssl_local.h
--- openssl-1.1.1g/ssl/ssl_local.h.tls13-curves 2021-04-26 17:11:17.851072025 +0200
+++ openssl-1.1.1g/ssl/ssl_local.h 2021-04-26 17:12:11.551756124 +0200
@@ -1517,6 +1517,7 @@ typedef struct tls_group_info_st {
# define TLS_CURVE_CHAR2 0x1
# define TLS_CURVE_CUSTOM 0x2
# define TLS_CURVE_FIPS 0x80
+# define TLS_CURVE_TLS1_3 0x100
typedef struct cert_pkey_st CERT_PKEY;
diff -up openssl-1.1.1g/ssl/t1_lib.c.tls13-curves openssl-1.1.1g/ssl/t1_lib.c
--- openssl-1.1.1g/ssl/t1_lib.c.tls13-curves 2021-04-26 17:11:30.237999157 +0200
+++ openssl-1.1.1g/ssl/t1_lib.c 2021-04-26 17:13:51.161170191 +0200
@@ -161,14 +161,14 @@ static const TLS_GROUP_INFO nid_list[] =
{NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
{NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */
{NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */
- {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */
- {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */
+ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp256r1 (23) */
+ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp384r1 (24) */
+ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp521r1 (25) */
{NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
{NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
{NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
- {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
- {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
+ {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM | TLS_CURVE_TLS1_3}, /* X25519 (29) */
+ {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM | TLS_CURVE_TLS1_3}, /* X448 (30) */
};
static const unsigned char ecformats_default[] = {
@@ -260,6 +260,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
# endif
if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))
return 0;
+ if (s->version >= TLS1_3_VERSION && !(cinfo->flags & TLS_CURVE_TLS1_3))
+ return 0;
ctmp[0] = curve >> 8;
ctmp[1] = curve & 0xff;
return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);


@ -1,17 +1,8 @@
diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf diff --git a/apps/ts.c b/apps/ts.c
--- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default 2020-11-06 11:07:28.850100899 +0100 index 63c5210183..4ef8a72eef 100644
+++ openssl-1.1.1h/apps/openssl.cnf 2020-11-06 11:11:28.042913791 +0100 --- a/apps/ts.c
@@ -364,5 +348,5 @@ tsa_name = yes # Must the TSA name be i +++ b/apps/ts.c
# (optional, default: no) @@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
-ess_cert_id_alg = sha1 # algorithm to compute certificate
+ess_cert_id_alg = sha256 # algorithm to compute certificate
# identifier (optional, default: sha1)
diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
--- openssl-1.1.1h/apps/ts.c.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
+++ openssl-1.1.1h/apps/ts.c 2020-11-06 11:07:28.883101220 +0100
@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
ASN1_OBJECT *policy_obj = NULL; ASN1_OBJECT *policy_obj = NULL;
ASN1_INTEGER *nonce_asn1 = NULL; ASN1_INTEGER *nonce_asn1 = NULL;
@ -20,22 +11,11 @@ diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
goto err; goto err;
if ((ts_req = TS_REQ_new()) == NULL) if ((ts_req = TS_REQ_new()) == NULL)
goto err; goto err;
diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
--- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default 2020-11-06 12:03:51.226372867 +0100 index 078905a845..83b8fe4350 100644
+++ openssl-1.1.1h/crypto/ts/ts_conf.c 2020-11-06 12:04:01.713488990 +0100 --- a/doc/man1/ts.pod
@@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF +++ b/doc/man1/ts.pod
const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG); @@ -517,7 +517,7 @@ included. Default is no. (Optional)
if (md == NULL)
- md = "sha1";
+ md = "sha256";
cert_md = EVP_get_digestbyname(md);
if (cert_md == NULL) {
diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
--- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
+++ openssl-1.1.1h/doc/man1/ts.pod 2020-11-06 11:07:28.883101220 +0100
@@ -518,7 +518,7 @@ included. Default is no. (Optional)
=item B<ess_cert_id_alg> =item B<ess_cert_id_alg>
This option specifies the hash function to be used to calculate the TSA's This option specifies the hash function to be used to calculate the TSA's
@ -44,7 +24,7 @@ diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man
=back =back
@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do. @@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do.
=head2 Time Stamp Request =head2 Time Stamp Request
@ -53,7 +33,7 @@ diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man
without nonce and policy and no certificate is required in the response: without nonce and policy and no certificate is required in the response:
openssl ts -query -data design1.txt -no_nonce \ openssl ts -query -data design1.txt -no_nonce \
@@ -546,12 +546,12 @@ To print the content of the previous req @@ -545,12 +545,12 @@ To print the content of the previous request in human readable format:
openssl ts -query -in design1.tsq -text openssl ts -query -in design1.tsq -text
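Review bot: On the new side this patch no longer carries the crypto/ts/ts_conf.c hunk, so the fallback in TS_CONF_set_ess_cert_id_digest stays `md = "sha1";` whenever a configuration omits `ess_cert_id_alg`; the old side's `+ md = "sha256";` and the matching `ess_cert_id_alg = sha256` line in apps/openssl.cnf are dropped together with it. The only code change retained is the apps/ts.c hunk at create_query, whose changed lines are collapsed in this view, so I cannot confirm from here whether it covers the config-driven path at all. If the intent is still a SHA-256 ESS certificate identifier by default, the ts_conf.c hunk is the one that governs responses built from a TSA config section, and it is the one worth keeping; if the narrower scope is deliberate, the patch header should say that only the `openssl ts -query` side changes so the remaining SHA-1 default is not mistaken for an oversight.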


@ -1,12 +1,12 @@
diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.1i/include/openssl/opensslv.h diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.1g/include/openssl/opensslv.h
--- openssl-1.1.1i/include/openssl/opensslv.h.version-override 2020-12-09 10:25:12.042374409 +0100 --- openssl-1.1.1g/include/openssl/opensslv.h.version-override 2020-04-23 13:29:37.802673513 +0200
+++ openssl-1.1.1i/include/openssl/opensslv.h 2020-12-09 10:26:00.362769170 +0100 +++ openssl-1.1.1g/include/openssl/opensslv.h 2020-04-23 13:30:13.064008458 +0200
@@ -40,7 +40,7 @@ extern "C" { @@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
# define OPENSSL_VERSION_NUMBER 0x101010bfL # define OPENSSL_VERSION_NUMBER 0x1010107fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k 25 Mar 2021" -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k FIPS 25 Mar 2021" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g FIPS 21 Apr 2020"
/*- /*-
* The macros below are to be used for shared library (.so, .dll, ...) * The macros below are to be used for shared library (.so, .dll, ...)


@ -21,8 +21,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.1k Version: 1.1.1g
Release: 14%{?dist} Release: 11%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -42,7 +42,8 @@ Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.1-defaults.patch Patch2: openssl-1.1.1-defaults.patch
Patch3: openssl-1.1.1-no-html.patch Patch3: openssl-1.1.1-no-html.patch
Patch4: openssl-1.1.1-man-rename.patch Patch4: openssl-1.1.1-man-rename.patch
# Bug fixes
Patch21: openssl-1.1.0-issuer-hash.patch
# Functionality changes # Functionality changes
Patch31: openssl-1.1.1-conf-paths.patch Patch31: openssl-1.1.1-conf-paths.patch
Patch32: openssl-1.1.1-version-add-engines.patch Patch32: openssl-1.1.1-version-add-engines.patch
@ -53,6 +54,7 @@ Patch38: openssl-1.1.1-no-weak-verify.patch
Patch40: openssl-1.1.1-sslv3-keep-abi.patch Patch40: openssl-1.1.1-sslv3-keep-abi.patch
Patch41: openssl-1.1.1-system-cipherlist.patch Patch41: openssl-1.1.1-system-cipherlist.patch
Patch42: openssl-1.1.1-fips.patch Patch42: openssl-1.1.1-fips.patch
Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.1-weak-ciphers.patch Patch45: openssl-1.1.1-weak-ciphers.patch
Patch46: openssl-1.1.1-seclevel.patch Patch46: openssl-1.1.1-seclevel.patch
@ -67,41 +69,14 @@ Patch62: openssl-1.1.1-fips-curves.patch
Patch65: openssl-1.1.1-fips-drbg-selftest.patch Patch65: openssl-1.1.1-fips-drbg-selftest.patch
Patch66: openssl-1.1.1-fips-dh.patch Patch66: openssl-1.1.1-fips-dh.patch
Patch67: openssl-1.1.1-kdf-selftest.patch Patch67: openssl-1.1.1-kdf-selftest.patch
Patch68: openssl-1.1.1-reneg-no-extms.patch
Patch69: openssl-1.1.1-alpn-cb.patch Patch69: openssl-1.1.1-alpn-cb.patch
Patch70: openssl-1.1.1-rewire-fips-drbg.patch Patch70: openssl-1.1.1-rewire-fips-drbg.patch
Patch76: openssl-1.1.1-cleanup-peer-point-reneg.patch
Patch77: openssl-1.1.1-s390x-aes.patch
Patch78: openssl-1.1.1-detected-addr-ipv6.patch
Patch79: openssl-1.1.1-servername-cb.patch
Patch80: openssl-1.1.1-s390x-aes-tests.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch52: openssl-1.1.1-s390x-update.patch Patch52: openssl-1.1.1-s390x-update.patch
Patch53: openssl-1.1.1-fips-crng-test.patch Patch53: openssl-1.1.1-fips-crng-test.patch
Patch55: openssl-1.1.1-arm-update.patch Patch55: openssl-1.1.1-arm-update.patch
Patch56: openssl-1.1.1-s390x-ecc.patch Patch56: openssl-1.1.1-s390x-ecc.patch
Patch74: openssl-1.1.1-addrconfig.patch
Patch75: openssl-1.1.1-tls13-curves.patch
Patch81: openssl-1.1.1-read-buff.patch
Patch82: openssl-1.1.1-cve-2022-0778.patch
Patch83: openssl-1.1.1-replace-expired-certs.patch
Patch84: openssl-1.1.1-cve-2022-1292.patch
Patch85: openssl-1.1.1-cve-2022-2068.patch
Patch86: openssl-1.1.1-cve-2022-2097.patch
#OpenSSL 1.1.1t CVEs
Patch101: openssl-1.1.1-cve-2022-4304-RSA-oracle.patch
Patch102: openssl-1.1.1-cve-2022-4450-PEM-bio.patch
Patch103: openssl-1.1.1-cve-2023-0215-BIO-UAF.patch
Patch104: openssl-1.1.1-cve-2023-0286-X400.patch
# OpenSSL 1.1.1v CVEs
Patch105: openssl-1.1.1-cve-2023-3446.patch
Patch106: openssl-1.1.1-cve-2023-3817.patch
Patch107: openssl-1.1.1-cve-2023-5678.patch
# Backport from OpenSSL 3.2/RHEL 9
# Proper fix for CVE-2020-25659
Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
# Backport from OpenSSL 3.2
# Fix for CVE-2024-5535
Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
License: OpenSSL and ASL 2.0 License: OpenSSL and ASL 2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
@ -185,6 +160,8 @@ cp %{SOURCE13} test/
%patch3 -p1 -b .no-html %{?_rawbuild} %patch3 -p1 -b .no-html %{?_rawbuild}
%patch4 -p1 -b .man-rename %patch4 -p1 -b .man-rename
%patch21 -p1 -b .issuer-hash
%patch31 -p1 -b .conf-paths %patch31 -p1 -b .conf-paths
%patch32 -p1 -b .version-add-engines %patch32 -p1 -b .version-add-engines
%patch33 -p1 -b .dgst %patch33 -p1 -b .dgst
@ -194,6 +171,7 @@ cp %{SOURCE13} test/
%patch40 -p1 -b .sslv3-abi %patch40 -p1 -b .sslv3-abi
%patch41 -p1 -b .system-cipherlist %patch41 -p1 -b .system-cipherlist
%patch42 -p1 -b .fips %patch42 -p1 -b .fips
%patch43 -p1 -b .ignore-bound
%patch44 -p1 -b .version-override %patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers %patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .seclevel %patch46 -p1 -b .seclevel
@ -212,30 +190,10 @@ cp %{SOURCE13} test/
%patch65 -p1 -b .drbg-selftest %patch65 -p1 -b .drbg-selftest
%patch66 -p1 -b .fips-dh %patch66 -p1 -b .fips-dh
%patch67 -p1 -b .kdf-selftest %patch67 -p1 -b .kdf-selftest
%patch68 -p1 -b .reneg-no-extms
%patch69 -p1 -b .alpn-cb %patch69 -p1 -b .alpn-cb
%patch70 -p1 -b .rewire-fips-drbg %patch70 -p1 -b .rewire-fips-drbg
%patch74 -p1 -b .addrconfig
%patch75 -p1 -b .tls13-curves
%patch76 -p1 -b .cleanup-reneg
%patch77 -p1 -b .s390x-aes
%patch78 -p1 -b .addr-ipv6
%patch79 -p1 -b .servername-cb
%patch80 -p1 -b .s390x-test-aes
%patch81 -p1 -b .read-buff
%patch82 -p1 -b .cve-2022-0778
%patch83 -p1 -b .replace-expired-certs
%patch84 -p1 -b .cve-2022-1292
%patch85 -p1 -b .cve-2022-2068
%patch86 -p1 -b .cve-2022-2097
%patch101 -p1 -b .cve-2022-4304
%patch102 -p1 -b .cve-2022-4450
%patch103 -p1 -b .cve-2023-0215
%patch104 -p1 -b .cve-2023-0286
%patch105 -p1 -b .cve-2023-3446
%patch106 -p1 -b .cve-2023-3817
%patch107 -p1 -b .cve-2023-5678
%patch108 -p1 -b .pkcs15imprejection
%patch109 -p1 -b .cve-2024-5535
%build %build
# Figure out which flags we want to use. # Figure out which flags we want to use.
@ -519,101 +477,6 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Tue Sep 17 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-14
- Backport fix SSL_select_next proto from OpenSSL 3.2
Fix CVE-2024-5535
Resolves: RHEL-45654
* Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
(a proper fix for CVE-2020-25659)
Resolves: RHEL-17694
* Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
- Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow
Resolves: RHEL-16536
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
- Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
Resolves: RHEL-14243
- Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
Resolves: RHEL-14237
* Thu May 04 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
- Fixed Timing Oracle in RSA Decryption
Resolves: CVE-2022-4304
- Fixed Double free after calling PEM_read_bio_ex
Resolves: CVE-2022-4450
- Fixed Use-after-free following BIO_new_NDEF
Resolves: CVE-2023-0215
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
- Fixed X.400 address type confusion in X.509 GeneralName
Resolves: CVE-2023-0286
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
Resolves: CVE-2022-2097
- Update expired certificates used in the testsuite
Resolves: rhbz#2100554
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection
Resolves: rhbz#2090371
- Fix CVE-2022-2068: the c_rehash script allows command injection
Resolves: rhbz#2098278
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
- Resolves: rhbz#2067145
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
- Resolves: rhbz#2005402
* Fri Jul 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-4
- Fixes bugs in s390x AES code.
- Uses the first detected address family if IPv6 is not available
- Reverts the changes in https://github.com/openssl/openssl/pull/13305
as it introduces a regression if server has a DSA key pair, the handshake fails
when the protocol is not explicitly set to TLS 1.2. However, if the patch is reverted,
it has an effect on the "ssl_reject_handshake" feature in nginx. Although, this feature
will continue to work, TLS 1.3 protocol becomes unavailable/disabled. This is already
known - https://trac.nginx.org/nginx/ticket/2071#comment:1
As per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938, nginx
could early callback instead of servername callback.
- Resolves: rhbz#1978214
- Related: rhbz#1934534
* Thu Jun 24 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-3
- Cleansup the peer point formats on renegotiation
- Resolves rhbz#1965362
* Wed Jun 23 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-2
- Fixes FIPS_selftest to work in FIPS mode. Resolves: rhbz#1940085
- Using safe primes for FIPS DH self-test
* Mon May 24 2021 Sahana Prasad <sahana@redhat.com> 1.1.1k-1
- Update to version 1.1.1k
* Mon Apr 26 2021 Daiki Ueno <dueno@redhat.com> 1.1.1g-16
- Use AI_ADDRCONFIG only when explicit host name is given
- Allow only curves defined in RFC 8446 in TLS 1.3
* Fri Apr 16 2021 Dmitry Belyavski <dbelyavs@redhat.com> 1.1.1g-15
- Remove 2-key 3DES test from FIPS_selftest
* Mon Mar 29 2021 Sahana Prasad <sahana@redhat.com> 1.1.1g-14
- Fix CVE-2021-3450 openssl: CA certificate check bypass with
X509_V_FLAG_X509_STRICT
- Fix CVE-2021-3449 NULL pointer deref in signature_algorithms processing
* Fri Dec 4 2020 Sahana Prasad <sahana@redhat.com> 1.1.1g-13
- Fix CVE-2020-1971 ediparty null pointer dereference
* Fri Oct 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-12
- Implemented new FIPS requirements in regards to KDF and DH selftests
- Disallow certificates with explicit EC parameters
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-11 * Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-11
- Further changes for SP 800-56A rev3 requirements - Further changes for SP 800-56A rev3 requirements