Compare commits
No commits in common. "c9" and "c8" have entirely different histories.
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/openssl-3.2.2.tar.gz
|
SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
||||||
|
@ -1 +1 @@
|
|||||||
b12311372a0277ca0eb218a68a7fd9f5ce66d162 SOURCES/openssl-3.2.2.tar.gz
|
6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
||||||
|
@ -1,33 +0,0 @@
|
|||||||
From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Thu, 24 Sep 2020 09:01:41 +0200
|
|
||||||
Subject: Aarch64 and ppc64le use lib64
|
|
||||||
|
|
||||||
(Was openssl-1.1.1-build.patch)
|
|
||||||
---
|
|
||||||
Configurations/10-main.conf | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
|
|
||||||
index d7580bf3e1..a7dbfd7f40 100644
|
|
||||||
--- a/Configurations/10-main.conf
|
|
||||||
+++ b/Configurations/10-main.conf
|
|
||||||
@@ -723,6 +723,7 @@ my %targets = (
|
|
||||||
lib_cppflags => add("-DL_ENDIAN"),
|
|
||||||
asm_arch => 'ppc64',
|
|
||||||
perlasm_scheme => "linux64le",
|
|
||||||
+ multilib => "64",
|
|
||||||
},
|
|
||||||
|
|
||||||
"linux-armv4" => {
|
|
||||||
@@ -765,6 +766,7 @@ my %targets = (
|
|
||||||
inherit_from => [ "linux-generic64" ],
|
|
||||||
asm_arch => 'aarch64',
|
|
||||||
perlasm_scheme => "linux64",
|
|
||||||
+ multilib => "64",
|
|
||||||
},
|
|
||||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
|
||||||
inherit_from => [ "linux-generic32" ],
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
|||||||
From 3d5755df8d09ca841c0aca2d7344db060f6cc97f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Thu, 24 Sep 2020 09:05:55 +0200
|
|
||||||
Subject: Do not install html docs
|
|
||||||
|
|
||||||
(was openssl-1.1.1-no-html.patch)
|
|
||||||
---
|
|
||||||
Configurations/unix-Makefile.tmpl | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
|
|
||||||
index 342e46d24d..9f369edf0e 100644
|
|
||||||
--- a/Configurations/unix-Makefile.tmpl
|
|
||||||
+++ b/Configurations/unix-Makefile.tmpl
|
|
||||||
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime
|
|
||||||
|
|
||||||
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries
|
|
||||||
|
|
||||||
-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation
|
|
||||||
+install_docs: install_man_docs ## Install manpages
|
|
||||||
|
|
||||||
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
|
|
||||||
$(RM) -r "$(DESTDIR)$(DOCDIR)"
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,78 +0,0 @@
|
|||||||
From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Thu, 24 Sep 2020 09:17:26 +0200
|
|
||||||
Subject: Override default paths for the CA directory tree
|
|
||||||
|
|
||||||
Also add default section to load crypto-policies configuration
|
|
||||||
for TLS.
|
|
||||||
|
|
||||||
It needs to be reverted before running tests.
|
|
||||||
|
|
||||||
(was openssl-1.1.1-conf-paths.patch)
|
|
||||||
---
|
|
||||||
apps/CA.pl.in | 2 +-
|
|
||||||
apps/openssl.cnf | 20 ++++++++++++++++++--
|
|
||||||
2 files changed, 19 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
|
|
||||||
index c0afb96716..d6a5fabd16 100644
|
|
||||||
--- a/apps/CA.pl.in
|
|
||||||
+++ b/apps/CA.pl.in
|
|
||||||
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
|
|
||||||
my $PKCS12 = "$openssl pkcs12";
|
|
||||||
|
|
||||||
# Default values for various configuration settings.
|
|
||||||
-my $CATOP = "./demoCA";
|
|
||||||
+my $CATOP = "/etc/pki/CA";
|
|
||||||
my $CAKEY = "cakey.pem";
|
|
||||||
my $CAREQ = "careq.pem";
|
|
||||||
my $CACERT = "cacert.pem";
|
|
||||||
diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
|
|
||||||
--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
|
|
||||||
+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
|
|
||||||
@@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7
|
|
||||||
|
|
||||||
[openssl_init]
|
|
||||||
providers = provider_sect
|
|
||||||
+# Load default TLS policy configuration
|
|
||||||
+ssl_conf = ssl_module
|
|
||||||
+alg_section = evp_properties
|
|
||||||
+
|
|
||||||
+[ evp_properties ]
|
|
||||||
+#This section is intentionally added empty here
|
|
||||||
+#to be tuned on particular systems
|
|
||||||
|
|
||||||
# List of providers to load
|
|
||||||
[provider_sect]
|
|
||||||
@@ -64,6 +66,13 @@ default = default_sect
|
|
||||||
[default_sect]
|
|
||||||
# activate = 1
|
|
||||||
|
|
||||||
+[ ssl_module ]
|
|
||||||
+
|
|
||||||
+system_default = crypto_policy
|
|
||||||
+
|
|
||||||
+[ crypto_policy ]
|
|
||||||
+
|
|
||||||
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
|
||||||
|
|
||||||
####################################################################
|
|
||||||
[ ca ]
|
|
||||||
@@ -72,7 +81,7 @@ default_ca = CA_default # The default c
|
|
||||||
####################################################################
|
|
||||||
[ CA_default ]
|
|
||||||
|
|
||||||
-dir = ./demoCA # Where everything is kept
|
|
||||||
+dir = /etc/pki/CA # Where everything is kept
|
|
||||||
certs = $dir/certs # Where the issued certs are kept
|
|
||||||
crl_dir = $dir/crl # Where the issued crl are kept
|
|
||||||
database = $dir/index.txt # database index file.
|
|
||||||
@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default
|
|
||||||
[ tsa_config1 ]
|
|
||||||
|
|
||||||
# These are used by the TSA reply generation only.
|
|
||||||
-dir = ./demoCA # TSA root directory
|
|
||||||
+dir = /etc/pki/CA # TSA root directory
|
|
||||||
serial = $dir/tsaserial # The current serial number (mandatory)
|
|
||||||
crypto_device = builtin # OpenSSL engine to use for signing
|
|
||||||
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
|
@ -1,28 +0,0 @@
|
|||||||
From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Thu, 24 Sep 2020 09:27:18 +0200
|
|
||||||
Subject: apps/ca: fix md option help text
|
|
||||||
|
|
||||||
upstreamable
|
|
||||||
|
|
||||||
(was openssl-1.1.1-apps-dgst.patch)
|
|
||||||
---
|
|
||||||
apps/ca.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/apps/ca.c b/apps/ca.c
|
|
||||||
index 0f21b4fa1c..3d4b2c1673 100755
|
|
||||||
--- a/apps/ca.c
|
|
||||||
+++ b/apps/ca.c
|
|
||||||
@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
|
|
||||||
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
|
|
||||||
|
|
||||||
OPT_SECTION("Signing"),
|
|
||||||
- {"md", OPT_MD, 's', "Digest to use, such as sha256"},
|
|
||||||
+ {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
|
|
||||||
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
|
|
||||||
{"keyform", OPT_KEYFORM, 'f',
|
|
||||||
"Private key file format (ENGINE, other values ignored)"},
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,29 +0,0 @@
|
|||||||
From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Thu, 24 Sep 2020 09:51:34 +0200
|
|
||||||
Subject: Disable signature verification with totally unsafe hash algorithms
|
|
||||||
|
|
||||||
(was openssl-1.1.1-no-weak-verify.patch)
|
|
||||||
---
|
|
||||||
crypto/asn1/a_verify.c | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
|
|
||||||
index b7eed914b0..af62f0ef08 100644
|
|
||||||
--- a/crypto/asn1/a_verify.c
|
|
||||||
+++ b/crypto/asn1/a_verify.c
|
|
||||||
@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
|
|
||||||
ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
|
|
||||||
if (ret <= 1)
|
|
||||||
goto err;
|
|
||||||
+ } else if ((mdnid == NID_md5
|
|
||||||
+ && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
|
|
||||||
+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
|
|
||||||
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
|
||||||
+ goto err;
|
|
||||||
} else {
|
|
||||||
const EVP_MD *type = NULL;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,77 +0,0 @@
|
|||||||
From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Thu, 26 Nov 2020 14:00:16 +0100
|
|
||||||
Subject: Add FIPS_mode() compatibility macro
|
|
||||||
|
|
||||||
The macro calls EVP_default_properties_is_fips_enabled() on the
|
|
||||||
default context.
|
|
||||||
---
|
|
||||||
include/openssl/crypto.h.in | 1 +
|
|
||||||
include/openssl/fips.h | 25 +++++++++++++++++++++++++
|
|
||||||
test/property_test.c | 13 +++++++++++++
|
|
||||||
3 files changed, 39 insertions(+)
|
|
||||||
create mode 100644 include/openssl/fips.h
|
|
||||||
|
|
||||||
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..c64f0f8e8f
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/include/openssl/fips.h
|
|
||||||
@@ -0,0 +1,26 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+ *
|
|
||||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+ * this file except in compliance with the License. You can obtain a copy
|
|
||||||
+ * in the file LICENSE in the source distribution or at
|
|
||||||
+ * https://www.openssl.org/source/license.html
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_FIPS_H
|
|
||||||
+# define OPENSSL_FIPS_H
|
|
||||||
+# pragma once
|
|
||||||
+
|
|
||||||
+# include <openssl/evp.h>
|
|
||||||
+# include <openssl/macros.h>
|
|
||||||
+
|
|
||||||
+# ifdef __cplusplus
|
|
||||||
+extern "C" {
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
|
|
||||||
+
|
|
||||||
+# ifdef __cplusplus
|
|
||||||
+}
|
|
||||||
+# endif
|
|
||||||
+#endif
|
|
||||||
diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c
|
|
||||||
--- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200
|
|
||||||
+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200
|
|
||||||
@@ -488,6 +488,19 @@ static int test_property_list_to_string(
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+static int test_downstream_FIPS_mode(void)
|
|
||||||
+{
|
|
||||||
+ int ret = 0;
|
|
||||||
+
|
|
||||||
+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
|
|
||||||
+ && TEST_true(FIPS_mode())
|
|
||||||
+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
|
|
||||||
+ && TEST_false(FIPS_mode());
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int setup_tests(void)
|
|
||||||
{
|
|
||||||
ADD_TEST(test_property_string);
|
|
||||||
@@ -500,6 +512,7 @@ int setup_tests(void)
|
|
||||||
ADD_TEST(test_property);
|
|
||||||
ADD_TEST(test_query_cache_stochastic);
|
|
||||||
ADD_TEST(test_fips_mode);
|
|
||||||
+ ADD_TEST(test_downstream_FIPS_mode);
|
|
||||||
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
|
|
||||||
return 1;
|
|
||||||
}
|
|
@ -1,86 +0,0 @@
|
|||||||
From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Mon, 31 Jul 2023 09:41:27 +0200
|
|
||||||
Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
|
||||||
|
|
||||||
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
|
||||||
Patch-id: 9
|
|
||||||
Patch-status: |
|
|
||||||
# Add check to see if fips flag is enabled in kernel
|
|
||||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
|
||||||
---
|
|
||||||
crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++
|
|
||||||
include/internal/provider.h | 3 +++
|
|
||||||
2 files changed, 39 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/crypto/context.c b/crypto/context.c
|
|
||||||
index e294ea1512..51002ba79a 100644
|
|
||||||
--- a/crypto/context.c
|
|
||||||
+++ b/crypto/context.c
|
|
||||||
@@ -16,6 +16,41 @@
|
|
||||||
#include "crypto/decoder.h"
|
|
||||||
#include "crypto/context.h"
|
|
||||||
|
|
||||||
+# include <sys/types.h>
|
|
||||||
+# include <sys/stat.h>
|
|
||||||
+# include <fcntl.h>
|
|
||||||
+# include <unistd.h>
|
|
||||||
+# include <openssl/evp.h>
|
|
||||||
+
|
|
||||||
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
|
||||||
+
|
|
||||||
+static int kernel_fips_flag;
|
|
||||||
+
|
|
||||||
+static void read_kernel_fips_flag(void)
|
|
||||||
+{
|
|
||||||
+ char buf[2] = "0";
|
|
||||||
+ int fd;
|
|
||||||
+
|
|
||||||
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
|
||||||
+ buf[0] = '1';
|
|
||||||
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
|
||||||
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
|
||||||
+ close(fd);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (buf[0] == '1') {
|
|
||||||
+ kernel_fips_flag = 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int ossl_get_kernel_fips_flag()
|
|
||||||
+{
|
|
||||||
+ return kernel_fips_flag;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
struct ossl_lib_ctx_st {
|
|
||||||
CRYPTO_RWLOCK *lock, *rand_crngt_lock;
|
|
||||||
OSSL_EX_DATA_GLOBAL global;
|
|
||||||
@@ -336,6 +371,7 @@ static int default_context_inited = 0;
|
|
||||||
|
|
||||||
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
|
|
||||||
{
|
|
||||||
+ read_kernel_fips_flag();
|
|
||||||
if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
diff --git a/include/internal/provider.h b/include/internal/provider.h
|
|
||||||
index 18937f84c7..1446bf7afb 100644
|
|
||||||
--- a/include/internal/provider.h
|
|
||||||
+++ b/include/internal/provider.h
|
|
||||||
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
|
|
||||||
const OSSL_DISPATCH *in);
|
|
||||||
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
|
|
||||||
|
|
||||||
+/* FIPS flag access */
|
|
||||||
+int ossl_get_kernel_fips_flag(void);
|
|
||||||
+
|
|
||||||
# ifdef __cplusplus
|
|
||||||
}
|
|
||||||
# endif
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,279 +0,0 @@
|
|||||||
From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
||||||
Date: Mon, 21 Aug 2023 11:46:40 +0200
|
|
||||||
Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
|
|
||||||
|
|
||||||
Patch-name: 0011-Remove-EC-curves.patch
|
|
||||||
Patch-id: 11
|
|
||||||
Patch-status: |
|
|
||||||
# remove unsupported EC curves
|
|
||||||
---
|
|
||||||
apps/speed.c | 8 +---
|
|
||||||
crypto/evp/ec_support.c | 87 ------------------------------------
|
|
||||||
test/acvp_test.inc | 9 ----
|
|
||||||
test/ecdsatest.h | 17 -------
|
|
||||||
test/recipes/15-test_genec.t | 27 -----------
|
|
||||||
5 files changed, 1 insertion(+), 147 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/apps/speed.c b/apps/speed.c
|
|
||||||
index cace25eda1..d527f12f18 100644
|
|
||||||
--- a/apps/speed.c
|
|
||||||
+++ b/apps/speed.c
|
|
||||||
@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
|
|
||||||
#endif /* OPENSSL_NO_DH */
|
|
||||||
|
|
||||||
enum ec_curves_t {
|
|
||||||
- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
|
|
||||||
+ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
|
|
||||||
#ifndef OPENSSL_NO_EC2M
|
|
||||||
R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
|
|
||||||
R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
|
|
||||||
@@ -395,8 +395,6 @@ enum ec_curves_t {
|
|
||||||
};
|
|
||||||
/* list of ecdsa curves */
|
|
||||||
static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
|
|
||||||
- {"ecdsap160", R_EC_P160},
|
|
||||||
- {"ecdsap192", R_EC_P192},
|
|
||||||
{"ecdsap224", R_EC_P224},
|
|
||||||
{"ecdsap256", R_EC_P256},
|
|
||||||
{"ecdsap384", R_EC_P384},
|
|
||||||
@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
|
|
||||||
};
|
|
||||||
/* list of ecdh curves, extension of |ecdsa_choices| list above */
|
|
||||||
static const OPT_PAIR ecdh_choices[EC_NUM] = {
|
|
||||||
- {"ecdhp160", R_EC_P160},
|
|
||||||
- {"ecdhp192", R_EC_P192},
|
|
||||||
{"ecdhp224", R_EC_P224},
|
|
||||||
{"ecdhp256", R_EC_P256},
|
|
||||||
{"ecdhp384", R_EC_P384},
|
|
||||||
@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv)
|
|
||||||
*/
|
|
||||||
static const EC_CURVE ec_curves[EC_NUM] = {
|
|
||||||
/* Prime Curves */
|
|
||||||
- {"secp160r1", NID_secp160r1, 160},
|
|
||||||
- {"nistp192", NID_X9_62_prime192v1, 192},
|
|
||||||
{"nistp224", NID_secp224r1, 224},
|
|
||||||
{"nistp256", NID_X9_62_prime256v1, 256},
|
|
||||||
{"nistp384", NID_secp384r1, 384},
|
|
||||||
diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
|
|
||||||
index 1ec10143d2..82b95294b4 100644
|
|
||||||
--- a/crypto/evp/ec_support.c
|
|
||||||
+++ b/crypto/evp/ec_support.c
|
|
||||||
@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
|
|
||||||
static const EC_NAME2NID curve_list[] = {
|
|
||||||
/* prime field curves */
|
|
||||||
/* secg curves */
|
|
||||||
- {"secp112r1", NID_secp112r1 },
|
|
||||||
- {"secp112r2", NID_secp112r2 },
|
|
||||||
- {"secp128r1", NID_secp128r1 },
|
|
||||||
- {"secp128r2", NID_secp128r2 },
|
|
||||||
- {"secp160k1", NID_secp160k1 },
|
|
||||||
- {"secp160r1", NID_secp160r1 },
|
|
||||||
- {"secp160r2", NID_secp160r2 },
|
|
||||||
- {"secp192k1", NID_secp192k1 },
|
|
||||||
- {"secp224k1", NID_secp224k1 },
|
|
||||||
{"secp224r1", NID_secp224r1 },
|
|
||||||
{"secp256k1", NID_secp256k1 },
|
|
||||||
{"secp384r1", NID_secp384r1 },
|
|
||||||
{"secp521r1", NID_secp521r1 },
|
|
||||||
/* X9.62 curves */
|
|
||||||
- {"prime192v1", NID_X9_62_prime192v1 },
|
|
||||||
- {"prime192v2", NID_X9_62_prime192v2 },
|
|
||||||
- {"prime192v3", NID_X9_62_prime192v3 },
|
|
||||||
- {"prime239v1", NID_X9_62_prime239v1 },
|
|
||||||
- {"prime239v2", NID_X9_62_prime239v2 },
|
|
||||||
- {"prime239v3", NID_X9_62_prime239v3 },
|
|
||||||
{"prime256v1", NID_X9_62_prime256v1 },
|
|
||||||
/* characteristic two field curves */
|
|
||||||
/* NIST/SECG curves */
|
|
||||||
- {"sect113r1", NID_sect113r1 },
|
|
||||||
- {"sect113r2", NID_sect113r2 },
|
|
||||||
- {"sect131r1", NID_sect131r1 },
|
|
||||||
- {"sect131r2", NID_sect131r2 },
|
|
||||||
- {"sect163k1", NID_sect163k1 },
|
|
||||||
- {"sect163r1", NID_sect163r1 },
|
|
||||||
- {"sect163r2", NID_sect163r2 },
|
|
||||||
- {"sect193r1", NID_sect193r1 },
|
|
||||||
- {"sect193r2", NID_sect193r2 },
|
|
||||||
- {"sect233k1", NID_sect233k1 },
|
|
||||||
- {"sect233r1", NID_sect233r1 },
|
|
||||||
- {"sect239k1", NID_sect239k1 },
|
|
||||||
- {"sect283k1", NID_sect283k1 },
|
|
||||||
- {"sect283r1", NID_sect283r1 },
|
|
||||||
- {"sect409k1", NID_sect409k1 },
|
|
||||||
- {"sect409r1", NID_sect409r1 },
|
|
||||||
- {"sect571k1", NID_sect571k1 },
|
|
||||||
- {"sect571r1", NID_sect571r1 },
|
|
||||||
- /* X9.62 curves */
|
|
||||||
- {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
|
|
||||||
- {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
|
|
||||||
- {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
|
|
||||||
- {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
|
|
||||||
- {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
|
|
||||||
- {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
|
|
||||||
- {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
|
|
||||||
- {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
|
|
||||||
- {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
|
|
||||||
- {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
|
|
||||||
- {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
|
|
||||||
- {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
|
|
||||||
- {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
|
|
||||||
- {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
|
|
||||||
- {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
|
|
||||||
- {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
|
|
||||||
- /*
|
|
||||||
- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
|
|
||||||
- * from X9.62]
|
|
||||||
- */
|
|
||||||
- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
|
|
||||||
- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
|
|
||||||
- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
|
|
||||||
- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
|
|
||||||
- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
|
|
||||||
- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
|
|
||||||
- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
|
|
||||||
- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
|
|
||||||
- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
|
|
||||||
- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
|
|
||||||
- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
|
|
||||||
- /* IPSec curves */
|
|
||||||
- {"Oakley-EC2N-3", NID_ipsec3 },
|
|
||||||
- {"Oakley-EC2N-4", NID_ipsec4 },
|
|
||||||
/* brainpool curves */
|
|
||||||
- {"brainpoolP160r1", NID_brainpoolP160r1 },
|
|
||||||
- {"brainpoolP160t1", NID_brainpoolP160t1 },
|
|
||||||
- {"brainpoolP192r1", NID_brainpoolP192r1 },
|
|
||||||
- {"brainpoolP192t1", NID_brainpoolP192t1 },
|
|
||||||
- {"brainpoolP224r1", NID_brainpoolP224r1 },
|
|
||||||
- {"brainpoolP224t1", NID_brainpoolP224t1 },
|
|
||||||
{"brainpoolP256r1", NID_brainpoolP256r1 },
|
|
||||||
{"brainpoolP256t1", NID_brainpoolP256t1 },
|
|
||||||
{"brainpoolP320r1", NID_brainpoolP320r1 },
|
|
||||||
@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = {
|
|
||||||
{"brainpoolP384t1", NID_brainpoolP384t1 },
|
|
||||||
{"brainpoolP512r1", NID_brainpoolP512r1 },
|
|
||||||
{"brainpoolP512t1", NID_brainpoolP512t1 },
|
|
||||||
- /* SM2 curve */
|
|
||||||
- {"SM2", NID_sm2 },
|
|
||||||
};
|
|
||||||
|
|
||||||
const char *OSSL_EC_curve_nid2name(int nid)
|
|
||||||
@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name)
|
|
||||||
/* Functions to translate between common NIST curve names and NIDs */
|
|
||||||
|
|
||||||
static const EC_NAME2NID nist_curves[] = {
|
|
||||||
- {"B-163", NID_sect163r2},
|
|
||||||
- {"B-233", NID_sect233r1},
|
|
||||||
- {"B-283", NID_sect283r1},
|
|
||||||
- {"B-409", NID_sect409r1},
|
|
||||||
- {"B-571", NID_sect571r1},
|
|
||||||
- {"K-163", NID_sect163k1},
|
|
||||||
- {"K-233", NID_sect233k1},
|
|
||||||
- {"K-283", NID_sect283k1},
|
|
||||||
- {"K-409", NID_sect409k1},
|
|
||||||
- {"K-571", NID_sect571k1},
|
|
||||||
- {"P-192", NID_X9_62_prime192v1},
|
|
||||||
{"P-224", NID_secp224r1},
|
|
||||||
{"P-256", NID_X9_62_prime256v1},
|
|
||||||
{"P-384", NID_secp384r1},
|
|
||||||
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
|
|
||||||
index ad11d3ae1e..894a0bff9d 100644
|
|
||||||
--- a/test/acvp_test.inc
|
|
||||||
+++ b/test/acvp_test.inc
|
|
||||||
@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = {
|
|
||||||
0xB1, 0xAC,
|
|
||||||
};
|
|
||||||
static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
|
|
||||||
- {
|
|
||||||
- "SHA-1",
|
|
||||||
- "P-192",
|
|
||||||
- ITM(ecdsa_sigver_msg0),
|
|
||||||
- ITM(ecdsa_sigver_pub0),
|
|
||||||
- ITM(ecdsa_sigver_r0),
|
|
||||||
- ITM(ecdsa_sigver_s0),
|
|
||||||
- PASS,
|
|
||||||
- },
|
|
||||||
{
|
|
||||||
"SHA2-512",
|
|
||||||
"P-521",
|
|
||||||
diff --git a/test/ecdsatest.h b/test/ecdsatest.h
|
|
||||||
index 63fe319025..06b5c0aac5 100644
|
|
||||||
--- a/test/ecdsatest.h
|
|
||||||
+++ b/test/ecdsatest.h
|
|
||||||
@@ -32,23 +32,6 @@ typedef struct {
|
|
||||||
} ecdsa_cavs_kat_t;
|
|
||||||
|
|
||||||
static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
|
|
||||||
- /* prime KATs from X9.62 */
|
|
||||||
- {NID_X9_62_prime192v1, NID_sha1,
|
|
||||||
- "616263", /* "abc" */
|
|
||||||
- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
|
|
||||||
- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
|
|
||||||
- "5ca5c0d69716dfcb3474373902",
|
|
||||||
- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
|
|
||||||
- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
|
|
||||||
- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
|
|
||||||
- {NID_X9_62_prime239v1, NID_sha1,
|
|
||||||
- "616263", /* "abc" */
|
|
||||||
- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
|
|
||||||
- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
|
|
||||||
- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
|
|
||||||
- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
|
|
||||||
- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
|
|
||||||
- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
|
|
||||||
/* prime KATs from NIST CAVP */
|
|
||||||
{NID_secp224r1, NID_sha224,
|
|
||||||
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
|
|
||||||
diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t
|
|
||||||
index 2dfed387ca..c733b68f83 100644
|
|
||||||
--- a/test/recipes/15-test_genec.t
|
|
||||||
+++ b/test/recipes/15-test_genec.t
|
|
||||||
@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build"
|
|
||||||
if disabled("ec");
|
|
||||||
|
|
||||||
my @prime_curves = qw(
|
|
||||||
- secp112r1
|
|
||||||
- secp112r2
|
|
||||||
- secp128r1
|
|
||||||
- secp128r2
|
|
||||||
- secp160k1
|
|
||||||
- secp160r1
|
|
||||||
- secp160r2
|
|
||||||
- secp192k1
|
|
||||||
- secp224k1
|
|
||||||
secp224r1
|
|
||||||
secp256k1
|
|
||||||
secp384r1
|
|
||||||
secp521r1
|
|
||||||
- prime192v1
|
|
||||||
- prime192v2
|
|
||||||
- prime192v3
|
|
||||||
- prime239v1
|
|
||||||
- prime239v2
|
|
||||||
- prime239v3
|
|
||||||
prime256v1
|
|
||||||
- wap-wsg-idm-ecid-wtls6
|
|
||||||
- wap-wsg-idm-ecid-wtls7
|
|
||||||
- wap-wsg-idm-ecid-wtls8
|
|
||||||
- wap-wsg-idm-ecid-wtls9
|
|
||||||
- wap-wsg-idm-ecid-wtls12
|
|
||||||
- brainpoolP160r1
|
|
||||||
- brainpoolP160t1
|
|
||||||
- brainpoolP192r1
|
|
||||||
- brainpoolP192t1
|
|
||||||
- brainpoolP224r1
|
|
||||||
- brainpoolP224t1
|
|
||||||
brainpoolP256r1
|
|
||||||
brainpoolP256t1
|
|
||||||
brainpoolP320r1
|
|
||||||
@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
|
|
||||||
if !disabled("sm2");
|
|
||||||
|
|
||||||
my @curve_aliases = qw(
|
|
||||||
- P-192
|
|
||||||
P-224
|
|
||||||
P-256
|
|
||||||
P-384
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,210 +0,0 @@
|
|||||||
diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_asn1.c
|
|
||||||
--- openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec 2022-03-22 13:10:45.718077845 +0100
|
|
||||||
+++ openssl-3.0.1/crypto/ec/ec_asn1.c 2022-03-22 13:12:46.626599016 +0100
|
|
||||||
@@ -895,6 +895,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **
|
|
||||||
if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
|
|
||||||
group->decoded_from_explicit_params = 1;
|
|
||||||
|
|
||||||
+ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
|
|
||||||
+ EC_GROUP_free(group);
|
|
||||||
+ ECPKPARAMETERS_free(params);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (a) {
|
|
||||||
EC_GROUP_free(*a);
|
|
||||||
*a = group;
|
|
||||||
@@ -954,6 +959,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) {
|
|
||||||
+ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret->version = priv_key->version;
|
|
||||||
|
|
||||||
if (priv_key->privateKey) {
|
|
||||||
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
|
|
||||||
index a84e088c19..6c37bf78ae 100644
|
|
||||||
--- a/crypto/ec/ec_lib.c
|
|
||||||
+++ b/crypto/ec/ec_lib.c
|
|
||||||
@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
if (named_group == group) {
|
|
||||||
+ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
|
|
||||||
+ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+#if 0
|
|
||||||
/*
|
|
||||||
* If we did not find a named group then the encoding should be explicit
|
|
||||||
* if it was specified
|
|
||||||
@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
|
|
||||||
+#endif
|
|
||||||
} else {
|
|
||||||
EC_GROUP_free(group);
|
|
||||||
group = named_group;
|
|
||||||
diff --git a/test/ectest.c b/test/ectest.c
|
|
||||||
index 4890b0555e..e11aec5b3b 100644
|
|
||||||
--- a/test/ectest.c
|
|
||||||
+++ b/test/ectest.c
|
|
||||||
@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
|
|
||||||
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
|
|
||||||
|| !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
|
|
||||||
|| !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
|
|
||||||
- || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
|
|
||||||
+ || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam,
|
|
||||||
EVP_PKEY_KEY_PARAMETERS, params), 0))
|
|
||||||
goto err;
|
|
||||||
-
|
|
||||||
+/* As creating the key should fail, the rest of the test is pointless */
|
|
||||||
+# if 0
|
|
||||||
/*- Check that all the set values are retrievable -*/
|
|
||||||
|
|
||||||
/* There should be no match to a group name since the generator changed */
|
|
||||||
@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
|
|
||||||
#endif
|
|
||||||
)
|
|
||||||
goto err;
|
|
||||||
+#endif
|
|
||||||
ret = 1;
|
|
||||||
err:
|
|
||||||
BN_free(order_out);
|
|
||||||
@@ -2714,21 +2716,21 @@ static int custom_params_test(int id)
|
|
||||||
|
|
||||||
/* Compute keyexchange in both directions */
|
|
||||||
if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
|
|
||||||
- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
|
|
||||||
- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
|
|
||||||
+ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
|
|
||||||
+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
|
|
||||||
|| !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
|
|
||||||
|| !TEST_int_gt(bsize, sslen)
|
|
||||||
- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
|
|
||||||
+ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
|
|
||||||
goto err;
|
|
||||||
if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
|
|
||||||
- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
|
|
||||||
- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
|
|
||||||
+ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
|
|
||||||
+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
|
|
||||||
|| !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
|
|
||||||
|| !TEST_int_gt(bsize, t)
|
|
||||||
|| !TEST_int_le(sslen, t)
|
|
||||||
- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
|
|
||||||
+ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
|
|
||||||
goto err;
|
|
||||||
-
|
|
||||||
+#if 0
|
|
||||||
/* Both sides should expect the same shared secret */
|
|
||||||
if (!TEST_mem_eq(buf1, sslen, buf2, t))
|
|
||||||
goto err;
|
|
||||||
@@ -2780,7 +2782,7 @@ static int custom_params_test(int id)
|
|
||||||
/* compare with previous result */
|
|
||||||
|| !TEST_mem_eq(buf1, t, buf2, sslen))
|
|
||||||
goto err;
|
|
||||||
-
|
|
||||||
+#endif
|
|
||||||
ret = 1;
|
|
||||||
|
|
||||||
err:
|
|
||||||
diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/test/endecode_test.c
|
|
||||||
--- openssl-3.0.1/test/endecode_test.c.disable_explicit_ec 2022-03-21 16:55:46.005558779 +0100
|
|
||||||
+++ openssl-3.0.1/test/endecode_test.c 2022-03-21 16:56:12.636792762 +0100
|
|
||||||
@@ -57,7 +57,7 @@ static BN_CTX *bnctx = NULL;
|
|
||||||
static OSSL_PARAM_BLD *bld_prime_nc = NULL;
|
|
||||||
static OSSL_PARAM_BLD *bld_prime = NULL;
|
|
||||||
static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;
|
|
||||||
-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;
|
|
||||||
+/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/
|
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
static OSSL_PARAM_BLD *bld_tri_nc = NULL;
|
|
||||||
@@ -990,9 +990,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
|
|
||||||
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
|
|
||||||
IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
|
|
||||||
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
|
|
||||||
-DOMAIN_KEYS(ECExplicitPrime2G);
|
|
||||||
-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
|
|
||||||
-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
|
|
||||||
+/*DOMAIN_KEYS(ECExplicitPrime2G);*/
|
|
||||||
+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
|
|
||||||
+/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
DOMAIN_KEYS(ECExplicitTriNamedCurve);
|
|
||||||
IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
|
|
||||||
@@ -1318,7 +1318,7 @@ int setup_tests(void)
|
|
||||||
|| !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
|
|
||||||
|| !create_ec_explicit_prime_params(bld_prime)
|
|
||||||
|| !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
|
|
||||||
- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))
|
|
||||||
+/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
|| !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
|
|
||||||
|| !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
|
|
||||||
@@ -1346,7 +1346,7 @@ int setup_tests(void)
|
|
||||||
TEST_info("Generating EC keys...");
|
|
||||||
MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
|
|
||||||
MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
|
|
||||||
- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
|
|
||||||
+/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
|
|
||||||
MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
|
|
||||||
@@ -1389,8 +1389,8 @@ int setup_tests(void)
|
|
||||||
ADD_TEST_SUITE_LEGACY(EC);
|
|
||||||
ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
|
|
||||||
ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
|
|
||||||
- ADD_TEST_SUITE(ECExplicitPrime2G);
|
|
||||||
- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
|
|
||||||
+/* ADD_TEST_SUITE(ECExplicitPrime2G);*/
|
|
||||||
+/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
ADD_TEST_SUITE(ECExplicitTriNamedCurve);
|
|
||||||
ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
|
|
||||||
@@ -1427,7 +1427,7 @@ void cleanup_tests(void)
|
|
||||||
{
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
OSSL_PARAM_free(ec_explicit_prime_params_nc);
|
|
||||||
- OSSL_PARAM_free(ec_explicit_prime_params_explicit);
|
|
||||||
+/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/
|
|
||||||
OSSL_PARAM_BLD_free(bld_prime_nc);
|
|
||||||
OSSL_PARAM_BLD_free(bld_prime);
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
@@ -1449,7 +1449,7 @@ void cleanup_tests(void)
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
FREE_DOMAIN_KEYS(EC);
|
|
||||||
FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
|
|
||||||
- FREE_DOMAIN_KEYS(ECExplicitPrime2G);
|
|
||||||
+/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
|
|
||||||
FREE_DOMAIN_KEYS(ECExplicitTri2G);
|
|
||||||
diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
|
||||||
--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec 2022-03-25 11:20:50.920949208 +0100
|
|
||||||
+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 2022-03-25 11:21:13.177147598 +0100
|
|
||||||
@@ -121,18 +121,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEB
|
|
||||||
3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
|
|
||||||
-PrivateKey = EC_EXPLICIT
|
|
||||||
------BEGIN PRIVATE KEY-----
|
|
||||||
-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
|
|
||||||
-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
|
|
||||||
-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
|
|
||||||
-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
|
|
||||||
-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
|
|
||||||
-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
|
|
||||||
-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
|
|
||||||
-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
|
|
||||||
------END PRIVATE KEY-----
|
|
||||||
-
|
|
||||||
PrivateKey = B-163
|
|
||||||
-----BEGIN PRIVATE KEY-----
|
|
||||||
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
|
|
@ -1,37 +0,0 @@
|
|||||||
diff -up ./test/recipes/15-test_ec.t.skip-tests ./test/recipes/15-test_ec.t
|
|
||||||
--- ./test/recipes/15-test_ec.t.skip-tests 2023-03-14 13:42:38.865508269 +0100
|
|
||||||
+++ ./test/recipes/15-test_ec.t 2023-03-14 13:43:36.237021635 +0100
|
|
||||||
@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key
|
|
||||||
|
|
||||||
subtest 'Check loading of fips and non-fips keys' => sub {
|
|
||||||
plan skip_all => "FIPS is disabled"
|
|
||||||
- if $no_fips;
|
|
||||||
+ if 1; #Red Hat specific, original value is $no_fips;
|
|
||||||
|
|
||||||
plan tests => 2;
|
|
||||||
|
|
||||||
diff -up ./test/recipes/65-test_cmp_protect.t.skip-tests ./test/recipes/65-test_cmp_protect.t
|
|
||||||
--- ./test/recipes/65-test_cmp_protect.t.skip-tests 2023-03-14 10:13:11.342056559 +0100
|
|
||||||
+++ ./test/recipes/65-test_cmp_protect.t 2023-03-14 10:14:42.643873496 +0100
|
|
||||||
@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo
|
|
||||||
plan skip_all => "This test is not supported in a shared library build on Windows"
|
|
||||||
if $^O eq 'MSWin32' && !disabled("shared");
|
|
||||||
|
|
||||||
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
|
|
||||||
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
|
|
||||||
|
|
||||||
my @basic_cmd = ("cmp_protect_test",
|
|
||||||
data_file("prot_RSA.pem"),
|
|
||||||
diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t
|
|
||||||
index f722800e27..26a01786bb 100644
|
|
||||||
--- a/test/recipes/65-test_cmp_vfy.t
|
|
||||||
+++ b/test/recipes/65-test_cmp_vfy.t
|
|
||||||
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
|
|
||||||
plan skip_all => "This test is not supported in a no-ec build"
|
|
||||||
if disabled("ec");
|
|
||||||
|
|
||||||
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
|
|
||||||
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
|
|
||||||
|
|
||||||
my @basic_cmd = ("cmp_vfy_test",
|
|
||||||
data_file("server.crt"), data_file("client.crt"),
|
|
@ -1,80 +0,0 @@
|
|||||||
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
|
|
||||||
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
|
|
||||||
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
|
|
||||||
@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1
|
|
||||||
tsa_policy2 = 1.2.3.4.5.6
|
|
||||||
tsa_policy3 = 1.2.3.4.5.7
|
|
||||||
|
|
||||||
-# For FIPS
|
|
||||||
-# Optionally include a file that is generated by the OpenSSL fipsinstall
|
|
||||||
-# application. This file contains configuration data required by the OpenSSL
|
|
||||||
-# fips provider. It contains a named section e.g. [fips_sect] which is
|
|
||||||
-# referenced from the [provider_sect] below.
|
|
||||||
-# Refer to the OpenSSL security policy for more information.
|
|
||||||
-# .include fipsmodule.cnf
|
|
||||||
-
|
|
||||||
[openssl_init]
|
|
||||||
providers = provider_sect
|
|
||||||
# Load default TLS policy configuration
|
|
||||||
@@ -42,23 +42,27 @@ [ evp_properties ]
|
|
||||||
#This section is intentionally added empty here
|
|
||||||
#to be tuned on particular systems
|
|
||||||
|
|
||||||
-# List of providers to load
|
|
||||||
-[provider_sect]
|
|
||||||
-default = default_sect
|
|
||||||
-# The fips section name should match the section name inside the
|
|
||||||
-# included fipsmodule.cnf.
|
|
||||||
-# fips = fips_sect
|
|
||||||
+# Uncomment the sections that start with ## below to enable the legacy provider.
|
|
||||||
+# Loading the legacy provider enables support for the following algorithms:
|
|
||||||
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
|
||||||
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
|
|
||||||
+# Key Derivation Function (KDF): PBKDF1
|
|
||||||
+# In general it is not recommended to use the above mentioned algorithms for
|
|
||||||
+# security critical operations, as they are cryptographically weak or vulnerable
|
|
||||||
+# to side-channel attacks and as such have been deprecated.
|
|
||||||
|
|
||||||
-# If no providers are activated explicitly, the default one is activated implicitly.
|
|
||||||
-# See man 7 OSSL_PROVIDER-default for more details.
|
|
||||||
-#
|
|
||||||
-# If you add a section explicitly activating any other provider(s), you most
|
|
||||||
-# probably need to explicitly activate the default provider, otherwise it
|
|
||||||
-# becomes unavailable in openssl. As a consequence applications depending on
|
|
||||||
-# OpenSSL may not work correctly which could lead to significant system
|
|
||||||
-# problems including inability to remotely access the system.
|
|
||||||
-[default_sect]
|
|
||||||
-# activate = 1
|
|
||||||
+[provider_sect]
|
|
||||||
+default = default_sect
|
|
||||||
+##legacy = legacy_sect
|
|
||||||
+##
|
|
||||||
+[default_sect]
|
|
||||||
+activate = 1
|
|
||||||
+
|
|
||||||
+##[legacy_sect]
|
|
||||||
+##activate = 1
|
|
||||||
+
|
|
||||||
+#Place the third party provider configuration files into this folder
|
|
||||||
+.include /etc/pki/tls/openssl.d
|
|
||||||
|
|
||||||
[ ssl_module ]
|
|
||||||
|
|
||||||
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
|
|
||||||
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
|
|
||||||
+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
|
|
||||||
@@ -273,6 +273,14 @@ significant.
|
|
||||||
All parameters in the section as well as sub-sections are made
|
|
||||||
available to the provider.
|
|
||||||
|
|
||||||
+=head3 Loading the legacy provider
|
|
||||||
+
|
|
||||||
+Uncomment the sections that start with ## in openssl.cnf
|
|
||||||
+to enable the legacy provider.
|
|
||||||
+Note: In general it is not recommended to use the above mentioned algorithms for
|
|
||||||
+security critical operations, as they are cryptographically weak or vulnerable
|
|
||||||
+to side-channel attacks and as such have been deprecated.
|
|
||||||
+
|
|
||||||
=head3 Default provider and its activation
|
|
||||||
|
|
||||||
If no providers are activated explicitly, the default one is activated implicitly.
|
|
@ -1,18 +0,0 @@
|
|||||||
diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
|
|
||||||
--- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100
|
|
||||||
+++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100
|
|
||||||
@@ -55,11 +55,11 @@ providers = provider_sect
|
|
||||||
# to side-channel attacks and as such have been deprecated.
|
|
||||||
|
|
||||||
[provider_sect]
|
|
||||||
-default = default_sect
|
|
||||||
+##default = default_sect
|
|
||||||
##legacy = legacy_sect
|
|
||||||
##
|
|
||||||
-[default_sect]
|
|
||||||
-activate = 1
|
|
||||||
+##[default_sect]
|
|
||||||
+##activate = 1
|
|
||||||
|
|
||||||
##[legacy_sect]
|
|
||||||
##activate = 1
|
|
@ -1,81 +0,0 @@
|
|||||||
From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
||||||
Date: Mon, 21 Aug 2023 11:59:02 +0200
|
|
||||||
Subject: [PATCH 16/48] 0032-Force-fips.patch
|
|
||||||
|
|
||||||
Patch-name: 0032-Force-fips.patch
|
|
||||||
Patch-id: 32
|
|
||||||
Patch-status: |
|
|
||||||
# We load FIPS provider and set FIPS properties implicitly
|
|
||||||
---
|
|
||||||
crypto/provider_conf.c | 28 +++++++++++++++++++++++++++-
|
|
||||||
1 file changed, 27 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
|
|
||||||
index 058fb58837..5274265a70 100644
|
|
||||||
--- a/crypto/provider_conf.c
|
|
||||||
+++ b/crypto/provider_conf.c
|
|
||||||
@@ -10,6 +10,8 @@
|
|
||||||
#include <string.h>
|
|
||||||
#include <openssl/trace.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
+#include <openssl/evp.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
#include <openssl/conf.h>
|
|
||||||
#include <openssl/safestack.h>
|
|
||||||
#include <openssl/provider.h>
|
|
||||||
@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
|
|
||||||
if (path != NULL)
|
|
||||||
ossl_provider_set_module_path(prov, path);
|
|
||||||
|
|
||||||
- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
|
|
||||||
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
|
|
||||||
|
|
||||||
if (ok == 1) {
|
|
||||||
if (!ossl_provider_activate(prov, 1, 0)) {
|
|
||||||
@@ -268,6 +268,8 @@ static int provider_conf_activate(OSSL_L
|
|
||||||
|
|
||||||
if (ok <= 0)
|
|
||||||
ossl_provider_free(prov);
|
|
||||||
+ } else {
|
|
||||||
+ ok = 1;
|
|
||||||
}
|
|
||||||
CRYPTO_THREAD_unlock(pcgbl->lock);
|
|
||||||
|
|
||||||
@@ -309,6 +311,33 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
|
|
||||||
+ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
|
|
||||||
+# define FIPS_LOCAL_CONF OPENSSLDIR "/fips_local.cnf"
|
|
||||||
+
|
|
||||||
+ if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
|
|
||||||
+ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
|
|
||||||
+ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
|
|
||||||
+ NCONF_free(fips_conf);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ NCONF_free(fips_conf);
|
|
||||||
+ } else {
|
|
||||||
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ /* provider_conf_load can return 1 even when the test is failed so check explicitly */
|
|
||||||
+ if (OSSL_PROVIDER_available(libctx, "fips") != 1)
|
|
||||||
+ return 0;
|
|
||||||
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
|
|
||||||
+ return 0;
|
|
||||||
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,396 +0,0 @@
|
|||||||
From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Wed, 6 Mar 2024 19:17:15 +0100
|
|
||||||
Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch
|
|
||||||
|
|
||||||
Patch-name: 0033-FIPS-embed-hmac.patch
|
|
||||||
Patch-id: 33
|
|
||||||
Patch-status: |
|
|
||||||
# # Embed HMAC into the fips.so
|
|
||||||
# Modify fips self test as per
|
|
||||||
# https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
|
|
||||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
|
||||||
---
|
|
||||||
providers/fips/self_test.c | 204 ++++++++++++++++++++++++--
|
|
||||||
test/fipsmodule.cnf | 2 +
|
|
||||||
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
|
|
||||||
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
|
|
||||||
test/recipes/03-test_fipsinstall.t | 2 +-
|
|
||||||
test/recipes/30-test_defltfips.t | 2 +-
|
|
||||||
test/recipes/80-test_ssl_new.t | 2 +-
|
|
||||||
test/recipes/90-test_sslapi.t | 2 +-
|
|
||||||
8 files changed, 200 insertions(+), 18 deletions(-)
|
|
||||||
create mode 100644 test/fipsmodule.cnf
|
|
||||||
|
|
||||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
|
||||||
index b8dc9817b2..28f536d13c 100644
|
|
||||||
--- a/providers/fips/self_test.c
|
|
||||||
+++ b/providers/fips/self_test.c
|
|
||||||
@@ -230,11 +230,133 @@ err:
|
|
||||||
return ok;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#define HMAC_LEN 32
|
|
||||||
+/*
|
|
||||||
+ * The __attribute__ ensures we've created the .rodata1 section
|
|
||||||
+ * static ensures it's zero filled
|
|
||||||
+*/
|
|
||||||
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
|
|
||||||
* the result matches the expected value.
|
|
||||||
* Return 1 if verified, or 0 if it fails.
|
|
||||||
*/
|
|
||||||
+
|
|
||||||
+#ifndef __USE_GNU
|
|
||||||
+#define __USE_GNU
|
|
||||||
+#include <dlfcn.h>
|
|
||||||
+#undef __USE_GNU
|
|
||||||
+#else
|
|
||||||
+#include <dlfcn.h>
|
|
||||||
+#endif
|
|
||||||
+#include <link.h>
|
|
||||||
+
|
|
||||||
+static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
|
|
||||||
+ OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
|
||||||
+ unsigned char *expected, size_t expected_len,
|
|
||||||
+ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
|
||||||
+ const char *event_type)
|
|
||||||
+{
|
|
||||||
+ int ret = 0, status;
|
|
||||||
+ unsigned char out[MAX_MD_SIZE];
|
|
||||||
+ unsigned char buf[INTEGRITY_BUF_SIZE];
|
|
||||||
+ size_t bytes_read = 0, out_len = 0;
|
|
||||||
+ EVP_MAC *mac = NULL;
|
|
||||||
+ EVP_MAC_CTX *ctx = NULL;
|
|
||||||
+ OSSL_PARAM params[2], *p = params;
|
|
||||||
+ Dl_info info;
|
|
||||||
+ void *extra_info = NULL;
|
|
||||||
+ struct link_map *lm = NULL;
|
|
||||||
+ unsigned long paddr;
|
|
||||||
+ unsigned long off = 0;
|
|
||||||
+
|
|
||||||
+ if (expected_len != HMAC_LEN)
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ if (!integrity_self_test(ev, libctx))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
|
||||||
+
|
|
||||||
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
|
||||||
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
|
||||||
+ goto err;
|
|
||||||
+ lm = extra_info;
|
|
||||||
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
|
||||||
+
|
|
||||||
+ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
|
||||||
+ if (mac == NULL)
|
|
||||||
+ goto err;
|
|
||||||
+ ctx = EVP_MAC_CTX_new(mac);
|
|
||||||
+ if (ctx == NULL)
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
|
|
||||||
+ *p = OSSL_PARAM_construct_end();
|
|
||||||
+
|
|
||||||
+ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
|
||||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
|
||||||
+ if (status != 1)
|
|
||||||
+ break;
|
|
||||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
+ goto err;
|
|
||||||
+ off += bytes_read;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (off < paddr) {
|
|
||||||
+ int delta = paddr - off;
|
|
||||||
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
|
|
||||||
+ if (status != 1)
|
|
||||||
+ goto err;
|
|
||||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
+ goto err;
|
|
||||||
+ off += bytes_read;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* read away the buffer */
|
|
||||||
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
|
||||||
+ if (status != 1)
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ /* check that it is the expect bytes, no point in continuing otherwise */
|
|
||||||
+ if (memcmp(expected, buf, HMAC_LEN) != 0)
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ /* replace in-file HMAC buffer with the original zeros */
|
|
||||||
+ memset(buf, 0, HMAC_LEN);
|
|
||||||
+ if (!EVP_MAC_update(ctx, buf, HMAC_LEN))
|
|
||||||
+ goto err;
|
|
||||||
+ off += HMAC_LEN;
|
|
||||||
+
|
|
||||||
+ while (bytes_read > 0) {
|
|
||||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
|
||||||
+ if (status != 1)
|
|
||||||
+ break;
|
|
||||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
+ goto err;
|
|
||||||
+ off += bytes_read;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ OSSL_SELF_TEST_oncorrupt_byte(ev, out);
|
|
||||||
+ if (expected_len != out_len
|
|
||||||
+ || memcmp(expected, out, out_len) != 0)
|
|
||||||
+ goto err;
|
|
||||||
+ ret = 1;
|
|
||||||
+err:
|
|
||||||
+ OPENSSL_cleanse(out, MAX_MD_SIZE);
|
|
||||||
+ OSSL_SELF_TEST_onend(ev, ret);
|
|
||||||
+ EVP_MAC_CTX_free(ctx);
|
|
||||||
+ EVP_MAC_free(mac);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
|
||||||
unsigned char *expected, size_t expected_len,
|
|
||||||
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
|
||||||
@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
|
||||||
EVP_MAC *mac = NULL;
|
|
||||||
EVP_MAC_CTX *ctx = NULL;
|
|
||||||
OSSL_PARAM params[2], *p = params;
|
|
||||||
+ Dl_info info;
|
|
||||||
+ void *extra_info = NULL;
|
|
||||||
+ struct link_map *lm = NULL;
|
|
||||||
+ unsigned long paddr;
|
|
||||||
+ unsigned long off = 0;
|
|
||||||
|
|
||||||
if (!integrity_self_test(ev, libctx))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
|
||||||
|
|
||||||
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
|
||||||
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
|
||||||
+ goto err;
|
|
||||||
+ lm = extra_info;
|
|
||||||
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
|
||||||
+
|
|
||||||
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
|
||||||
if (mac == NULL)
|
|
||||||
goto err;
|
|
||||||
@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
|
||||||
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
- while (1) {
|
|
||||||
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
|
|
||||||
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
|
||||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
|
||||||
if (status != 1)
|
|
||||||
break;
|
|
||||||
if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
goto err;
|
|
||||||
+ off += bytes_read;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
|
|
||||||
+ int delta = paddr - off;
|
|
||||||
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
|
|
||||||
+ if (status != 1)
|
|
||||||
+ goto err;
|
|
||||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
+ goto err;
|
|
||||||
+ off += bytes_read;
|
|
||||||
+
|
|
||||||
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
|
||||||
+ memset(buf, 0, HMAC_LEN);
|
|
||||||
+ if (status != 1)
|
|
||||||
+ goto err;
|
|
||||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
+ goto err;
|
|
||||||
+ off += bytes_read;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ while (bytes_read > 0) {
|
|
||||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
|
||||||
+ if (status != 1)
|
|
||||||
+ break;
|
|
||||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
|
||||||
+ goto err;
|
|
||||||
+ off += bytes_read;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
|
||||||
goto err;
|
|
||||||
ret = 1;
|
|
||||||
err:
|
|
||||||
+ OPENSSL_cleanse(out, sizeof(out));
|
|
||||||
OSSL_SELF_TEST_onend(ev, ret);
|
|
||||||
EVP_MAC_CTX_free(ctx);
|
|
||||||
EVP_MAC_free(mac);
|
|
||||||
@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (st == NULL
|
|
||||||
- || st->module_checksum_data == NULL) {
|
|
||||||
+ if (st == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
||||||
if (ev == NULL)
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
|
||||||
- &checksum_len);
|
|
||||||
+ if (st->module_checksum_data == NULL) {
|
|
||||||
+ module_checksum = fips_hmac_container;
|
|
||||||
+ checksum_len = sizeof(fips_hmac_container);
|
|
||||||
+ } else {
|
|
||||||
+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
|
||||||
+ &checksum_len);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (module_checksum == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
|
||||||
goto end;
|
|
||||||
@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
||||||
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
|
|
||||||
|
|
||||||
/* Always check the integrity of the fips module */
|
|
||||||
- if (bio_module == NULL
|
|
||||||
- || !verify_integrity(bio_module, st->bio_read_ex_cb,
|
|
||||||
- module_checksum, checksum_len, st->libctx,
|
|
||||||
- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
|
||||||
+ if (bio_module == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
+ if (st->module_checksum_data == NULL) {
|
|
||||||
+ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb,
|
|
||||||
+ module_checksum, checksum_len,
|
|
||||||
+ st->libctx, ev,
|
|
||||||
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ if (!verify_integrity(bio_module, st->bio_read_ex_cb,
|
|
||||||
+ module_checksum, checksum_len,
|
|
||||||
+ st->libctx, ev,
|
|
||||||
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
/* This will be NULL during installation - so the self test KATS will run */
|
|
||||||
if (st->indicator_data != NULL) {
|
|
||||||
/*
|
|
||||||
@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
||||||
end:
|
|
||||||
EVP_RAND_free(testrand);
|
|
||||||
OSSL_SELF_TEST_free(ev);
|
|
||||||
- OPENSSL_free(module_checksum);
|
|
||||||
OPENSSL_free(indicator_checksum);
|
|
||||||
|
|
||||||
if (st != NULL) {
|
|
||||||
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..f05d0dedbe
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/fipsmodule.cnf
|
|
||||||
@@ -0,0 +1,2 @@
|
|
||||||
+[fips_sect]
|
|
||||||
+activate = 1
|
|
||||||
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
|
|
||||||
index 4e3a6d85e8..e8255ba974 100644
|
|
||||||
--- a/test/recipes/00-prep_fipsmodule_cnf.t
|
|
||||||
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
|
|
||||||
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
|
|
||||||
use lib bldtop_dir('.');
|
|
||||||
use platform;
|
|
||||||
|
|
||||||
-my $no_check = disabled("fips");
|
|
||||||
+my $no_check = 1;
|
|
||||||
plan skip_all => "FIPS module config file only supported in a fips build"
|
|
||||||
if $no_check;
|
|
||||||
|
|
||||||
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
|
|
||||||
index ce594817d5..00cebacff8 100644
|
|
||||||
--- a/test/recipes/01-test_fipsmodule_cnf.t
|
|
||||||
+++ b/test/recipes/01-test_fipsmodule_cnf.t
|
|
||||||
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
|
|
||||||
use lib bldtop_dir('.');
|
|
||||||
use platform;
|
|
||||||
|
|
||||||
-my $no_check = disabled("fips");
|
|
||||||
+my $no_check = 1;
|
|
||||||
plan skip_all => "Test only supported in a fips build"
|
|
||||||
if $no_check;
|
|
||||||
plan tests => 1;
|
|
||||||
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
|
|
||||||
index b8b136d110..8242f4ebc3 100644
|
|
||||||
--- a/test/recipes/03-test_fipsinstall.t
|
|
||||||
+++ b/test/recipes/03-test_fipsinstall.t
|
|
||||||
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
|
|
||||||
use lib bldtop_dir('.');
|
|
||||||
use platform;
|
|
||||||
|
|
||||||
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
|
|
||||||
+plan skip_all => "Test only supported in a fips build" if 1;
|
|
||||||
|
|
||||||
# Compatible options for pedantic FIPS compliance
|
|
||||||
my @pedantic_okay =
|
|
||||||
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
|
|
||||||
index c8f145405b..56a2ec5dc4 100644
|
|
||||||
--- a/test/recipes/30-test_defltfips.t
|
|
||||||
+++ b/test/recipes/30-test_defltfips.t
|
|
||||||
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
|
||||||
plan skip_all => "Configuration loading is turned off"
|
|
||||||
if disabled("autoload-config");
|
|
||||||
|
|
||||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
|
|
||||||
plan tests =>
|
|
||||||
($no_fips ? 1 : 5);
|
|
||||||
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
|
|
||||||
index 195b85ea8c..92d48dbf7d 100644
|
|
||||||
--- a/test/recipes/80-test_ssl_new.t
|
|
||||||
+++ b/test/recipes/80-test_ssl_new.t
|
|
||||||
@@ -27,7 +27,7 @@ setup("test_ssl_new");
|
|
||||||
use lib srctop_dir('Configurations');
|
|
||||||
use lib bldtop_dir('.');
|
|
||||||
|
|
||||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
|
|
||||||
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
|
|
||||||
|
|
||||||
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
|
|
||||||
index 18d9f3d204..71780d8caa 100644
|
|
||||||
--- a/test/recipes/90-test_sslapi.t
|
|
||||||
+++ b/test/recipes/90-test_sslapi.t
|
|
||||||
@@ -17,7 +17,7 @@ setup("test_sslapi");
|
|
||||||
setup("test_sslapi");
|
|
||||||
}
|
|
||||||
|
|
||||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
my $fipsmodcfg_filename = "fipsmodule.cnf";
|
|
||||||
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,473 +0,0 @@
|
|||||||
From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
|
||||||
Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch
|
|
||||||
|
|
||||||
Patch-name: 0034.fipsinstall_disable.patch
|
|
||||||
Patch-id: 34
|
|
||||||
Patch-status: |
|
|
||||||
# Comment out fipsinstall command-line utility
|
|
||||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
|
||||||
---
|
|
||||||
apps/fipsinstall.c | 3 +
|
|
||||||
doc/man1/openssl-fipsinstall.pod.in | 272 +---------------------------
|
|
||||||
doc/man1/openssl.pod | 4 -
|
|
||||||
doc/man5/config.pod | 1 -
|
|
||||||
doc/man5/fips_config.pod | 104 +----------
|
|
||||||
doc/man7/OSSL_PROVIDER-FIPS.pod | 1 -
|
|
||||||
6 files changed, 10 insertions(+), 375 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
|
|
||||||
index e1ef645b60..db92cb5fb2 100644
|
|
||||||
--- a/apps/fipsinstall.c
|
|
||||||
+++ b/apps/fipsinstall.c
|
|
||||||
@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **argv)
|
|
||||||
EVP_MAC *mac = NULL;
|
|
||||||
CONF *conf = NULL;
|
|
||||||
|
|
||||||
+ BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
|
|
||||||
index b1768b7f91..b6b00e27d8 100644
|
|
||||||
--- a/doc/man1/openssl-fipsinstall.pod.in
|
|
||||||
+++ b/doc/man1/openssl-fipsinstall.pod.in
|
|
||||||
@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
|
|
||||||
=head1 SYNOPSIS
|
|
||||||
|
|
||||||
B<openssl fipsinstall>
|
|
||||||
-[B<-help>]
|
|
||||||
-[B<-in> I<configfilename>]
|
|
||||||
-[B<-out> I<configfilename>]
|
|
||||||
-[B<-module> I<modulefilename>]
|
|
||||||
-[B<-provider_name> I<providername>]
|
|
||||||
-[B<-section_name> I<sectionname>]
|
|
||||||
-[B<-verify>]
|
|
||||||
-[B<-mac_name> I<macname>]
|
|
||||||
-[B<-macopt> I<nm>:I<v>]
|
|
||||||
-[B<-noout>]
|
|
||||||
-[B<-quiet>]
|
|
||||||
-[B<-pedantic>]
|
|
||||||
-[B<-no_conditional_errors>]
|
|
||||||
-[B<-no_security_checks>]
|
|
||||||
-[B<-ems_check>]
|
|
||||||
-[B<-no_drbg_truncated_digests>]
|
|
||||||
-[B<-self_test_onload>]
|
|
||||||
-[B<-self_test_oninstall>]
|
|
||||||
-[B<-corrupt_desc> I<selftest_description>]
|
|
||||||
-[B<-corrupt_type> I<selftest_type>]
|
|
||||||
-[B<-config> I<parent_config>]
|
|
||||||
-
|
|
||||||
-=head1 DESCRIPTION
|
|
||||||
-
|
|
||||||
-This command is used to generate a FIPS module configuration file.
|
|
||||||
-This configuration file can be used each time a FIPS module is loaded
|
|
||||||
-in order to pass data to the FIPS module self tests. The FIPS module always
|
|
||||||
-verifies its MAC, but optionally only needs to run the KAT's once,
|
|
||||||
-at installation.
|
|
||||||
-
|
|
||||||
-The generated configuration file consists of:
|
|
||||||
-
|
|
||||||
-=over 4
|
|
||||||
-
|
|
||||||
-=item - A MAC of the FIPS module file.
|
|
||||||
-
|
|
||||||
-=item - A test status indicator.
|
|
||||||
-
|
|
||||||
-This indicates if the Known Answer Self Tests (KAT's) have successfully run.
|
|
||||||
-
|
|
||||||
-=item - A MAC of the status indicator.
|
|
||||||
-
|
|
||||||
-=item - A control for conditional self tests errors.
|
|
||||||
-
|
|
||||||
-By default if a continuous test (e.g a key pair test) fails then the FIPS module
|
|
||||||
-will enter an error state, and no services or cryptographic algorithms will be
|
|
||||||
-able to be accessed after this point.
|
|
||||||
-The default value of '1' will cause the fips module error state to be entered.
|
|
||||||
-If the value is '0' then the module error state will not be entered.
|
|
||||||
-Regardless of whether the error state is entered or not, the current operation
|
|
||||||
-(e.g. key generation) will return an error. The user is responsible for retrying
|
|
||||||
-the operation if the module error state is not entered.
|
|
||||||
-
|
|
||||||
-=item - A control to indicate whether run-time security checks are done.
|
|
||||||
-
|
|
||||||
-This indicates if run-time checks related to enforcement of security parameters
|
|
||||||
-such as minimum security strength of keys and approved curve names are used.
|
|
||||||
-The default value of '1' will perform the checks.
|
|
||||||
-If the value is '0' the checks are not performed and FIPS compliance must
|
|
||||||
-be done by procedures documented in the relevant Security Policy.
|
|
||||||
-
|
|
||||||
-=back
|
|
||||||
-
|
|
||||||
-This file is described in L<fips_config(5)>.
|
|
||||||
-
|
|
||||||
-=head1 OPTIONS
|
|
||||||
-
|
|
||||||
-=over 4
|
|
||||||
-
|
|
||||||
-=item B<-help>
|
|
||||||
-
|
|
||||||
-Print a usage message.
|
|
||||||
-
|
|
||||||
-=item B<-module> I<filename>
|
|
||||||
-
|
|
||||||
-Filename of the FIPS module to perform an integrity check on.
|
|
||||||
-The path provided in the filename is used to load the module when it is
|
|
||||||
-activated, and this overrides the environment variable B<OPENSSL_MODULES>.
|
|
||||||
-
|
|
||||||
-=item B<-out> I<configfilename>
|
|
||||||
-
|
|
||||||
-Filename to output the configuration data to; the default is standard output.
|
|
||||||
-
|
|
||||||
-=item B<-in> I<configfilename>
|
|
||||||
-
|
|
||||||
-Input filename to load configuration data from.
|
|
||||||
-Must be used if the B<-verify> option is specified.
|
|
||||||
-
|
|
||||||
-=item B<-verify>
|
|
||||||
-
|
|
||||||
-Verify that the input configuration file contains the correct information.
|
|
||||||
-
|
|
||||||
-=item B<-provider_name> I<providername>
|
|
||||||
-
|
|
||||||
-Name of the provider inside the configuration file.
|
|
||||||
-The default value is C<fips>.
|
|
||||||
-
|
|
||||||
-=item B<-section_name> I<sectionname>
|
|
||||||
-
|
|
||||||
-Name of the section inside the configuration file.
|
|
||||||
-The default value is C<fips_sect>.
|
|
||||||
-
|
|
||||||
-=item B<-mac_name> I<name>
|
|
||||||
-
|
|
||||||
-Specifies the name of a supported MAC algorithm which will be used.
|
|
||||||
-The MAC mechanisms that are available will depend on the options
|
|
||||||
-used when building OpenSSL.
|
|
||||||
-To see the list of supported MAC's use the command
|
|
||||||
-C<openssl list -mac-algorithms>. The default is B<HMAC>.
|
|
||||||
-
|
|
||||||
-=item B<-macopt> I<nm>:I<v>
|
|
||||||
-
|
|
||||||
-Passes options to the MAC algorithm.
|
|
||||||
-A comprehensive list of controls can be found in the EVP_MAC implementation
|
|
||||||
-documentation.
|
|
||||||
-Common control strings used for this command are:
|
|
||||||
-
|
|
||||||
-=over 4
|
|
||||||
-
|
|
||||||
-=item B<key>:I<string>
|
|
||||||
-
|
|
||||||
-Specifies the MAC key as an alphanumeric string (use if the key contains
|
|
||||||
-printable characters only).
|
|
||||||
-The string length must conform to any restrictions of the MAC algorithm.
|
|
||||||
-A key must be specified for every MAC algorithm.
|
|
||||||
-If no key is provided, the default that was specified when OpenSSL was
|
|
||||||
-configured is used.
|
|
||||||
-
|
|
||||||
-=item B<hexkey>:I<string>
|
|
||||||
-
|
|
||||||
-Specifies the MAC key in hexadecimal form (two hex digits per byte).
|
|
||||||
-The key length must conform to any restrictions of the MAC algorithm.
|
|
||||||
-A key must be specified for every MAC algorithm.
|
|
||||||
-If no key is provided, the default that was specified when OpenSSL was
|
|
||||||
-configured is used.
|
|
||||||
-
|
|
||||||
-=item B<digest>:I<string>
|
|
||||||
-
|
|
||||||
-Used by HMAC as an alphanumeric string (use if the key contains printable
|
|
||||||
-characters only).
|
|
||||||
-The string length must conform to any restrictions of the MAC algorithm.
|
|
||||||
-To see the list of supported digests, use the command
|
|
||||||
-C<openssl list -digest-commands>.
|
|
||||||
-The default digest is SHA-256.
|
|
||||||
-
|
|
||||||
-=back
|
|
||||||
-
|
|
||||||
-=item B<-noout>
|
|
||||||
-
|
|
||||||
-Disable logging of the self tests.
|
|
||||||
-
|
|
||||||
-=item B<-pedantic>
|
|
||||||
-
|
|
||||||
-Configure the module so that it is strictly FIPS compliant rather
|
|
||||||
-than being backwards compatible. This enables conditional errors,
|
|
||||||
-security checks etc. Note that any previous configuration options will
|
|
||||||
-be overwritten and any subsequent configuration options that violate
|
|
||||||
-FIPS compliance will result in an error.
|
|
||||||
-
|
|
||||||
-=item B<-no_conditional_errors>
|
|
||||||
-
|
|
||||||
-Configure the module to not enter an error state if a conditional self test
|
|
||||||
-fails as described above.
|
|
||||||
-
|
|
||||||
-=item B<-no_security_checks>
|
|
||||||
-
|
|
||||||
-Configure the module to not perform run-time security checks as described above.
|
|
||||||
-
|
|
||||||
-Enabling the configuration option "no-fips-securitychecks" provides another way to
|
|
||||||
-turn off the check at compile time.
|
|
||||||
-
|
|
||||||
-=item B<-ems_check>
|
|
||||||
-
|
|
||||||
-Configure the module to enable a run-time Extended Master Secret (EMS) check
|
|
||||||
-when using the TLS1_PRF KDF algorithm. This check is disabled by default.
|
|
||||||
-See RFC 7627 for information related to EMS.
|
|
||||||
-
|
|
||||||
-=item B<-no_drbg_truncated_digests>
|
|
||||||
-
|
|
||||||
-Configure the module to not allow truncated digests to be used with Hash and
|
|
||||||
-HMAC DRBGs. See FIPS 140-3 IG D.R for details.
|
|
||||||
-
|
|
||||||
-=item B<-self_test_onload>
|
|
||||||
-
|
|
||||||
-Do not write the two fields related to the "test status indicator" and
|
|
||||||
-"MAC status indicator" to the output configuration file. Without these fields
|
|
||||||
-the self tests KATS will run each time the module is loaded. This option could be
|
|
||||||
-used for cross compiling, since the self tests need to run at least once on each
|
|
||||||
-target machine. Once the self tests have run on the target machine the user
|
|
||||||
-could possibly then add the 2 fields into the configuration using some other
|
|
||||||
-mechanism.
|
|
||||||
-
|
|
||||||
-This is the default.
|
|
||||||
-
|
|
||||||
-=item B<-self_test_oninstall>
|
|
||||||
-
|
|
||||||
-The converse of B<-self_test_oninstall>. The two fields related to the
|
|
||||||
-"test status indicator" and "MAC status indicator" are written to the
|
|
||||||
-output configuration file.
|
|
||||||
-
|
|
||||||
-=item B<-quiet>
|
|
||||||
-
|
|
||||||
-Do not output pass/fail messages. Implies B<-noout>.
|
|
||||||
-
|
|
||||||
-=item B<-corrupt_desc> I<selftest_description>,
|
|
||||||
-B<-corrupt_type> I<selftest_type>
|
|
||||||
-
|
|
||||||
-The corrupt options can be used to test failure of one or more self tests by
|
|
||||||
-name.
|
|
||||||
-Either option or both may be used to select the tests to corrupt.
|
|
||||||
-Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
|
|
||||||
-values that can be used.
|
|
||||||
-
|
|
||||||
-=item B<-config> I<parent_config>
|
|
||||||
-
|
|
||||||
-Test that a FIPS provider can be loaded from the specified configuration file.
|
|
||||||
-A previous call to this application needs to generate the extra configuration
|
|
||||||
-data that is included by the base C<parent_config> configuration file.
|
|
||||||
-See L<config(5)> for further information on how to set up a provider section.
|
|
||||||
-All other options are ignored if '-config' is used.
|
|
||||||
-
|
|
||||||
-=back
|
|
||||||
-
|
|
||||||
-=head1 NOTES
|
|
||||||
-
|
|
||||||
-Self tests results are logged by default if the options B<-quiet> and B<-noout>
|
|
||||||
-are not specified, or if either of the options B<-corrupt_desc> or
|
|
||||||
-B<-corrupt_type> are used.
|
|
||||||
-If the base configuration file is set up to autoload the fips module, then the
|
|
||||||
-fips module will be loaded and self tested BEFORE the fipsinstall application
|
|
||||||
-has a chance to set up its own self test callback. As a result of this the self
|
|
||||||
-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
|
|
||||||
-For normal usage the base configuration file should use the default provider
|
|
||||||
-when generating the fips configuration file.
|
|
||||||
-
|
|
||||||
-The B<-self_test_oninstall> option was added and the
|
|
||||||
-B<-self_test_onload> option was made the default in OpenSSL 3.1.
|
|
||||||
-
|
|
||||||
-The command and all remaining options were added in OpenSSL 3.0.
|
|
||||||
-
|
|
||||||
-=head1 EXAMPLES
|
|
||||||
-
|
|
||||||
-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
|
|
||||||
-for the module, and save the F<fips.cnf> configuration file:
|
|
||||||
-
|
|
||||||
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
|
|
||||||
-
|
|
||||||
-Verify that the configuration file F<fips.cnf> contains the correct info:
|
|
||||||
-
|
|
||||||
- openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify
|
|
||||||
-
|
|
||||||
-Corrupt any self tests which have the description C<SHA1>:
|
|
||||||
-
|
|
||||||
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
|
|
||||||
- -corrupt_desc 'SHA1'
|
|
||||||
-
|
|
||||||
-Validate that the fips module can be loaded from a base configuration file:
|
|
||||||
-
|
|
||||||
- export OPENSSL_CONF_INCLUDE=<path of configuration files>
|
|
||||||
- export OPENSSL_MODULES=<provider-path>
|
|
||||||
- openssl fipsinstall -config' 'default.cnf'
|
|
||||||
-
|
|
||||||
-
|
|
||||||
-=head1 SEE ALSO
|
|
||||||
-
|
|
||||||
-L<config(5)>,
|
|
||||||
-L<fips_config(5)>,
|
|
||||||
-L<OSSL_PROVIDER-FIPS(7)>,
|
|
||||||
-L<EVP_MAC(3)>
|
|
||||||
+This command is disabled.
|
|
||||||
+Please consult Red Hat Enterprise Linux documentation to learn how to correctly
|
|
||||||
+enable FIPS mode on Red Hat Enterprise
|
|
||||||
|
|
||||||
=head1 COPYRIGHT
|
|
||||||
|
|
||||||
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
|
|
||||||
index d9c22a580f..d5ec3b9a6a 100644
|
|
||||||
--- a/doc/man1/openssl.pod
|
|
||||||
+++ b/doc/man1/openssl.pod
|
|
||||||
@@ -135,10 +135,6 @@ Engine (loadable module) information and manipulation.
|
|
||||||
|
|
||||||
Error Number to Error String Conversion.
|
|
||||||
|
|
||||||
-=item B<fipsinstall>
|
|
||||||
-
|
|
||||||
-FIPS configuration installation.
|
|
||||||
-
|
|
||||||
=item B<gendsa>
|
|
||||||
|
|
||||||
Generation of DSA Private Key from Parameters. Superseded by
|
|
||||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
|
||||||
index 714a10437b..bd05736220 100644
|
|
||||||
--- a/doc/man5/config.pod
|
|
||||||
+++ b/doc/man5/config.pod
|
|
||||||
@@ -573,7 +573,6 @@ configuration files using that syntax will have to be modified.
|
|
||||||
=head1 SEE ALSO
|
|
||||||
|
|
||||||
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
|
|
||||||
-L<openssl-fipsinstall(1)>,
|
|
||||||
L<ASN1_generate_nconf(3)>,
|
|
||||||
L<EVP_set_default_properties(3)>,
|
|
||||||
L<CONF_modules_load(3)>,
|
|
||||||
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
|
|
||||||
index 2255464304..1c15e32a5c 100644
|
|
||||||
--- a/doc/man5/fips_config.pod
|
|
||||||
+++ b/doc/man5/fips_config.pod
|
|
||||||
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
|
|
||||||
|
|
||||||
=head1 DESCRIPTION
|
|
||||||
|
|
||||||
-A separate configuration file, using the OpenSSL L<config(5)> syntax,
|
|
||||||
-is used to hold information about the FIPS module. This includes a digest
|
|
||||||
-of the shared library file, and status about the self-testing.
|
|
||||||
-This data is used automatically by the module itself for two
|
|
||||||
-purposes:
|
|
||||||
-
|
|
||||||
-=over 4
|
|
||||||
-
|
|
||||||
-=item - Run the startup FIPS self-test known answer tests (KATS).
|
|
||||||
-
|
|
||||||
-This is normally done once, at installation time, but may also be set up to
|
|
||||||
-run each time the module is used.
|
|
||||||
-
|
|
||||||
-=item - Verify the module's checksum.
|
|
||||||
-
|
|
||||||
-This is done each time the module is used.
|
|
||||||
-
|
|
||||||
-=back
|
|
||||||
-
|
|
||||||
-This file is generated by the L<openssl-fipsinstall(1)> program, and
|
|
||||||
-used internally by the FIPS module during its initialization.
|
|
||||||
-
|
|
||||||
-The following options are supported. They should all appear in a section
|
|
||||||
-whose name is identified by the B<fips> option in the B<providers>
|
|
||||||
-section, as described in L<config(5)/Provider Configuration Module>.
|
|
||||||
-
|
|
||||||
-=over 4
|
|
||||||
-
|
|
||||||
-=item B<activate>
|
|
||||||
-
|
|
||||||
-If present, the module is activated. The value assigned to this name is not
|
|
||||||
-significant.
|
|
||||||
-
|
|
||||||
-=item B<install-version>
|
|
||||||
-
|
|
||||||
-A version number for the fips install process. Should be 1.
|
|
||||||
-
|
|
||||||
-=item B<conditional-errors>
|
|
||||||
-
|
|
||||||
-The FIPS module normally enters an internal error mode if any self test fails.
|
|
||||||
-Once this error mode is active, no services or cryptographic algorithms are
|
|
||||||
-accessible from this point on.
|
|
||||||
-Continuous tests are a subset of the self tests (e.g., a key pair test during key
|
|
||||||
-generation, or the CRNG output test).
|
|
||||||
-Setting this value to C<0> allows the error mode to not be triggered if any
|
|
||||||
-continuous test fails. The default value of C<1> will trigger the error mode.
|
|
||||||
-Regardless of the value, the operation (e.g., key generation) that called the
|
|
||||||
-continuous test will return an error code if its continuous test fails. The
|
|
||||||
-operation may then be retried if the error mode has not been triggered.
|
|
||||||
-
|
|
||||||
-=item B<security-checks>
|
|
||||||
-
|
|
||||||
-This indicates if run-time checks related to enforcement of security parameters
|
|
||||||
-such as minimum security strength of keys and approved curve names are used.
|
|
||||||
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
|
|
||||||
-are not performed and FIPS compliance must be done by procedures documented in
|
|
||||||
-the relevant Security Policy.
|
|
||||||
-
|
|
||||||
-=item B<module-mac>
|
|
||||||
-
|
|
||||||
-The calculated MAC of the FIPS provider file.
|
|
||||||
-
|
|
||||||
-=item B<install-status>
|
|
||||||
-
|
|
||||||
-An indicator that the self-tests were successfully run.
|
|
||||||
-This should only be written after the module has
|
|
||||||
-successfully passed its self tests during installation.
|
|
||||||
-If this field is not present, then the self tests will run when the module
|
|
||||||
-loads.
|
|
||||||
-
|
|
||||||
-=item B<install-mac>
|
|
||||||
-
|
|
||||||
-A MAC of the value of the B<install-status> option, to prevent accidental
|
|
||||||
-changes to that value.
|
|
||||||
-It is written-to at the same time as B<install-status> is updated.
|
|
||||||
-
|
|
||||||
-=back
|
|
||||||
-
|
|
||||||
-For example:
|
|
||||||
-
|
|
||||||
- [fips_sect]
|
|
||||||
- activate = 1
|
|
||||||
- install-version = 1
|
|
||||||
- conditional-errors = 1
|
|
||||||
- security-checks = 1
|
|
||||||
- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
|
|
||||||
- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
|
|
||||||
- install-status = INSTALL_SELF_TEST_KATS_RUN
|
|
||||||
-
|
|
||||||
-=head1 NOTES
|
|
||||||
-
|
|
||||||
-When using the FIPS provider, it is recommended that the
|
|
||||||
-B<config_diagnostics> option is enabled to prevent accidental use of
|
|
||||||
-non-FIPS validated algorithms via broken or mistaken configuration.
|
|
||||||
-See L<config(5)>.
|
|
||||||
-
|
|
||||||
-=head1 SEE ALSO
|
|
||||||
-
|
|
||||||
-L<config(5)>
|
|
||||||
-L<openssl-fipsinstall(1)>
|
|
||||||
+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
|
|
||||||
+automatically loaded when the system is booted in FIPS mode, or when the
|
|
||||||
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
|
||||||
+for more information.
|
|
||||||
|
|
||||||
=head1 HISTORY
|
|
||||||
|
|
||||||
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
|
|
||||||
index 4f908888ba..ef00247770 100644
|
|
||||||
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
|
|
||||||
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
|
|
||||||
@@ -444,7 +444,6 @@ want to operate in a FIPS approved manner. The algorithms are:
|
|
||||||
|
|
||||||
=head1 SEE ALSO
|
|
||||||
|
|
||||||
-L<openssl-fipsinstall(1)>,
|
|
||||||
L<fips_config(5)>,
|
|
||||||
L<OSSL_SELF_TEST_set_callback(3)>,
|
|
||||||
L<OSSL_SELF_TEST_new(3)>,
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,13 +0,0 @@
|
|||||||
diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c
|
|
||||||
--- openssl-3.0.0/apps/speed.c.beldmit 2021-12-21 15:14:04.210431584 +0100
|
|
||||||
+++ openssl-3.0.0/apps/speed.c 2021-12-21 15:46:05.554085125 +0100
|
|
||||||
@@ -547,6 +547,9 @@ static int EVP_MAC_loop(int algindex, vo
|
|
||||||
for (count = 0; COND(c[algindex][testnum]); count++) {
|
|
||||||
size_t outl;
|
|
||||||
|
|
||||||
+ if (mctx == NULL)
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
if (!EVP_MAC_init(mctx, NULL, 0, NULL)
|
|
||||||
|| !EVP_MAC_update(mctx, buf, lengths[testnum])
|
|
||||||
|| !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))
|
|
@ -1,402 +0,0 @@
|
|||||||
From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
||||||
Date: Mon, 21 Aug 2023 12:05:23 +0200
|
|
||||||
Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch
|
|
||||||
|
|
||||||
Patch-name: 0044-FIPS-140-3-keychecks.patch
|
|
||||||
Patch-id: 44
|
|
||||||
Patch-status: |
|
|
||||||
# Extra public/private key checks required by FIPS-140-3
|
|
||||||
---
|
|
||||||
crypto/dh/dh_key.c | 26 ++++++++++
|
|
||||||
.../implementations/exchange/ecdh_exch.c | 19 ++++++++
|
|
||||||
providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++-
|
|
||||||
providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
|
|
||||||
.../implementations/signature/ecdsa_sig.c | 37 +++++++++++++--
|
|
||||||
providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
|
|
||||||
6 files changed, 162 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
|
||||||
index 4e9705beef..83773cceea 100644
|
|
||||||
--- a/crypto/dh/dh_key.c
|
|
||||||
+++ b/crypto/dh/dh_key.c
|
|
||||||
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
|
||||||
BN_MONT_CTX *mont = NULL;
|
|
||||||
BIGNUM *z = NULL, *pminus1;
|
|
||||||
int ret = -1;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ int validate = 0;
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
|
||||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
|
||||||
@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
|
|
||||||
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
ctx = BN_CTX_new_ex(dh->libctx);
|
|
||||||
if (ctx == NULL)
|
|
||||||
goto err;
|
|
||||||
@@ -262,6 +272,9 @@ static int generate_key(DH *dh)
|
|
||||||
#endif
|
|
||||||
BN_CTX *ctx = NULL;
|
|
||||||
BIGNUM *pub_key = NULL, *priv_key = NULL;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ int validate = 0;
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
|
||||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
|
||||||
@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
|
|
||||||
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
|
|
||||||
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
dh->pub_key = pub_key;
|
|
||||||
dh->priv_key = priv_key;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (ossl_dh_check_pairwise(dh) <= 0) {
|
|
||||||
+ abort();
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
dh->dirty_cnt++;
|
|
||||||
ok = 1;
|
|
||||||
err:
|
|
||||||
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
|
|
||||||
index 43caedb6df..73873f9758 100644
|
|
||||||
--- a/providers/implementations/exchange/ecdh_exch.c
|
|
||||||
+++ b/providers/implementations/exchange/ecdh_exch.c
|
|
||||||
@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
|
|
||||||
}
|
|
||||||
|
|
||||||
ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ {
|
|
||||||
+ BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk));
|
|
||||||
+ int check = 0;
|
|
||||||
+
|
|
||||||
+ if (bn_ctx == NULL) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx);
|
|
||||||
+ BN_CTX_free(bn_ctx);
|
|
||||||
+
|
|
||||||
+ if (check <= 0) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY);
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
|
|
||||||
|
|
||||||
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
|
|
||||||
index a37cbbdba8..bca3f3c674 100644
|
|
||||||
--- a/providers/implementations/keymgmt/ec_kmgmt.c
|
|
||||||
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
|
|
||||||
@@ -989,8 +989,17 @@ struct ec_gen_ctx {
|
|
||||||
EC_GROUP *gen_group;
|
|
||||||
unsigned char *dhkem_ikm;
|
|
||||||
size_t dhkem_ikmlen;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ void *ecdsa_sig_ctx;
|
|
||||||
+#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+void *ecdsa_newctx(void *provctx, const char *propq);
|
|
||||||
+void ecdsa_freectx(void *vctx);
|
|
||||||
+int do_ec_pct(void *, const char *, void *);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
static void *ec_gen_init(void *provctx, int selection,
|
|
||||||
const OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection,
|
|
||||||
gctx = NULL;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (gctx != NULL)
|
|
||||||
+ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
|
|
||||||
+#endif
|
|
||||||
return gctx;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
|
||||||
|
|
||||||
if (gctx->ecdh_mode != -1)
|
|
||||||
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ /* Pairwise consistency test */
|
|
||||||
+ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
|
|
||||||
+ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
|
|
||||||
+ abort();
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
if (gctx->group_check != NULL)
|
|
||||||
ret = ret && ossl_ec_set_check_group_type_from_name(ec,
|
|
||||||
@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx)
|
|
||||||
|
|
||||||
if (gctx == NULL)
|
|
||||||
return;
|
|
||||||
-
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ ecdsa_freectx(gctx->ecdsa_sig_ctx);
|
|
||||||
+ gctx->ecdsa_sig_ctx = NULL;
|
|
||||||
+#endif
|
|
||||||
OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen);
|
|
||||||
EC_GROUP_free(gctx->gen_group);
|
|
||||||
BN_free(gctx->p);
|
|
||||||
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
|
|
||||||
index 3ba12c4889..ff49f8fcd8 100644
|
|
||||||
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
|
|
||||||
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
|
|
||||||
@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
|
|
||||||
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
|
|
||||||
/* ACVP test parameters */
|
|
||||||
OSSL_PARAM *acvp_test_params;
|
|
||||||
+ void *prov_rsa_ctx;
|
|
||||||
#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
|
|
||||||
return gctx->cb(params, gctx->cbarg);
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+void *rsa_newctx(void *provctx, const char *propq);
|
|
||||||
+void rsa_freectx(void *vctx);
|
|
||||||
+int do_rsa_pct(void *, const char *, void *);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
static void *gen_init(void *provctx, int selection, int rsa_type,
|
|
||||||
const OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
|
|
||||||
|
|
||||||
if (!rsa_gen_set_params(gctx, params))
|
|
||||||
goto err;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (gctx != NULL)
|
|
||||||
+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
|
|
||||||
+#endif
|
|
||||||
return gctx;
|
|
||||||
|
|
||||||
err:
|
|
||||||
@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
|
||||||
|
|
||||||
rsa = rsa_tmp;
|
|
||||||
rsa_tmp = NULL;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ /* Pairwise consistency test */
|
|
||||||
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
|
|
||||||
+ abort();
|
|
||||||
+#endif
|
|
||||||
err:
|
|
||||||
BN_GENCB_free(gencb);
|
|
||||||
RSA_free(rsa_tmp);
|
|
||||||
@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx)
|
|
||||||
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
|
|
||||||
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
|
|
||||||
gctx->acvp_test_params = NULL;
|
|
||||||
+ rsa_freectx(gctx->prov_rsa_ctx);
|
|
||||||
+ gctx->prov_rsa_ctx = NULL;
|
|
||||||
#endif
|
|
||||||
BN_clear_free(gctx->pub_exp);
|
|
||||||
OPENSSL_free(gctx);
|
|
||||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
|
||||||
index 865d49d100..ebeb30e002 100644
|
|
||||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
|
||||||
@@ -32,7 +32,7 @@
|
|
||||||
#include "crypto/ec.h"
|
|
||||||
#include "prov/der_ec.h"
|
|
||||||
|
|
||||||
-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
|
|
||||||
+OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
|
|
||||||
static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
|
|
||||||
static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
|
|
||||||
static OSSL_FUNC_signature_sign_fn ecdsa_sign;
|
|
||||||
@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
|
|
||||||
static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
|
|
||||||
static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
|
|
||||||
static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
|
|
||||||
-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
|
|
||||||
+OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
|
|
||||||
static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
|
|
||||||
static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
|
|
||||||
static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
|
|
||||||
@@ -104,7 +104,7 @@ typedef struct {
|
|
||||||
unsigned int nonce_type;
|
|
||||||
} PROV_ECDSA_CTX;
|
|
||||||
|
|
||||||
-static void *ecdsa_newctx(void *provctx, const char *propq)
|
|
||||||
+void *ecdsa_newctx(void *provctx, const char *propq)
|
|
||||||
{
|
|
||||||
PROV_ECDSA_CTX *ctx;
|
|
||||||
|
|
||||||
@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
|
|
||||||
return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void ecdsa_freectx(void *vctx)
|
|
||||||
+void ecdsa_freectx(void *vctx)
|
|
||||||
{
|
|
||||||
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
|
|
||||||
|
|
||||||
@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
|
|
||||||
return EVP_MD_settable_ctx_params(ctx->md);
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+int do_ec_pct(void *vctx, const char *mdname, void *ec)
|
|
||||||
+{
|
|
||||||
+ static const unsigned char data[32];
|
|
||||||
+ unsigned char sigbuf[256];
|
|
||||||
+ size_t siglen = sizeof(sigbuf);
|
|
||||||
+
|
|
||||||
+ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
|
|
||||||
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
|
|
||||||
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
|
|
||||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
|
||||||
index cd5de6bd51..d4261e8f7d 100644
|
|
||||||
--- a/providers/implementations/signature/rsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/rsa_sig.c
|
|
||||||
@@ -34,7 +34,7 @@
|
|
||||||
|
|
||||||
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
|
||||||
|
|
||||||
-static OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
|
||||||
+OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
|
||||||
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
|
||||||
static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
|
|
||||||
static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
|
|
||||||
@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
|
|
||||||
static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
|
|
||||||
static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
|
|
||||||
static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
|
|
||||||
-static OSSL_FUNC_signature_freectx_fn rsa_freectx;
|
|
||||||
+OSSL_FUNC_signature_freectx_fn rsa_freectx;
|
|
||||||
static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
|
|
||||||
static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
|
|
||||||
static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
|
|
||||||
@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void *rsa_newctx(void *provctx, const char *propq)
|
|
||||||
+void *rsa_newctx(void *provctx, const char *propq)
|
|
||||||
{
|
|
||||||
PROV_RSA_CTX *prsactx = NULL;
|
|
||||||
char *propq_copy = NULL;
|
|
||||||
@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
|
|
||||||
return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void rsa_freectx(void *vprsactx)
|
|
||||||
+void rsa_freectx(void *vprsactx)
|
|
||||||
{
|
|
||||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
|
||||||
|
|
||||||
@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
|
|
||||||
return EVP_MD_settable_ctx_params(prsactx->md);
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
|
|
||||||
+{
|
|
||||||
+ static const unsigned char data[32];
|
|
||||||
+ unsigned char *sigbuf = NULL;
|
|
||||||
+ size_t siglen = 0;
|
|
||||||
+ int ret = 0;
|
|
||||||
+
|
|
||||||
+ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0)
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
|
|
||||||
+ goto err;
|
|
||||||
+ ret = 1;
|
|
||||||
+
|
|
||||||
+ err:
|
|
||||||
+ OPENSSL_free(sigbuf);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
|
|
||||||
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
|
|
||||||
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
|
|
||||||
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
|
|
||||||
index e0d139d..35f23b2 100644
|
|
||||||
--- a/crypto/rsa/rsa_gen.c
|
|
||||||
+++ b/crypto/rsa/rsa_gen.c
|
|
||||||
@@ -463,6 +463,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
|
|
||||||
rsa->dmp1 = NULL;
|
|
||||||
rsa->dmq1 = NULL;
|
|
||||||
rsa->iqmp = NULL;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ abort();
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return ok;
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,779 +0,0 @@
|
|||||||
From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Wed, 6 Mar 2024 19:17:15 +0100
|
|
||||||
Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch
|
|
||||||
|
|
||||||
Patch-name: 0045-FIPS-services-minimize.patch
|
|
||||||
Patch-id: 45
|
|
||||||
Patch-status: |
|
|
||||||
# # Minimize fips services
|
|
||||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
|
||||||
---
|
|
||||||
apps/ecparam.c | 7 +++
|
|
||||||
apps/req.c | 2 +-
|
|
||||||
providers/common/capabilities.c | 2 +-
|
|
||||||
providers/fips/fipsprov.c | 44 +++++++++++--------
|
|
||||||
providers/fips/self_test_data.inc | 9 +++-
|
|
||||||
providers/implementations/signature/rsa_sig.c | 26 +++++++++++
|
|
||||||
ssl/ssl_ciph.c | 3 ++
|
|
||||||
test/acvp_test.c | 2 +
|
|
||||||
test/endecode_test.c | 4 ++
|
|
||||||
test/evp_libctx_test.c | 9 +++-
|
|
||||||
test/recipes/15-test_gendsa.t | 2 +-
|
|
||||||
test/recipes/20-test_cli_fips.t | 3 +-
|
|
||||||
test/recipes/30-test_evp.t | 20 ++++-----
|
|
||||||
.../30-test_evp_data/evpmac_common.txt | 22 ++++++++++
|
|
||||||
test/recipes/80-test_cms.t | 22 +++++-----
|
|
||||||
test/recipes/80-test_ssl_old.t | 2 +-
|
|
||||||
16 files changed, 128 insertions(+), 51 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/apps/ecparam.c b/apps/ecparam.c
|
|
||||||
index 71f93c4ca5..347bf62d5c 100644
|
|
||||||
--- a/apps/ecparam.c
|
|
||||||
+++ b/apps/ecparam.c
|
|
||||||
@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
|
|
||||||
const char *comment = curves[n].comment;
|
|
||||||
const char *sname = OBJ_nid2sn(curves[n].nid);
|
|
||||||
|
|
||||||
+ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
|
|
||||||
+ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
|
|
||||||
+ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
|
|
||||||
+ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
|
|
||||||
+ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
if (comment == NULL)
|
|
||||||
comment = "CURVE DESCRIPTION NOT AVAILABLE";
|
|
||||||
if (sname == NULL)
|
|
||||||
diff --git a/apps/req.c b/apps/req.c
|
|
||||||
index 8995453dca..cb38e6aa64 100644
|
|
||||||
--- a/apps/req.c
|
|
||||||
+++ b/apps/req.c
|
|
||||||
@@ -268,7 +268,7 @@ int req_main(int argc, char **argv)
|
|
||||||
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_DES
|
|
||||||
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
|
||||||
+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
opt_set_unknown_name("digest");
|
|
||||||
diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
|
|
||||||
index f7234615e4..0d4c0e3388 100644
|
|
||||||
--- a/providers/common/capabilities.c
|
|
||||||
+++ b/providers/common/capabilities.c
|
|
||||||
@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list[][10] = {
|
|
||||||
TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
|
|
||||||
TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
|
|
||||||
TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
|
|
||||||
-# endif
|
|
||||||
TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
|
|
||||||
TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
|
|
||||||
+# endif
|
|
||||||
# ifndef FIPS_MODULE
|
|
||||||
TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
|
|
||||||
TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
|
|
||||||
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
|
||||||
index 7ec409710b..ec5bdd5a69 100644
|
|
||||||
--- a/providers/fips/fipsprov.c
|
|
||||||
+++ b/providers/fips/fipsprov.c
|
|
||||||
@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
|
|
||||||
OSSL_LIB_CTX_FIPS_PROV_INDEX);
|
|
||||||
|
|
||||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
|
|
||||||
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
|
|
||||||
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider"))
|
|
||||||
return 0;
|
|
||||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
|
|
||||||
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
|
|
||||||
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
|
|
||||||
return 0;
|
|
||||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
|
|
||||||
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
|
|
||||||
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
|
|
||||||
return 0;
|
|
||||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
|
|
||||||
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
|
|
||||||
@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
|
|
||||||
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
|
|
||||||
* KMAC128 and KMAC256.
|
|
||||||
*/
|
|
||||||
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
|
||||||
+ /* We don't certify KECCAK in our FIPS provider */
|
|
||||||
+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
|
||||||
ossl_keccak_kmac_128_functions },
|
|
||||||
{ PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
|
|
||||||
- ossl_keccak_kmac_256_functions },
|
|
||||||
+ ossl_keccak_kmac_256_functions }, */
|
|
||||||
{ NULL, NULL, NULL }
|
|
||||||
};
|
|
||||||
|
|
||||||
@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
|
|
||||||
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
|
|
||||||
ossl_cipher_capable_aes_cbc_hmac_sha256),
|
|
||||||
#ifndef OPENSSL_NO_DES
|
|
||||||
- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
|
||||||
- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
|
|
||||||
+ /* We don't certify 3DES in our FIPS provider */
|
|
||||||
+ /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
|
||||||
+ UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
|
|
||||||
#endif /* OPENSSL_NO_DES */
|
|
||||||
{ { NULL, NULL, NULL }, NULL }
|
|
||||||
};
|
|
||||||
@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
|
|
||||||
#endif
|
|
||||||
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
|
|
||||||
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
|
|
||||||
- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
|
||||||
- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
|
|
||||||
+ /* We don't certify KMAC in our FIPS provider */
|
|
||||||
+ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
|
||||||
+ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
|
|
||||||
{ NULL, NULL, NULL }
|
|
||||||
};
|
|
||||||
|
|
||||||
@@ -410,8 +413,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
|
|
||||||
# ifndef OPENSSL_NO_ECX
|
|
||||||
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
|
||||||
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
|
|
||||||
+ /* We don't certify Edwards curves in our FIPS provider */
|
|
||||||
+ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
|
||||||
+ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
|
|
||||||
# endif
|
|
||||||
#endif
|
|
||||||
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
|
|
||||||
@@ -422,14 +426,16 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
|
|
||||||
|
|
||||||
static const OSSL_ALGORITHM fips_signature[] = {
|
|
||||||
#ifndef OPENSSL_NO_DSA
|
|
||||||
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
|
|
||||||
+ /* We don't certify DSA in our FIPS provider */
|
|
||||||
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/
|
|
||||||
#endif
|
|
||||||
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
# ifndef OPENSSL_NO_ECX
|
|
||||||
- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
|
|
||||||
+ /* We don't certify Edwards curves in our FIPS provider */
|
|
||||||
+ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
|
|
||||||
ossl_ed25519_signature_functions },
|
|
||||||
- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
|
|
||||||
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/
|
|
||||||
# endif
|
|
||||||
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
|
|
||||||
#endif
|
|
||||||
@@ -460,8 +466,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
|
|
||||||
PROV_DESCS_DHX },
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_DSA
|
|
||||||
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
|
||||||
- PROV_DESCS_DSA },
|
|
||||||
+ /* We don't certify DSA in our FIPS provider */
|
|
||||||
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
|
||||||
+ PROV_DESCS_DSA }, */
|
|
||||||
#endif
|
|
||||||
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
|
|
||||||
PROV_DESCS_RSA },
|
|
||||||
@@ -471,14 +478,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
|
|
||||||
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
|
|
||||||
PROV_DESCS_EC },
|
|
||||||
# ifndef OPENSSL_NO_ECX
|
|
||||||
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
|
||||||
+ /* We don't certify Edwards curves in our FIPS provider */
|
|
||||||
+ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
|
||||||
PROV_DESCS_X25519 },
|
|
||||||
{ PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
|
|
||||||
PROV_DESCS_X448 },
|
|
||||||
{ PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
|
|
||||||
PROV_DESCS_ED25519 },
|
|
||||||
{ PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
|
|
||||||
- PROV_DESCS_ED448 },
|
|
||||||
+ PROV_DESCS_ED448 }, */
|
|
||||||
# endif
|
|
||||||
#endif
|
|
||||||
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
|
|
||||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
|
||||||
index 2057378d3d..4b80bb70b9 100644
|
|
||||||
--- a/providers/fips/self_test_data.inc
|
|
||||||
+++ b/providers/fips/self_test_data.inc
|
|
||||||
@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
|
|
||||||
/*- CIPHER TEST DATA */
|
|
||||||
|
|
||||||
/* DES3 test data */
|
|
||||||
+#if 0
|
|
||||||
static const unsigned char des_ede3_cbc_pt[] = {
|
|
||||||
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
|
|
||||||
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
|
|
||||||
@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
|
|
||||||
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
|
|
||||||
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
|
|
||||||
};
|
|
||||||
-
|
|
||||||
+#endif
|
|
||||||
/* AES-256 GCM test data */
|
|
||||||
static const unsigned char aes_256_gcm_key[] = {
|
|
||||||
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
|
|
||||||
@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = {
|
|
||||||
# endif /* OPENSSL_NO_EC2M */
|
|
||||||
#endif /* OPENSSL_NO_EC */
|
|
||||||
|
|
||||||
-#ifndef OPENSSL_NO_DSA
|
|
||||||
/* dsa 2048 */
|
|
||||||
+#if 0
|
|
||||||
+#ifndef OPENSSL_NO_DSA
|
|
||||||
static const unsigned char dsa_p[] = {
|
|
||||||
0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
|
|
||||||
0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
|
|
||||||
@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = {
|
|
||||||
ST_KAT_PARAM_END()
|
|
||||||
};
|
|
||||||
#endif /* OPENSSL_NO_DSA */
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/* Hash DRBG inputs for signature KATs */
|
|
||||||
static const unsigned char sig_kat_entropyin[] = {
|
|
||||||
@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
|
|
||||||
},
|
|
||||||
# endif
|
|
||||||
#endif /* OPENSSL_NO_EC */
|
|
||||||
+#if 0
|
|
||||||
#ifndef OPENSSL_NO_DSA
|
|
||||||
{
|
|
||||||
OSSL_SELF_TEST_DESC_SIGN_DSA,
|
|
||||||
@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
|
|
||||||
ITM(dsa_expected_sig)
|
|
||||||
},
|
|
||||||
#endif /* OPENSSL_NO_DSA */
|
|
||||||
+#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
|
|
||||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
|
||||||
index 22d93ead53..c1405f47ea 100644
|
|
||||||
--- a/providers/implementations/signature/rsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/rsa_sig.c
|
|
||||||
@@ -686,6 +686,19 @@ static int rsa_verify_recover(void *vprsactx,
|
|
||||||
{
|
|
||||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
|
||||||
int ret;
|
|
||||||
+# ifdef FIPS_MODULE
|
|
||||||
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
|
||||||
+
|
|
||||||
+ if (rsabits < 2048) {
|
|
||||||
+ if (rsabits != 1024
|
|
||||||
+ && rsabits != 1280
|
|
||||||
+ && rsabits != 1536
|
|
||||||
+ && rsabits != 1792) {
|
|
||||||
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+# endif
|
|
||||||
|
|
||||||
if (!ossl_prov_is_running())
|
|
||||||
return 0;
|
|
||||||
@@ -774,6 +787,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
|
|
||||||
{
|
|
||||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
|
||||||
size_t rslen;
|
|
||||||
+# ifdef FIPS_MODULE
|
|
||||||
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
|
||||||
+
|
|
||||||
+ if (rsabits < 2048) {
|
|
||||||
+ if (rsabits != 1024
|
|
||||||
+ && rsabits != 1280
|
|
||||||
+ && rsabits != 1536
|
|
||||||
+ && rsabits != 1792) {
|
|
||||||
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+# endif
|
|
||||||
|
|
||||||
if (!ossl_prov_is_running())
|
|
||||||
return 0;
|
|
||||||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
|
||||||
index 33c23efb0d..113c204716 100644
|
|
||||||
--- a/ssl/ssl_ciph.c
|
|
||||||
+++ b/ssl/ssl_ciph.c
|
|
||||||
@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
|
|
||||||
ctx->disabled_mkey_mask = 0;
|
|
||||||
ctx->disabled_auth_mask = 0;
|
|
||||||
|
|
||||||
+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
|
|
||||||
+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* We ignore any errors from the fetches below. They are expected to fail
|
|
||||||
* if these algorithms are not available.
|
|
||||||
diff --git a/test/acvp_test.c b/test/acvp_test.c
|
|
||||||
index 45509095af..4a67519bb4 100644
|
|
||||||
--- a/test/acvp_test.c
|
|
||||||
+++ b/test/acvp_test.c
|
|
||||||
@@ -1478,6 +1478,7 @@ int setup_tests(void)
|
|
||||||
OSSL_NELEM(dh_safe_prime_keyver_data));
|
|
||||||
#endif /* OPENSSL_NO_DH */
|
|
||||||
|
|
||||||
+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
|
|
||||||
#ifndef OPENSSL_NO_DSA
|
|
||||||
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
|
|
||||||
ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
|
|
||||||
@@ -1485,6 +1486,7 @@ int setup_tests(void)
|
|
||||||
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
|
|
||||||
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
|
|
||||||
#endif /* OPENSSL_NO_DSA */
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
|
|
||||||
diff --git a/test/endecode_test.c b/test/endecode_test.c
|
|
||||||
index b53b7b715b..885e49a47c 100644
|
|
||||||
--- a/test/endecode_test.c
|
|
||||||
+++ b/test/endecode_test.c
|
|
||||||
@@ -1419,6 +1419,7 @@ int setup_tests(void)
|
|
||||||
* so no legacy tests.
|
|
||||||
*/
|
|
||||||
#endif
|
|
||||||
+ if (is_fips == 0) {
|
|
||||||
#ifndef OPENSSL_NO_DSA
|
|
||||||
ADD_TEST_SUITE(DSA);
|
|
||||||
ADD_TEST_SUITE_PARAMS(DSA);
|
|
||||||
@@ -1429,6 +1430,7 @@ int setup_tests(void)
|
|
||||||
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
|
|
||||||
# endif
|
|
||||||
#endif
|
|
||||||
+ }
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
ADD_TEST_SUITE(EC);
|
|
||||||
ADD_TEST_SUITE_PARAMS(EC);
|
|
||||||
@@ -1443,10 +1445,12 @@ int setup_tests(void)
|
|
||||||
ADD_TEST_SUITE(ECExplicitTri2G);
|
|
||||||
ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
|
|
||||||
# endif
|
|
||||||
+ if (is_fips == 0) {
|
|
||||||
ADD_TEST_SUITE(ED25519);
|
|
||||||
ADD_TEST_SUITE(ED448);
|
|
||||||
ADD_TEST_SUITE(X25519);
|
|
||||||
ADD_TEST_SUITE(X448);
|
|
||||||
+ }
|
|
||||||
/*
|
|
||||||
* ED25519, ED448, X25519 and X448 have no support for
|
|
||||||
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
|
|
||||||
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
|
|
||||||
index 2448c35a14..a7913cda4c 100644
|
|
||||||
--- a/test/evp_libctx_test.c
|
|
||||||
+++ b/test/evp_libctx_test.c
|
|
||||||
@@ -21,6 +21,7 @@
|
|
||||||
*/
|
|
||||||
#include "internal/deprecated.h"
|
|
||||||
#include <assert.h>
|
|
||||||
+#include <string.h>
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
#include <openssl/provider.h>
|
|
||||||
#include <openssl/dsa.h>
|
|
||||||
@@ -726,7 +727,9 @@ int setup_tests(void)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
|
|
||||||
- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
|
|
||||||
+ if (strcmp(prov_name, "fips") != 0) {
|
|
||||||
+ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
|
|
||||||
+ }
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_DH
|
|
||||||
ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
|
|
||||||
@@ -746,7 +749,9 @@ int setup_tests(void)
|
|
||||||
ADD_TEST(kem_invalid_keytype);
|
|
||||||
#endif
|
|
||||||
#ifndef OPENSSL_NO_DES
|
|
||||||
- ADD_TEST(test_cipher_tdes_randkey);
|
|
||||||
+ if (strcmp(prov_name, "fips") != 0) {
|
|
||||||
+ ADD_TEST(test_cipher_tdes_randkey);
|
|
||||||
+ }
|
|
||||||
#endif
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t
|
|
||||||
index 4bc460784b..93052eb3e7 100644
|
|
||||||
--- a/test/recipes/15-test_gendsa.t
|
|
||||||
+++ b/test/recipes/15-test_gendsa.t
|
|
||||||
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
|
||||||
plan skip_all => "This test is unsupported in a no-dsa build"
|
|
||||||
if disabled("dsa");
|
|
||||||
|
|
||||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
||||||
+my $no_fips = 1;
|
|
||||||
|
|
||||||
plan tests =>
|
|
||||||
($no_fips ? 0 : 2) # FIPS related tests
|
|
||||||
diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
|
|
||||||
index d4b4d4ca51..031814e8ff 100644
|
|
||||||
--- a/test/recipes/20-test_cli_fips.t
|
|
||||||
+++ b/test/recipes/20-test_cli_fips.t
|
|
||||||
@@ -278,8 +278,7 @@ SKIP: {
|
|
||||||
}
|
|
||||||
|
|
||||||
SKIP : {
|
|
||||||
- skip "FIPS DSA tests because of no dsa in this build", 1
|
|
||||||
- if disabled("dsa");
|
|
||||||
+ skip "FIPS DSA tests because of no dsa in this build", 1;
|
|
||||||
|
|
||||||
subtest DSA => sub {
|
|
||||||
my $testtext_prefix = 'DSA';
|
|
||||||
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
|
|
||||||
index eddca5c58e..36a192d041 100644
|
|
||||||
--- a/test/recipes/30-test_evp.t
|
|
||||||
+++ b/test/recipes/30-test_evp.t
|
|
||||||
@@ -46,10 +46,8 @@ my @files = qw(
|
|
||||||
evpciph_aes_cts.txt
|
|
||||||
evpciph_aes_wrap.txt
|
|
||||||
evpciph_aes_stitched.txt
|
|
||||||
- evpciph_des3_common.txt
|
|
||||||
evpkdf_hkdf.txt
|
|
||||||
evpkdf_kbkdf_counter.txt
|
|
||||||
- evpkdf_kbkdf_kmac.txt
|
|
||||||
evpkdf_pbkdf1.txt
|
|
||||||
evpkdf_pbkdf2.txt
|
|
||||||
evpkdf_ss.txt
|
|
||||||
@@ -69,15 +67,6 @@ push @files, qw(
|
|
||||||
evppkey_ffdhe.txt
|
|
||||||
evppkey_dh.txt
|
|
||||||
) unless $no_dh;
|
|
||||||
-push @files, qw(
|
|
||||||
- evpkdf_x942_des.txt
|
|
||||||
- evpmac_cmac_des.txt
|
|
||||||
- ) unless $no_des;
|
|
||||||
-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
|
|
||||||
-push @files, qw(
|
|
||||||
- evppkey_ecx.txt
|
|
||||||
- evppkey_mismatch_ecx.txt
|
|
||||||
- ) unless $no_ecx;
|
|
||||||
push @files, qw(
|
|
||||||
evppkey_ecc.txt
|
|
||||||
evppkey_ecdh.txt
|
|
||||||
@@ -97,6 +86,7 @@ my @defltfiles = qw(
|
|
||||||
evpciph_cast5.txt
|
|
||||||
evpciph_chacha.txt
|
|
||||||
evpciph_des.txt
|
|
||||||
+ evpciph_des3_common.txt
|
|
||||||
evpciph_idea.txt
|
|
||||||
evpciph_rc2.txt
|
|
||||||
evpciph_rc4.txt
|
|
||||||
@@ -121,13 +111,19 @@ my @defltfiles = qw(
|
|
||||||
evpmd_whirlpool.txt
|
|
||||||
evppbe_scrypt.txt
|
|
||||||
evppbe_pkcs12.txt
|
|
||||||
+ evpkdf_kbkdf_kmac.txt
|
|
||||||
evppkey_kdf_scrypt.txt
|
|
||||||
evppkey_kdf_tls1_prf.txt
|
|
||||||
evppkey_rsa.txt
|
|
||||||
);
|
|
||||||
+push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
|
|
||||||
+push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
|
|
||||||
+push @defltfiles, qw(
|
|
||||||
+ evpkdf_x942_des.txt
|
|
||||||
+ evpmac_cmac_des.txt
|
|
||||||
+ ) unless $no_des;
|
|
||||||
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
|
|
||||||
push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
|
|
||||||
-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
|
|
||||||
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
|
|
||||||
push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
|
|
||||||
push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
|
|
||||||
diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
|
|
||||||
index e47023aae6..96a8febeef 100644
|
|
||||||
--- a/test/recipes/30-test_evp_data/evpmac_common.txt
|
|
||||||
+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
|
|
||||||
@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C
|
|
||||||
Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
|
|
||||||
Result = MAC_INIT_ERROR
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Title = KMAC Tests (From NIST)
|
|
||||||
MAC = KMAC128
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
@@ -373,12 +374,14 @@ Ctrl = xof:0
|
|
||||||
OutputSize = 32
|
|
||||||
BlockSize = 168
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC128
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 00010203
|
|
||||||
Custom = "My Tagged Application"
|
|
||||||
Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC128
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
||||||
@@ -386,6 +389,7 @@ Custom = "My Tagged Application"
|
|
||||||
Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
|
|
||||||
Ctrl = size:32
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 00010203
|
|
||||||
@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC
|
|
||||||
OutputSize = 64
|
|
||||||
BlockSize = 136
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
||||||
Custom = ""
|
|
||||||
Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
||||||
@@ -409,12 +415,14 @@ Ctrl = size:64
|
|
||||||
|
|
||||||
Title = KMAC XOF Tests (From NIST)
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC128
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 00010203
|
|
||||||
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
|
|
||||||
XOF = 1
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC128
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 00010203
|
|
||||||
@@ -422,6 +430,7 @@ Custom = "My Tagged Application"
|
|
||||||
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
|
|
||||||
XOF = 1
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC128
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
||||||
@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
|
|
||||||
XOF = 1
|
|
||||||
Ctrl = size:32
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 00010203
|
|
||||||
@@ -437,6 +447,7 @@ Custom = "My Tagged Application"
|
|
||||||
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
|
|
||||||
XOF = 1
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
||||||
@@ -444,6 +455,7 @@ Custom = ""
|
|
||||||
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
|
|
||||||
XOF = 1
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
||||||
@@ -454,6 +466,7 @@ XOF = 1
|
|
||||||
|
|
||||||
Title = KMAC long customisation string (from NIST ACVP)
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
|
|
||||||
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
|
|
||||||
@@ -464,12 +477,14 @@ XOF = 1
|
|
||||||
|
|
||||||
Title = KMAC XOF Tests via ctrl (From NIST)
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC128
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 00010203
|
|
||||||
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
|
|
||||||
Ctrl = xof:1
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC128
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 00010203
|
|
||||||
@@ -477,6 +492,7 @@ Custom = "My Tagged Application"
|
|
||||||
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
|
|
||||||
Ctrl = xof:1
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC128
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
||||||
@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
|
|
||||||
Ctrl = xof:1
|
|
||||||
Ctrl = size:32
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 00010203
|
|
||||||
@@ -492,6 +509,7 @@ Custom = "My Tagged Application"
|
|
||||||
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
|
|
||||||
Ctrl = xof:1
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
||||||
@@ -499,6 +517,7 @@ Custom = ""
|
|
||||||
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
|
|
||||||
Ctrl = xof:1
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
||||||
@@ -509,6 +528,7 @@ Ctrl = xof:1
|
|
||||||
|
|
||||||
Title = KMAC long customisation string via ctrl (from NIST ACVP)
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
|
|
||||||
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
|
|
||||||
@@ -519,6 +539,7 @@ Ctrl = xof:1
|
|
||||||
|
|
||||||
Title = KMAC long customisation string negative test
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC128
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
||||||
@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR
|
|
||||||
|
|
||||||
Title = KMAC output is too large
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
MAC = KMAC256
|
|
||||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
|
||||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
|
||||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
|
||||||
index 6a9792128b..4e368c730b 100644
|
|
||||||
--- a/test/recipes/80-test_cms.t
|
|
||||||
+++ b/test/recipes/80-test_cms.t
|
|
||||||
@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
\&final_compare
|
|
||||||
],
|
|
||||||
|
|
||||||
- [ "signed content DER format, DSA key",
|
|
||||||
+ [ "signed content DER format, DSA key, no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
|
|
||||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
||||||
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
|
||||||
@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
\&final_compare
|
|
||||||
],
|
|
||||||
|
|
||||||
- [ "signed detached content DER format, DSA key",
|
|
||||||
+ [ "signed detached content DER format, DSA key, no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
||||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
||||||
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
|
||||||
@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
\&final_compare
|
|
||||||
],
|
|
||||||
|
|
||||||
- [ "signed detached content DER format, add RSA signer (with DSA existing)",
|
|
||||||
+ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
||||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
||||||
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
|
|
||||||
@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
\&final_compare
|
|
||||||
],
|
|
||||||
|
|
||||||
- [ "signed content test streaming BER format, DSA key",
|
|
||||||
+ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
||||||
"-nodetach", "-stream",
|
|
||||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
|
||||||
@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
\&final_compare
|
|
||||||
],
|
|
||||||
|
|
||||||
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
|
|
||||||
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
||||||
"-nodetach", "-stream",
|
|
||||||
"-signer", $smrsa1,
|
|
||||||
@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
\&final_compare
|
|
||||||
],
|
|
||||||
|
|
||||||
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
|
|
||||||
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
||||||
"-noattr", "-nodetach", "-stream",
|
|
||||||
"-signer", $smrsa1,
|
|
||||||
@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
\&zero_compare
|
|
||||||
],
|
|
||||||
|
|
||||||
- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
|
|
||||||
+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
|
|
||||||
"-signer", $smrsa1,
|
|
||||||
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
||||||
@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
\&final_compare
|
|
||||||
],
|
|
||||||
|
|
||||||
- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
|
|
||||||
+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
|
|
||||||
"-signer", $smrsa1,
|
|
||||||
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
||||||
@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
|
|
||||||
my @smime_cms_tests = (
|
|
||||||
|
|
||||||
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
|
|
||||||
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
|
||||||
"-nodetach", "-keyid",
|
|
||||||
"-signer", $smrsa1,
|
|
||||||
@@ -263,7 +263,7 @@ my @smime_cms_tests = (
|
|
||||||
\&final_compare
|
|
||||||
],
|
|
||||||
|
|
||||||
- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
|
|
||||||
+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
|
||||||
"-signer", $smrsa1,
|
|
||||||
"-signer", catfile($smdir, "smrsa2.pem"),
|
|
||||||
@@ -373,7 +373,7 @@ my @smime_cms_tests = (
|
|
||||||
\&final_compare
|
|
||||||
],
|
|
||||||
|
|
||||||
- [ "encrypted content test streaming PEM format, triple DES key",
|
|
||||||
+ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
|
|
||||||
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
|
|
||||||
"-stream", "-out", "{output}.cms" ],
|
|
||||||
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
|
||||||
index 50b74a1e29..e2dcb68fb5 100644
|
|
||||||
--- a/test/recipes/80-test_ssl_old.t
|
|
||||||
+++ b/test/recipes/80-test_ssl_old.t
|
|
||||||
@@ -436,7 +436,7 @@ sub testssl {
|
|
||||||
my @exkeys = ();
|
|
||||||
my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
|
|
||||||
|
|
||||||
- if (!$no_dsa) {
|
|
||||||
+ if (!$no_dsa && $provider ne "fips") {
|
|
||||||
push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,57 +0,0 @@
|
|||||||
From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Thu, 19 Oct 2023 13:12:40 +0200
|
|
||||||
Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch
|
|
||||||
|
|
||||||
Patch-name: 0047-FIPS-early-KATS.patch
|
|
||||||
Patch-id: 47
|
|
||||||
Patch-status: |
|
|
||||||
# # Execute KATS before HMAC verification
|
|
||||||
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
|
|
||||||
---
|
|
||||||
providers/fips/self_test.c | 22 ++++++++++------------
|
|
||||||
1 file changed, 10 insertions(+), 12 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
|
||||||
index e3a629018a..3c09bd8638 100644
|
|
||||||
--- a/providers/fips/self_test.c
|
|
||||||
+++ b/providers/fips/self_test.c
|
|
||||||
@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
||||||
if (ev == NULL)
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
|
|
||||||
+ */
|
|
||||||
+ if (kats_already_passed == 0) {
|
|
||||||
+ if (!SELF_TEST_kats(ev, st->libctx)) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (st->module_checksum_data == NULL) {
|
|
||||||
module_checksum = fips_hmac_container;
|
|
||||||
checksum_len = sizeof(fips_hmac_container);
|
|
||||||
@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- /*
|
|
||||||
- * Only runs the KAT's during installation OR on_demand().
|
|
||||||
- * NOTE: If the installation option 'self_test_onload' is chosen then this
|
|
||||||
- * path will always be run, since kats_already_passed will always be 0.
|
|
||||||
- */
|
|
||||||
- if (on_demand_test || kats_already_passed == 0) {
|
|
||||||
- if (!SELF_TEST_kats(ev, st->libctx)) {
|
|
||||||
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
|
||||||
- goto end;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* Verify that the RNG has been restored properly */
|
|
||||||
rng = ossl_rand_get0_private_noncreating(st->libctx);
|
|
||||||
if (rng != NULL)
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,509 +0,0 @@
|
|||||||
From 4f9167db05cade673f98f1a00efd57136e97b460 Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Wed, 6 Mar 2024 19:17:15 +0100
|
|
||||||
Subject: [PATCH 22/49] 0049-Allow-disabling-of-SHA1-signatures.patch
|
|
||||||
|
|
||||||
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
|
|
||||||
Patch-id: 49
|
|
||||||
Patch-status: |
|
|
||||||
# # Selectively disallow SHA1 signatures rhbz#2070977
|
|
||||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
|
||||||
---
|
|
||||||
crypto/context.c | 14 ++++
|
|
||||||
crypto/evp/evp_cnf.c | 13 +++
|
|
||||||
crypto/evp/m_sigver.c | 79 +++++++++++++++++++
|
|
||||||
crypto/evp/pmeth_lib.c | 15 ++++
|
|
||||||
doc/man5/config.pod | 13 +++
|
|
||||||
include/crypto/context.h | 3 +
|
|
||||||
include/internal/cryptlib.h | 3 +-
|
|
||||||
include/internal/sslconf.h | 4 +
|
|
||||||
providers/common/securitycheck.c | 20 +++++
|
|
||||||
providers/common/securitycheck_default.c | 9 ++-
|
|
||||||
providers/implementations/signature/dsa_sig.c | 11 ++-
|
|
||||||
.../implementations/signature/ecdsa_sig.c | 4 +
|
|
||||||
providers/implementations/signature/rsa_sig.c | 20 ++++-
|
|
||||||
ssl/t1_lib.c | 8 ++
|
|
||||||
util/libcrypto.num | 2 +
|
|
||||||
15 files changed, 209 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/context.c b/crypto/context.c
|
|
||||||
index fb4816d89b..c04920fe14 100644
|
|
||||||
--- a/crypto/context.c
|
|
||||||
+++ b/crypto/context.c
|
|
||||||
@@ -83,6 +83,8 @@ struct ossl_lib_ctx_st {
|
|
||||||
void *fips_prov;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ void *legacy_digest_signatures;
|
|
||||||
+
|
|
||||||
unsigned int ischild:1;
|
|
||||||
};
|
|
||||||
|
|
||||||
@@ -223,6 +225,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
|
|
||||||
goto err;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx);
|
|
||||||
+ if (ctx->legacy_digest_signatures == NULL)
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
/* Low priority. */
|
|
||||||
#ifndef FIPS_MODULE
|
|
||||||
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
|
|
||||||
@@ -366,6 +372,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ if (ctx->legacy_digest_signatures != NULL) {
|
|
||||||
+ ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures);
|
|
||||||
+ ctx->legacy_digest_signatures = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Low priority. */
|
|
||||||
#ifndef FIPS_MODULE
|
|
||||||
if (ctx->child_provider != NULL) {
|
|
||||||
@@ -663,6 +674,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
|
|
||||||
return ctx->fips_prov;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX:
|
|
||||||
+ return ctx->legacy_digest_signatures;
|
|
||||||
+
|
|
||||||
default:
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
|
|
||||||
index 0e7fe64cf9..b9d3b6d226 100644
|
|
||||||
--- a/crypto/evp/evp_cnf.c
|
|
||||||
+++ b/crypto/evp/evp_cnf.c
|
|
||||||
@@ -10,6 +10,7 @@
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <openssl/crypto.h>
|
|
||||||
#include "internal/cryptlib.h"
|
|
||||||
+#include "internal/sslconf.h"
|
|
||||||
#include <openssl/conf.h>
|
|
||||||
#include <openssl/x509.h>
|
|
||||||
#include <openssl/x509v3.h>
|
|
||||||
@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
|
|
||||||
ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
|
|
||||||
+ int m;
|
|
||||||
+
|
|
||||||
+ /* Detailed error already reported. */
|
|
||||||
+ if (!X509V3_get_value_bool(oval, &m))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed_set(
|
|
||||||
+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
|
|
||||||
+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
} else {
|
|
||||||
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
|
|
||||||
"name=%s, value=%s", oval->name, oval->value);
|
|
||||||
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
|
||||||
index 3a979f4bd4..fd3a4b79df 100644
|
|
||||||
--- a/crypto/evp/m_sigver.c
|
|
||||||
+++ b/crypto/evp/m_sigver.c
|
|
||||||
@@ -15,6 +15,73 @@
|
|
||||||
#include "internal/provider.h"
|
|
||||||
#include "internal/numbers.h" /* includes SIZE_MAX */
|
|
||||||
#include "evp_local.h"
|
|
||||||
+#include "crypto/context.h"
|
|
||||||
+
|
|
||||||
+typedef struct ossl_legacy_digest_signatures_st {
|
|
||||||
+ int allowed;
|
|
||||||
+} OSSL_LEGACY_DIGEST_SIGNATURES;
|
|
||||||
+
|
|
||||||
+void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
|
|
||||||
+{
|
|
||||||
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
|
|
||||||
+
|
|
||||||
+ if (ldsigs != NULL) {
|
|
||||||
+ OPENSSL_free(ldsigs);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
|
|
||||||
+{
|
|
||||||
+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
|
|
||||||
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
|
|
||||||
+ * because the default on Fedora is to allow SHA-1 and support disabling
|
|
||||||
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
|
|
||||||
+ ldsigs->allowed = 0;
|
|
||||||
+ return ldsigs;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
|
|
||||||
+ OSSL_LIB_CTX *libctx, int loadconfig)
|
|
||||||
+{
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
+ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
|
|
||||||
+ return NULL;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
|
|
||||||
+{
|
|
||||||
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
|
|
||||||
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
|
|
||||||
+
|
|
||||||
+ #ifndef FIPS_MODULE
|
|
||||||
+ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
|
|
||||||
+ /* used in tests */
|
|
||||||
+ return 1;
|
|
||||||
+ #endif
|
|
||||||
+
|
|
||||||
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
|
|
||||||
+ * because the default on Fedora is to allow SHA-1 and support disabling
|
|
||||||
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
|
|
||||||
+ return ldsigs != NULL ? ldsigs->allowed : 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
|
|
||||||
+ int loadconfig)
|
|
||||||
+{
|
|
||||||
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
|
|
||||||
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
|
|
||||||
+
|
|
||||||
+ if (ldsigs == NULL) {
|
|
||||||
+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ldsigs->allowed = allow;
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
|
|
||||||
#ifndef FIPS_MODULE
|
|
||||||
|
|
||||||
@@ -253,6 +320,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (ctx->reqdigest != NULL
|
|
||||||
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
|
|
||||||
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
|
||||||
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
|
|
||||||
+ int mdnid = EVP_MD_nid(ctx->reqdigest);
|
|
||||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
|
|
||||||
+ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
|
|
||||||
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (ver) {
|
|
||||||
if (signature->digest_verify_init == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
|
||||||
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
|
||||||
index 268b1617e3..248f655d0f 100644
|
|
||||||
--- a/crypto/evp/pmeth_lib.c
|
|
||||||
+++ b/crypto/evp/pmeth_lib.c
|
|
||||||
@@ -33,6 +33,7 @@
|
|
||||||
#include "internal/ffc.h"
|
|
||||||
#include "internal/numbers.h"
|
|
||||||
#include "internal/provider.h"
|
|
||||||
+#include "internal/sslconf.h"
|
|
||||||
#include "evp_local.h"
|
|
||||||
|
|
||||||
#ifndef FIPS_MODULE
|
|
||||||
@@ -951,6 +952,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
|
|
||||||
return -2;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
|
|
||||||
+ && md != NULL
|
|
||||||
+ && ctx->pkey != NULL
|
|
||||||
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
|
|
||||||
+ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
|
|
||||||
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
|
|
||||||
+ int mdnid = EVP_MD_nid(md);
|
|
||||||
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
|
||||||
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
|
|
||||||
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (fallback)
|
|
||||||
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
|
|
||||||
|
|
||||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
|
||||||
index bd05736220..ed34ff4b9c 100644
|
|
||||||
--- a/doc/man5/config.pod
|
|
||||||
+++ b/doc/man5/config.pod
|
|
||||||
@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
|
|
||||||
The value may be anything that is acceptable as a property query
|
|
||||||
string for EVP_set_default_properties().
|
|
||||||
|
|
||||||
+=item B<rh-allow-sha1-signatures>
|
|
||||||
+
|
|
||||||
+The value is a boolean that can be B<yes> or B<no>. If the value is not set,
|
|
||||||
+it behaves as if it was set to B<no>.
|
|
||||||
+
|
|
||||||
+When set to B<no>, any attempt to create or verify a signature with a SHA1
|
|
||||||
+digest will fail. For compatibility with older versions of OpenSSL, set this
|
|
||||||
+option to B<yes>. This setting also affects TLS, where signature algorithms
|
|
||||||
+that use SHA1 as digest will no longer be supported if this option is set to
|
|
||||||
+B<no>.
|
|
||||||
+
|
|
||||||
=item B<fips_mode> (deprecated)
|
|
||||||
|
|
||||||
The value is a boolean that can be B<yes> or B<no>. If the value is
|
|
||||||
diff --git a/include/crypto/context.h b/include/crypto/context.h
|
|
||||||
index 7369a730fb..55b74238c8 100644
|
|
||||||
--- a/include/crypto/context.h
|
|
||||||
+++ b/include/crypto/context.h
|
|
||||||
@@ -46,3 +46,6 @@ void ossl_release_default_drbg_ctx(void);
|
|
||||||
#if defined(OPENSSL_THREADS)
|
|
||||||
void ossl_threads_ctx_free(void *);
|
|
||||||
#endif
|
|
||||||
+
|
|
||||||
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *);
|
|
||||||
+void ossl_ctx_legacy_digest_signatures_free(void *);
|
|
||||||
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
|
|
||||||
index 64851fd8ed..8e01a77ddc 100644
|
|
||||||
--- a/include/internal/cryptlib.h
|
|
||||||
+++ b/include/internal/cryptlib.h
|
|
||||||
@@ -117,7 +117,8 @@ typedef struct ossl_ex_data_global_st {
|
|
||||||
# define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
|
|
||||||
# define OSSL_LIB_CTX_THREAD_INDEX 19
|
|
||||||
# define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
|
|
||||||
-# define OSSL_LIB_CTX_MAX_INDEXES 20
|
|
||||||
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21
|
|
||||||
+# define OSSL_LIB_CTX_MAX_INDEXES 21
|
|
||||||
|
|
||||||
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
|
|
||||||
int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
|
|
||||||
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
|
|
||||||
index fd7f7e3331..05464b0655 100644
|
|
||||||
--- a/include/internal/sslconf.h
|
|
||||||
+++ b/include/internal/sslconf.h
|
|
||||||
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
|
|
||||||
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
|
|
||||||
char **arg);
|
|
||||||
|
|
||||||
+/* Methods to support disabling all signatures with legacy digests */
|
|
||||||
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
|
|
||||||
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
|
|
||||||
+ int loadconfig);
|
|
||||||
#endif
|
|
||||||
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
|
||||||
index 0d3acdbe56..fe694c4e96 100644
|
|
||||||
--- a/providers/common/securitycheck.c
|
|
||||||
+++ b/providers/common/securitycheck.c
|
|
||||||
@@ -19,6 +19,7 @@
|
|
||||||
#include <openssl/core_names.h>
|
|
||||||
#include <openssl/obj_mac.h>
|
|
||||||
#include "prov/securitycheck.h"
|
|
||||||
+#include "internal/sslconf.h"
|
|
||||||
|
|
||||||
/*
|
|
||||||
* FIPS requires a minimum security strength of 112 bits (for encryption or
|
|
||||||
@@ -243,6 +244,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
|
||||||
mdnid = -1; /* disallowed by security checks */
|
|
||||||
}
|
|
||||||
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
|
||||||
+
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
|
||||||
+ /* SHA1 is globally disabled, check whether we want to locally allow
|
|
||||||
+ * it. */
|
|
||||||
+ if (mdnid == NID_sha1 && !sha1_allowed)
|
|
||||||
+ mdnid = -1;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
return mdnid;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
|
||||||
index 246323493e..2ca7a59f39 100644
|
|
||||||
--- a/providers/common/securitycheck_default.c
|
|
||||||
+++ b/providers/common/securitycheck_default.c
|
|
||||||
@@ -15,6 +15,7 @@
|
|
||||||
#include <openssl/obj_mac.h>
|
|
||||||
#include "prov/securitycheck.h"
|
|
||||||
#include "internal/nelem.h"
|
|
||||||
+#include "internal/sslconf.h"
|
|
||||||
|
|
||||||
/* Disable the security checks in the default provider */
|
|
||||||
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
|
||||||
@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
|
|
||||||
}
|
|
||||||
|
|
||||||
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
|
||||||
- ossl_unused int sha1_allowed)
|
|
||||||
+ int sha1_allowed)
|
|
||||||
{
|
|
||||||
int mdnid;
|
|
||||||
+ int ldsigs_allowed;
|
|
||||||
|
|
||||||
static const OSSL_ITEM name_to_nid[] = {
|
|
||||||
{ NID_md5, OSSL_DIGEST_NAME_MD5 },
|
|
||||||
@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
|
||||||
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
|
|
||||||
};
|
|
||||||
|
|
||||||
- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
|
|
||||||
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
|
|
||||||
+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
|
|
||||||
if (mdnid == NID_undef)
|
|
||||||
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
|
|
||||||
+ if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
|
|
||||||
+ mdnid = -1;
|
|
||||||
return mdnid;
|
|
||||||
}
|
|
||||||
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
|
|
||||||
index b89a0f6836..e0c26a13e4 100644
|
|
||||||
--- a/providers/implementations/signature/dsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/dsa_sig.c
|
|
||||||
@@ -125,12 +125,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
|
||||||
mdprops = ctx->propq;
|
|
||||||
|
|
||||||
if (mdname != NULL) {
|
|
||||||
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
|
||||||
WPACKET pkt;
|
|
||||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
|
||||||
- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
|
||||||
- sha1_allowed);
|
|
||||||
+ int md_nid;
|
|
||||||
size_t mdname_len = strlen(mdname);
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
|
||||||
+#else
|
|
||||||
+ int sha1_allowed = 0;
|
|
||||||
+#endif
|
|
||||||
+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
|
||||||
+ sha1_allowed);
|
|
||||||
|
|
||||||
if (md == NULL || md_nid < 0) {
|
|
||||||
if (md == NULL)
|
|
||||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
|
||||||
index f158105e71..62355b89fe 100644
|
|
||||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
|
||||||
@@ -247,7 +247,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
|
||||||
"%s could not be fetched", mdname);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
|
||||||
+#else
|
|
||||||
+ sha1_allowed = 0;
|
|
||||||
+#endif
|
|
||||||
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
|
||||||
sha1_allowed);
|
|
||||||
if (md_nid < 0) {
|
|
||||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
|
||||||
index c1405f47ea..aeda1a7758 100644
|
|
||||||
--- a/providers/implementations/signature/rsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/rsa_sig.c
|
|
||||||
@@ -25,6 +25,7 @@
|
|
||||||
#include "internal/cryptlib.h"
|
|
||||||
#include "internal/nelem.h"
|
|
||||||
#include "internal/sizes.h"
|
|
||||||
+#include "internal/sslconf.h"
|
|
||||||
#include "crypto/rsa.h"
|
|
||||||
#include "prov/providercommon.h"
|
|
||||||
#include "prov/implementations.h"
|
|
||||||
@@ -33,6 +34,7 @@
|
|
||||||
#include "prov/securitycheck.h"
|
|
||||||
|
|
||||||
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
|
||||||
+#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
|
|
||||||
|
|
||||||
OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
|
||||||
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
|
||||||
@@ -301,10 +303,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
|
||||||
|
|
||||||
if (mdname != NULL) {
|
|
||||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
|
||||||
+ int md_nid;
|
|
||||||
+ size_t mdname_len = strlen(mdname);
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
|
||||||
- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
|
||||||
+#else
|
|
||||||
+ int sha1_allowed = 0;
|
|
||||||
+#endif
|
|
||||||
+ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
|
||||||
sha1_allowed);
|
|
||||||
- size_t mdname_len = strlen(mdname);
|
|
||||||
|
|
||||||
if (md == NULL
|
|
||||||
|| md_nid <= 0
|
|
||||||
@@ -1392,8 +1399,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
|
||||||
prsactx->pad_mode = pad_mode;
|
|
||||||
|
|
||||||
if (prsactx->md == NULL && pmdname == NULL
|
|
||||||
- && pad_mode == RSA_PKCS1_PSS_PADDING)
|
|
||||||
+ && pad_mode == RSA_PKCS1_PSS_PADDING) {
|
|
||||||
pmdname = RSA_DEFAULT_DIGEST_NAME;
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
|
|
||||||
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
|
|
||||||
if (pmgf1mdname != NULL
|
|
||||||
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
|
|
||||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
|
||||||
index 631e1fdef9..05dd7c5595 100644
|
|
||||||
--- a/ssl/t1_lib.c
|
|
||||||
+++ b/ssl/t1_lib.c
|
|
||||||
@@ -20,6 +20,7 @@
|
|
||||||
#include <openssl/bn.h>
|
|
||||||
#include <openssl/provider.h>
|
|
||||||
#include <openssl/param_build.h>
|
|
||||||
+#include "internal/sslconf.h"
|
|
||||||
#include "internal/nelem.h"
|
|
||||||
#include "internal/sizes.h"
|
|
||||||
#include "internal/tlsgroups.h"
|
|
||||||
@@ -1506,6 +1507,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
|
|
||||||
uint16_t *tls12_sigalgs_list = NULL;
|
|
||||||
EVP_PKEY *tmpkey = EVP_PKEY_new();
|
|
||||||
int ret = 0;
|
|
||||||
+ int ldsigs_allowed;
|
|
||||||
|
|
||||||
if (ctx == NULL)
|
|
||||||
goto err;
|
|
||||||
@@ -1521,6 +1523,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
ERR_set_mark();
|
|
||||||
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
|
|
||||||
/* First fill cache and tls12_sigalgs list from legacy algorithm list */
|
|
||||||
for (i = 0, lu = sigalg_lookup_tbl;
|
|
||||||
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
|
|
||||||
@@ -1542,6 +1545,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
|
|
||||||
cache[i].enabled = 0;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
|
|
||||||
+ && !ldsigs_allowed) {
|
|
||||||
+ cache[i].enabled = 0;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
|
|
||||||
cache[i].enabled = 0;
|
|
||||||
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
|
||||||
index ef97803327..8046454025 100644
|
|
||||||
--- a/util/libcrypto.num
|
|
||||||
+++ b/util/libcrypto.num
|
|
||||||
@@ -5536,3 +5536,5 @@ X509_STORE_CTX_set_get_crl 5663 3_2_0 EXIST::FUNCTION:
|
|
||||||
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
|
|
||||||
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
|
|
||||||
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
|
|
||||||
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
|
||||||
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,95 +0,0 @@
|
|||||||
diff -up openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips openssl-3.0.1/crypto/pkcs12/p12_key.c
|
|
||||||
--- openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips 2022-02-21 12:35:24.829893907 +0100
|
|
||||||
+++ openssl-3.0.1/crypto/pkcs12/p12_key.c 2022-02-21 13:01:22.711622967 +0100
|
|
||||||
@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char
|
|
||||||
EVP_KDF *kdf;
|
|
||||||
EVP_KDF_CTX *ctx;
|
|
||||||
OSSL_PARAM params[6], *p = params;
|
|
||||||
+ char *adjusted_propq = NULL;
|
|
||||||
|
|
||||||
if (n <= 0)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
- kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
|
|
||||||
- if (kdf == NULL)
|
|
||||||
+ if (ossl_get_kernel_fips_flag()) {
|
|
||||||
+ const char *nofips = "-fips";
|
|
||||||
+ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
|
|
||||||
+ strlen(nofips) + 1;
|
|
||||||
+ char *ptr = NULL;
|
|
||||||
+
|
|
||||||
+ adjusted_propq = OPENSSL_zalloc(len);
|
|
||||||
+ if (adjusted_propq != NULL) {
|
|
||||||
+ ptr = adjusted_propq;
|
|
||||||
+ if (propq) {
|
|
||||||
+ memcpy(ptr, propq, strlen(propq));
|
|
||||||
+ ptr += strlen(propq);
|
|
||||||
+ *ptr = ',';
|
|
||||||
+ ptr++;
|
|
||||||
+ }
|
|
||||||
+ memcpy(ptr, nofips, strlen(nofips));
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ kdf = adjusted_propq ? EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
|
|
||||||
+ if (kdf == NULL) {
|
|
||||||
+ OPENSSL_free(adjusted_propq);
|
|
||||||
return 0;
|
|
||||||
+ }
|
|
||||||
ctx = EVP_KDF_CTX_new(kdf);
|
|
||||||
EVP_KDF_free(kdf);
|
|
||||||
- if (ctx == NULL)
|
|
||||||
+ if (ctx == NULL) {
|
|
||||||
+ OPENSSL_free(adjusted_propq);
|
|
||||||
return 0;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
|
||||||
(char *)EVP_MD_get0_name(md_type),
|
|
||||||
@@ -127,6 +149,7 @@ int PKCS12_key_gen_uni_ex(unsigned char
|
|
||||||
} OSSL_TRACE_END(PKCS12_KEYGEN);
|
|
||||||
}
|
|
||||||
EVP_KDF_CTX_free(ctx);
|
|
||||||
+ OPENSSL_free(adjusted_propq);
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps openssl-3.0.1/apps/pkcs12.c
|
|
||||||
--- openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps 2022-02-21 16:37:07.908923682 +0100
|
|
||||||
+++ openssl-3.0.1/apps/pkcs12.c 2022-02-21 17:38:44.555345633 +0100
|
|
||||||
@@ -765,15 +765,34 @@ int pkcs12_main(int argc, char **argv)
|
|
||||||
}
|
|
||||||
if (macver) {
|
|
||||||
EVP_KDF *pkcs12kdf;
|
|
||||||
+ char *adjusted_propq = NULL;
|
|
||||||
+ const char *nofips = "-fips";
|
|
||||||
+ size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 :
|
|
||||||
+ strlen(nofips) + 1;
|
|
||||||
+ char *ptr = NULL;
|
|
||||||
+
|
|
||||||
+ adjusted_propq = OPENSSL_zalloc(len);
|
|
||||||
+ if (adjusted_propq != NULL) {
|
|
||||||
+ ptr = adjusted_propq;
|
|
||||||
+ if (app_get0_propq()) {
|
|
||||||
+ memcpy(ptr, app_get0_propq(), strlen(app_get0_propq()));
|
|
||||||
+ ptr += strlen(app_get0_propq());
|
|
||||||
+ *ptr = ',';
|
|
||||||
+ ptr++;
|
|
||||||
+ }
|
|
||||||
+ memcpy(ptr, nofips, strlen(nofips));
|
|
||||||
+ }
|
|
||||||
|
|
||||||
pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
|
|
||||||
- app_get0_propq());
|
|
||||||
+ adjusted_propq ? adjusted_propq : app_get0_propq());
|
|
||||||
if (pkcs12kdf == NULL) {
|
|
||||||
BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
|
|
||||||
BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
|
|
||||||
+ OPENSSL_free(adjusted_propq);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
EVP_KDF_free(pkcs12kdf);
|
|
||||||
+ OPENSSL_free(adjusted_propq);
|
|
||||||
/* If we enter empty password try no password first */
|
|
||||||
if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
|
|
||||||
/* If mac and crypto pass the same set it to NULL too */
|
|
@ -1,205 +0,0 @@
|
|||||||
From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Tue, 1 Mar 2022 15:44:18 +0100
|
|
||||||
Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
|
|
||||||
|
|
||||||
References: rhbz#2055796
|
|
||||||
---
|
|
||||||
crypto/x509/x509_vfy.c | 19 ++++++++++-
|
|
||||||
doc/man5/config.pod | 7 +++-
|
|
||||||
ssl/t1_lib.c | 64 ++++++++++++++++++++++++++++-------
|
|
||||||
test/recipes/25-test_verify.t | 7 ++--
|
|
||||||
4 files changed, 79 insertions(+), 18 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
|
|
||||||
index ff3ca83de6..a549c1c111 100644
|
|
||||||
--- a/crypto/x509/x509_vfy.c
|
|
||||||
+++ b/crypto/x509/x509_vfy.c
|
|
||||||
@@ -25,6 +25,7 @@
|
|
||||||
#include <openssl/objects.h>
|
|
||||||
#include <openssl/core_names.h>
|
|
||||||
#include "internal/dane.h"
|
|
||||||
+#include "internal/sslconf.h"
|
|
||||||
#include "crypto/x509.h"
|
|
||||||
#include "x509_local.h"
|
|
||||||
|
|
||||||
@@ -3440,14 +3441,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
|
|
||||||
{
|
|
||||||
int secbits = -1;
|
|
||||||
int level = ctx->param->auth_level;
|
|
||||||
+ int nid;
|
|
||||||
+ OSSL_LIB_CTX *libctx = NULL;
|
|
||||||
|
|
||||||
if (level <= 0)
|
|
||||||
return 1;
|
|
||||||
if (level > NUM_AUTH_LEVELS)
|
|
||||||
level = NUM_AUTH_LEVELS;
|
|
||||||
|
|
||||||
- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
|
|
||||||
+ if (ctx->libctx)
|
|
||||||
+ libctx = ctx->libctx;
|
|
||||||
+ else if (cert->libctx)
|
|
||||||
+ libctx = cert->libctx;
|
|
||||||
+ else
|
|
||||||
+ libctx = OSSL_LIB_CTX_get0_global_default();
|
|
||||||
+
|
|
||||||
+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
+ if (nid == NID_sha1
|
|
||||||
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
|
|
||||||
+ && ctx->param->auth_level < 3)
|
|
||||||
+ /* When rh-allow-sha1-signatures = yes and security level <= 2,
|
|
||||||
+ * explicitly allow SHA1 for backwards compatibility. */
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
return secbits >= minbits_table[level - 1];
|
|
||||||
}
|
|
||||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
|
||||||
index aa1be5ca7f..aa69e2b844 100644
|
|
||||||
--- a/doc/man5/config.pod
|
|
||||||
+++ b/doc/man5/config.pod
|
|
||||||
@@ -305,7 +305,12 @@ When set to B<no>, any attempt to create or verify a signature with a SHA1
|
|
||||||
digest will fail. For compatibility with older versions of OpenSSL, set this
|
|
||||||
option to B<yes>. This setting also affects TLS, where signature algorithms
|
|
||||||
that use SHA1 as digest will no longer be supported if this option is set to
|
|
||||||
-B<no>.
|
|
||||||
+B<no>. Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
|
|
||||||
+algorithms that use SHA1 in security level 2, despite the definition of
|
|
||||||
+security level 2 of 112 bits of security, which SHA1 does not meet. Because
|
|
||||||
+TLS 1.1 or lower use MD5-SHA1 as pseudorandom function (PRF) to derive key
|
|
||||||
+material, disabling B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or
|
|
||||||
+newer.
|
|
||||||
|
|
||||||
=item B<fips_mode> (deprecated)
|
|
||||||
|
|
||||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
|
||||||
index 4b74ee1a34..5f089de107 100644
|
|
||||||
--- a/ssl/t1_lib.c
|
|
||||||
+++ b/ssl/t1_lib.c
|
|
||||||
@@ -20,6 +20,7 @@
|
|
||||||
#include <openssl/bn.h>
|
|
||||||
#include <openssl/provider.h>
|
|
||||||
#include <openssl/param_build.h>
|
|
||||||
+#include "crypto/x509.h"
|
|
||||||
#include "internal/sslconf.h"
|
|
||||||
#include "internal/nelem.h"
|
|
||||||
#include "internal/sizes.h"
|
|
||||||
@@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
|
|
||||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
- /*
|
|
||||||
- * Make sure security callback allows algorithm. For historical
|
|
||||||
- * reasons we have to pass the sigalg as a two byte char array.
|
|
||||||
- */
|
|
||||||
- sigalgstr[0] = (sig >> 8) & 0xff;
|
|
||||||
- sigalgstr[1] = sig & 0xff;
|
|
||||||
- secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
|
|
||||||
- if (secbits == 0 ||
|
|
||||||
- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
|
|
||||||
- md != NULL ? EVP_MD_get_type(md) : NID_undef,
|
|
||||||
- (void *)sigalgstr)) {
|
|
||||||
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
|
|
||||||
- return 0;
|
|
||||||
+
|
|
||||||
+ if (lu->hash == NID_sha1
|
|
||||||
+ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
|
|
||||||
+ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
|
|
||||||
+ /* when rh-allow-sha1-signatures = yes and security level <= 2,
|
|
||||||
+ * explicitly allow SHA1 for backwards compatibility */
|
|
||||||
+ } else {
|
|
||||||
+ /*
|
|
||||||
+ * Make sure security callback allows algorithm. For historical
|
|
||||||
+ * reasons we have to pass the sigalg as a two byte char array.
|
|
||||||
+ */
|
|
||||||
+ sigalgstr[0] = (sig >> 8) & 0xff;
|
|
||||||
+ sigalgstr[1] = sig & 0xff;
|
|
||||||
+ secbits = sigalg_security_bits(s->session_ctx, lu);
|
|
||||||
+ if (secbits == 0 ||
|
|
||||||
+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
|
|
||||||
+ md != NULL ? EVP_MD_get_type(md) : NID_undef,
|
|
||||||
+ (void *)sigalgstr)) {
|
|
||||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
/* Store the sigalg the peer uses */
|
|
||||||
s->s3.tmp.peer_sigalg = lu;
|
|
||||||
@@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (lu->hash == NID_sha1
|
|
||||||
+ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
|
|
||||||
+ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
|
|
||||||
+ /* when rh-allow-sha1-signatures = yes and security level <= 2,
|
|
||||||
+ * explicitly allow SHA1 for backwards compatibility */
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Finally see if security callback allows it */
|
|
||||||
secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
|
|
||||||
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
|
|
||||||
@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
|
||||||
{
|
|
||||||
/* Lookup signature algorithm digest */
|
|
||||||
int secbits, nid, pknid;
|
|
||||||
+ OSSL_LIB_CTX *libctx = NULL;
|
|
||||||
+
|
|
||||||
|
|
||||||
/* Don't check signature if self signed */
|
|
||||||
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
|
|
||||||
@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
|
||||||
/* If digest NID not defined use signature NID */
|
|
||||||
if (nid == NID_undef)
|
|
||||||
nid = pknid;
|
|
||||||
+
|
|
||||||
+ if (x && x->libctx)
|
|
||||||
+ libctx = x->libctx;
|
|
||||||
+ else if (ctx && ctx->libctx)
|
|
||||||
+ libctx = ctx->libctx;
|
|
||||||
+ else if (s && s->session_ctx && s->session_ctx->libctx)
|
|
||||||
+ libctx = s->session_ctx->libctx;
|
|
||||||
+ else
|
|
||||||
+ libctx = OSSL_LIB_CTX_get0_global_default();
|
|
||||||
+
|
|
||||||
+ if (nid == NID_sha1
|
|
||||||
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
|
|
||||||
+ && ((s != NULL && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3)
|
|
||||||
+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
|
|
||||||
+ ))
|
|
||||||
+ /* When rh-allow-sha1-signatures = yes and security level <= 2,
|
|
||||||
+ * explicitly allow SHA1 for backwards compatibility. */
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
if (s != NULL)
|
|
||||||
return ssl_security(s, op, secbits, nid, x);
|
|
||||||
else
|
|
||||||
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
|
|
||||||
index 700bbd849c..2de1d76b5e 100644
|
|
||||||
--- a/test/recipes/25-test_verify.t
|
|
||||||
+++ b/test/recipes/25-test_verify.t
|
|
||||||
@@ -29,7 +29,7 @@ sub verify {
|
|
||||||
run(app([@args]));
|
|
||||||
}
|
|
||||||
|
|
||||||
-plan tests => 193;
|
|
||||||
+plan tests => 192;
|
|
||||||
|
|
||||||
# Canonical success
|
|
||||||
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
|
||||||
@@ -387,8 +387,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
|
|
||||||
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
|
|
||||||
"CA with PSS signature using SHA256");
|
|
||||||
|
|
||||||
-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
|
|
||||||
- "Reject PSS signature using SHA1 and auth level 1");
|
|
||||||
+## rh-allow-sha1-signatures=yes allows this to pass despite -auth_level 1
|
|
||||||
+#ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
|
|
||||||
+# "Reject PSS signature using SHA1 and auth level 1");
|
|
||||||
|
|
||||||
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
|
|
||||||
"PSS signature using SHA256 and auth level 2");
|
|
||||||
--
|
|
||||||
2.35.1
|
|
@ -1,53 +0,0 @@
|
|||||||
diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num
|
|
||||||
--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
|
|
||||||
+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
|
|
||||||
@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex
|
|
||||||
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
|
|
||||||
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
|
|
||||||
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
|
|
||||||
+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
|
|
||||||
+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
|
|
||||||
ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
|
||||||
ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
|
||||||
diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
|
|
||||||
--- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100
|
|
||||||
+++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100
|
|
||||||
@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
-int OPENSSL_strcasecmp(const char *s1, const char *s2)
|
|
||||||
+int
|
|
||||||
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
|
||||||
+__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
|
|
||||||
+ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
|
|
||||||
+#endif
|
|
||||||
+OPENSSL_strcasecmp(const char *s1, const char *s2)
|
|
||||||
{
|
|
||||||
int t;
|
|
||||||
|
|
||||||
@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c
|
|
||||||
return t;
|
|
||||||
}
|
|
||||||
|
|
||||||
-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
|
|
||||||
+int
|
|
||||||
+#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
|
|
||||||
+__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
|
|
||||||
+ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
|
|
||||||
+#endif
|
|
||||||
+OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
|
|
||||||
{
|
|
||||||
int t;
|
|
||||||
size_t i;
|
|
||||||
diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t
|
|
||||||
--- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100
|
|
||||||
+++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100
|
|
||||||
@@ -77,6 +80,7 @@ foreach my $libname (@libnames) {
|
|
||||||
s| .*||;
|
|
||||||
# Drop OpenSSL dynamic version information if there is any
|
|
||||||
s|\@\@.+$||;
|
|
||||||
+ s|\@.+$||;
|
|
||||||
# Return the result
|
|
||||||
$_
|
|
||||||
}
|
|
@ -1,949 +0,0 @@
|
|||||||
From 012e319b3d5b936a9208b1c75c13d9c4a2d0cc04 Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Wed, 6 Mar 2024 19:17:15 +0100
|
|
||||||
Subject: [PATCH 24/49] 0058-FIPS-limit-rsa-encrypt.patch
|
|
||||||
|
|
||||||
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
|
|
||||||
Patch-id: 58
|
|
||||||
Patch-status: |
|
|
||||||
# # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
|
|
||||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
|
||||||
---
|
|
||||||
providers/common/securitycheck.c | 1 +
|
|
||||||
.../implementations/asymciphers/rsa_enc.c | 35 +++++
|
|
||||||
.../30-test_evp_data/evppkey_rsa_common.txt | 140 +++++++++++++-----
|
|
||||||
test/recipes/80-test_cms.t | 5 +-
|
|
||||||
test/recipes/80-test_ssl_old.t | 27 +++-
|
|
||||||
5 files changed, 168 insertions(+), 40 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
|
||||||
index fe694c4e96..f635b5aec8 100644
|
|
||||||
--- a/providers/common/securitycheck.c
|
|
||||||
+++ b/providers/common/securitycheck.c
|
|
||||||
@@ -27,6 +27,7 @@
|
|
||||||
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
|
|
||||||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
|
|
||||||
*/
|
|
||||||
+/* Red Hat build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */
|
|
||||||
int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
|
|
||||||
{
|
|
||||||
int protect = 0;
|
|
||||||
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
|
||||||
index 71bfa344d4..d548560f1f 100644
|
|
||||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
|
||||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
|
||||||
@@ -135,6 +135,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa,
|
|
||||||
return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT);
|
|
||||||
}
|
|
||||||
|
|
||||||
+# ifdef FIPS_MODULE
|
|
||||||
+static int fips_padding_allowed(const PROV_RSA_CTX *prsactx)
|
|
||||||
+{
|
|
||||||
+ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING
|
|
||||||
+ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
|
||||||
size_t outsize, const unsigned char *in, size_t inlen)
|
|
||||||
{
|
|
||||||
@@ -144,6 +155,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
|
||||||
if (!ossl_prov_is_running())
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
+# ifdef FIPS_MODULE
|
|
||||||
+ if (fips_padding_allowed(prsactx) == 0) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
if (out == NULL) {
|
|
||||||
size_t len = RSA_size(prsactx->rsa);
|
|
||||||
|
|
||||||
@@ -206,6 +229,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
|
||||||
if (!ossl_prov_is_running())
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
+# ifdef FIPS_MODULE
|
|
||||||
+ if (fips_padding_allowed(prsactx) == 0) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
|
|
||||||
if (out == NULL) {
|
|
||||||
*outlen = SSL_MAX_MASTER_KEY_LENGTH;
|
|
||||||
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
|
||||||
index 76ddc1ec60..62d55308b0 100644
|
|
||||||
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
|
||||||
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
|
||||||
@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377
|
|
||||||
Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
|
|
||||||
|
|
||||||
# RSA decrypt
|
|
||||||
-
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2048
|
|
||||||
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
|
|
||||||
Output = "Hello World"
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# Note: disable the Bleichenbacher workaround to see if it passes
|
|
||||||
Decrypt = RSA-2048
|
|
||||||
Ctrl = rsa_pkcs1_implicit_rejection:0
|
|
||||||
@@ -262,7 +262,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C70
|
|
||||||
Output = "Hello World"
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# Corrupted ciphertext
|
|
||||||
# Note: output is generated synthethically by the Bleichenbacher workaround
|
|
||||||
Decrypt = RSA-2048
|
|
||||||
@@ -270,7 +270,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C70
|
|
||||||
Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# Corrupted ciphertext
|
|
||||||
# Note: disable the Bleichenbacher workaround to see if it fails
|
|
||||||
Decrypt = RSA-2048
|
|
||||||
@@ -345,82 +345,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC
|
|
||||||
# RSA decrypt
|
|
||||||
|
|
||||||
# a random positive test case
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066
|
|
||||||
Output = "lorem ipsum dolor sit amet"
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# a random negative test case decrypting to empty
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7
|
|
||||||
Output =
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# invalid decrypting to max length message
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303
|
|
||||||
Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
# invalid decrypting to message with length specified by second to last value from PRF
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354
|
|
||||||
Output = 0f9b
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# invalid decrypting to message with length specified by third to last value from PRF
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081
|
|
||||||
Output = 4f02
|
|
||||||
|
|
||||||
# positive test with 11 byte long value
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# positive test with 11 byte long value and zero padded ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# positive test with 11 byte long value and zero truncated ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# positive test with 11 byte long value and double zero padded ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# positive test with 11 byte long value and double zero truncated ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# positive that generates a 0 byte long synthetic message internally
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# positive that generates a 245 byte long synthetic message internally
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# a random negative test that generates an 11 byte long message
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2
|
|
||||||
Output = af9ac70191c92413cb9f2d
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# an otherwise correct plaintext, but with wrong first byte
|
|
||||||
# (0x01 instead of 0x00), generates a random 11 byte long plaintext
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
@@ -428,7 +436,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc
|
|
||||||
Output = a1f8c9255c35cfba403ccc
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# an otherwise correct plaintext, but with wrong second byte
|
|
||||||
# (0x01 instead of 0x02), generates a random 11 byte long plaintext
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
@@ -436,7 +444,7 @@ Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d
|
|
||||||
Output = e6d700309ca0ed62452254
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# an invalid ciphertext, with a zero byte in first byte of
|
|
||||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
|
||||||
# plaintext
|
|
||||||
@@ -445,7 +453,7 @@ Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2a
|
|
||||||
Output = ba27b1842e7c21c0e7ef6a
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# an invalid ciphertext, with a zero byte removed from first byte of
|
|
||||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
|
||||||
# plaintext
|
|
||||||
@@ -454,7 +462,7 @@ Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3
|
|
||||||
Output = ba27b1842e7c21c0e7ef6a
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# an invalid ciphertext, with two zero bytes in first bytes of
|
|
||||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
|
||||||
# plaintext
|
|
||||||
@@ -463,7 +471,7 @@ Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f
|
|
||||||
Output = d5cf555b1d6151029a429a
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# an invalid ciphertext, with two zero bytes removed from first bytes of
|
|
||||||
# ciphertext, decrypts to a random 11 byte long synthetic
|
|
||||||
# plaintext
|
|
||||||
@@ -472,7 +480,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c
|
|
||||||
Output = d5cf555b1d6151029a429a
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# and invalid ciphertext, otherwise valid but starting with 000002, decrypts
|
|
||||||
# to random 11 byte long synthetic plaintext
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
@@ -480,7 +488,7 @@ Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802
|
|
||||||
Output = 3d4a054d9358209e9cbbb9
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# negative test with otherwise valid padding but a zero byte in first byte
|
|
||||||
# of padding
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
@@ -488,7 +496,7 @@ Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a94
|
|
||||||
Output = 1f037dd717b07d3e7f7359
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# negative test with otherwise valid padding but a zero byte at the eighth
|
|
||||||
# byte of padding
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
@@ -496,7 +504,7 @@ Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a9646
|
|
||||||
Output = 63cb0bf65fc8255dd29e17
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# negative test with an otherwise valid plaintext but with missing separator
|
|
||||||
# byte
|
|
||||||
Decrypt = RSA-2048-2
|
|
||||||
@@ -551,53 +559,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC
|
|
||||||
# RSA decrypt
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# malformed that generates length specified by 3rd last value from PRF
|
|
||||||
Decrypt = RSA-2049
|
|
||||||
Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894
|
|
||||||
Output = 42
|
|
||||||
|
|
||||||
# simple positive test case
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2049
|
|
||||||
Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# positive test case with null padded ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2049
|
|
||||||
Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# positive test case with null truncated ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2049
|
|
||||||
Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# positive test case with double null padded ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2049
|
|
||||||
Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# positive test case with double null truncated ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-2049
|
|
||||||
Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
|
|
||||||
Output = "lorem ipsum"
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# a random negative test case that generates an 11 byte long message
|
|
||||||
Decrypt = RSA-2049
|
|
||||||
Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca
|
|
||||||
Output = 1189b6f5498fd6df532b00
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00)
|
|
||||||
Decrypt = RSA-2049
|
|
||||||
Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff
|
|
||||||
Output = f6d0f5b78082fe61c04674
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02)
|
|
||||||
Decrypt = RSA-2049
|
|
||||||
Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3
|
|
||||||
@@ -661,14 +674,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE=
|
|
||||||
PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# a random invalid ciphertext that generates an empty synthetic one
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59
|
|
||||||
Output =
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# a random invalid that has PRF output with a length one byte too long
|
|
||||||
# in the last value
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
@@ -676,46 +689,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa
|
|
||||||
Output = 56a3bea054e01338be9b7d7957539c
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# a random invalid that generates a synthetic of maximum size
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6
|
|
||||||
Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04
|
|
||||||
|
|
||||||
# a positive test case that decrypts to 9 byte long value
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde
|
|
||||||
Output = "forty two"
|
|
||||||
|
|
||||||
# a positive test case with null padded ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
|
|
||||||
Output = "forty two"
|
|
||||||
|
|
||||||
# a positive test case with null truncated ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
|
|
||||||
Output = "forty two"
|
|
||||||
|
|
||||||
# a positive test case with double null padded ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
|
|
||||||
Output = "forty two"
|
|
||||||
|
|
||||||
# a positive test case with double null truncated ciphertext
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
|
|
||||||
Output = "forty two"
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# a random negative test case that generates a 9 byte long message
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56
|
|
||||||
Output = 257906ca6de8307728
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# a random negative test case that generates a 9 byte long message based on
|
|
||||||
# second to last value from PRF
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
@@ -723,7 +741,7 @@ Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a0
|
|
||||||
Output = 043383c929060374ed
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# a random negative test that generates message based on 3rd last value from
|
|
||||||
# PRF
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
@@ -731,35 +749,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf48
|
|
||||||
Output = 70263fa6050534b9e0
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00)
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62
|
|
||||||
Output = 6d8d3a094ff3afff4c
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02)
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936
|
|
||||||
Output = c6ae80ffa80bc184b0
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# an otherwise valid plaintext, but with zero byte in first byte of padding
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0
|
|
||||||
Output = a8a9301daa01bb25c7
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# an otherwise valid plaintext, but with zero byte in eight byte of padding
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571
|
|
||||||
Output = 6c716fe01d44398018
|
|
||||||
|
|
||||||
# The old FIPS provider doesn't include the workaround (#13817)
|
|
||||||
-FIPSversion = >=3.2.0
|
|
||||||
+Availablein = default
|
|
||||||
# an otherwise valid plaintext, but with null separator missing
|
|
||||||
Decrypt = RSA-3072
|
|
||||||
Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4
|
|
||||||
@@ -1106,36 +1124,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2
|
|
||||||
h90qjKHS9PvY4Q==
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-1
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a
|
|
||||||
Output=6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-1
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44
|
|
||||||
Output=750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-1
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb
|
|
||||||
Output=d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-1
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755
|
|
||||||
Output=52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-1
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439
|
|
||||||
Output=8da89fd9e5f974a29feffb462b49180f6cf9e802
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-1
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
@@ -1160,36 +1184,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8
|
|
||||||
eG2e4XlBcKjI6A==
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-2
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e
|
|
||||||
Output=8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-2
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245
|
|
||||||
Output=2d
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-2
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053
|
|
||||||
Output=74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-2
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641
|
|
||||||
Output=a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-2
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec
|
|
||||||
Output=2ef2b066f854c33f3bdcbb5994a435e73d6c6c
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-2
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
@@ -1214,36 +1244,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z
|
|
||||||
Ya4qnqZe1onjY5o=
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-3
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80
|
|
||||||
Output=087820b569e8fa8d
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-3
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5
|
|
||||||
Output=4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-3
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a
|
|
||||||
Output=d94cd0e08fa404ed89
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-3
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0
|
|
||||||
Output=6cc641b6b61e6f963974dad23a9013284ef1
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-3
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60
|
|
||||||
Output=df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-3
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
@@ -1268,36 +1304,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq
|
|
||||||
aD0x7TDrmEvkEro=
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-4
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8
|
|
||||||
Output=4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-4
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e
|
|
||||||
Output=b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-4
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065
|
|
||||||
Output=bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-4
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4
|
|
||||||
Output=fb2ef112f5e766eb94019297934794f7be2f6fc1c58e
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-4
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2
|
|
||||||
Output=28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-4
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
@@ -1322,36 +1364,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B
|
|
||||||
MSwGUGLx60i3nRyDyw==
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-5
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5
|
|
||||||
Output=af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-5
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad
|
|
||||||
Output=a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-5
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967
|
|
||||||
Output=308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-5
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf
|
|
||||||
Output=15c5b9ee1185
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-5
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723
|
|
||||||
Output=21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-5
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
@@ -1376,36 +1424,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC
|
|
||||||
Yejn5Ly8mU2q+jBcRQ==
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-6
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3
|
|
||||||
Output=4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-6
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f
|
|
||||||
Output=5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-6
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65
|
|
||||||
Output=b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-6
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8
|
|
||||||
Output=684e3038c5c041f7
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-6
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab
|
|
||||||
Output=32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-6
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
@@ -1430,36 +1484,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS
|
|
||||||
FMlxv0gq65dqc3DC
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-7
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1
|
|
||||||
Output=47aae909
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-7
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6
|
|
||||||
Output=1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-7
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b
|
|
||||||
Output=d976fc
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-7
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac
|
|
||||||
Output=d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-7
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478
|
|
||||||
Output=bb47231ca5ea1d3ad46c99345d9a8a61
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-7
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
@@ -1484,36 +1544,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM
|
|
||||||
2MiPa249Z+lh3Luj0A==
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-8
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61
|
|
||||||
Output=050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-8
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d
|
|
||||||
Output=4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-8
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f
|
|
||||||
Output=8604ac56328c1ab5ad917861
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-8
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0
|
|
||||||
Output=fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-8
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2
|
|
||||||
Output=4a5f4914bee25de3c69341de07
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-8
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
@@ -1544,36 +1610,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo
|
|
||||||
tKo5Eb69iFQvBb4=
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-9
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72
|
|
||||||
Output=f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-9
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8
|
|
||||||
Output=81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-9
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3
|
|
||||||
Output=fd326429df9b890e09b54b18b8f34f1e24
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-9
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858
|
|
||||||
Output=f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-9
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e
|
|
||||||
Output=53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Decrypt=RSA-OAEP-9
|
|
||||||
Ctrl = rsa_padding_mode:oaep
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
|
||||||
index 4e368c730b..879d5d76eb 100644
|
|
||||||
--- a/test/recipes/80-test_cms.t
|
|
||||||
+++ b/test/recipes/80-test_cms.t
|
|
||||||
@@ -235,7 +235,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
\&final_compare
|
|
||||||
],
|
|
||||||
|
|
||||||
- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
|
|
||||||
+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
|
|
||||||
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
|
||||||
"-aes256", "-stream", "-out", "{output}.cms",
|
|
||||||
$smrsa1,
|
|
||||||
@@ -1118,6 +1118,9 @@ sub check_availability {
|
|
||||||
return "$tnam: skipped, DSA disabled\n"
|
|
||||||
if ($no_dsa && $tnam =~ / DSA/);
|
|
||||||
|
|
||||||
+ return "$tnam: skipped, Red Hat FIPS\n"
|
|
||||||
+ if ($tnam =~ /no Red Hat FIPS/);
|
|
||||||
+
|
|
||||||
return "";
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
|
||||||
index e2dcb68fb5..0775112b40 100644
|
|
||||||
--- a/test/recipes/80-test_ssl_old.t
|
|
||||||
+++ b/test/recipes/80-test_ssl_old.t
|
|
||||||
@@ -493,6 +493,18 @@ sub testssl {
|
|
||||||
# the default choice if TLSv1.3 enabled
|
|
||||||
my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
|
|
||||||
my $ciphersuites = "";
|
|
||||||
+ my %redhat_skip_cipher = map {$_ => 1} qw(
|
|
||||||
+AES256-GCM-SHA384:@SECLEVEL=0
|
|
||||||
+AES256-CCM8:@SECLEVEL=0
|
|
||||||
+AES256-CCM:@SECLEVEL=0
|
|
||||||
+AES128-GCM-SHA256:@SECLEVEL=0
|
|
||||||
+AES128-CCM8:@SECLEVEL=0
|
|
||||||
+AES128-CCM:@SECLEVEL=0
|
|
||||||
+AES256-SHA256:@SECLEVEL=0
|
|
||||||
+AES128-SHA256:@SECLEVEL=0
|
|
||||||
+AES256-SHA:@SECLEVEL=0
|
|
||||||
+AES128-SHA:@SECLEVEL=0
|
|
||||||
+ );
|
|
||||||
foreach my $cipher (@{$ciphersuites{$protocol}}) {
|
|
||||||
if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
|
|
||||||
note "*****SKIPPING $protocol $cipher";
|
|
||||||
@@ -504,11 +516,16 @@ sub testssl {
|
|
||||||
} else {
|
|
||||||
$cipher = $cipher.':@SECLEVEL=0';
|
|
||||||
}
|
|
||||||
- ok(run(test([@ssltest, @exkeys, "-cipher",
|
|
||||||
- $cipher,
|
|
||||||
- "-ciphersuites", $ciphersuites,
|
|
||||||
- $flag || ()])),
|
|
||||||
- "Testing $cipher");
|
|
||||||
+ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) {
|
|
||||||
+ note "*****SKIPPING $cipher in Red Hat FIPS mode";
|
|
||||||
+ ok(1);
|
|
||||||
+ } else {
|
|
||||||
+ ok(run(test([@ssltest, @exkeys, "-cipher",
|
|
||||||
+ $cipher,
|
|
||||||
+ "-ciphersuites", $ciphersuites,
|
|
||||||
+ $flag || ()])),
|
|
||||||
+ "Testing $cipher");
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
next if $protocol eq "-tls1_3";
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,570 +0,0 @@
|
|||||||
From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Wed, 18 May 2022 17:25:59 +0200
|
|
||||||
Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider
|
|
||||||
|
|
||||||
For RHEL, we already disable SHA-1 signatures by default in the default
|
|
||||||
provider, so it is unexpected that the FIPS provider would have a more
|
|
||||||
lenient configuration in this regard. Additionally, we do not think
|
|
||||||
continuing to accept SHA-1 signatures is a good idea due to the
|
|
||||||
published chosen-prefix collision attacks.
|
|
||||||
|
|
||||||
As a consequence, disable verification of SHA-1 signatures in the FIPS
|
|
||||||
provider.
|
|
||||||
|
|
||||||
This requires adjusting a few tests that would otherwise fail:
|
|
||||||
- 30-test_acvp: Remove the test vectors that use SHA-1.
|
|
||||||
- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
|
|
||||||
evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
|
|
||||||
which will not run them when the FIPS provider is enabled.
|
|
||||||
- 80-test_cms: Re-create all certificates in test/smime-certificates
|
|
||||||
with SHA256 signatures while keeping the same private keys. These
|
|
||||||
certificates were signed with SHA-1 and thus fail verification in the
|
|
||||||
FIPS provider.
|
|
||||||
Fix some other tests by explicitly running them in the default
|
|
||||||
provider, where SHA-1 is available.
|
|
||||||
- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
|
|
||||||
the FIPS provider.
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
providers/implementations/signature/dsa_sig.c | 4 --
|
|
||||||
.../implementations/signature/ecdsa_sig.c | 4 --
|
|
||||||
providers/implementations/signature/rsa_sig.c | 8 +--
|
|
||||||
test/acvp_test.inc | 20 -------
|
|
||||||
.../30-test_evp_data/evppkey_ecdsa.txt | 7 +++
|
|
||||||
.../30-test_evp_data/evppkey_rsa_common.txt | 51 +++++++++++++++-
|
|
||||||
test/recipes/80-test_cms.t | 4 +-
|
|
||||||
test/recipes/80-test_ssl_old.t | 4 ++
|
|
||||||
test/smime-certs/smdh.pem | 18 +++---
|
|
||||||
test/smime-certs/smdsa1.pem | 60 +++++++++----------
|
|
||||||
test/smime-certs/smdsa2.pem | 60 +++++++++----------
|
|
||||||
test/smime-certs/smdsa3.pem | 60 +++++++++----------
|
|
||||||
test/smime-certs/smec1.pem | 30 +++++-----
|
|
||||||
test/smime-certs/smec2.pem | 30 +++++-----
|
|
||||||
test/smime-certs/smec3.pem | 30 +++++-----
|
|
||||||
test/smime-certs/smroot.pem | 38 ++++++------
|
|
||||||
test/smime-certs/smrsa1.pem | 38 ++++++------
|
|
||||||
test/smime-certs/smrsa2.pem | 38 ++++++------
|
|
||||||
test/smime-certs/smrsa3.pem | 38 ++++++------
|
|
||||||
19 files changed, 286 insertions(+), 256 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
|
|
||||||
index fa3822f39f..c365d7b13a 100644
|
|
||||||
--- a/providers/implementations/signature/dsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/dsa_sig.c
|
|
||||||
@@ -128,11 +128,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
|
||||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
|
||||||
int md_nid;
|
|
||||||
size_t mdname_len = strlen(mdname);
|
|
||||||
-#ifdef FIPS_MODULE
|
|
||||||
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
|
||||||
-#else
|
|
||||||
int sha1_allowed = 0;
|
|
||||||
-#endif
|
|
||||||
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
|
||||||
sha1_allowed);
|
|
||||||
|
|
||||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
|
||||||
index 99b228e82c..44a22832ec 100644
|
|
||||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
|
||||||
@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
|
||||||
"%s could not be fetched", mdname);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
-#ifdef FIPS_MODULE
|
|
||||||
- sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
|
||||||
-#else
|
|
||||||
sha1_allowed = 0;
|
|
||||||
-#endif
|
|
||||||
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
|
||||||
sha1_allowed);
|
|
||||||
if (md_nid < 0) {
|
|
||||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
|
||||||
index f66d7705c3..34f45175e8 100644
|
|
||||||
--- a/providers/implementations/signature/rsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/rsa_sig.c
|
|
||||||
@@ -292,11 +292,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
|
||||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
|
||||||
int md_nid;
|
|
||||||
size_t mdname_len = strlen(mdname);
|
|
||||||
-#ifdef FIPS_MODULE
|
|
||||||
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
|
||||||
-#else
|
|
||||||
int sha1_allowed = 0;
|
|
||||||
-#endif
|
|
||||||
md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
|
||||||
sha1_allowed);
|
|
||||||
|
|
||||||
@@ -1355,8 +1351,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
|
||||||
|
|
||||||
if (prsactx->md == NULL && pmdname == NULL
|
|
||||||
&& pad_mode == RSA_PKCS1_PSS_PADDING) {
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
|
|
||||||
+#else
|
|
||||||
pmdname = RSA_DEFAULT_DIGEST_NAME;
|
|
||||||
-#ifndef FIPS_MODULE
|
|
||||||
if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
|
|
||||||
pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
|
|
||||||
}
|
|
||||||
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
|
|
||||||
index ad11d3ae1e..73b24bdb0c 100644
|
|
||||||
--- a/test/acvp_test.inc
|
|
||||||
+++ b/test/acvp_test.inc
|
|
||||||
@@ -1841,17 +1841,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
|
|
||||||
NO_PSS_SALT_LEN,
|
|
||||||
FAIL
|
|
||||||
},
|
|
||||||
- {
|
|
||||||
- "x931",
|
|
||||||
- 3072,
|
|
||||||
- "SHA1",
|
|
||||||
- ITM(rsa_sigverx931_0_msg),
|
|
||||||
- ITM(rsa_sigverx931_0_n),
|
|
||||||
- ITM(rsa_sigverx931_0_e),
|
|
||||||
- ITM(rsa_sigverx931_0_sig),
|
|
||||||
- NO_PSS_SALT_LEN,
|
|
||||||
- PASS
|
|
||||||
- },
|
|
||||||
{
|
|
||||||
"x931",
|
|
||||||
3072,
|
|
||||||
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
|
||||||
index f36982845d..51e507a61c 100644
|
|
||||||
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
|
||||||
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
|
||||||
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
|
|
||||||
|
|
||||||
Title = ECDSA tests
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify = P-256
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
|
|
||||||
|
|
||||||
# Digest too long
|
|
||||||
+Availablein = default
|
|
||||||
Verify = P-256
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF12345"
|
|
||||||
@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
# Digest too short
|
|
||||||
+Availablein = default
|
|
||||||
Verify = P-256
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF123"
|
|
||||||
@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
# Digest invalid
|
|
||||||
+Availablein = default
|
|
||||||
Verify = P-256
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF1235"
|
|
||||||
@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
# Invalid signature
|
|
||||||
+Availablein = default
|
|
||||||
Verify = P-256
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
# BER signature
|
|
||||||
+Availablein = default
|
|
||||||
Verify = P-256
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify = P-256-PUBLIC
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
|
||||||
index b8d8bb2993..8dd566067b 100644
|
|
||||||
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
|
||||||
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
|
||||||
@@ -96,6 +96,7 @@ NDL6WCBbets=
|
|
||||||
|
|
||||||
Title = RSA tests
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-2048
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224
|
|
||||||
Input = "0123456789ABCDEF123456789ABC"
|
|
||||||
Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
VerifyRecover = RSA-2048
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
|
|
||||||
Output = "0123456789ABCDEF1234"
|
|
||||||
|
|
||||||
# Leading zero in the signature
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-2048
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
VerifyRecover = RSA-2048
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
|
|
||||||
Result = KEYOP_ERROR
|
|
||||||
|
|
||||||
# Mismatched digest
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-2048
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF1233"
|
|
||||||
@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
# Corrupted signature
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-2048
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF1233"
|
|
||||||
@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
# parameter is not NULLt
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-2048
|
|
||||||
Ctrl = digest:sha1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e7
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
# embedded digest too long
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-2048
|
|
||||||
Ctrl = digest:sha1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
VerifyRecover = RSA-2048
|
|
||||||
Ctrl = digest:sha1
|
|
||||||
Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
|
||||||
Result = KEYOP_ERROR
|
|
||||||
|
|
||||||
# embedded digest too short
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-2048
|
|
||||||
Ctrl = digest:sha1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
VerifyRecover = RSA-2048
|
|
||||||
Ctrl = digest:sha1
|
|
||||||
Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
|
||||||
Result = KEYOP_ERROR
|
|
||||||
|
|
||||||
# Garbage after DigestInfo
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-2048
|
|
||||||
Ctrl = digest:sha1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
VerifyRecover = RSA-2048
|
|
||||||
Ctrl = digest:sha1
|
|
||||||
Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
|
|
||||||
Result = KEYOP_ERROR
|
|
||||||
|
|
||||||
# invalid tag for parameter
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-2048
|
|
||||||
Ctrl = digest:sha1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
@@ -195,6 +209,7 @@ Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
# Verify using public key
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-2048-PUBLIC
|
|
||||||
Ctrl = digest:SHA1
|
|
||||||
Input = "0123456789ABCDEF1234"
|
|
||||||
@@ -370,6 +385,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
|
|
||||||
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
|
|
||||||
|
|
||||||
# Verify using salt length auto detect
|
|
||||||
+# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-2048-PUBLIC
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_pss_saltlen:auto
|
|
||||||
@@ -404,6 +421,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
|
|
||||||
Result = VERIFY_ERROR
|
|
||||||
|
|
||||||
# Verify using default parameters, explicitly setting parameters
|
|
||||||
+# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which
|
|
||||||
+# RHEL-9 does not support in FIPS mode; all these tests are thus marked
|
|
||||||
+# Availablein = default.
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-PSS-DEFAULT
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_pss_saltlen:20
|
|
||||||
@@ -412,6 +433,7 @@ Input="0123456789ABCDEF0123"
|
|
||||||
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
|
|
||||||
|
|
||||||
# Verify explicitly setting parameters "digest" salt length
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-PSS-DEFAULT
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_pss_saltlen:digest
|
|
||||||
@@ -420,18 +442,21 @@ Input="0123456789ABCDEF0123"
|
|
||||||
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
|
|
||||||
|
|
||||||
# Verify using salt length larger than minimum
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-PSS-DEFAULT
|
|
||||||
Ctrl = rsa_pss_saltlen:30
|
|
||||||
Input="0123456789ABCDEF0123"
|
|
||||||
Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
|
|
||||||
|
|
||||||
# Verify using maximum salt length
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-PSS-DEFAULT
|
|
||||||
Ctrl = rsa_pss_saltlen:max
|
|
||||||
Input="0123456789ABCDEF0123"
|
|
||||||
Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6
|
|
||||||
|
|
||||||
# Attempt to change salt length below minimum
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-PSS-DEFAULT
|
|
||||||
Ctrl = rsa_pss_saltlen:0
|
|
||||||
Result = PKEY_CTRL_ERROR
|
|
||||||
@@ -439,21 +464,25 @@ Result = PKEY_CTRL_ERROR
|
|
||||||
# Attempt to change padding mode
|
|
||||||
# Note this used to return PKEY_CTRL_INVALID
|
|
||||||
# but it is limited because setparams only returns 0 or 1.
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-PSS-DEFAULT
|
|
||||||
Ctrl = rsa_padding_mode:pkcs1
|
|
||||||
Result = PKEY_CTRL_ERROR
|
|
||||||
|
|
||||||
# Attempt to change digest
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-PSS-DEFAULT
|
|
||||||
Ctrl = digest:sha256
|
|
||||||
Result = PKEY_CTRL_ERROR
|
|
||||||
|
|
||||||
# Invalid key: rejected when we try to init
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-PSS-BAD
|
|
||||||
Result = KEYOP_INIT_ERROR
|
|
||||||
Reason = invalid salt length
|
|
||||||
|
|
||||||
# Invalid key: rejected when we try to init
|
|
||||||
+Availablein = default
|
|
||||||
Verify = RSA-PSS-BAD2
|
|
||||||
Result = KEYOP_INIT_ERROR
|
|
||||||
Reason = invalid salt length
|
|
||||||
@@ -472,36 +501,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh
|
|
||||||
4fINDOjP+yJJvZohNwIDAQAB
|
|
||||||
-----END PUBLIC KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-1
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e
|
|
||||||
Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-1
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd
|
|
||||||
Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-1
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0652ec67bcee30f9d2699122b91c19abdba89f91
|
|
||||||
Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-1
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=39c21c4cceda9c1adf839c744e1212a6437575ec
|
|
||||||
Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-1
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=36dae913b77bd17cae6e7b09453d24544cebb33c
|
|
||||||
Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-1
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
@@ -517,36 +552,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh
|
|
||||||
0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
|
|
||||||
-----END PUBLIC KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-9
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0
|
|
||||||
Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-9
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=2dac956d53964748ac364d06595827c6b4f143cd
|
|
||||||
Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-9
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298
|
|
||||||
Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-9
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e
|
|
||||||
Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-9
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a
|
|
||||||
Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-9
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
@@ -564,36 +605,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu
|
|
||||||
BQIDAQAB
|
|
||||||
-----END PUBLIC KEY-----
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-10
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4
|
|
||||||
Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-10
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=b503319399277fd6c1c8f1033cbf04199ea21716
|
|
||||||
Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-10
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=50aaede8536b2c307208b275a67ae2df196c7628
|
|
||||||
Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-10
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294
|
|
||||||
Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-10
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
Input=fad3902c9750622a2bc672622c48270cc57d3ea8
|
|
||||||
Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc
|
|
||||||
|
|
||||||
+Availablein = default
|
|
||||||
Verify=RSA-PSS-10
|
|
||||||
Ctrl = rsa_padding_mode:pss
|
|
||||||
Ctrl = rsa_mgf1_md:sha1
|
|
||||||
@@ -1329,11 +1376,13 @@ Title = RSA FIPS tests
|
|
||||||
|
|
||||||
# FIPS tests
|
|
||||||
|
|
||||||
-# Verifying with SHA1 is permitted in fips mode for older applications
|
|
||||||
+# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode
|
|
||||||
+Availablein = fips
|
|
||||||
DigestVerify = SHA1
|
|
||||||
Key = RSA-2048
|
|
||||||
Input = "Hello "
|
|
||||||
Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859
|
|
||||||
+Result = DIGESTVERIFYINIT_ERROR
|
|
||||||
|
|
||||||
# Verifying with a 1024 bit key is permitted in fips mode for older applications
|
|
||||||
DigestVerify = SHA256
|
|
||||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
|
||||||
index 48a92f735d..34afe91b88 100644
|
|
||||||
--- a/test/recipes/80-test_cms.t
|
|
||||||
+++ b/test/recipes/80-test_cms.t
|
|
||||||
@@ -162,7 +162,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
|
|
||||||
"-certfile", $smroot,
|
|
||||||
"-signer", $smrsa1, "-out", "{output}.cms" ],
|
|
||||||
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
|
|
||||||
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
|
|
||||||
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
|
||||||
\&final_compare
|
|
||||||
],
|
|
||||||
@@ -170,7 +170,7 @@ my @smime_pkcs7_tests = (
|
|
||||||
[ "signed zero-length content S/MIME format, RSA key SHA1",
|
|
||||||
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
|
|
||||||
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
|
|
||||||
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
|
|
||||||
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
|
|
||||||
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
|
||||||
\&zero_compare
|
|
||||||
],
|
|
||||||
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
|
||||||
index 8c52b637fc..ff75c5b6ec 100644
|
|
||||||
--- a/test/recipes/80-test_ssl_old.t
|
|
||||||
+++ b/test/recipes/80-test_ssl_old.t
|
|
||||||
@@ -394,6 +394,9 @@ sub testssl {
|
|
||||||
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
|
|
||||||
}
|
|
||||||
|
|
||||||
+ SKIP: {
|
|
||||||
+ skip "SSLv3 is not supported by the FIPS provider", 4
|
|
||||||
+ if $provider eq "fips";
|
|
||||||
ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
|
|
||||||
'test sslv2/sslv3 with server authentication');
|
|
||||||
ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
|
|
||||||
@@ -402,6 +405,7 @@ sub testssl {
|
|
||||||
'test sslv2/sslv3 with both client and server authentication via BIO pair');
|
|
||||||
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
|
|
||||||
'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
|
|
||||||
+ }
|
|
||||||
|
|
||||||
SKIP: {
|
|
||||||
skip "No IPv4 available on this machine", 4
|
|
@ -1,466 +0,0 @@
|
|||||||
From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Tue, 7 Jun 2022 12:02:49 +0200
|
|
||||||
Subject: [PATCH] fips: Expose a FIPS indicator
|
|
||||||
|
|
||||||
FIPS 140-3 requires us to indicate whether an operation was using
|
|
||||||
approved services or not. The FIPS 140-3 implementation guidelines
|
|
||||||
provide two basic approaches to doing this: implicit indicators, and
|
|
||||||
explicit indicators.
|
|
||||||
|
|
||||||
Implicit indicators are basically the concept of "if the operation
|
|
||||||
passes, it was approved". We were originally aiming for implicit
|
|
||||||
indicators in our copy of OpenSSL. However, this proved to be a problem,
|
|
||||||
because we wanted to certify a signature service, and FIPS 140-3
|
|
||||||
requires that a signature service computes the digest to be signed
|
|
||||||
within the boundaries of the FIPS module. Since we were planning to
|
|
||||||
certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
|
|
||||||
would have to be blocked. Unfortunately, EVP_SignFinal uses
|
|
||||||
EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
|
|
||||||
FIPS module boundary. This means that using implicit indicators in
|
|
||||||
combination with certifying only fips.so would require us to block both
|
|
||||||
EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
|
|
||||||
by most users of OpenSSL for signatures.
|
|
||||||
|
|
||||||
EVP_DigestSign would be acceptable, but has only been added in 3.0 and
|
|
||||||
is thus not yet widely used.
|
|
||||||
|
|
||||||
As a consequence, we've decided to introduce explicit indicators so that
|
|
||||||
EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
|
|
||||||
FIPS-aware applications can query the explicit indicator to check
|
|
||||||
whether the operation was approved.
|
|
||||||
|
|
||||||
To avoid affecting the ABI and public API too much, this is implemented
|
|
||||||
as an exported symbol in fips.so and a private header, so applications
|
|
||||||
that wish to use this will have to dlopen(3) fips.so, locate the
|
|
||||||
function using dlsym(3), and then call it. These applications will have
|
|
||||||
to build against the private header in order to use the returned
|
|
||||||
pointer.
|
|
||||||
|
|
||||||
Modify util/mkdef.pl to support exposing a symbol only for a specific
|
|
||||||
provider identified by its name and path.
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
doc/build.info | 6 ++
|
|
||||||
doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++
|
|
||||||
providers/fips/fipsprov.c | 71 +++++++++++++
|
|
||||||
providers/fips/indicator.h | 66 ++++++++++++
|
|
||||||
util/mkdef.pl | 25 ++++-
|
|
||||||
util/providers.num | 1 +
|
|
||||||
6 files changed, 322 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100644 doc/man7/fips_module_indicators.pod
|
|
||||||
create mode 100644 providers/fips/indicator.h
|
|
||||||
|
|
||||||
diff --git a/doc/build.info b/doc/build.info
|
|
||||||
index b0aa4297a4..af235113bb 100644
|
|
||||||
--- a/doc/build.info
|
|
||||||
+++ b/doc/build.info
|
|
||||||
@@ -4389,6 +4389,10 @@ DEPEND[html/man7/fips_module.html]=man7/fips_module.pod
|
|
||||||
GENERATE[html/man7/fips_module.html]=man7/fips_module.pod
|
|
||||||
DEPEND[man/man7/fips_module.7]=man7/fips_module.pod
|
|
||||||
GENERATE[man/man7/fips_module.7]=man7/fips_module.pod
|
|
||||||
+DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
|
|
||||||
+GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
|
|
||||||
+DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
|
|
||||||
+GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
|
|
||||||
DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
|
|
||||||
GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
|
|
||||||
DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod
|
|
||||||
@@ -4631,6 +4635,7 @@ html/man7/ct.html \
|
|
||||||
html/man7/des_modes.html \
|
|
||||||
html/man7/evp.html \
|
|
||||||
html/man7/fips_module.html \
|
|
||||||
+html/man7/fips_module_indicators.html \
|
|
||||||
html/man7/life_cycle-cipher.html \
|
|
||||||
html/man7/life_cycle-digest.html \
|
|
||||||
html/man7/life_cycle-kdf.html \
|
|
||||||
@@ -4754,6 +4759,7 @@ man/man7/ct.7 \
|
|
||||||
man/man7/des_modes.7 \
|
|
||||||
man/man7/evp.7 \
|
|
||||||
man/man7/fips_module.7 \
|
|
||||||
+man/man7/fips_module_indicators.7 \
|
|
||||||
man/man7/life_cycle-cipher.7 \
|
|
||||||
man/man7/life_cycle-digest.7 \
|
|
||||||
man/man7/life_cycle-kdf.7 \
|
|
||||||
diff --git a/doc/man7/fips_module_indicators.pod b/doc/man7/fips_module_indicators.pod
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..23db2b395c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/doc/man7/fips_module_indicators.pod
|
|
||||||
@@ -0,0 +1,154 @@
|
|
||||||
+=pod
|
|
||||||
+
|
|
||||||
+=head1 NAME
|
|
||||||
+
|
|
||||||
+fips_module_indicators - Red Hat OpenSSL FIPS module indicators guide
|
|
||||||
+
|
|
||||||
+=head1 DESCRIPTION
|
|
||||||
+
|
|
||||||
+This guide documents how the Red Hat Enterprise Linux 9 OpenSSL FIPS provider
|
|
||||||
+implements Approved Security Service Indicators according to the FIPS 140-3
|
|
||||||
+Implementation Guidelines, section 2.4.C. See
|
|
||||||
+L<https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>
|
|
||||||
+for the FIPS 140-3 Implementation Guidelines.
|
|
||||||
+
|
|
||||||
+For all approved services except signatures, the Red Hat OpenSSL FIPS provider
|
|
||||||
+uses the return code as the indicator as understood by FIPS 140-3. That means
|
|
||||||
+that every operation that succeeds denotes use of an approved security service.
|
|
||||||
+Operations that do not succeed may not have been approved security services, or
|
|
||||||
+may have been used incorrectly.
|
|
||||||
+
|
|
||||||
+For signatures, an explicit indicator API is available to determine whether
|
|
||||||
+a selected operation is an approved security service, in combination with the
|
|
||||||
+return code of the operation. For a signature operation to be approved, the
|
|
||||||
+explicit indicator must claim it as approved, and it must succeed.
|
|
||||||
+
|
|
||||||
+=head2 Querying the explicit indicator
|
|
||||||
+
|
|
||||||
+The Red Hat OpenSSL FIPS provider exports a symbol named
|
|
||||||
+I<redhat_ossl_query_fipsindicator> that provides information on which signature
|
|
||||||
+operations are approved security functions. To use this function, either link
|
|
||||||
+against I<fips.so> directly, or load it at runtime using dlopen(3) and
|
|
||||||
+dlsym(3).
|
|
||||||
+
|
|
||||||
+ #include <openssl/core_dispatch.h>
|
|
||||||
+ #include "providers/fips/indicator.h"
|
|
||||||
+
|
|
||||||
+ void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY);
|
|
||||||
+ if (provider == NULL) {
|
|
||||||
+ fprintf(stderr, "%s\n", dlerror());
|
|
||||||
+ // handle error
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ const OSSL_RH_FIPSINDICATOR_ALORITHM *(*redhat_ossl_query_fipsindicator)(int) \
|
|
||||||
+ = dlsym(provider, "redhat_ossl_query_fipsindicator");
|
|
||||||
+ if (redhat_ossl_query_fipsindicator == NULL) {
|
|
||||||
+ fprintf(stderr, "%s\n", dlerror());
|
|
||||||
+ fprintf(stderr, "Does your copy of fips.so have the required Red Hat"
|
|
||||||
+ " patches?\n");
|
|
||||||
+ // handle error
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+Note that this uses the I<providers/fips/indicator.h> header, which is not
|
|
||||||
+public. Install the I<openssl-debugsource> package from the I<BaseOS-debuginfo>
|
|
||||||
+repository using I<dnf debuginfo-install openssl> and include
|
|
||||||
+I</usr/src/debug/openssl-3.*/> in the compiler's include path.
|
|
||||||
+
|
|
||||||
+I<redhat_ossl_query_fipsindicator> expects an operation ID as its only
|
|
||||||
+argument. Currently, the only supported operation ID is I<OSSL_OP_SIGNATURE> to
|
|
||||||
+obtain the indicators for signature operations. On success, the return value is
|
|
||||||
+a pointer to an array of I<OSSL_RH_FIPSINDICATOR_STRUCT>s. On failure, NULL is
|
|
||||||
+returned. The last entry in the array is indicated by I<algorithm_names> being
|
|
||||||
+NULL.
|
|
||||||
+
|
|
||||||
+ typedef struct ossl_rh_fipsindicator_algorithm_st {
|
|
||||||
+ const char *algorithm_names; /* key */
|
|
||||||
+ const char *property_definition; /* key */
|
|
||||||
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
|
|
||||||
+ } OSSL_RH_FIPSINDICATOR_ALGORITHM;
|
|
||||||
+
|
|
||||||
+ typedef struct ossl_rh_fipsindicator_dispatch_st {
|
|
||||||
+ int function_id;
|
|
||||||
+ int approved;
|
|
||||||
+ } OSSL_RH_FIPSINDICATOR_DISPATCH;
|
|
||||||
+
|
|
||||||
+The I<algorithm_names> field is a colon-separated list of algorithm names from
|
|
||||||
+one of the I<PROV_NAMES_...> constants, e.g., I<PROV_NAMES_RSA>. strtok(3) can
|
|
||||||
+be used to locate the appropriate entry. See the example below, where
|
|
||||||
+I<algorithm> contains the algorithm name to search for:
|
|
||||||
+
|
|
||||||
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL;
|
|
||||||
+ const OSSL_RH_FIPSINDICATOR_ALGORITHM *indicator =
|
|
||||||
+ redhat_ossl_query_fipsindicator(operation_id);
|
|
||||||
+ if (indicator == NULL) {
|
|
||||||
+ fprintf(stderr, "No indicator for operation, probably using implicit"
|
|
||||||
+ " indicators.\n");
|
|
||||||
+ // handle error
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (; indicator->algorithm_names != NULL; ++indicator) {
|
|
||||||
+ char *algorithm_names = strdup(indicator->algorithm_names);
|
|
||||||
+ if (algorithm_names == NULL) {
|
|
||||||
+ perror("strdup(3)");
|
|
||||||
+ // handle error
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ const char *algorithm_name = strtok(algorithm_names, ":");
|
|
||||||
+ for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) {
|
|
||||||
+ if (strcasecmp(algorithm_name, algorithm) == 0) {
|
|
||||||
+ indicator_dispatch = indicator->indicators;
|
|
||||||
+ free(algorithm_names);
|
|
||||||
+ algorithm_names = NULL;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ free(algorithm_names);
|
|
||||||
+ }
|
|
||||||
+ if (indicator_dispatch == NULL) {
|
|
||||||
+ fprintf(stderr, "No indicator for algorithm %s.\n", algorithm);
|
|
||||||
+ // handle error
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+If an appropriate I<OSSL_RH_FIPSINDICATOR_DISPATCH> array is available for the
|
|
||||||
+given algorithm name, it maps function IDs to their approval status. The last
|
|
||||||
+entry is indicated by a zero I<function_id>. I<approved> is
|
|
||||||
+I<OSSL_RH_FIPSINDICATOR_APPROVED> if the operation is an approved security
|
|
||||||
+service, or part of an approved security service, or
|
|
||||||
+I<OSSL_RH_FIPSINDICATOR_UNAPPROVED> otherwise. Any other value is invalid.
|
|
||||||
+Function IDs are I<OSSL_FUNC_*> constants from I<openssl/core_dispatch.h>,
|
|
||||||
+e.g., I<OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE> or I<OSSL_FUNC_SIGNATURE_SIGN>.
|
|
||||||
+
|
|
||||||
+Assuming I<function_id> is the function in question, the following code can be
|
|
||||||
+used to query the approval status:
|
|
||||||
+
|
|
||||||
+ for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) {
|
|
||||||
+ if (indicator_dispatch->function_id == function_id) {
|
|
||||||
+ switch (indicator_dispatch->approved) {
|
|
||||||
+ case OSSL_RH_FIPSINDICATOR_APPROVED:
|
|
||||||
+ // approved security service
|
|
||||||
+ break;
|
|
||||||
+ case OSSL_RH_FIPSINDICATOR_UNAPPROVED:
|
|
||||||
+ // unapproved security service
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ // invalid result
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+=head1 SEE ALSO
|
|
||||||
+
|
|
||||||
+L<fips_module(7)>, L<provider(7)>
|
|
||||||
+
|
|
||||||
+=head1 COPYRIGHT
|
|
||||||
+
|
|
||||||
+Copyright 2022 Red Hat, Inc. All Rights Reserved.
|
|
||||||
+
|
|
||||||
+Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+this file except in compliance with the License. You can obtain a copy
|
|
||||||
+in the file LICENSE in the source distribution or at
|
|
||||||
+L<https://www.openssl.org/source/license.html>.
|
|
||||||
+
|
|
||||||
+=cut
|
|
||||||
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
|
||||||
index de391ce067..1cfd71c5cf 100644
|
|
||||||
--- a/providers/fips/fipsprov.c
|
|
||||||
+++ b/providers/fips/fipsprov.c
|
|
||||||
@@ -23,6 +23,7 @@
|
|
||||||
#include "self_test.h"
|
|
||||||
#include "crypto/context.h"
|
|
||||||
#include "internal/core.h"
|
|
||||||
+#include "indicator.h"
|
|
||||||
|
|
||||||
static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
|
|
||||||
static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
|
|
||||||
@@ -425,6 +426,68 @@ static const OSSL_ALGORITHM fips_signature[] = {
|
|
||||||
{ NULL, NULL, NULL }
|
|
||||||
};
|
|
||||||
|
|
||||||
+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_rsa_signature_indicators[] = {
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_ecdsa_signature_indicators[] = {
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
|
||||||
+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const OSSL_RH_FIPSINDICATOR_ALGORITHM redhat_indicator_fips_signature[] = {
|
|
||||||
+ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES,
|
|
||||||
+ redhat_rsa_signature_indicators },
|
|
||||||
+#ifndef OPENSSL_NO_EC
|
|
||||||
+ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES,
|
|
||||||
+ redhat_ecdsa_signature_indicators },
|
|
||||||
+#endif
|
|
||||||
+ { NULL, NULL, NULL }
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
static const OSSL_ALGORITHM fips_asym_cipher[] = {
|
|
||||||
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
|
|
||||||
{ NULL, NULL, NULL }
|
|
||||||
@@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) {
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id) {
|
|
||||||
+ switch (operation_id) {
|
|
||||||
+ case OSSL_OP_SIGNATURE:
|
|
||||||
+ return redhat_indicator_fips_signature;
|
|
||||||
+ }
|
|
||||||
+ return NULL;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void fips_teardown(void *provctx)
|
|
||||||
{
|
|
||||||
OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
|
|
||||||
diff --git a/providers/fips/indicator.h b/providers/fips/indicator.h
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..b323efe44c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/providers/fips/indicator.h
|
|
||||||
@@ -0,0 +1,66 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+ *
|
|
||||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+ * this file except in compliance with the License. You can obtain a copy
|
|
||||||
+ * in the file LICENSE in the source distribution or at
|
|
||||||
+ * https://www.openssl.org/source/license.html
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_FIPS_INDICATOR_H
|
|
||||||
+# define OPENSSL_FIPS_INDICATOR_H
|
|
||||||
+# pragma once
|
|
||||||
+
|
|
||||||
+# ifdef __cplusplus
|
|
||||||
+extern "C" {
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
+# define OSSL_RH_FIPSINDICATOR_UNAPPROVED (0)
|
|
||||||
+# define OSSL_RH_FIPSINDICATOR_APPROVED (1)
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * FIPS indicator dispatch table element. function_id numbers and the
|
|
||||||
+ * functions are defined in core_dispatch.h, see macros with
|
|
||||||
+ * 'OSSL_CORE_MAKE_FUNC' in their names.
|
|
||||||
+ *
|
|
||||||
+ * An array of these is always terminated by function_id == 0
|
|
||||||
+ */
|
|
||||||
+typedef struct ossl_rh_fipsindicator_dispatch_st {
|
|
||||||
+ int function_id;
|
|
||||||
+ int approved;
|
|
||||||
+} OSSL_RH_FIPSINDICATOR_DISPATCH;
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Type to tie together algorithm names, property definition string and the
|
|
||||||
+ * algorithm implementation's FIPS indicator status in the form of a FIPS
|
|
||||||
+ * indicator dispatch table.
|
|
||||||
+ *
|
|
||||||
+ * An array of these is always terminated by algorithm_names == NULL
|
|
||||||
+ */
|
|
||||||
+typedef struct ossl_rh_fipsindicator_algorithm_st {
|
|
||||||
+ const char *algorithm_names; /* key */
|
|
||||||
+ const char *property_definition; /* key */
|
|
||||||
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
|
|
||||||
+} OSSL_RH_FIPSINDICATOR_ALGORITHM;
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * Query FIPS indicator status for the given operation. Possible values for
|
|
||||||
+ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms
|
|
||||||
+ * use implicit indicators. The return value is an array of
|
|
||||||
+ * OSSL_RH_FIPSINDICATOR_ALGORITHMs, terminated by an entry with
|
|
||||||
+ * algorithm_names == NULL. 'algorithm_names' is a colon-separated list of
|
|
||||||
+ * algorithm names, 'property_definition' a comma-separated list of properties,
|
|
||||||
+ * and 'indicators' is a list of OSSL_RH_FIPSINDICATOR_DISPATCH structs. This
|
|
||||||
+ * list is terminated by function_id == 0. 'function_id' is one of the
|
|
||||||
+ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL.
|
|
||||||
+ *
|
|
||||||
+ * If there is no entry in the returned struct for the given operation_id,
|
|
||||||
+ * algorithm name, or function_id, the algorithm is unapproved.
|
|
||||||
+ */
|
|
||||||
+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id);
|
|
||||||
+
|
|
||||||
+# ifdef __cplusplus
|
|
||||||
+}
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
+#endif
|
|
||||||
diff --git a/util/mkdef.pl b/util/mkdef.pl
|
|
||||||
index a1c76f7c97..eda39b71ee 100755
|
|
||||||
--- a/util/mkdef.pl
|
|
||||||
+++ b/util/mkdef.pl
|
|
||||||
@@ -149,7 +149,8 @@ $ordinal_opts{filter} =
|
|
||||||
return
|
|
||||||
$item->exists()
|
|
||||||
&& platform_filter($item)
|
|
||||||
- && feature_filter($item);
|
|
||||||
+ && feature_filter($item)
|
|
||||||
+ && fips_filter($item, $name);
|
|
||||||
};
|
|
||||||
my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file);
|
|
||||||
|
|
||||||
@@ -205,6 +206,28 @@ sub feature_filter {
|
|
||||||
return $verdict;
|
|
||||||
}
|
|
||||||
|
|
||||||
+sub fips_filter {
|
|
||||||
+ my $item = shift;
|
|
||||||
+ my $name = uc(shift);
|
|
||||||
+ my @features = ( $item->features() );
|
|
||||||
+
|
|
||||||
+ # True if no features are defined
|
|
||||||
+ return 1 if scalar @features == 0;
|
|
||||||
+
|
|
||||||
+ my @matches = grep(/^ONLY_.*$/, @features);
|
|
||||||
+ if (@matches) {
|
|
||||||
+ # There is at least one only_* flag on this symbol, check if any of
|
|
||||||
+ # them match the name
|
|
||||||
+ for (@matches) {
|
|
||||||
+ if ($_ eq "ONLY_${name}") {
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
sub sorter_unix {
|
|
||||||
my $by_name = OpenSSL::Ordinals::by_name();
|
|
||||||
my %weight = (
|
|
||||||
diff --git a/util/providers.num b/util/providers.num
|
|
||||||
index 4e2fa81b98..77879d0e5f 100644
|
|
||||||
--- a/util/providers.num
|
|
||||||
+++ b/util/providers.num
|
|
||||||
@@ -1 +1,2 @@
|
|
||||||
OSSL_provider_init 1 * EXIST::FUNCTION:
|
|
||||||
+redhat_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS
|
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
@ -1,371 +0,0 @@
|
|||||||
From 4a2239bd7d444c30c55b20ea8b4aeadafdfe1afd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Fri, 22 Jul 2022 13:59:37 +0200
|
|
||||||
Subject: [PATCH] FIPS: Use OAEP in KATs, support fixed OAEP seed
|
|
||||||
|
|
||||||
Review by our lab for FIPS 140-3 certification expects the RSA
|
|
||||||
encryption and decryption tests to use a supported padding mode, not raw
|
|
||||||
RSA signatures. Switch to RSA-OAEP for the self tests to fulfill that.
|
|
||||||
|
|
||||||
The FIPS 140-3 Implementation Guidance specifies in section 10.3.A
|
|
||||||
"Cryptographic Algorithm Self-Test Requirements" that a self-test may be
|
|
||||||
a known-answer test, a comparison test, or a fault-detection test.
|
|
||||||
|
|
||||||
Comparison tests are not an option, because they would require
|
|
||||||
a separate implementation of RSA-OAEP, which we do not have. Fault
|
|
||||||
detection tests require implementing fault detection mechanisms into the
|
|
||||||
cryptographic algorithm implementation, we we also do not have.
|
|
||||||
|
|
||||||
As a consequence, a known-answer test must be used to test RSA
|
|
||||||
encryption and decryption, but RSA encryption with OAEP padding is not
|
|
||||||
deterministic, and thus encryption will always yield different results
|
|
||||||
that could not be compared to known answers. For this reason, this
|
|
||||||
change explicitly sets the seed in OAEP (see RFC 8017 section 7.1.1),
|
|
||||||
which is the source of randomness for RSA-OAEP, to a fixed value. This
|
|
||||||
setting is only available during self-test execution, and the parameter
|
|
||||||
set using EVP_PKEY_CTX_set_params() will be ignored otherwise.
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
crypto/rsa/rsa_local.h | 8 ++
|
|
||||||
crypto/rsa/rsa_oaep.c | 34 ++++++--
|
|
||||||
providers/fips/self_test_data.inc | 83 +++++++++++--------
|
|
||||||
providers/fips/self_test_kats.c | 7 ++
|
|
||||||
.../implementations/asymciphers/rsa_enc.c | 41 +++++++++-
|
|
||||||
util/perl/OpenSSL/paramnames.pm | 1 +
|
|
||||||
6 files changed, 126 insertions(+), 44 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
|
|
||||||
index ea70da05ad..dde57a1a0e 100644
|
|
||||||
--- a/crypto/rsa/rsa_local.h
|
|
||||||
+++ b/crypto/rsa/rsa_local.h
|
|
||||||
@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to
|
|
||||||
int tlen, const unsigned char *from,
|
|
||||||
int flen);
|
|
||||||
|
|
||||||
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
|
|
||||||
+ unsigned char *to, int tlen,
|
|
||||||
+ const unsigned char *from, int flen,
|
|
||||||
+ const unsigned char *param,
|
|
||||||
+ int plen, const EVP_MD *md,
|
|
||||||
+ const EVP_MD *mgf1md,
|
|
||||||
+ const char *redhat_st_seed);
|
|
||||||
+
|
|
||||||
#endif /* OSSL_CRYPTO_RSA_LOCAL_H */
|
|
||||||
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
|
|
||||||
index d9be1a4f98..b2f7f7dc4b 100644
|
|
||||||
--- a/crypto/rsa/rsa_oaep.c
|
|
||||||
+++ b/crypto/rsa/rsa_oaep.c
|
|
||||||
@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
|
|
||||||
param, plen, NULL, NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+extern int REDHAT_FIPS_asym_cipher_st;
|
|
||||||
+#endif /* FIPS_MODULE */
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Perform the padding as per NIST 800-56B 7.2.2.3
|
|
||||||
* from (K) is the key material.
|
|
||||||
@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
|
|
||||||
* Step numbers are included here but not in the constant time inverse below
|
|
||||||
* to avoid complicating an already difficult enough function.
|
|
||||||
*/
|
|
||||||
-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
|
||||||
- unsigned char *to, int tlen,
|
|
||||||
- const unsigned char *from, int flen,
|
|
||||||
- const unsigned char *param,
|
|
||||||
- int plen, const EVP_MD *md,
|
|
||||||
- const EVP_MD *mgf1md)
|
|
||||||
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
|
|
||||||
+ unsigned char *to, int tlen,
|
|
||||||
+ const unsigned char *from, int flen,
|
|
||||||
+ const unsigned char *param,
|
|
||||||
+ int plen, const EVP_MD *md,
|
|
||||||
+ const EVP_MD *mgf1md,
|
|
||||||
+ const char *redhat_st_seed)
|
|
||||||
{
|
|
||||||
int rv = 0;
|
|
||||||
int i, emlen = tlen - 1;
|
|
||||||
@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
|
||||||
db[emlen - flen - mdlen - 1] = 0x01;
|
|
||||||
memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
|
|
||||||
/* step 3d: generate random byte string */
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) {
|
|
||||||
+ memcpy(seed, redhat_st_seed, mdlen);
|
|
||||||
+ } else
|
|
||||||
+#endif
|
|
||||||
if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
|
||||||
+ unsigned char *to, int tlen,
|
|
||||||
+ const unsigned char *from, int flen,
|
|
||||||
+ const unsigned char *param,
|
|
||||||
+ int plen, const EVP_MD *md,
|
|
||||||
+ const EVP_MD *mgf1md)
|
|
||||||
+{
|
|
||||||
+ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from,
|
|
||||||
+ flen, param, plen, md,
|
|
||||||
+ mgf1md, NULL);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
|
|
||||||
const unsigned char *from, int flen,
|
|
||||||
const unsigned char *param, int plen,
|
|
||||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
|
||||||
index 4e30ec56dd..0103c87528 100644
|
|
||||||
--- a/providers/fips/self_test_data.inc
|
|
||||||
+++ b/providers/fips/self_test_data.inc
|
|
||||||
@@ -1294,15 +1294,22 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
|
|
||||||
ST_KAT_PARAM_END()
|
|
||||||
};
|
|
||||||
|
|
||||||
-/*-
|
|
||||||
- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the
|
|
||||||
- * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
|
|
||||||
- * HP/UX PA-RISC compilers.
|
|
||||||
- */
|
|
||||||
-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
|
|
||||||
-
|
|
||||||
+/*-
|
|
||||||
+ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the
|
|
||||||
+ * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
|
|
||||||
+ * HP/UX PA-RISC compilers.
|
|
||||||
+ */
|
|
||||||
+static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP;
|
|
||||||
+static const char oaep_fixed_seed[] = {
|
|
||||||
+ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25,
|
|
||||||
+ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab,
|
|
||||||
+ 0x2e, 0x4b, 0x2c, 0xe6
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
static const ST_KAT_PARAM rsa_enc_params[] = {
|
|
||||||
- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none),
|
|
||||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep),
|
|
||||||
+ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED,
|
|
||||||
+ oaep_fixed_seed),
|
|
||||||
ST_KAT_PARAM_END()
|
|
||||||
};
|
|
||||||
|
|
||||||
@@ -1335,43 +1348,43 @@ static const unsigned char rsa_expected_sig[256] = {
|
|
||||||
0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6
|
|
||||||
};
|
|
||||||
|
|
||||||
-static const unsigned char rsa_asym_plaintext_encrypt[256] = {
|
|
||||||
+static const unsigned char rsa_asym_plaintext_encrypt[208] = {
|
|
||||||
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
|
|
||||||
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
|
|
||||||
};
|
|
||||||
static const unsigned char rsa_asym_expected_encrypt[256] = {
|
|
||||||
- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b,
|
|
||||||
- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61,
|
|
||||||
- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c,
|
|
||||||
- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc,
|
|
||||||
- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0,
|
|
||||||
- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa,
|
|
||||||
- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a,
|
|
||||||
- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc,
|
|
||||||
- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35,
|
|
||||||
- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a,
|
|
||||||
- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd,
|
|
||||||
- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda,
|
|
||||||
- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18,
|
|
||||||
- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7,
|
|
||||||
- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39,
|
|
||||||
- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87,
|
|
||||||
- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21,
|
|
||||||
- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0,
|
|
||||||
- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8,
|
|
||||||
- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c,
|
|
||||||
- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa,
|
|
||||||
- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69,
|
|
||||||
- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52,
|
|
||||||
- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c,
|
|
||||||
- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6,
|
|
||||||
- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93,
|
|
||||||
- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d,
|
|
||||||
- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5,
|
|
||||||
- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9,
|
|
||||||
- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04,
|
|
||||||
- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa,
|
|
||||||
- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab,
|
|
||||||
+ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74,
|
|
||||||
+ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c,
|
|
||||||
+ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e,
|
|
||||||
+ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b,
|
|
||||||
+ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25,
|
|
||||||
+ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89,
|
|
||||||
+ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1,
|
|
||||||
+ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50,
|
|
||||||
+ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17,
|
|
||||||
+ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2,
|
|
||||||
+ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb,
|
|
||||||
+ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d,
|
|
||||||
+ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e,
|
|
||||||
+ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f,
|
|
||||||
+ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3,
|
|
||||||
+ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06,
|
|
||||||
+ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25,
|
|
||||||
+ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78,
|
|
||||||
+ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04,
|
|
||||||
+ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c,
|
|
||||||
+ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47,
|
|
||||||
+ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce,
|
|
||||||
+ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0,
|
|
||||||
+ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6,
|
|
||||||
+ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99,
|
|
||||||
+ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30,
|
|
||||||
+ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20,
|
|
||||||
+ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb,
|
|
||||||
+ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27,
|
|
||||||
+ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66,
|
|
||||||
+ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a,
|
|
||||||
+ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06
|
|
||||||
};
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
|
|
||||||
index 064794d9bf..b6d5e8e134 100644
|
|
||||||
--- a/providers/fips/self_test_kats.c
|
|
||||||
+++ b/providers/fips/self_test_kats.c
|
|
||||||
@@ -647,14 +647,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int REDHAT_FIPS_asym_cipher_st = 0;
|
|
||||||
+
|
|
||||||
static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
|
|
||||||
{
|
|
||||||
int i, ret = 1;
|
|
||||||
|
|
||||||
+ REDHAT_FIPS_asym_cipher_st = 1;
|
|
||||||
+
|
|
||||||
for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
|
|
||||||
if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
|
|
||||||
ret = 0;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ REDHAT_FIPS_asym_cipher_st = 0;
|
|
||||||
+
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
|
||||||
index 00cf65fcd6..83be3d8ede 100644
|
|
||||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
|
||||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
|
||||||
@@ -30,6 +30,9 @@
|
|
||||||
#include "prov/implementations.h"
|
|
||||||
#include "prov/providercommon.h"
|
|
||||||
#include "prov/securitycheck.h"
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+# include "crypto/rsa/rsa_local.h"
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#include <stdlib.h>
|
|
||||||
|
|
||||||
@@ -75,6 +78,9 @@ typedef struct {
|
|
||||||
/* TLS padding */
|
|
||||||
unsigned int client_version;
|
|
||||||
unsigned int alt_version;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ char *redhat_st_oaep_seed;
|
|
||||||
+#endif /* FIPS_MODULE */
|
|
||||||
/* PKCS#1 v1.5 decryption mode */
|
|
||||||
unsigned int implicit_rejection;
|
|
||||||
} PROV_RSA_CTX;
|
|
||||||
@@ -190,12 +196,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ret =
|
|
||||||
- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(
|
|
||||||
+#else
|
|
||||||
+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(
|
|
||||||
+#endif
|
|
||||||
+ prsactx->libctx, tbuf,
|
|
||||||
rsasize, in, inlen,
|
|
||||||
prsactx->oaep_label,
|
|
||||||
prsactx->oaep_labellen,
|
|
||||||
prsactx->oaep_md,
|
|
||||||
- prsactx->mgf1_md);
|
|
||||||
+ prsactx->mgf1_md
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ , prsactx->redhat_st_oaep_seed
|
|
||||||
+#endif
|
|
||||||
+ );
|
|
||||||
|
|
||||||
if (!ret) {
|
|
||||||
OPENSSL_free(tbuf);
|
|
||||||
@@ -326,6 +341,9 @@ static void rsa_freectx(void *vprsactx)
|
|
||||||
EVP_MD_free(prsactx->oaep_md);
|
|
||||||
EVP_MD_free(prsactx->mgf1_md);
|
|
||||||
OPENSSL_free(prsactx->oaep_label);
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OPENSSL_free(prsactx->redhat_st_oaep_seed);
|
|
||||||
+#endif /* FIPS_MODULE */
|
|
||||||
|
|
||||||
OPENSSL_free(prsactx);
|
|
||||||
}
|
|
||||||
@@ -445,6 +463,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
NULL, 0),
|
|
||||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
|
|
||||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
|
|
||||||
+#endif /* FIPS_MODULE */
|
|
||||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
@@ -454,6 +475,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
|
|
||||||
return known_gettable_ctx_params;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+extern int REDHAT_FIPS_asym_cipher_st;
|
|
||||||
+#endif /* FIPS_MODULE */
|
|
||||||
+
|
|
||||||
static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
|
||||||
@@ -563,6 +588,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
|
||||||
prsactx->oaep_labellen = tmp_labellen;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED);
|
|
||||||
+ if (p != NULL && REDHAT_FIPS_asym_cipher_st) {
|
|
||||||
+ void *tmp_oaep_seed = NULL;
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL))
|
|
||||||
+ return 0;
|
|
||||||
+ OPENSSL_free(prsactx->redhat_st_oaep_seed);
|
|
||||||
+ prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed;
|
|
||||||
+ }
|
|
||||||
+#endif /* FIPS_MODULE */
|
|
||||||
+
|
|
||||||
p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
|
|
||||||
if (p != NULL) {
|
|
||||||
unsigned int client_version;
|
|
||||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
index c37ed7815f..70f7c50fe4 100644
|
|
||||||
--- a/util/perl/OpenSSL/paramnames.pm
|
|
||||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
@@ -401,6 +401,7 @@ my %params = (
|
|
||||||
'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version",
|
|
||||||
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
|
|
||||||
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
|
|
||||||
+ 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed",
|
|
||||||
|
|
||||||
# Encoder / decoder parameters
|
|
||||||
|
|
||||||
--
|
|
||||||
2.37.1
|
|
||||||
|
|
@ -1,317 +0,0 @@
|
|||||||
From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Wed, 6 Mar 2024 19:17:16 +0100
|
|
||||||
Subject: [PATCH 28/49]
|
|
||||||
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
|
||||||
|
|
||||||
Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
|
||||||
Patch-id: 74
|
|
||||||
Patch-status: |
|
|
||||||
# [PATCH 29/46]
|
|
||||||
# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
|
||||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
|
||||||
---
|
|
||||||
crypto/evp/m_sigver.c | 54 ++++++++++++++++++++++++++++-----
|
|
||||||
providers/fips/self_test_kats.c | 43 +++++++++++++++-----------
|
|
||||||
2 files changed, 73 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
|
||||||
index fd3a4b79df..3e9f33c26c 100644
|
|
||||||
--- a/crypto/evp/m_sigver.c
|
|
||||||
+++ b/crypto/evp/m_sigver.c
|
|
||||||
@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
|
|
||||||
ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
|
|
||||||
/*
|
|
||||||
* If we get the "NULL" md then the name comes back as "UNDEF". We want to use
|
|
||||||
@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|
||||||
reinit = 0;
|
|
||||||
if (e == NULL)
|
|
||||||
ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
else
|
|
||||||
ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
}
|
|
||||||
if (ctx->pctx == NULL)
|
|
||||||
return 0;
|
|
||||||
@@ -136,8 +139,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|
||||||
locpctx = ctx->pctx;
|
|
||||||
ERR_set_mark();
|
|
||||||
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
if (evp_pkey_ctx_is_legacy(locpctx))
|
|
||||||
goto legacy;
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
|
|
||||||
/* do not reinitialize if pkey is set or operation is different */
|
|
||||||
if (reinit
|
|
||||||
@@ -222,8 +227,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|
||||||
signature =
|
|
||||||
evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
|
|
||||||
supported_sig, locpctx->propquery);
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
if (signature == NULL)
|
|
||||||
goto legacy;
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (signature == NULL)
|
|
||||||
@@ -307,6 +314,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|
||||||
ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
|
|
||||||
if (ctx->fetched_digest != NULL) {
|
|
||||||
ctx->digest = ctx->reqdigest = ctx->fetched_digest;
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
} else {
|
|
||||||
/* legacy engine support : remove the mark when this is deleted */
|
|
||||||
ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
|
|
||||||
@@ -315,11 +323,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|
||||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
}
|
|
||||||
(void)ERR_pop_to_mark();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
if (ctx->reqdigest != NULL
|
|
||||||
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
|
|
||||||
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
|
||||||
@@ -331,6 +341,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
|
|
||||||
if (ver) {
|
|
||||||
if (signature->digest_verify_init == NULL) {
|
|
||||||
@@ -363,6 +374,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|
||||||
EVP_KEYMGMT_free(tmp_keymgmt);
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
legacy:
|
|
||||||
/*
|
|
||||||
* If we don't have the full support we need with provided methods,
|
|
||||||
@@ -434,6 +446,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|
||||||
ctx->pctx->flag_call_digest_custom = 1;
|
|
||||||
|
|
||||||
ret = 1;
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
|
|
||||||
end:
|
|
||||||
#ifndef FIPS_MODULE
|
|
||||||
@@ -476,7 +489,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|
||||||
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
|
|
||||||
NULL);
|
|
||||||
}
|
|
||||||
-#endif /* FIPS_MDOE */
|
|
||||||
|
|
||||||
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
|
||||||
{
|
|
||||||
@@ -548,24 +560,31 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
|
||||||
return EVP_DigestUpdate(ctx, data, dsize);
|
|
||||||
}
|
|
||||||
|
|
||||||
-#ifndef FIPS_MODULE
|
|
||||||
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
|
||||||
size_t *siglen)
|
|
||||||
{
|
|
||||||
- int sctx = 0, r = 0;
|
|
||||||
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
|
|
||||||
+ int r = 0;
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
+ int sctx = 0;
|
|
||||||
+ EVP_PKEY_CTX *dctx = NULL;
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
|
||||||
+
|
|
||||||
|
|
||||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
|
|
||||||
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
if (pctx == NULL
|
|
||||||
|| pctx->operation != EVP_PKEY_OP_SIGNCTX
|
|
||||||
|| pctx->op.sig.algctx == NULL
|
|
||||||
|| pctx->op.sig.signature == NULL)
|
|
||||||
goto legacy;
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
|
|
||||||
/* try dup */
|
|
||||||
dctx = EVP_PKEY_CTX_dup(pctx);
|
|
||||||
@@ -580,7 +599,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
|
||||||
else
|
|
||||||
EVP_PKEY_CTX_free(dctx);
|
|
||||||
return r;
|
|
||||||
+#else
|
|
||||||
+ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
|
|
||||||
+ sigret, siglen,
|
|
||||||
+ sigret == NULL ? 0 : *siglen);
|
|
||||||
+ return r;
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
legacy:
|
|
||||||
if (pctx == NULL || pctx->pmeth == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
|
||||||
@@ -653,6 +679,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return 1;
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
}
|
|
||||||
|
|
||||||
int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
|
||||||
@@ -691,23 +718,30 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
|
||||||
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
|
||||||
size_t siglen)
|
|
||||||
{
|
|
||||||
- unsigned char md[EVP_MAX_MD_SIZE];
|
|
||||||
int r = 0;
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
+ unsigned char md[EVP_MAX_MD_SIZE];
|
|
||||||
unsigned int mdlen = 0;
|
|
||||||
int vctx = 0;
|
|
||||||
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
|
|
||||||
+ EVP_PKEY_CTX *dctx = NULL;
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
|
||||||
+
|
|
||||||
|
|
||||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
|
|
||||||
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
if (pctx == NULL
|
|
||||||
|| pctx->operation != EVP_PKEY_OP_VERIFYCTX
|
|
||||||
|| pctx->op.sig.algctx == NULL
|
|
||||||
|| pctx->op.sig.signature == NULL)
|
|
||||||
goto legacy;
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
|
|
||||||
/* try dup */
|
|
||||||
dctx = EVP_PKEY_CTX_dup(pctx);
|
|
||||||
@@ -721,7 +755,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
|
||||||
else
|
|
||||||
EVP_PKEY_CTX_free(dctx);
|
|
||||||
return r;
|
|
||||||
+#else
|
|
||||||
+ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
|
|
||||||
+ sig, siglen);
|
|
||||||
+ return r;
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
legacy:
|
|
||||||
if (pctx == NULL || pctx->pmeth == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
|
||||||
@@ -762,6 +802,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
|
||||||
if (vctx || !r)
|
|
||||||
return r;
|
|
||||||
return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
}
|
|
||||||
|
|
||||||
int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
|
||||||
@@ -794,4 +835,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
|
||||||
return -1;
|
|
||||||
return EVP_DigestVerifyFinal(ctx, sigret, siglen);
|
|
||||||
}
|
|
||||||
-#endif /* FIPS_MODULE */
|
|
||||||
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
|
|
||||||
index 4ea10670c0..5eb27c8ed2 100644
|
|
||||||
--- a/providers/fips/self_test_kats.c
|
|
||||||
+++ b/providers/fips/self_test_kats.c
|
|
||||||
@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
|
||||||
int ret = 0;
|
|
||||||
OSSL_PARAM *params = NULL, *params_sig = NULL;
|
|
||||||
OSSL_PARAM_BLD *bld = NULL;
|
|
||||||
+ EVP_MD *md = NULL;
|
|
||||||
+ EVP_MD_CTX *ctx = NULL;
|
|
||||||
EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
|
|
||||||
EVP_PKEY *pkey = NULL;
|
|
||||||
- unsigned char sig[256];
|
|
||||||
BN_CTX *bnctx = NULL;
|
|
||||||
+ const char *msg = "Hello World!";
|
|
||||||
+ unsigned char sig[256];
|
|
||||||
size_t siglen = sizeof(sig);
|
|
||||||
static const unsigned char dgst[] = {
|
|
||||||
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
|
|
||||||
@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
|
||||||
|| EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
- /* Create a EVP_PKEY_CTX to use for the signing operation */
|
|
||||||
- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
|
|
||||||
- if (sctx == NULL
|
|
||||||
- || EVP_PKEY_sign_init(sctx) <= 0)
|
|
||||||
- goto err;
|
|
||||||
-
|
|
||||||
- /* set signature parameters */
|
|
||||||
- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
|
|
||||||
- t->mdalgorithm,
|
|
||||||
- strlen(t->mdalgorithm) + 1))
|
|
||||||
- goto err;
|
|
||||||
+ /* Create a EVP_MD_CTX to use for the signature operation, assign signature
|
|
||||||
+ * parameters and sign */
|
|
||||||
params_sig = OSSL_PARAM_BLD_to_param(bld);
|
|
||||||
- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
|
|
||||||
+ md = EVP_MD_fetch(libctx, "SHA256", NULL);
|
|
||||||
+ ctx = EVP_MD_CTX_new();
|
|
||||||
+ if (md == NULL || ctx == NULL)
|
|
||||||
+ goto err;
|
|
||||||
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
|
|
||||||
+ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
|
|
||||||
+ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
|
|
||||||
+ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
|
|
||||||
+ || EVP_MD_CTX_reset(ctx) <= 0)
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
|
|
||||||
- || EVP_PKEY_verify_init(sctx) <= 0
|
|
||||||
+ /* sctx is not freed automatically inside the FIPS module */
|
|
||||||
+ EVP_PKEY_CTX_free(sctx);
|
|
||||||
+ sctx = NULL;
|
|
||||||
+
|
|
||||||
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
|
|
||||||
+ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
|
|
||||||
|| EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
OSSL_SELF_TEST_oncorrupt_byte(st, sig);
|
|
||||||
- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
|
|
||||||
+ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
|
|
||||||
goto err;
|
|
||||||
ret = 1;
|
|
||||||
err:
|
|
||||||
BN_CTX_free(bnctx);
|
|
||||||
EVP_PKEY_free(pkey);
|
|
||||||
- EVP_PKEY_CTX_free(kctx);
|
|
||||||
+ EVP_MD_free(md);
|
|
||||||
+ EVP_MD_CTX_free(ctx);
|
|
||||||
+ /* sctx is not freed automatically inside the FIPS module */
|
|
||||||
EVP_PKEY_CTX_free(sctx);
|
|
||||||
+ EVP_PKEY_CTX_free(kctx);
|
|
||||||
OSSL_PARAM_free(params);
|
|
||||||
OSSL_PARAM_free(params_sig);
|
|
||||||
OSSL_PARAM_BLD_free(bld);
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,378 +0,0 @@
|
|||||||
From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Fri, 22 Jul 2022 17:51:16 +0200
|
|
||||||
Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
providers/fips/self_test_data.inc | 342 +++++++++++++++---------------
|
|
||||||
1 file changed, 172 insertions(+), 170 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
|
||||||
index a29cc650b5..1b5623833f 100644
|
|
||||||
--- a/providers/fips/self_test_data.inc
|
|
||||||
+++ b/providers/fips/self_test_data.inc
|
|
||||||
@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_DH
|
|
||||||
/* DH KAT */
|
|
||||||
+/* RFC7919 FFDHE2048 p */
|
|
||||||
static const unsigned char dh_p[] = {
|
|
||||||
- 0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25,
|
|
||||||
- 0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0,
|
|
||||||
- 0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66,
|
|
||||||
- 0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b,
|
|
||||||
- 0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe,
|
|
||||||
- 0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce,
|
|
||||||
- 0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d,
|
|
||||||
- 0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d,
|
|
||||||
- 0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde,
|
|
||||||
- 0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb,
|
|
||||||
- 0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17,
|
|
||||||
- 0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0,
|
|
||||||
- 0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97,
|
|
||||||
- 0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9,
|
|
||||||
- 0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7,
|
|
||||||
- 0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1,
|
|
||||||
- 0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d,
|
|
||||||
- 0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82,
|
|
||||||
- 0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4,
|
|
||||||
- 0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c,
|
|
||||||
- 0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b,
|
|
||||||
- 0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50,
|
|
||||||
- 0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31,
|
|
||||||
- 0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44,
|
|
||||||
- 0xb9, 0x46, 0xfe, 0x9d, 0xf6, 0x77, 0xa0, 0xc5,
|
|
||||||
- 0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80,
|
|
||||||
- 0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12,
|
|
||||||
- 0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94,
|
|
||||||
- 0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7,
|
|
||||||
- 0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1,
|
|
||||||
- 0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d,
|
|
||||||
- 0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69
|
|
||||||
-};
|
|
||||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
||||||
+ 0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a,
|
|
||||||
+ 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
|
|
||||||
+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95,
|
|
||||||
+ 0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb,
|
|
||||||
+ 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
|
|
||||||
+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8,
|
|
||||||
+ 0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a,
|
|
||||||
+ 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
|
|
||||||
+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0,
|
|
||||||
+ 0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3,
|
|
||||||
+ 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
|
|
||||||
+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77,
|
|
||||||
+ 0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72,
|
|
||||||
+ 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
|
|
||||||
+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a,
|
|
||||||
+ 0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61,
|
|
||||||
+ 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
|
|
||||||
+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68,
|
|
||||||
+ 0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4,
|
|
||||||
+ 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
|
|
||||||
+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70,
|
|
||||||
+ 0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec,
|
|
||||||
+ 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
|
|
||||||
+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff,
|
|
||||||
+ 0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83,
|
|
||||||
+ 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
|
|
||||||
+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05,
|
|
||||||
+ 0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2,
|
|
||||||
+ 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
|
|
||||||
+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97,
|
|
||||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
|
|
||||||
+};
|
|
||||||
+/* RFC7919 FFDHE2048 q */
|
|
||||||
static const unsigned char dh_q[] = {
|
|
||||||
- 0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e,
|
|
||||||
- 0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83,
|
|
||||||
- 0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea,
|
|
||||||
- 0x11, 0xac, 0xb5, 0x7d
|
|
||||||
-};
|
|
||||||
+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
||||||
+ 0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d,
|
|
||||||
+ 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
|
|
||||||
+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a,
|
|
||||||
+ 0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd,
|
|
||||||
+ 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
|
|
||||||
+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec,
|
|
||||||
+ 0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd,
|
|
||||||
+ 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
|
|
||||||
+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68,
|
|
||||||
+ 0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79,
|
|
||||||
+ 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
|
|
||||||
+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb,
|
|
||||||
+ 0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39,
|
|
||||||
+ 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
|
|
||||||
+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd,
|
|
||||||
+ 0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0,
|
|
||||||
+ 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
|
|
||||||
+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34,
|
|
||||||
+ 0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa,
|
|
||||||
+ 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
|
|
||||||
+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8,
|
|
||||||
+ 0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76,
|
|
||||||
+ 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
|
|
||||||
+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff,
|
|
||||||
+ 0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1,
|
|
||||||
+ 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
|
|
||||||
+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02,
|
|
||||||
+ 0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9,
|
|
||||||
+ 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
|
|
||||||
+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b,
|
|
||||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
|
|
||||||
+};
|
|
||||||
+/* RFC7919 FFDHE2048 g */
|
|
||||||
static const unsigned char dh_g[] = {
|
|
||||||
- 0x5e, 0xf7, 0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39,
|
|
||||||
- 0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f,
|
|
||||||
- 0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0,
|
|
||||||
- 0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f,
|
|
||||||
- 0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f,
|
|
||||||
- 0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a,
|
|
||||||
- 0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4,
|
|
||||||
- 0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c,
|
|
||||||
- 0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20,
|
|
||||||
- 0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25,
|
|
||||||
- 0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53,
|
|
||||||
- 0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9,
|
|
||||||
- 0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc,
|
|
||||||
- 0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9,
|
|
||||||
- 0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43,
|
|
||||||
- 0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86,
|
|
||||||
- 0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16,
|
|
||||||
- 0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40,
|
|
||||||
- 0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23,
|
|
||||||
- 0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa,
|
|
||||||
- 0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6,
|
|
||||||
- 0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2,
|
|
||||||
- 0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61,
|
|
||||||
- 0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a,
|
|
||||||
- 0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef,
|
|
||||||
- 0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f,
|
|
||||||
- 0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3,
|
|
||||||
- 0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a,
|
|
||||||
- 0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4,
|
|
||||||
- 0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74,
|
|
||||||
- 0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4,
|
|
||||||
- 0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32
|
|
||||||
+ 0x02
|
|
||||||
};
|
|
||||||
static const unsigned char dh_priv[] = {
|
|
||||||
- 0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a,
|
|
||||||
- 0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70,
|
|
||||||
- 0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15,
|
|
||||||
- 0x40, 0xb8, 0xfc, 0xe6
|
|
||||||
+ 0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f,
|
|
||||||
+ 0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d,
|
|
||||||
+ 0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 0x8d,
|
|
||||||
+ 0x6c, 0xdc, 0x5d, 0x6e, 0x94
|
|
||||||
};
|
|
||||||
static const unsigned char dh_pub[] = {
|
|
||||||
- 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04,
|
|
||||||
- 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69,
|
|
||||||
- 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59,
|
|
||||||
- 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b,
|
|
||||||
- 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c,
|
|
||||||
- 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21,
|
|
||||||
- 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06,
|
|
||||||
- 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb,
|
|
||||||
- 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2,
|
|
||||||
- 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0,
|
|
||||||
- 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83,
|
|
||||||
- 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90,
|
|
||||||
- 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2,
|
|
||||||
- 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7,
|
|
||||||
- 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0,
|
|
||||||
- 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88,
|
|
||||||
- 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb,
|
|
||||||
- 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a,
|
|
||||||
- 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97,
|
|
||||||
- 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d,
|
|
||||||
- 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf,
|
|
||||||
- 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e,
|
|
||||||
- 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f,
|
|
||||||
- 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d,
|
|
||||||
- 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1,
|
|
||||||
- 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c,
|
|
||||||
- 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47,
|
|
||||||
- 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e,
|
|
||||||
- 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f,
|
|
||||||
- 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9,
|
|
||||||
- 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c,
|
|
||||||
- 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3
|
|
||||||
+ 0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05,
|
|
||||||
+ 0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f,
|
|
||||||
+ 0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43,
|
|
||||||
+ 0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23,
|
|
||||||
+ 0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a,
|
|
||||||
+ 0x1a, 0x03, 0x9e, 0x5f, 0xd1, 0x4e, 0xa0, 0x0b,
|
|
||||||
+ 0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c,
|
|
||||||
+ 0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63,
|
|
||||||
+ 0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38,
|
|
||||||
+ 0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6,
|
|
||||||
+ 0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a,
|
|
||||||
+ 0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94,
|
|
||||||
+ 0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92,
|
|
||||||
+ 0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44,
|
|
||||||
+ 0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53,
|
|
||||||
+ 0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13,
|
|
||||||
+ 0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30,
|
|
||||||
+ 0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b,
|
|
||||||
+ 0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01,
|
|
||||||
+ 0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d,
|
|
||||||
+ 0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18,
|
|
||||||
+ 0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81,
|
|
||||||
+ 0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f,
|
|
||||||
+ 0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7,
|
|
||||||
+ 0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39,
|
|
||||||
+ 0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed,
|
|
||||||
+ 0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71,
|
|
||||||
+ 0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce,
|
|
||||||
+ 0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04,
|
|
||||||
+ 0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69,
|
|
||||||
+ 0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed,
|
|
||||||
+ 0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2,
|
|
||||||
+ 0x32
|
|
||||||
};
|
|
||||||
static const unsigned char dh_peer_pub[] = {
|
|
||||||
- 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a,
|
|
||||||
- 0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d,
|
|
||||||
- 0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58,
|
|
||||||
- 0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32,
|
|
||||||
- 0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb,
|
|
||||||
- 0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0,
|
|
||||||
- 0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0,
|
|
||||||
- 0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc,
|
|
||||||
- 0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1,
|
|
||||||
- 0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e,
|
|
||||||
- 0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97,
|
|
||||||
- 0x70, 0x42, 0xc7, 0xe3, 0xd0, 0x44, 0x8f, 0x05,
|
|
||||||
- 0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3,
|
|
||||||
- 0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f,
|
|
||||||
- 0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7,
|
|
||||||
- 0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1,
|
|
||||||
- 0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96,
|
|
||||||
- 0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf,
|
|
||||||
- 0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22,
|
|
||||||
- 0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98,
|
|
||||||
- 0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42,
|
|
||||||
- 0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c,
|
|
||||||
- 0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde,
|
|
||||||
- 0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20,
|
|
||||||
- 0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22,
|
|
||||||
- 0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3,
|
|
||||||
- 0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3,
|
|
||||||
- 0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2,
|
|
||||||
- 0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00,
|
|
||||||
- 0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51,
|
|
||||||
- 0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f,
|
|
||||||
- 0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b
|
|
||||||
+ 0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79,
|
|
||||||
+ 0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda,
|
|
||||||
+ 0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29,
|
|
||||||
+ 0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84,
|
|
||||||
+ 0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57,
|
|
||||||
+ 0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5,
|
|
||||||
+ 0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68,
|
|
||||||
+ 0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c,
|
|
||||||
+ 0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6,
|
|
||||||
+ 0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20,
|
|
||||||
+ 0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d,
|
|
||||||
+ 0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3,
|
|
||||||
+ 0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a,
|
|
||||||
+ 0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77,
|
|
||||||
+ 0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73,
|
|
||||||
+ 0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53,
|
|
||||||
+ 0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1,
|
|
||||||
+ 0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05,
|
|
||||||
+ 0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 0x59, 0x7a,
|
|
||||||
+ 0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5,
|
|
||||||
+ 0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9,
|
|
||||||
+ 0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91,
|
|
||||||
+ 0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31,
|
|
||||||
+ 0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f,
|
|
||||||
+ 0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4,
|
|
||||||
+ 0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e,
|
|
||||||
+ 0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59,
|
|
||||||
+ 0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84,
|
|
||||||
+ 0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a,
|
|
||||||
+ 0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd,
|
|
||||||
+ 0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2,
|
|
||||||
+ 0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87,
|
|
||||||
+ 0x64
|
|
||||||
};
|
|
||||||
|
|
||||||
static const unsigned char dh_secret_expected[] = {
|
|
||||||
- 0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a,
|
|
||||||
- 0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a,
|
|
||||||
- 0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c,
|
|
||||||
- 0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe,
|
|
||||||
- 0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2,
|
|
||||||
- 0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21,
|
|
||||||
- 0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53,
|
|
||||||
- 0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd,
|
|
||||||
- 0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87,
|
|
||||||
- 0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4,
|
|
||||||
- 0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d,
|
|
||||||
- 0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd,
|
|
||||||
- 0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33,
|
|
||||||
- 0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe,
|
|
||||||
- 0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a,
|
|
||||||
- 0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73,
|
|
||||||
- 0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad,
|
|
||||||
- 0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0,
|
|
||||||
- 0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79,
|
|
||||||
- 0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9,
|
|
||||||
- 0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2,
|
|
||||||
- 0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6,
|
|
||||||
- 0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae,
|
|
||||||
- 0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57,
|
|
||||||
- 0x0f, 0x18, 0xc8, 0x1f, 0x2b, 0xe5, 0xd0, 0x1a,
|
|
||||||
- 0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63,
|
|
||||||
- 0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9,
|
|
||||||
- 0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86,
|
|
||||||
- 0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5,
|
|
||||||
- 0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00,
|
|
||||||
- 0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52,
|
|
||||||
- 0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6
|
|
||||||
+ 0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5,
|
|
||||||
+ 0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5,
|
|
||||||
+ 0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93,
|
|
||||||
+ 0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5,
|
|
||||||
+ 0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e,
|
|
||||||
+ 0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39,
|
|
||||||
+ 0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04,
|
|
||||||
+ 0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d,
|
|
||||||
+ 0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c,
|
|
||||||
+ 0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47,
|
|
||||||
+ 0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae,
|
|
||||||
+ 0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08,
|
|
||||||
+ 0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19,
|
|
||||||
+ 0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8,
|
|
||||||
+ 0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f,
|
|
||||||
+ 0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e,
|
|
||||||
+ 0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2,
|
|
||||||
+ 0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d,
|
|
||||||
+ 0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4,
|
|
||||||
+ 0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4,
|
|
||||||
+ 0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66,
|
|
||||||
+ 0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46,
|
|
||||||
+ 0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0,
|
|
||||||
+ 0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70,
|
|
||||||
+ 0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c,
|
|
||||||
+ 0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f,
|
|
||||||
+ 0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25,
|
|
||||||
+ 0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc,
|
|
||||||
+ 0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02,
|
|
||||||
+ 0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04,
|
|
||||||
+ 0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1,
|
|
||||||
+ 0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 0x0c, 0x89
|
|
||||||
};
|
|
||||||
|
|
||||||
static const ST_KAT_PARAM dh_group[] = {
|
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
@ -1,298 +0,0 @@
|
|||||||
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
|
|
||||||
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
|
|
||||||
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200
|
|
||||||
@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
|
|
||||||
size_t entropy_available;
|
|
||||||
RAND_POOL *pool;
|
|
||||||
|
|
||||||
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
|
|
||||||
+ /*
|
|
||||||
+ * OpenSSL still implements an internal entropy pool of
|
|
||||||
+ * some size that is hashed to get seed data.
|
|
||||||
+ * Note that this is a conditioning step for which SP800-90C requires
|
|
||||||
+ * 64 additional bits from the entropy source to claim the requested
|
|
||||||
+ * amount of entropy.
|
|
||||||
+ */
|
|
||||||
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
|
|
||||||
if (pool == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
|
|
||||||
return 0;
|
|
||||||
diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
|
|
||||||
--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200
|
|
||||||
+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200
|
|
||||||
@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
|
|
||||||
* to the nearest byte. If the entropy is of less than full quality,
|
|
||||||
* the amount required should be scaled up appropriately here.
|
|
||||||
*/
|
|
||||||
- bytes_needed = (entropy + 7) / 8;
|
|
||||||
+ /*
|
|
||||||
+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy
|
|
||||||
+ * + 128 bits during initial seeding
|
|
||||||
+ */
|
|
||||||
+ bytes_needed = (entropy + 128 + 7) / 8;
|
|
||||||
if (bytes_needed < min_len)
|
|
||||||
bytes_needed = min_len;
|
|
||||||
if (bytes_needed > max_len)
|
|
||||||
diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
|
|
||||||
--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200
|
|
||||||
+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200
|
|
||||||
@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ prediction_resistance = 1;
|
|
||||||
+#endif
|
|
||||||
/* Reseed using our sources in addition */
|
|
||||||
entropylen = get_entropy(drbg, &entropy, drbg->strength,
|
|
||||||
drbg->min_entropylen, drbg->max_entropylen,
|
|
||||||
@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
|
|
||||||
reseed_required = 1;
|
|
||||||
}
|
|
||||||
if (drbg->parent != NULL
|
|
||||||
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
|
|
||||||
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
|
|
||||||
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
|
|
||||||
+#else
|
|
||||||
reseed_required = 1;
|
|
||||||
+#endif
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (reseed_required || prediction_resistance) {
|
|
||||||
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
|
|
||||||
diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h
|
|
||||||
--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100
|
|
||||||
+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100
|
|
||||||
@@ -38,7 +38,7 @@
|
|
||||||
*
|
|
||||||
* The value is in bytes.
|
|
||||||
*/
|
|
||||||
-#define CRNGT_BUFSIZ 16
|
|
||||||
+#define CRNGT_BUFSIZ 32
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
|
||||||
diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
|
|
||||||
--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200
|
|
||||||
+++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200
|
|
||||||
@@ -48,6 +48,8 @@
|
|
||||||
# include <fcntl.h>
|
|
||||||
# include <unistd.h>
|
|
||||||
# include <sys/time.h>
|
|
||||||
+# include <sys/random.h>
|
|
||||||
+# include <openssl/evp.h>
|
|
||||||
|
|
||||||
static uint64_t get_time_stamp(void);
|
|
||||||
|
|
||||||
@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
|
|
||||||
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
|
|
||||||
* between size_t and ssize_t is safe even without a range check.
|
|
||||||
*/
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * Do runtime detection to find getentropy().
|
|
||||||
- *
|
|
||||||
- * Known OSs that should support this:
|
|
||||||
- * - Darwin since 16 (OSX 10.12, IOS 10.0).
|
|
||||||
- * - Solaris since 11.3
|
|
||||||
- * - OpenBSD since 5.6
|
|
||||||
- * - Linux since 3.17 with glibc 2.25
|
|
||||||
- * - FreeBSD since 12.0 (1200061)
|
|
||||||
- *
|
|
||||||
- * Note: Sometimes getentropy() can be provided but not implemented
|
|
||||||
- * internally. So we need to check errno for ENOSYS
|
|
||||||
- */
|
|
||||||
-# if !defined(__DragonFly__) && !defined(__NetBSD__)
|
|
||||||
-# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
|
|
||||||
- extern int getentropy(void *buffer, size_t length) __attribute__((weak));
|
|
||||||
-
|
|
||||||
- if (getentropy != NULL) {
|
|
||||||
- if (getentropy(buf, buflen) == 0)
|
|
||||||
- return (ssize_t)buflen;
|
|
||||||
- if (errno != ENOSYS)
|
|
||||||
- return -1;
|
|
||||||
- }
|
|
||||||
-# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
|
|
||||||
-
|
|
||||||
- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
|
|
||||||
- return (ssize_t)buflen;
|
|
||||||
-
|
|
||||||
- return -1;
|
|
||||||
-# else
|
|
||||||
- union {
|
|
||||||
- void *p;
|
|
||||||
- int (*f)(void *buffer, size_t length);
|
|
||||||
- } p_getentropy;
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * We could cache the result of the lookup, but we normally don't
|
|
||||||
- * call this function often.
|
|
||||||
- */
|
|
||||||
- ERR_set_mark();
|
|
||||||
- p_getentropy.p = DSO_global_lookup("getentropy");
|
|
||||||
- ERR_pop_to_mark();
|
|
||||||
- if (p_getentropy.p != NULL)
|
|
||||||
- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
|
|
||||||
-# endif
|
|
||||||
-# endif /* !__DragonFly__ */
|
|
||||||
-
|
|
||||||
- /* Linux supports this since version 3.17 */
|
|
||||||
-# if defined(__linux) && defined(__NR_getrandom)
|
|
||||||
- return syscall(__NR_getrandom, buf, buflen, 0);
|
|
||||||
-# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
|
|
||||||
- return sysctl_random(buf, buflen);
|
|
||||||
-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
|
|
||||||
- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000)
|
|
||||||
- return getrandom(buf, buflen, 0);
|
|
||||||
-# elif defined(__wasi__)
|
|
||||||
- if (getentropy(buf, buflen) == 0)
|
|
||||||
- return (ssize_t)buflen;
|
|
||||||
- return -1;
|
|
||||||
-# else
|
|
||||||
- errno = ENOSYS;
|
|
||||||
- return -1;
|
|
||||||
-# endif
|
|
||||||
+ int realbuflen = buflen > 32 ? 32 : buflen; /* Red Hat uses downstream patch to always seed from getrandom() */
|
|
||||||
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, realbuflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
|
|
||||||
}
|
|
||||||
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
|
|
||||||
|
|
||||||
diff -up openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx openssl-3.2.1/providers/implementations/rands/seed_src.c
|
|
||||||
--- openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx 2024-04-10 13:14:38.984033920 +0200
|
|
||||||
+++ openssl-3.2.1/providers/implementations/rands/seed_src.c 2024-04-10 13:15:20.565045748 +0200
|
|
||||||
@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
- pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
|
|
||||||
+ /*
|
|
||||||
+ * OpenSSL still implements an internal entropy pool of
|
|
||||||
+ * some size that is hashed to get seed data.
|
|
||||||
+ * Note that this is a conditioning step for which SP800-90C requires
|
|
||||||
+ * 64 additional bits from the entropy source to claim the requested
|
|
||||||
+ * amount of entropy.
|
|
||||||
+ */
|
|
||||||
+ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
|
|
||||||
if (pool == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
|
|
||||||
return 0;
|
|
||||||
@@ -189,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
|
|
||||||
size_t i;
|
|
||||||
RAND_POOL *pool;
|
|
||||||
|
|
||||||
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
|
|
||||||
+ /*
|
|
||||||
+ * OpenSSL still implements an internal entropy pool of
|
|
||||||
+ * some size that is hashed to get seed data.
|
|
||||||
+ * Note that this is a conditioning step for which SP800-90C requires
|
|
||||||
+ * 64 additional bits from the entropy source to claim the requested
|
|
||||||
+ * amount of entropy.
|
|
||||||
+ */
|
|
||||||
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
|
|
||||||
if (pool == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
|
|
||||||
return 0;
|
|
||||||
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
|
|
||||||
index 14999540ab..b05b84717b 100644
|
|
||||||
--- a/crypto/rand/rand_lib.c
|
|
||||||
+++ b/crypto/rand/rand_lib.c
|
|
||||||
@@ -11,6 +11,7 @@
|
|
||||||
#define OPENSSL_SUPPRESS_DEPRECATED
|
|
||||||
|
|
||||||
#include <openssl/err.h>
|
|
||||||
+#include <openssl/evp.h>
|
|
||||||
#include <openssl/opensslconf.h>
|
|
||||||
#include <openssl/core_names.h>
|
|
||||||
#include "internal/cryptlib.h"
|
|
||||||
@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-#ifndef FIPS_MODULE
|
|
||||||
- if (dgbl->seed == NULL) {
|
|
||||||
- ERR_set_mark();
|
|
||||||
- dgbl->seed = rand_new_seed(ctx);
|
|
||||||
- ERR_pop_to_mark();
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
|
|
||||||
+ ret = dgbl->primary = rand_new_drbg(ctx, NULL,
|
|
||||||
PRIMARY_RESEED_INTERVAL,
|
|
||||||
PRIMARY_RESEED_TIME_INTERVAL, 1);
|
|
||||||
/*
|
|
||||||
@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_
|
|
||||||
if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL
|
|
||||||
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
|
|
||||||
return NULL;
|
|
||||||
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
|
|
||||||
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
|
|
||||||
SECONDARY_RESEED_TIME_INTERVAL, 0);
|
|
||||||
CRYPTO_THREAD_set_local(&dgbl->public, rand);
|
|
||||||
}
|
|
||||||
@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB
|
|
||||||
if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL
|
|
||||||
&& !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state))
|
|
||||||
return NULL;
|
|
||||||
- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL,
|
|
||||||
+ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL,
|
|
||||||
SECONDARY_RESEED_TIME_INTERVAL, 0);
|
|
||||||
CRYPTO_THREAD_set_local(&dgbl->private, rand);
|
|
||||||
}
|
|
||||||
diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c
|
|
||||||
--- openssl-3.2.1/test/drbgtest.c.xxx 2024-05-02 15:37:23.550979597 +0200
|
|
||||||
+++ openssl-3.2.1/test/drbgtest.c 2024-05-02 15:45:37.189979881 +0200
|
|
||||||
@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s
|
|
||||||
reseed_when = time(NULL);
|
|
||||||
|
|
||||||
/* Generate random output from the public and private DRBG */
|
|
||||||
- before_reseed = expect_primary_reseed == 1 ? reseed_when : 0;
|
|
||||||
+ before_reseed = 0;
|
|
||||||
if (!TEST_int_eq(rand_bytes((unsigned char*)public_random,
|
|
||||||
RANDOM_SIZE), expect_success)
|
|
||||||
|| !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random,
|
|
||||||
@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s
|
|
||||||
*/
|
|
||||||
|
|
||||||
/* Test whether reseeding succeeded as expected */
|
|
||||||
- if (!TEST_int_eq(state(primary), expected_state)
|
|
||||||
- || !TEST_int_eq(state(public), expected_state)
|
|
||||||
+ if (/*!TEST_int_eq(state(primary), expected_state)
|
|
||||||
+ ||*/ !TEST_int_eq(state(public), expected_state)
|
|
||||||
|| !TEST_int_eq(state(private), expected_state))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s
|
|
||||||
if (expect_public_reseed >= 0) {
|
|
||||||
/* Test whether public DRBG was reseeded as expected */
|
|
||||||
if (!TEST_int_ge(reseed_counter(public), public_reseed)
|
|
||||||
- || !TEST_uint_ge(reseed_counter(public),
|
|
||||||
- reseed_counter(primary)))
|
|
||||||
+ /*|| !TEST_uint_ge(reseed_counter(public),
|
|
||||||
+ reseed_counter(primary))*/)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (expect_private_reseed >= 0) {
|
|
||||||
/* Test whether public DRBG was reseeded as expected */
|
|
||||||
if (!TEST_int_ge(reseed_counter(private), private_reseed)
|
|
||||||
- || !TEST_uint_ge(reseed_counter(private),
|
|
||||||
- reseed_counter(primary)))
|
|
||||||
+ /*|| !TEST_uint_ge(reseed_counter(private),
|
|
||||||
+ reseed_counter(primary))*/)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -577,8 +577,8 @@ static int test_rand_reseed(void)
|
|
||||||
if (!TEST_ptr_ne(public, private)
|
|
||||||
|| !TEST_ptr_ne(public, primary)
|
|
||||||
|| !TEST_ptr_ne(private, primary)
|
|
||||||
- || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
|
|
||||||
- || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary)))
|
|
||||||
+ /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary))
|
|
||||||
+ || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* Disable CRNG testing for the primary DRBG */
|
|
@ -1,76 +0,0 @@
|
|||||||
diff -up openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero openssl-3.0.1/crypto/ffc/ffc_params.c
|
|
||||||
--- openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero 2022-08-05 13:11:27.211413931 +0200
|
|
||||||
+++ openssl-3.0.1/crypto/ffc/ffc_params.c 2022-08-05 13:11:34.151475891 +0200
|
|
||||||
@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
|
|
||||||
|
|
||||||
void ossl_ffc_params_cleanup(FFC_PARAMS *params)
|
|
||||||
{
|
|
||||||
- BN_free(params->p);
|
|
||||||
- BN_free(params->q);
|
|
||||||
- BN_free(params->g);
|
|
||||||
- BN_free(params->j);
|
|
||||||
+ BN_clear_free(params->p);
|
|
||||||
+ BN_clear_free(params->q);
|
|
||||||
+ BN_clear_free(params->g);
|
|
||||||
+ BN_clear_free(params->j);
|
|
||||||
OPENSSL_free(params->seed);
|
|
||||||
ossl_ffc_params_init(params);
|
|
||||||
}
|
|
||||||
diff -up openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero openssl-3.0.1/crypto/rsa/rsa_lib.c
|
|
||||||
--- openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero 2022-08-05 13:08:31.875848536 +0200
|
|
||||||
+++ openssl-3.0.1/crypto/rsa/rsa_lib.c 2022-08-05 13:09:35.438416025 +0200
|
|
||||||
@@ -155,8 +155,8 @@ void RSA_free(RSA *r)
|
|
||||||
CRYPTO_THREAD_lock_free(r->lock);
|
|
||||||
CRYPTO_FREE_REF(&r->references);
|
|
||||||
|
|
||||||
- BN_free(r->n);
|
|
||||||
- BN_free(r->e);
|
|
||||||
+ BN_clear_free(r->n);
|
|
||||||
+ BN_clear_free(r->e);
|
|
||||||
BN_clear_free(r->d);
|
|
||||||
BN_clear_free(r->p);
|
|
||||||
BN_clear_free(r->q);
|
|
||||||
diff -up openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero openssl-3.0.1/providers/implementations/kdfs/hkdf.c
|
|
||||||
--- openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero 2022-08-05 13:14:58.827303241 +0200
|
|
||||||
+++ openssl-3.0.1/providers/implementations/kdfs/hkdf.c 2022-08-05 13:16:24.530068399 +0200
|
|
||||||
@@ -116,7 +116,7 @@ static void kdf_hkdf_reset(void *vctx)
|
|
||||||
void *provctx = ctx->provctx;
|
|
||||||
|
|
||||||
ossl_prov_digest_reset(&ctx->digest);
|
|
||||||
- OPENSSL_free(ctx->salt);
|
|
||||||
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
|
|
||||||
OPENSSL_free(ctx->prefix);
|
|
||||||
OPENSSL_free(ctx->label);
|
|
||||||
OPENSSL_clear_free(ctx->data, ctx->data_len);
|
|
||||||
diff -up openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c
|
|
||||||
--- openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero 2022-08-05 13:12:40.552068717 +0200
|
|
||||||
+++ openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c 2022-08-05 13:13:34.324548799 +0200
|
|
||||||
@@ -83,7 +83,7 @@ static void *kdf_pbkdf2_new(void *provct
|
|
||||||
static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
|
|
||||||
{
|
|
||||||
ossl_prov_digest_reset(&ctx->digest);
|
|
||||||
- OPENSSL_free(ctx->salt);
|
|
||||||
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
|
|
||||||
OPENSSL_clear_free(ctx->pass, ctx->pass_len);
|
|
||||||
memset(ctx, 0, sizeof(*ctx));
|
|
||||||
}
|
|
||||||
diff -up openssl-3.0.1/crypto/ec/ec_lib.c.fipszero openssl-3.0.1/crypto/ec/ec_lib.c
|
|
||||||
--- openssl-3.0.1/crypto/ec/ec_lib.c.fipszero 2022-08-05 13:48:32.221345774 +0200
|
|
||||||
+++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-08-05 13:49:16.138741452 +0200
|
|
||||||
@@ -744,12 +744,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
|
|
||||||
|
|
||||||
void EC_POINT_free(EC_POINT *point)
|
|
||||||
{
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ EC_POINT_clear_free(point);
|
|
||||||
+#else
|
|
||||||
if (point == NULL)
|
|
||||||
return;
|
|
||||||
|
|
||||||
if (point->meth->point_finish != 0)
|
|
||||||
point->meth->point_finish(point);
|
|
||||||
OPENSSL_free(point);
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
void EC_POINT_clear_free(EC_POINT *point)
|
|
@ -1,911 +0,0 @@
|
|||||||
From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Thu, 11 Aug 2022 09:27:12 +0200
|
|
||||||
Subject: KDF: Add FIPS indicators
|
|
||||||
|
|
||||||
FIPS requires a number of restrictions on the parameters of the various
|
|
||||||
key derivation functions implemented in OpenSSL. The KDFs that use
|
|
||||||
digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
|
|
||||||
C.C). Additionally, some application-specific KDFs have further
|
|
||||||
restrictions defined in SP 800-135r1.
|
|
||||||
|
|
||||||
Generally, all KDFs shall use a key-derivation key length of at least
|
|
||||||
112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
|
|
||||||
to generate and output length of less than 112 bits will also set the
|
|
||||||
indicator to unapproved.
|
|
||||||
|
|
||||||
Add explicit indicators to all KDFs usable in FIPS mode except for
|
|
||||||
PBKDF2 (which has its specific FIPS limits already implemented). The
|
|
||||||
indicator can be queried using EVP_KDF_CTX_get_params() after setting
|
|
||||||
the required parameters and keys for the KDF.
|
|
||||||
|
|
||||||
Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
|
|
||||||
truncated variants -224 and -384) and SHA3 (-256 and -512, and the
|
|
||||||
truncated versions -224 and -384), as well as SHAKE-128 and -256.
|
|
||||||
|
|
||||||
The SHAKE functions are generally not allowed in KDFs. For the rest, the
|
|
||||||
support matrix is:
|
|
||||||
|
|
||||||
KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated
|
|
||||||
==========================================================================
|
|
||||||
KBKDF | x | x | x | x | x
|
|
||||||
HKDF | x | x | x | x | x
|
|
||||||
TLS1PRF | | SHA-{256,384,512} only | |
|
|
||||||
SSHKDF | x | x | x | |
|
|
||||||
SSKDF | x | x | x | x | x
|
|
||||||
X9.63KDF | | x | x | x | x
|
|
||||||
X9.42-ASN1 | x | x | x | x | x
|
|
||||||
TLS1.3PRF | | SHA-{256,384} only | |
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
Resolves: rhbz#2160733 rhbz#2164763
|
|
||||||
Related: rhbz#2114772 rhbz#2141695
|
|
||||||
---
|
|
||||||
include/crypto/evp.h | 7 ++
|
|
||||||
include/openssl/kdf.h | 4 +
|
|
||||||
providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++-
|
|
||||||
providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++--
|
|
||||||
providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
|
|
||||||
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
|
|
||||||
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
|
|
||||||
providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
|
|
||||||
util/perl/OpenSSL/paramnames.pm | 1 +
|
|
||||||
9 files changed, 487 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
|
||||||
index e70d8e9e84..76fb990de4 100644
|
|
||||||
--- a/include/crypto/evp.h
|
|
||||||
+++ b/include/crypto/evp.h
|
|
||||||
@@ -219,6 +219,13 @@ struct evp_mac_st {
|
|
||||||
OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
|
|
||||||
};
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
|
|
||||||
+ * Additional Keys from a Cryptographic Key, "[t]he length of the
|
|
||||||
+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
|
|
||||||
+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
struct evp_kdf_st {
|
|
||||||
OSSL_PROVIDER *prov;
|
|
||||||
int name_id;
|
|
||||||
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
|
|
||||||
index 0983230a48..86171635ea 100644
|
|
||||||
--- a/include/openssl/kdf.h
|
|
||||||
+++ b/include/openssl/kdf.h
|
|
||||||
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
|
|
||||||
# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
|
|
||||||
# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
|
|
||||||
|
|
||||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
|
||||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
|
|
||||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
|
||||||
+
|
|
||||||
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
|
|
||||||
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
|
|
||||||
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
|
|
||||||
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
|
|
||||||
index dfa7786bde..f01e40ff5a 100644
|
|
||||||
--- a/providers/implementations/kdfs/hkdf.c
|
|
||||||
+++ b/providers/implementations/kdfs/hkdf.c
|
|
||||||
@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
|
|
||||||
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
|
|
||||||
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
|
|
||||||
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
|
|
||||||
+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
|
|
||||||
static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
|
|
||||||
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
|
|
||||||
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
|
|
||||||
@@ -85,6 +86,10 @@ typedef struct {
|
|
||||||
size_t data_len;
|
|
||||||
unsigned char *info;
|
|
||||||
size_t info_len;
|
|
||||||
+ int is_tls13;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ int fips_indicator;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
} KDF_HKDF;
|
|
||||||
|
|
||||||
static void *kdf_hkdf_new(void *provctx)
|
|
||||||
@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
switch (ctx->mode) {
|
|
||||||
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
|
|
||||||
default:
|
|
||||||
@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
|
|
||||||
{
|
|
||||||
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
|
|
||||||
OSSL_PARAM *p;
|
|
||||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
||||||
|
|
||||||
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
||||||
size_t sz = kdf_hkdf_size(ctx);
|
|
||||||
|
|
||||||
+ any_valid = 1;
|
|
||||||
if (sz == 0)
|
|
||||||
return 0;
|
|
||||||
return OSSL_PARAM_set_size_t(p, sz);
|
|
||||||
}
|
|
||||||
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
|
|
||||||
+ any_valid = 1;
|
|
||||||
if (ctx->info == NULL || ctx->info_len == 0) {
|
|
||||||
p->return_size = 0;
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
|
|
||||||
}
|
|
||||||
- return -2;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
|
||||||
+ != NULL) {
|
|
||||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
|
|
||||||
+
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
||||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
||||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
||||||
+ * bits". */
|
|
||||||
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
+ * Verification Program, Section D.B and NIST Special Publication
|
|
||||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
||||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
||||||
+ * be longer than that. If a derived key has ever been shorter than
|
|
||||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
||||||
+ * should also set the returned FIPS indicator to unapproved. */
|
|
||||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ if (ctx->is_tls13) {
|
|
||||||
+ if (md != NULL
|
|
||||||
+ && !EVP_MD_is_a(md, "SHA2-256")
|
|
||||||
+ && !EVP_MD_is_a(md, "SHA2-384")) {
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic
|
|
||||||
+ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
|
|
||||||
+ * key derivation function documented in Section 7.1 of RFC
|
|
||||||
+ * 8446. This is considered an approved CVL because the
|
|
||||||
+ * underlying functions performed within the TLS 1.3 KDF map to
|
|
||||||
+ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
|
|
||||||
+ * Option #3), SP 800-56Crev2, and SP 800-108."
|
|
||||||
+ *
|
|
||||||
+ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ if (md != NULL
|
|
||||||
+ && (EVP_MD_is_a(md, "SHAKE-128") ||
|
|
||||||
+ EVP_MD_is_a(md, "SHAKE-256"))) {
|
|
||||||
+ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
|
|
||||||
+ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
|
|
||||||
+ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
|
|
||||||
+ * extendable-output functions may only be used as the
|
|
||||||
+ * standalone algorithms." */
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
+ if (!any_valid)
|
|
||||||
+ return -2;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
||||||
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
return known_gettable_ctx_params;
|
|
||||||
@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void *kdf_tls1_3_new(void *provctx)
|
|
||||||
+{
|
|
||||||
+ KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
|
|
||||||
+
|
|
||||||
+ if (hkdf != NULL)
|
|
||||||
+ hkdf->is_tls13 = 1;
|
|
||||||
+
|
|
||||||
+ return hkdf;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
|
||||||
const OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
switch (ctx->mode) {
|
|
||||||
default:
|
|
||||||
return 0;
|
|
||||||
@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
|
|
||||||
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
|
|
||||||
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
|
|
||||||
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
|
|
||||||
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
|
|
||||||
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
|
|
||||||
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
|
|
||||||
index a542f84dfa..6b6dfb94ac 100644
|
|
||||||
--- a/providers/implementations/kdfs/kbkdf.c
|
|
||||||
+++ b/providers/implementations/kdfs/kbkdf.c
|
|
||||||
@@ -59,6 +59,9 @@ typedef struct {
|
|
||||||
kbkdf_mode mode;
|
|
||||||
EVP_MAC_CTX *ctx_init;
|
|
||||||
|
|
||||||
+ /* HMAC digest algorithm, if any; used to compute FIPS indicator */
|
|
||||||
+ PROV_DIGEST digest;
|
|
||||||
+
|
|
||||||
/* Names are lowercased versions of those found in SP800-108. */
|
|
||||||
int r;
|
|
||||||
unsigned char *ki;
|
|
||||||
@@ -73,6 +76,9 @@ typedef struct {
|
|
||||||
int use_l;
|
|
||||||
int is_kmac;
|
|
||||||
int use_separator;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ int fips_indicator;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
} KBKDF;
|
|
||||||
|
|
||||||
/* Definitions needed for typechecking. */
|
|
||||||
@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
|
|
||||||
void *provctx = ctx->provctx;
|
|
||||||
|
|
||||||
EVP_MAC_CTX_free(ctx->ctx_init);
|
|
||||||
+ ossl_prov_digest_reset(&ctx->digest);
|
|
||||||
OPENSSL_clear_free(ctx->context, ctx->context_len);
|
|
||||||
OPENSSL_clear_free(ctx->label, ctx->label_len);
|
|
||||||
OPENSSL_clear_free(ctx->ki, ctx->ki_len);
|
|
||||||
@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
|
|
||||||
if (h == 0)
|
|
||||||
goto done;
|
|
||||||
@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
|
|
||||||
if (p != NULL
|
|
||||||
&& OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
|
|
||||||
@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
|
|
||||||
static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
OSSL_PARAM *p;
|
|
||||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
||||||
|
|
||||||
p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
|
|
||||||
- if (p == NULL)
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ /* KBKDF can produce results as large as you like. */
|
|
||||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ KBKDF *ctx = (KBKDF *)vctx;
|
|
||||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
||||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
||||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
||||||
+ * bits". */
|
|
||||||
+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
+ * Verification Program, Section D.B and NIST Special Publication
|
|
||||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
||||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
||||||
+ * be longer than that. If a derived key has ever been shorter than
|
|
||||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
||||||
+ * should also set the returned FIPS indicator to unapproved. */
|
|
||||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
|
||||||
+ * extendable-output functions may only be used as the standalone
|
|
||||||
+ * algorithms." Note that the digest is only used when the MAC
|
|
||||||
+ * algorithm is HMAC. */
|
|
||||||
+ if (ctx->ctx_init != NULL
|
|
||||||
+ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
|
|
||||||
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
|
|
||||||
+ if (md != NULL
|
|
||||||
+ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ if (!any_valid)
|
|
||||||
return -2;
|
|
||||||
|
|
||||||
- /* KBKDF can produce results as large as you like. */
|
|
||||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
ossl_unused void *provctx)
|
|
||||||
{
|
|
||||||
- static const OSSL_PARAM known_gettable_ctx_params[] =
|
|
||||||
- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
|
|
||||||
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+ OSSL_PARAM_END
|
|
||||||
+ };
|
|
||||||
return known_gettable_ctx_params;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
|
|
||||||
index c592ba72f1..4a52b38266 100644
|
|
||||||
--- a/providers/implementations/kdfs/sshkdf.c
|
|
||||||
+++ b/providers/implementations/kdfs/sshkdf.c
|
|
||||||
@@ -48,6 +48,9 @@ typedef struct {
|
|
||||||
char type; /* X */
|
|
||||||
unsigned char *session_id;
|
|
||||||
size_t session_id_len;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ int fips_indicator;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
} KDF_SSHKDF;
|
|
||||||
|
|
||||||
static void *kdf_sshkdf_new(void *provctx)
|
|
||||||
@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
return SSHKDF(md, ctx->key, ctx->key_len,
|
|
||||||
ctx->xcghash, ctx->xcghash_len,
|
|
||||||
ctx->session_id, ctx->session_id_len,
|
|
||||||
@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
|
|
||||||
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
OSSL_PARAM *p;
|
|
||||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
||||||
|
|
||||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
|
||||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
|
||||||
- return -2;
|
|
||||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ KDF_SSHKDF *ctx = vctx;
|
|
||||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
||||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
||||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
||||||
+ * bits". */
|
|
||||||
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
+ * Verification Program, Section D.B and NIST Special Publication
|
|
||||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
||||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
||||||
+ * be longer than that. If a derived key has ever been shorter than
|
|
||||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
||||||
+ * should also set the returned FIPS indicator to unapproved. */
|
|
||||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
|
||||||
+ * extendable-output functions may only be used as the standalone
|
|
||||||
+ * algorithms."
|
|
||||||
+ *
|
|
||||||
+ * Additionally, SP 800-135r1 section 5.2 specifies that the hash
|
|
||||||
+ * function used in SSHKDF "is one of the hash functions specified in
|
|
||||||
+ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
|
|
||||||
+ * */
|
|
||||||
+ if (ctx->digest.md != NULL
|
|
||||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
|
|
||||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
|
|
||||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
|
|
||||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
|
|
||||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ if (!any_valid)
|
|
||||||
+ return -2;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
{
|
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
return known_gettable_ctx_params;
|
|
||||||
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
|
|
||||||
index eb54972e1c..23865cd70f 100644
|
|
||||||
--- a/providers/implementations/kdfs/sskdf.c
|
|
||||||
+++ b/providers/implementations/kdfs/sskdf.c
|
|
||||||
@@ -64,6 +64,10 @@ typedef struct {
|
|
||||||
size_t salt_len;
|
|
||||||
size_t out_len; /* optional KMAC parameter */
|
|
||||||
int is_kmac;
|
|
||||||
+ int is_x963kdf;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ int fips_indicator;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
} KDF_SSKDF;
|
|
||||||
|
|
||||||
#define SSKDF_MAX_INLEN (1<<30)
|
|
||||||
@@ -73,6 +77,7 @@ typedef struct {
|
|
||||||
static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
|
|
||||||
|
|
||||||
static OSSL_FUNC_kdf_newctx_fn sskdf_new;
|
|
||||||
+static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
|
|
||||||
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
|
|
||||||
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
|
|
||||||
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
|
|
||||||
@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
|
|
||||||
return ctx;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void *x963kdf_new(void *provctx)
|
|
||||||
+{
|
|
||||||
+ KDF_SSKDF *ctx = sskdf_new(provctx);
|
|
||||||
+
|
|
||||||
+ if (ctx)
|
|
||||||
+ ctx->is_x963kdf = 1;
|
|
||||||
+
|
|
||||||
+ return ctx;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void sskdf_reset(void *vctx)
|
|
||||||
{
|
|
||||||
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
|
||||||
@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
|
||||||
}
|
|
||||||
md = ossl_prov_digest_md(&ctx->digest);
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
if (ctx->macctx != NULL) {
|
|
||||||
/* H(x) = KMAC or H(x) = HMAC */
|
|
||||||
int ret;
|
|
||||||
@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
|
|
||||||
ctx->info, ctx->info_len, 1, key, keylen);
|
|
||||||
}
|
|
||||||
@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
|
||||||
OSSL_PARAM *p;
|
|
||||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
||||||
+
|
|
||||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
|
||||||
- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
|
|
||||||
- return -2;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
||||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
||||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
||||||
+ * bits". */
|
|
||||||
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
+ * Verification Program, Section D.B and NIST Special Publication
|
|
||||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
||||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
||||||
+ * be longer than that. If a derived key has ever been shorter than
|
|
||||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
||||||
+ * should also set the returned FIPS indicator to unapproved. */
|
|
||||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
|
||||||
+ * extendable-output functions may only be used as the standalone
|
|
||||||
+ * algorithms." */
|
|
||||||
+ if (ctx->macctx == NULL
|
|
||||||
+ || (ctx->macctx != NULL &&
|
|
||||||
+ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
|
|
||||||
+ if (ctx->digest.md != NULL
|
|
||||||
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
|
|
||||||
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
|
|
||||||
+ * should only be used for 80-bit key agreement, but FIPS 140-3
|
|
||||||
+ * requires a security strength of 112 bits, so SHA-1 cannot be
|
|
||||||
+ * used with X9.63. See the discussion in
|
|
||||||
+ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
|
|
||||||
+ */
|
|
||||||
+ if (ctx->is_x963kdf
|
|
||||||
+ && ctx->digest.md != NULL
|
|
||||||
+ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ if (!any_valid)
|
|
||||||
+ return -2;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
{
|
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
return known_gettable_ctx_params;
|
|
||||||
@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
|
|
||||||
};
|
|
||||||
|
|
||||||
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
|
|
||||||
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
|
|
||||||
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
|
|
||||||
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
|
|
||||||
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
|
|
||||||
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
|
|
||||||
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
|
||||||
index a4d64b9352..f6782a6ca2 100644
|
|
||||||
--- a/providers/implementations/kdfs/tls1_prf.c
|
|
||||||
+++ b/providers/implementations/kdfs/tls1_prf.c
|
|
||||||
@@ -93,6 +93,13 @@ typedef struct {
|
|
||||||
/* Buffer of concatenated seed data */
|
|
||||||
unsigned char seed[TLS1_PRF_MAXBUF];
|
|
||||||
size_t seedlen;
|
|
||||||
+
|
|
||||||
+ /* MAC digest algorithm; used to compute FIPS indicator */
|
|
||||||
+ PROV_DIGEST digest;
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ int fips_indicator;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
} TLS1_PRF;
|
|
||||||
|
|
||||||
static void *kdf_tls1_prf_new(void *provctx)
|
|
||||||
@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
|
|
||||||
EVP_MAC_CTX_free(ctx->P_sha1);
|
|
||||||
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
|
||||||
OPENSSL_cleanse(ctx->seed, ctx->seedlen);
|
|
||||||
+ ossl_prov_digest_reset(&ctx->digest);
|
|
||||||
memset(ctx, 0, sizeof(*ctx));
|
|
||||||
ctx->provctx = provctx;
|
|
||||||
}
|
|
||||||
@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The seed buffer is prepended with a label.
|
|
||||||
@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
|
|
||||||
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
|
||||||
ctx->sec = NULL;
|
|
||||||
@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
|
|
||||||
static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
OSSL_PARAM *p;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ TLS1_PRF *ctx = vctx;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
||||||
+
|
|
||||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
||||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
||||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
||||||
+ * bits". */
|
|
||||||
+ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
+ * Verification Program, Section D.B and NIST Special Publication
|
|
||||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
||||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
||||||
+ * be longer than that. If a derived key has ever been shorter than
|
|
||||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
||||||
+ * should also set the returned FIPS indicator to unapproved. */
|
|
||||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
|
|
||||||
+ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
|
|
||||||
+ if (ctx->digest.md != NULL
|
|
||||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
|
|
||||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
|
|
||||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
|
||||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
|
||||||
- return -2;
|
|
||||||
+ if (!any_valid)
|
|
||||||
+ return -2;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
|
||||||
@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
|
||||||
{
|
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
return known_gettable_ctx_params;
|
|
||||||
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
|
|
||||||
index b1bc6f7e1b..8173fc2cc7 100644
|
|
||||||
--- a/providers/implementations/kdfs/x942kdf.c
|
|
||||||
+++ b/providers/implementations/kdfs/x942kdf.c
|
|
||||||
@@ -13,11 +13,13 @@
|
|
||||||
#include <openssl/core_dispatch.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
+#include <openssl/kdf.h>
|
|
||||||
#include <openssl/params.h>
|
|
||||||
#include <openssl/proverr.h>
|
|
||||||
#include "internal/packet.h"
|
|
||||||
#include "internal/der.h"
|
|
||||||
#include "internal/nelem.h"
|
|
||||||
+#include "crypto/evp.h"
|
|
||||||
#include "prov/provider_ctx.h"
|
|
||||||
#include "prov/providercommon.h"
|
|
||||||
#include "prov/implementations.h"
|
|
||||||
@@ -47,6 +50,9 @@ typedef struct {
|
|
||||||
const unsigned char *cek_oid;
|
|
||||||
size_t cek_oid_len;
|
|
||||||
int use_keybits;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ int fips_indicator;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
} KDF_X942;
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
|
|
||||||
der, der_len, ctr, key, keylen);
|
|
||||||
OPENSSL_free(der);
|
|
||||||
@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
KDF_X942 *ctx = (KDF_X942 *)vctx;
|
|
||||||
OSSL_PARAM *p;
|
|
||||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
||||||
|
|
||||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
|
||||||
- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
|
|
||||||
- return -2;
|
|
||||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
||||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
||||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
||||||
+ * bits". */
|
|
||||||
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
+ * Verification Program, Section D.B and NIST Special Publication
|
|
||||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
|
||||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
|
||||||
+ * be longer than that. If a derived key has ever been shorter than
|
|
||||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
|
||||||
+ * should also set the returned FIPS indicator to unapproved. */
|
|
||||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
|
||||||
+ * extendable-output functions may only be used as the standalone
|
|
||||||
+ * algorithms." */
|
|
||||||
+ if (ctx->digest.md != NULL
|
|
||||||
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
|
|
||||||
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ if (!any_valid)
|
|
||||||
+ return -2;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
{
|
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
return known_gettable_ctx_params;
|
|
||||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
index 70f7c50fe4..6618122417 100644
|
|
||||||
--- a/util/perl/OpenSSL/paramnames.pm
|
|
||||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
@@ -183,6 +183,7 @@ my %params = (
|
|
||||||
'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
|
|
||||||
'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
|
|
||||||
'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
|
|
||||||
+ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
|
||||||
'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
|
|
||||||
'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
|
|
||||||
'KDF_PARAM_THREADS' => "threads", # uint32_t
|
|
||||||
--
|
|
||||||
2.39.2
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,288 +0,0 @@
|
|||||||
From 4de5fa26873297f5c2eeed53e5c988437f837f55 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Thu, 17 Nov 2022 13:53:31 +0100
|
|
||||||
Subject: [PATCH] signature: Remove X9.31 padding from FIPS prov
|
|
||||||
|
|
||||||
The current draft of FIPS 186-5 [1] no longer contains specifications
|
|
||||||
for X9.31 signature padding. Instead, it contains the following
|
|
||||||
information in Appendix E:
|
|
||||||
|
|
||||||
> ANSI X9.31 was withdrawn, so X9.31 RSA signatures were removed from
|
|
||||||
> this standard.
|
|
||||||
|
|
||||||
Since this situation is unlikely to change in future revisions of the
|
|
||||||
draft, and future FIPS 140-3 validations of the provider will require
|
|
||||||
X9.31 to be disabled or marked as not approved with an explicit
|
|
||||||
indicator, disallow this padding mode now.
|
|
||||||
|
|
||||||
Remove the X9.31 tests from the acvp test, since they will always fail
|
|
||||||
now.
|
|
||||||
|
|
||||||
[1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
providers/implementations/signature/rsa_sig.c | 6 +
|
|
||||||
test/acvp_test.inc | 214 ------------------
|
|
||||||
2 files changed, 6 insertions(+), 214 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
|
||||||
index 34f45175e8..49e7f9158a 100644
|
|
||||||
--- a/providers/implementations/signature/rsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/rsa_sig.c
|
|
||||||
@@ -1233,7 +1233,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
|
||||||
err_extra_text = "No padding not allowed with RSA-PSS";
|
|
||||||
goto cont;
|
|
||||||
case RSA_X931_PADDING:
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
err_extra_text = "X.931 padding not allowed with RSA-PSS";
|
|
||||||
+#else /* !defined(FIPS_MODULE) */
|
|
||||||
+ err_extra_text = "X.931 padding no longer allowed in FIPS mode,"
|
|
||||||
+ " since it was removed from FIPS 186-5";
|
|
||||||
+ goto bad_pad;
|
|
||||||
+#endif /* !defined(FIPS_MODULE) */
|
|
||||||
cont:
|
|
||||||
if (RSA_test_flags(prsactx->rsa,
|
|
||||||
RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
|
|
||||||
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
|
|
||||||
index 73b24bdb0c..96a72073f9 100644
|
|
||||||
--- a/test/acvp_test.inc
|
|
||||||
+++ b/test/acvp_test.inc
|
|
||||||
@@ -1204,13 +1204,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = {
|
|
||||||
ITM(rsa_siggen0_msg),
|
|
||||||
NO_PSS_SALT_LEN,
|
|
||||||
},
|
|
||||||
- {
|
|
||||||
- "x931",
|
|
||||||
- 2048,
|
|
||||||
- "SHA384",
|
|
||||||
- ITM(rsa_siggen0_msg),
|
|
||||||
- NO_PSS_SALT_LEN,
|
|
||||||
- },
|
|
||||||
{
|
|
||||||
"pss",
|
|
||||||
2048,
|
|
||||||
@@ -1622,202 +1615,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = {
|
|
||||||
0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b,
|
|
||||||
};
|
|
||||||
|
|
||||||
-static const unsigned char rsa_sigverx931_0_n[] = {
|
|
||||||
- 0xa0, 0x16, 0x14, 0x80, 0x8b, 0x17, 0x2b, 0xad,
|
|
||||||
- 0xd7, 0x07, 0x31, 0x6d, 0xfc, 0xba, 0x25, 0x83,
|
|
||||||
- 0x09, 0xa0, 0xf7, 0x71, 0xc6, 0x06, 0x22, 0x87,
|
|
||||||
- 0xd6, 0xbd, 0x13, 0xd9, 0xfe, 0x7c, 0xf7, 0xe6,
|
|
||||||
- 0x48, 0xdb, 0x27, 0xd8, 0xa5, 0x49, 0x8e, 0x8c,
|
|
||||||
- 0xea, 0xbe, 0xe0, 0x04, 0x6f, 0x3d, 0x3b, 0x73,
|
|
||||||
- 0xdc, 0xc5, 0xd4, 0xdc, 0x85, 0xef, 0xea, 0x10,
|
|
||||||
- 0x46, 0xf3, 0x88, 0xb9, 0x93, 0xbc, 0xa0, 0xb6,
|
|
||||||
- 0x06, 0x02, 0x82, 0xb4, 0x2d, 0x54, 0xec, 0x79,
|
|
||||||
- 0x50, 0x8a, 0xfc, 0xfa, 0x62, 0x45, 0xbb, 0xd7,
|
|
||||||
- 0x26, 0xcd, 0x88, 0xfa, 0xe8, 0x0f, 0x26, 0x5b,
|
|
||||||
- 0x1f, 0x21, 0x3f, 0x3b, 0x5d, 0x98, 0x3f, 0x02,
|
|
||||||
- 0x8c, 0xa1, 0xbf, 0xc0, 0x70, 0x4d, 0xd1, 0x41,
|
|
||||||
- 0xfd, 0xb9, 0x55, 0x12, 0x90, 0xc8, 0x6e, 0x0f,
|
|
||||||
- 0x19, 0xa8, 0x5c, 0x31, 0xd6, 0x16, 0x0e, 0xdf,
|
|
||||||
- 0x08, 0x84, 0xcd, 0x4b, 0xfd, 0x28, 0x8d, 0x7d,
|
|
||||||
- 0x6e, 0xea, 0xc7, 0x95, 0x4a, 0xc3, 0x84, 0x54,
|
|
||||||
- 0x7f, 0xb0, 0x20, 0x29, 0x96, 0x39, 0x4c, 0x3e,
|
|
||||||
- 0x85, 0xec, 0x22, 0xdd, 0xb9, 0x14, 0xbb, 0x04,
|
|
||||||
- 0x2f, 0x4c, 0x0c, 0xe3, 0xfa, 0xae, 0x47, 0x79,
|
|
||||||
- 0x59, 0x8e, 0x4e, 0x7d, 0x4a, 0x17, 0xae, 0x16,
|
|
||||||
- 0x38, 0x66, 0x4e, 0xff, 0x45, 0x7f, 0xac, 0x5e,
|
|
||||||
- 0x75, 0x9f, 0x51, 0x18, 0xe6, 0xad, 0x6b, 0x8b,
|
|
||||||
- 0x3d, 0x08, 0x4d, 0x9a, 0xd2, 0x11, 0xba, 0xa8,
|
|
||||||
- 0xc3, 0xb5, 0x17, 0xb5, 0xdf, 0xe7, 0x39, 0x89,
|
|
||||||
- 0x27, 0x7b, 0xeb, 0xf4, 0xe5, 0x7e, 0xa9, 0x7b,
|
|
||||||
- 0x39, 0x40, 0x6f, 0xe4, 0x82, 0x14, 0x3d, 0x62,
|
|
||||||
- 0xb6, 0xd4, 0x43, 0xd0, 0x0a, 0x2f, 0xc1, 0x73,
|
|
||||||
- 0x3d, 0x99, 0x37, 0xbe, 0x62, 0x13, 0x6a, 0x8b,
|
|
||||||
- 0xeb, 0xc5, 0x64, 0xd5, 0x2a, 0x8b, 0x4f, 0x7f,
|
|
||||||
- 0x82, 0x48, 0x69, 0x3e, 0x08, 0x1b, 0xb5, 0x77,
|
|
||||||
- 0xd3, 0xdc, 0x1b, 0x2c, 0xe5, 0x59, 0xf6, 0x33,
|
|
||||||
- 0x47, 0xa0, 0x0f, 0xff, 0x8a, 0x6a, 0x1d, 0x66,
|
|
||||||
- 0x24, 0x67, 0x36, 0x7d, 0x21, 0xda, 0xc1, 0xd4,
|
|
||||||
- 0x11, 0x6c, 0xe8, 0x5f, 0xd7, 0x8a, 0x53, 0x5c,
|
|
||||||
- 0xb2, 0xe2, 0xf9, 0x14, 0x29, 0x0f, 0xcf, 0x28,
|
|
||||||
- 0x32, 0x4f, 0xc6, 0x17, 0xf6, 0xbc, 0x0e, 0xb8,
|
|
||||||
- 0x99, 0x7c, 0x14, 0xa3, 0x40, 0x3f, 0xf3, 0xe4,
|
|
||||||
- 0x31, 0xbe, 0x54, 0x64, 0x5a, 0xad, 0x1d, 0xb0,
|
|
||||||
- 0x37, 0xcc, 0xd9, 0x0b, 0xa4, 0xbc, 0xe0, 0x07,
|
|
||||||
- 0x37, 0xd1, 0xe1, 0x65, 0xc6, 0x53, 0xfe, 0x60,
|
|
||||||
- 0x6a, 0x64, 0xa4, 0x01, 0x00, 0xf3, 0x5b, 0x9a,
|
|
||||||
- 0x28, 0x61, 0xde, 0x7a, 0xd7, 0x0d, 0x56, 0x1e,
|
|
||||||
- 0x4d, 0xa8, 0x6a, 0xb5, 0xf2, 0x86, 0x2a, 0x4e,
|
|
||||||
- 0xaa, 0x37, 0x23, 0x5a, 0x3b, 0x69, 0x66, 0x81,
|
|
||||||
- 0xc8, 0x8e, 0x1b, 0x31, 0x0f, 0x28, 0x31, 0x9a,
|
|
||||||
- 0x2d, 0xe5, 0x79, 0xcc, 0xa4, 0xca, 0x60, 0x45,
|
|
||||||
- 0xf7, 0x83, 0x73, 0x5a, 0x01, 0x29, 0xda, 0xf7,
|
|
||||||
-
|
|
||||||
-};
|
|
||||||
-static const unsigned char rsa_sigverx931_0_e[] = {
|
|
||||||
- 0x01, 0x00, 0x01,
|
|
||||||
-};
|
|
||||||
-static const unsigned char rsa_sigverx931_0_msg[] = {
|
|
||||||
- 0x82, 0x2e, 0x41, 0x70, 0x9d, 0x1f, 0xe9, 0x47,
|
|
||||||
- 0xec, 0xf1, 0x79, 0xcc, 0x05, 0xef, 0xdb, 0xcd,
|
|
||||||
- 0xca, 0x8b, 0x8e, 0x61, 0x45, 0xad, 0xa6, 0xd9,
|
|
||||||
- 0xd7, 0x4b, 0x15, 0xf4, 0x92, 0x3a, 0x2a, 0x52,
|
|
||||||
- 0xe3, 0x44, 0x57, 0x2b, 0x74, 0x7a, 0x37, 0x41,
|
|
||||||
- 0x50, 0xcb, 0xcf, 0x13, 0x49, 0xd6, 0x15, 0x54,
|
|
||||||
- 0x97, 0xfd, 0xae, 0x9b, 0xc1, 0xbb, 0xfc, 0x5c,
|
|
||||||
- 0xc1, 0x37, 0x58, 0x17, 0x63, 0x19, 0x9c, 0xcf,
|
|
||||||
- 0xee, 0x9c, 0xe5, 0xbe, 0x06, 0xe4, 0x97, 0x47,
|
|
||||||
- 0xd1, 0x93, 0xa1, 0x2c, 0x59, 0x97, 0x02, 0x01,
|
|
||||||
- 0x31, 0x45, 0x8c, 0xe1, 0x5c, 0xac, 0xe7, 0x5f,
|
|
||||||
- 0x6a, 0x23, 0xda, 0xbf, 0xe4, 0x25, 0xc6, 0x67,
|
|
||||||
- 0xea, 0x5f, 0x73, 0x90, 0x1b, 0x06, 0x0f, 0x41,
|
|
||||||
- 0xb5, 0x6e, 0x74, 0x7e, 0xfd, 0xd9, 0xaa, 0xbd,
|
|
||||||
- 0xe2, 0x8d, 0xad, 0x99, 0xdd, 0x29, 0x70, 0xca,
|
|
||||||
- 0x1b, 0x38, 0x21, 0x55, 0xde, 0x07, 0xaf, 0x00,
|
|
||||||
-
|
|
||||||
-};
|
|
||||||
-static const unsigned char rsa_sigverx931_0_sig[] = {
|
|
||||||
- 0x29, 0xa9, 0x3a, 0x8e, 0x9e, 0x90, 0x1b, 0xdb,
|
|
||||||
- 0xaf, 0x0b, 0x47, 0x5b, 0xb5, 0xc3, 0x8c, 0xc3,
|
|
||||||
- 0x70, 0xbe, 0x73, 0xf9, 0x65, 0x8e, 0xc6, 0x1e,
|
|
||||||
- 0x95, 0x0b, 0xdb, 0x24, 0x76, 0x79, 0xf1, 0x00,
|
|
||||||
- 0x71, 0xcd, 0xc5, 0x6a, 0x7b, 0xd2, 0x8b, 0x18,
|
|
||||||
- 0xc4, 0xdd, 0xf1, 0x2a, 0x31, 0x04, 0x3f, 0xfc,
|
|
||||||
- 0x36, 0x06, 0x20, 0x71, 0x3d, 0x62, 0xf2, 0xb5,
|
|
||||||
- 0x79, 0x0a, 0xd5, 0xd2, 0x81, 0xf1, 0xb1, 0x4f,
|
|
||||||
- 0x9a, 0x17, 0xe8, 0x67, 0x64, 0x48, 0x09, 0x75,
|
|
||||||
- 0xff, 0x2d, 0xee, 0x36, 0xca, 0xca, 0x1d, 0x74,
|
|
||||||
- 0x99, 0xbe, 0x5c, 0x94, 0x31, 0xcc, 0x12, 0xf4,
|
|
||||||
- 0x59, 0x7e, 0x17, 0x00, 0x4f, 0x7b, 0xa4, 0xb1,
|
|
||||||
- 0xda, 0xdb, 0x3e, 0xa4, 0x34, 0x10, 0x4a, 0x19,
|
|
||||||
- 0x0a, 0xd2, 0xa7, 0xa0, 0xc5, 0xe6, 0xef, 0x82,
|
|
||||||
- 0xd4, 0x2e, 0x21, 0xbe, 0x15, 0x73, 0xac, 0xef,
|
|
||||||
- 0x05, 0xdb, 0x6a, 0x8a, 0x1a, 0xcb, 0x8e, 0xa5,
|
|
||||||
- 0xee, 0xfb, 0x28, 0xbf, 0x96, 0xa4, 0x2b, 0xd2,
|
|
||||||
- 0x85, 0x2b, 0x20, 0xc3, 0xaf, 0x9a, 0x32, 0x04,
|
|
||||||
- 0xa0, 0x49, 0x24, 0x47, 0xd0, 0x09, 0xf7, 0xcf,
|
|
||||||
- 0x73, 0xb6, 0xf6, 0x70, 0xda, 0x3b, 0xf8, 0x5a,
|
|
||||||
- 0x28, 0x2e, 0x14, 0x6c, 0x52, 0xbd, 0x2a, 0x7c,
|
|
||||||
- 0x8e, 0xc1, 0xa8, 0x0e, 0xb1, 0x1e, 0x6b, 0x8d,
|
|
||||||
- 0x76, 0xea, 0x70, 0x81, 0xa0, 0x02, 0x63, 0x74,
|
|
||||||
- 0xbc, 0x7e, 0xb9, 0xac, 0x0e, 0x7b, 0x1b, 0x75,
|
|
||||||
- 0x82, 0xe2, 0x98, 0x4e, 0x24, 0x55, 0xd4, 0xbd,
|
|
||||||
- 0x14, 0xde, 0x58, 0x56, 0x3a, 0x5d, 0x4e, 0x57,
|
|
||||||
- 0x0d, 0x54, 0x74, 0xe8, 0x86, 0x8c, 0xcb, 0x07,
|
|
||||||
- 0x9f, 0x0b, 0xfb, 0xc2, 0x08, 0x5c, 0xd7, 0x05,
|
|
||||||
- 0x3b, 0xc8, 0xd2, 0x15, 0x68, 0x8f, 0x3d, 0x3c,
|
|
||||||
- 0x4e, 0x85, 0xa9, 0x25, 0x6f, 0xf5, 0x2e, 0xca,
|
|
||||||
- 0xca, 0xa8, 0x27, 0x89, 0x61, 0x4e, 0x1f, 0x57,
|
|
||||||
- 0x2d, 0x99, 0x10, 0x3f, 0xbc, 0x9e, 0x96, 0x5e,
|
|
||||||
- 0x2f, 0x0a, 0x25, 0xa7, 0x5c, 0xea, 0x65, 0x2a,
|
|
||||||
- 0x22, 0x35, 0xa3, 0xf9, 0x13, 0x89, 0x05, 0x2e,
|
|
||||||
- 0x19, 0x73, 0x1d, 0x70, 0x74, 0x98, 0x15, 0x4b,
|
|
||||||
- 0xab, 0x56, 0x52, 0xe0, 0x01, 0x42, 0x95, 0x6a,
|
|
||||||
- 0x46, 0x2c, 0x78, 0xff, 0x26, 0xbc, 0x48, 0x10,
|
|
||||||
- 0x38, 0x25, 0xab, 0x32, 0x7c, 0x79, 0x7c, 0x5d,
|
|
||||||
- 0x6f, 0x45, 0x54, 0x74, 0x2d, 0x93, 0x56, 0x52,
|
|
||||||
- 0x11, 0x34, 0x1e, 0xe3, 0x4b, 0x6a, 0x17, 0x4f,
|
|
||||||
- 0x37, 0x14, 0x75, 0xac, 0xa3, 0xa1, 0xca, 0xda,
|
|
||||||
- 0x38, 0x06, 0xa9, 0x78, 0xb9, 0x5d, 0xd0, 0x59,
|
|
||||||
- 0x1b, 0x5d, 0x1e, 0xc2, 0x0b, 0xfb, 0x39, 0x37,
|
|
||||||
- 0x44, 0x85, 0xb6, 0x36, 0x06, 0x95, 0xbc, 0x15,
|
|
||||||
- 0x35, 0xb9, 0xe6, 0x27, 0x42, 0xe3, 0xc8, 0xec,
|
|
||||||
- 0x30, 0x37, 0x20, 0x26, 0x9a, 0x11, 0x61, 0xc0,
|
|
||||||
- 0xdb, 0xb2, 0x5a, 0x26, 0x78, 0x27, 0xb9, 0x13,
|
|
||||||
- 0xc9, 0x1a, 0xa7, 0x67, 0x93, 0xe8, 0xbe, 0xcb,
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
-#define rsa_sigverx931_1_n rsa_sigverx931_0_n
|
|
||||||
-#define rsa_sigverx931_1_e rsa_sigverx931_0_e
|
|
||||||
-static const unsigned char rsa_sigverx931_1_msg[] = {
|
|
||||||
- 0x79, 0x02, 0xb9, 0xd2, 0x3e, 0x84, 0x02, 0xc8,
|
|
||||||
- 0x2a, 0x94, 0x92, 0x14, 0x8d, 0xd5, 0xd3, 0x8d,
|
|
||||||
- 0xb2, 0xf6, 0x00, 0x8b, 0x61, 0x2c, 0xd2, 0xf9,
|
|
||||||
- 0xa8, 0xe0, 0x5d, 0xac, 0xdc, 0xa5, 0x34, 0xf3,
|
|
||||||
- 0xda, 0x6c, 0xd4, 0x70, 0x92, 0xfb, 0x40, 0x26,
|
|
||||||
- 0xc7, 0x9b, 0xe8, 0xd2, 0x10, 0x11, 0xcf, 0x7f,
|
|
||||||
- 0x23, 0xd0, 0xed, 0x55, 0x52, 0x6d, 0xd3, 0xb2,
|
|
||||||
- 0x56, 0x53, 0x8d, 0x7c, 0x4c, 0xb8, 0xcc, 0xb5,
|
|
||||||
- 0xfd, 0xd0, 0x45, 0x4f, 0x62, 0x40, 0x54, 0x42,
|
|
||||||
- 0x68, 0xd5, 0xe5, 0xdd, 0xf0, 0x76, 0x94, 0x59,
|
|
||||||
- 0x1a, 0x57, 0x13, 0xb4, 0xc3, 0x70, 0xcc, 0xbd,
|
|
||||||
- 0x4c, 0x2e, 0xc8, 0x6b, 0x9d, 0x68, 0xd0, 0x72,
|
|
||||||
- 0x6a, 0x94, 0xd2, 0x18, 0xb5, 0x3b, 0x86, 0x45,
|
|
||||||
- 0x95, 0xaa, 0x50, 0xda, 0x35, 0xeb, 0x69, 0x44,
|
|
||||||
- 0x1f, 0xf3, 0x3a, 0x51, 0xbb, 0x1d, 0x08, 0x42,
|
|
||||||
- 0x12, 0xd7, 0xd6, 0x21, 0xd8, 0x9b, 0x87, 0x55,
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
-static const unsigned char rsa_sigverx931_1_sig[] = {
|
|
||||||
- 0x3b, 0xba, 0xb3, 0xb1, 0xb2, 0x6a, 0x29, 0xb5,
|
|
||||||
- 0xf9, 0x94, 0xf1, 0x00, 0x5c, 0x16, 0x67, 0x67,
|
|
||||||
- 0x73, 0xd3, 0xde, 0x7e, 0x07, 0xfa, 0xaa, 0x95,
|
|
||||||
- 0xeb, 0x5a, 0x55, 0xdc, 0xb2, 0xa9, 0x70, 0x5a,
|
|
||||||
- 0xee, 0x8f, 0x8d, 0x69, 0x85, 0x2b, 0x00, 0xe3,
|
|
||||||
- 0xdc, 0xe2, 0x73, 0x9b, 0x68, 0xeb, 0x93, 0x69,
|
|
||||||
- 0x08, 0x03, 0x17, 0xd6, 0x50, 0x21, 0x14, 0x23,
|
|
||||||
- 0x8c, 0xe6, 0x54, 0x3a, 0xd9, 0xfc, 0x8b, 0x14,
|
|
||||||
- 0x81, 0xb1, 0x8b, 0x9d, 0xd2, 0xbe, 0x58, 0x75,
|
|
||||||
- 0x94, 0x74, 0x93, 0xc9, 0xbb, 0x4e, 0xf6, 0x1f,
|
|
||||||
- 0x73, 0x7d, 0x1a, 0x5f, 0xbd, 0xbf, 0x59, 0x37,
|
|
||||||
- 0x5b, 0x98, 0x54, 0xad, 0x3a, 0xef, 0xa0, 0xef,
|
|
||||||
- 0xcb, 0xc3, 0xe8, 0x84, 0xd8, 0x3d, 0xf5, 0x60,
|
|
||||||
- 0xb8, 0xc3, 0x8d, 0x1e, 0x78, 0xa0, 0x91, 0x94,
|
|
||||||
- 0xb7, 0xd7, 0xb1, 0xd4, 0xe2, 0xee, 0x81, 0x93,
|
|
||||||
- 0xfc, 0x41, 0xf0, 0x31, 0xbb, 0x03, 0x52, 0xde,
|
|
||||||
- 0x80, 0x20, 0x3a, 0x68, 0xe6, 0xc5, 0x50, 0x1b,
|
|
||||||
- 0x08, 0x3f, 0x40, 0xde, 0xb3, 0xe5, 0x81, 0x99,
|
|
||||||
- 0x7f, 0xdb, 0xb6, 0x5d, 0x61, 0x27, 0xd4, 0xfb,
|
|
||||||
- 0xcd, 0xc5, 0x7a, 0xea, 0xde, 0x7a, 0x66, 0xef,
|
|
||||||
- 0x55, 0x3f, 0x85, 0xea, 0x84, 0xc5, 0x0a, 0xf6,
|
|
||||||
- 0x3c, 0x40, 0x38, 0xf7, 0x6c, 0x66, 0xe5, 0xbe,
|
|
||||||
- 0x61, 0x41, 0xd3, 0xb1, 0x08, 0xe1, 0xb4, 0xf9,
|
|
||||||
- 0x6e, 0xf6, 0x0e, 0x4a, 0x72, 0x6c, 0x61, 0x63,
|
|
||||||
- 0x3e, 0x41, 0x33, 0x94, 0xd6, 0x27, 0xa4, 0xd9,
|
|
||||||
- 0x3a, 0x20, 0x2b, 0x39, 0xea, 0xe5, 0x82, 0x48,
|
|
||||||
- 0xd6, 0x5b, 0x58, 0x85, 0x44, 0xb0, 0xd2, 0xfd,
|
|
||||||
- 0xfb, 0x3e, 0xeb, 0x78, 0xac, 0xbc, 0xba, 0x16,
|
|
||||||
- 0x92, 0x0e, 0x20, 0xc1, 0xb2, 0xd1, 0x92, 0xa8,
|
|
||||||
- 0x00, 0x88, 0xc0, 0x41, 0x46, 0x38, 0xb6, 0x54,
|
|
||||||
- 0x70, 0x0c, 0x00, 0x62, 0x97, 0x6a, 0x8e, 0x66,
|
|
||||||
- 0x5a, 0xa1, 0x6c, 0xf7, 0x6d, 0xc2, 0x27, 0x56,
|
|
||||||
- 0x60, 0x5b, 0x0c, 0x52, 0xac, 0x5c, 0xae, 0x99,
|
|
||||||
- 0x55, 0x11, 0x62, 0x52, 0x09, 0x48, 0x53, 0x90,
|
|
||||||
- 0x3c, 0x0b, 0xd4, 0xdc, 0x7b, 0xe3, 0x4c, 0xe3,
|
|
||||||
- 0xa8, 0x6d, 0xc5, 0xdf, 0xc1, 0x5c, 0x59, 0x25,
|
|
||||||
- 0x99, 0x30, 0xde, 0x57, 0x6a, 0x84, 0x25, 0x34,
|
|
||||||
- 0x3e, 0x64, 0x11, 0xdb, 0x7a, 0x82, 0x8e, 0x70,
|
|
||||||
- 0xd2, 0x5c, 0x0e, 0x81, 0xa0, 0x24, 0x53, 0x75,
|
|
||||||
- 0x98, 0xd6, 0x10, 0x01, 0x6a, 0x14, 0xed, 0xc3,
|
|
||||||
- 0x6f, 0xc4, 0x18, 0xb8, 0xd2, 0x9f, 0x59, 0x53,
|
|
||||||
- 0x81, 0x3a, 0x86, 0x31, 0xfc, 0x9e, 0xbf, 0x6c,
|
|
||||||
- 0x52, 0x93, 0x86, 0x9c, 0xaa, 0x6c, 0x6f, 0x07,
|
|
||||||
- 0x8a, 0x40, 0x33, 0x64, 0xb2, 0x70, 0x48, 0x85,
|
|
||||||
- 0x05, 0x59, 0x65, 0x2d, 0x6b, 0x9a, 0xad, 0xab,
|
|
||||||
- 0x20, 0x7e, 0x02, 0x6d, 0xde, 0xcf, 0x22, 0x0b,
|
|
||||||
- 0xea, 0x6e, 0xbd, 0x1c, 0x39, 0x3a, 0xfd, 0xa4,
|
|
||||||
- 0xde, 0x54, 0xae, 0xde, 0x5e, 0xf7, 0xb0, 0x6d,
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
static const struct rsa_sigver_st rsa_sigver_data[] = {
|
|
||||||
{
|
|
||||||
"pkcs1", /* pkcs1v1.5 */
|
|
||||||
@@ -1841,17 +1638,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
|
|
||||||
NO_PSS_SALT_LEN,
|
|
||||||
FAIL
|
|
||||||
},
|
|
||||||
- {
|
|
||||||
- "x931",
|
|
||||||
- 3072,
|
|
||||||
- "SHA256",
|
|
||||||
- ITM(rsa_sigverx931_1_msg),
|
|
||||||
- ITM(rsa_sigverx931_1_n),
|
|
||||||
- ITM(rsa_sigverx931_1_e),
|
|
||||||
- ITM(rsa_sigverx931_1_sig),
|
|
||||||
- NO_PSS_SALT_LEN,
|
|
||||||
- FAIL
|
|
||||||
- },
|
|
||||||
{
|
|
||||||
"pss",
|
|
||||||
4096,
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,123 +0,0 @@
|
|||||||
From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Thu, 17 Nov 2022 18:08:24 +0100
|
|
||||||
Subject: [PATCH] hmac: Add explicit FIPS indicator for key length
|
|
||||||
|
|
||||||
NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
|
|
||||||
specifies key lengths < 112 bytes are disallowed for HMAC generation and
|
|
||||||
are legacy use for HMAC verification.
|
|
||||||
|
|
||||||
Add an explicit indicator that will mark shorter key lengths as
|
|
||||||
unsupported. The indicator can be queries from the EVP_MAC_CTX object
|
|
||||||
using EVP_MAC_CTX_get_params() with the
|
|
||||||
OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR
|
|
||||||
parameter.
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
include/crypto/evp.h | 7 +++++++
|
|
||||||
include/openssl/evp.h | 3 +++
|
|
||||||
providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
|
|
||||||
4 files changed, 28 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
|
||||||
index 76fb990de4..1e2240516e 100644
|
|
||||||
--- a/include/crypto/evp.h
|
|
||||||
+++ b/include/crypto/evp.h
|
|
||||||
@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void);
|
|
||||||
const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
|
|
||||||
const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
|
|
||||||
+ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
|
|
||||||
+ * HMAC verification. */
|
|
||||||
+# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
struct evp_mac_st {
|
|
||||||
OSSL_PROVIDER *prov;
|
|
||||||
int name_id;
|
|
||||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
|
||||||
index 49e8e1df78..a5e78efd6e 100644
|
|
||||||
--- a/include/openssl/evp.h
|
|
||||||
+++ b/include/openssl/evp.h
|
|
||||||
@@ -1192,6 +1192,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
|
|
||||||
void *arg);
|
|
||||||
|
|
||||||
/* MAC stuff */
|
|
||||||
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
|
||||||
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
|
|
||||||
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
|
||||||
|
|
||||||
EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
|
|
||||||
const char *properties);
|
|
||||||
diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
|
|
||||||
index 52ebb08b8f..cf5c3ecbe7 100644
|
|
||||||
--- a/providers/implementations/macs/hmac_prov.c
|
|
||||||
+++ b/providers/implementations/macs/hmac_prov.c
|
|
||||||
@@ -21,6 +21,8 @@
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
#include <openssl/hmac.h>
|
|
||||||
|
|
||||||
+#include "crypto/evp.h"
|
|
||||||
+
|
|
||||||
#include "internal/ssl3_cbc.h"
|
|
||||||
|
|
||||||
#include "prov/implementations.h"
|
|
||||||
@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
|
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
|
|
||||||
OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
|
|
||||||
&& !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR)) != NULL) {
|
|
||||||
+ int fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+ /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
|
|
||||||
+ * specifies key lengths < 112 bytes are disallowed for HMAC generation
|
|
||||||
+ * and legacy use for HMAC verification. */
|
|
||||||
+ if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
|
|
||||||
+ fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ return OSSL_PARAM_set_int(p, fips_indicator);
|
|
||||||
+ }
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
index 6618122417..8b2d430f17 100644
|
|
||||||
--- a/util/perl/OpenSSL/paramnames.pm
|
|
||||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
@@ -137,12 +137,13 @@ my %params = (
|
|
||||||
# If "engine",or "properties",are specified, they should always be paired
|
|
||||||
# with "cipher",or "digest".
|
|
||||||
|
|
||||||
- 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
|
|
||||||
- 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
|
|
||||||
- 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
|
|
||||||
- 'MAC_PARAM_SIZE' => "size", # size_t
|
|
||||||
- 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
|
|
||||||
- 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
|
|
||||||
+ 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
|
|
||||||
+ 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
|
|
||||||
+ 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
|
|
||||||
+ 'MAC_PARAM_SIZE' => "size", # size_t
|
|
||||||
+ 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
|
|
||||||
+ 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
|
|
||||||
+ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t
|
|
||||||
|
|
||||||
# KDF / PRF parameters
|
|
||||||
'KDF_PARAM_SECRET' => "secret", # octet string
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,86 +0,0 @@
|
|||||||
From 754862899058cfb5f2341c81f9e04dd2f7b37056 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Thu, 17 Nov 2022 18:37:17 +0100
|
|
||||||
Subject: [PATCH] pbkdf2: Set minimum password length of 8 bytes
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The Implementation Guidance for FIPS 140-3 says in section D.N
|
|
||||||
"Password-Based Key Derivation for Storage Applications" that "the
|
|
||||||
vendor shall document in the module’s Security Policy the length of
|
|
||||||
a password/passphrase used in key derivation and establish an upper
|
|
||||||
bound for the probability of having this parameter guessed at random.
|
|
||||||
This probability shall take into account not only the length of the
|
|
||||||
password/passphrase, but also the difficulty of guessing it. The
|
|
||||||
decision on the minimum length of a password used for key derivation is
|
|
||||||
the vendor’s, but the vendor shall at a minimum informally justify the
|
|
||||||
decision."
|
|
||||||
|
|
||||||
We are choosing a minimum password length of 8 bytes, because NIST's
|
|
||||||
ACVP testing uses passwords as short as 8 bytes, and requiring longer
|
|
||||||
passwords combined with an implicit indicator (i.e., returning an error)
|
|
||||||
would cause the module to fail ACVP testing.
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
|
|
||||||
1 file changed, 26 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
|
|
||||||
index 2a0ae63acc..aa0adce5e6 100644
|
|
||||||
--- a/providers/implementations/kdfs/pbkdf2.c
|
|
||||||
+++ b/providers/implementations/kdfs/pbkdf2.c
|
|
||||||
@@ -35,6 +35,21 @@
|
|
||||||
#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
|
|
||||||
#define KDF_PBKDF2_MIN_ITERATIONS 1000
|
|
||||||
#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
|
|
||||||
+/* The Implementation Guidance for FIPS 140-3 says in section D.N
|
|
||||||
+ * "Password-Based Key Derivation for Storage Applications" that "the vendor
|
|
||||||
+ * shall document in the module’s Security Policy the length of
|
|
||||||
+ * a password/passphrase used in key derivation and establish an upper bound
|
|
||||||
+ * for the probability of having this parameter guessed at random. This
|
|
||||||
+ * probability shall take into account not only the length of the
|
|
||||||
+ * password/passphrase, but also the difficulty of guessing it. The decision on
|
|
||||||
+ * the minimum length of a password used for key derivation is the vendor’s,
|
|
||||||
+ * but the vendor shall at a minimum informally justify the decision."
|
|
||||||
+ *
|
|
||||||
+ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP
|
|
||||||
+ * testing uses passwords as short as 8 bytes, and requiring longer passwords
|
|
||||||
+ * combined with an implicit indicator (i.e., returning an error) would cause
|
|
||||||
+ * the module to fail ACVP testing. */
|
|
||||||
+#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
|
|
||||||
|
|
||||||
static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
|
|
||||||
static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
|
|
||||||
@@ -186,9 +201,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
|
||||||
ctx->lower_bound_checks = pkcs5 == 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
|
|
||||||
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) {
|
|
||||||
+ if (ctx->lower_bound_checks != 0
|
|
||||||
+ && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
|
|
||||||
return 0;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
|
|
||||||
if (ctx->lower_bound_checks != 0
|
|
||||||
@@ -297,6 +318,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (lower_bound_checks) {
|
|
||||||
+ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
|
|
||||||
return 0;
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,113 +0,0 @@
|
|||||||
From 52b347703ba2b98a0efee86c1a483c2f0f9f73d6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Wed, 11 Jan 2023 12:52:59 +0100
|
|
||||||
Subject: [PATCH] rsa: Disallow SHAKE in OAEP and PSS in FIPS prov
|
|
||||||
|
|
||||||
According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
|
|
||||||
must not be used in higher-level algorithms (such as RSA-OAEP and
|
|
||||||
RSASSA-PSS):
|
|
||||||
|
|
||||||
"To be used in an approved mode of operation, the SHA-3 hash functions
|
|
||||||
may be implemented either as part of an approved higher-level algorithm,
|
|
||||||
for example, a digital signature algorithm, or as the standalone
|
|
||||||
functions. The SHAKE128 and SHAKE256 extendable-output functions may
|
|
||||||
only be used as the standalone algorithms."
|
|
||||||
|
|
||||||
Add a check to prevent their use as message digest in PSS signatures and
|
|
||||||
as MGF1 hash function in both OAEP and PSS.
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++
|
|
||||||
crypto/rsa/rsa_pss.c | 16 ++++++++++++++++
|
|
||||||
2 files changed, 44 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
|
|
||||||
index d9be1a4f98..dfe9c9f0e8 100644
|
|
||||||
--- a/crypto/rsa/rsa_oaep.c
|
|
||||||
+++ b/crypto/rsa/rsa_oaep.c
|
|
||||||
@@ -73,9 +73,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
|
||||||
return 0;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
|
|
||||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
if (mgf1md == NULL)
|
|
||||||
mgf1md = md;
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
|
|
||||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
mdlen = EVP_MD_get_size(md);
|
|
||||||
if (mdlen <= 0) {
|
|
||||||
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH);
|
|
||||||
@@ -181,9 +195,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
|
|
||||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
if (mgf1md == NULL)
|
|
||||||
mgf1md = md;
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
|
|
||||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
mdlen = EVP_MD_get_size(md);
|
|
||||||
|
|
||||||
if (tlen <= 0 || flen <= 0)
|
|
||||||
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
|
|
||||||
index 33874bfef8..e8681b0351 100644
|
|
||||||
--- a/crypto/rsa/rsa_pss.c
|
|
||||||
+++ b/crypto/rsa/rsa_pss.c
|
|
||||||
@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
|
|
||||||
if (mgf1Hash == NULL)
|
|
||||||
mgf1Hash = Hash;
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
|
|
||||||
+ goto err;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
hLen = EVP_MD_get_size(Hash);
|
|
||||||
if (hLen < 0)
|
|
||||||
goto err;
|
|
||||||
@@ -164,6 +172,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
|
||||||
if (mgf1Hash == NULL)
|
|
||||||
mgf1Hash = Hash;
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
|
|
||||||
+ goto err;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
hLen = EVP_MD_get_size(Hash);
|
|
||||||
if (hLen < 0)
|
|
||||||
goto err;
|
|
||||||
--
|
|
||||||
2.39.0
|
|
||||||
|
|
@ -1,138 +0,0 @@
|
|||||||
From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Thu, 17 Nov 2022 19:33:02 +0100
|
|
||||||
Subject: [PATCH 1/3] signature: Add indicator for PSS salt length
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
|
||||||
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
|
|
||||||
salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen, where hLen is the length of
|
|
||||||
the hash function output block (in bytes)."
|
|
||||||
|
|
||||||
It is not exactly clear from this text whether hLen refers to the
|
|
||||||
message digest or the hash function used for the mask generation
|
|
||||||
function MGF1. PKCS#1 v2.1 suggests it is the former:
|
|
||||||
|
|
||||||
| Typical salt lengths in octets are hLen (the length of the output of
|
|
||||||
| the hash function Hash) and 0. In both cases the security of
|
|
||||||
| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
|
|
||||||
| Bellare and Rogaway [4] give a tight lower bound for the security of
|
|
||||||
| the original RSA-PSS scheme, which corresponds roughly to the former
|
|
||||||
| case, while Coron [12] gives a lower bound for the related Full Domain
|
|
||||||
| Hashing scheme, which corresponds roughly to the latter case. In [13]
|
|
||||||
| Coron provides a general treatment with various salt lengths ranging
|
|
||||||
| from 0 to hLen; see [27] for discussion. See also [31], which adapts
|
|
||||||
| the security proofs in [4][13] to address the differences between the
|
|
||||||
| original and the present version of RSA-PSS as listed in Note 1 above.
|
|
||||||
|
|
||||||
Since OpenSSL defaults to creating signatures with the maximum salt
|
|
||||||
length, blocking the use of longer salts would probably lead to
|
|
||||||
significant problems in practice. Instead, introduce an explicit
|
|
||||||
indicator that can be obtained from the EVP_PKEY_CTX object using
|
|
||||||
EVP_PKEY_CTX_get_params() with the
|
|
||||||
OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR
|
|
||||||
parameter.
|
|
||||||
|
|
||||||
We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch.
|
|
||||||
Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
include/openssl/evp.h | 4 ++++
|
|
||||||
providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++
|
|
||||||
util/perl/OpenSSL/paramnames.pm | 23 ++++++++++---------
|
|
||||||
3 files changed, 37 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
|
||||||
index a5e78efd6e..f239200465 100644
|
|
||||||
--- a/include/openssl/evp.h
|
|
||||||
+++ b/include/openssl/evp.h
|
|
||||||
@@ -797,6 +797,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
|
|
||||||
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
|
|
||||||
int *outl);
|
|
||||||
|
|
||||||
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
|
||||||
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
|
|
||||||
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
|
||||||
+
|
|
||||||
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
|
|
||||||
EVP_PKEY *pkey);
|
|
||||||
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
|
|
||||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
|
||||||
index 49e7f9158a..0c45008a00 100644
|
|
||||||
--- a/providers/implementations/signature/rsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/rsa_sig.c
|
|
||||||
@@ -1127,6 +1127,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ int fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
|
|
||||||
+ if (prsactx->md == NULL) {
|
|
||||||
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
|
|
||||||
+ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
|
|
||||||
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ }
|
|
||||||
+ } else if (prsactx->pad_mode == RSA_NO_PADDING) {
|
|
||||||
+ if (prsactx->md == NULL) /* Should always be the case */
|
|
||||||
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ }
|
|
||||||
+ return OSSL_PARAM_set_int(p, fips_indicator);
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1136,6 +1151,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
|
|
||||||
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
|
|
||||||
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
|
||||||
+#endif
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
|
|
||||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
index 8b2d430f17..a109e44521 100644
|
|
||||||
--- a/util/perl/OpenSSL/paramnames.pm
|
|
||||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
@@ -377,17 +377,18 @@ my %params = (
|
|
||||||
'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm",
|
|
||||||
|
|
||||||
# Signature parameters
|
|
||||||
- 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id",
|
|
||||||
- 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
|
|
||||||
- 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
|
||||||
- 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
|
|
||||||
- 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
|
|
||||||
- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
|
|
||||||
- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
|
|
||||||
- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
|
|
||||||
- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
|
|
||||||
- 'SIGNATURE_PARAM_INSTANCE' => "instance",
|
|
||||||
- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
|
|
||||||
+ 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id",
|
|
||||||
+ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
|
|
||||||
+ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
|
||||||
+ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
|
|
||||||
+ 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
|
|
||||||
+ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
|
|
||||||
+ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
|
|
||||||
+ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
|
|
||||||
+ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
|
||||||
+ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
|
|
||||||
+ 'SIGNATURE_PARAM_INSTANCE' => "instance",
|
|
||||||
+ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
|
|
||||||
|
|
||||||
# Asym cipher parameters
|
|
||||||
'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,32 +0,0 @@
|
|||||||
diff -up openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap openssl-3.0.1/providers/implementations/kem/rsa_kem.c
|
|
||||||
--- openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap 2022-11-22 12:27:30.994530801 +0100
|
|
||||||
+++ openssl-3.0.1/providers/implementations/kem/rsa_kem.c 2022-11-22 12:32:15.916875495 +0100
|
|
||||||
@@ -264,6 +264,14 @@ static int rsasve_generate(PROV_RSA_CTX
|
|
||||||
*secretlen = nlen;
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Step (2): Generate a random byte string z of nlen bytes where
|
|
||||||
* 1 < z < n - 1
|
|
||||||
@@ -307,6 +315,13 @@ static int rsasve_recover(PROV_RSA_CTX *
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/* Step (2): check the input ciphertext 'inlen' matches the nlen */
|
|
||||||
if (inlen != nlen) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
|
|
@ -1,344 +0,0 @@
|
|||||||
From 8a2d1b22ede5eeca4d104bb027b84f3ecfc69549 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Thu, 11 May 2023 12:51:59 +0200
|
|
||||||
Subject: [PATCH] DH: Disable FIPS 186-4 type parameters in FIPS mode
|
|
||||||
|
|
||||||
For DH parameter and key pair generation/verification, the DSA
|
|
||||||
procedures specified in FIPS 186-4 are used. With the release of FIPS
|
|
||||||
186-5 and the removal of DSA, the approved status of these groups is in
|
|
||||||
peril. Once the transition for DSA ends (this transition will be 1 year
|
|
||||||
long and start once CMVP has published the guidance), no more
|
|
||||||
submissions claiming DSA will be allowed. Hence, FIPS 186-type
|
|
||||||
parameters will also be automatically non-approved.
|
|
||||||
|
|
||||||
In the FIPS provider, disable validation of any DH parameters that are
|
|
||||||
not well-known groups, and remove DH parameter generation completely.
|
|
||||||
|
|
||||||
Adjust tests to use well-known groups or larger DH groups where this
|
|
||||||
change would now cause failures, and skip tests that are expected to
|
|
||||||
fail due to this change.
|
|
||||||
|
|
||||||
Related: rhbz#2169757, rhbz#2169757
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
crypto/dh/dh_backend.c | 10 ++++
|
|
||||||
crypto/dh/dh_check.c | 12 ++--
|
|
||||||
crypto/dh/dh_gen.c | 12 +++-
|
|
||||||
crypto/dh/dh_key.c | 13 ++--
|
|
||||||
crypto/dh/dh_pmeth.c | 10 +++-
|
|
||||||
providers/implementations/keymgmt/dh_kmgmt.c | 5 ++
|
|
||||||
test/endecode_test.c | 4 +-
|
|
||||||
test/evp_libctx_test.c | 2 +-
|
|
||||||
test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++
|
|
||||||
test/helpers/predefined_dhparams.h | 1 +
|
|
||||||
test/recipes/80-test_cms.t | 4 +-
|
|
||||||
test/recipes/80-test_ssl_old.t | 3 +
|
|
||||||
12 files changed, 118 insertions(+), 20 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
|
|
||||||
index 726843fd30..24c65ca84f 100644
|
|
||||||
--- a/crypto/dh/dh_backend.c
|
|
||||||
+++ b/crypto/dh/dh_backend.c
|
|
||||||
@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
|
|
||||||
if (!dh_ffc_params_fromdata(dh, params))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (!ossl_dh_is_named_safe_prime_group(dh)) {
|
|
||||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
|
||||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
|
||||||
+ " FIPS mode, since the required validation routines"
|
|
||||||
+ " were removed from FIPS 186-5");
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
param_priv_len =
|
|
||||||
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
|
|
||||||
if (param_priv_len != NULL
|
|
||||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
|
||||||
index 0b391910d6..75581ca347 100644
|
|
||||||
--- a/crypto/dh/dh_check.c
|
|
||||||
+++ b/crypto/dh/dh_check.c
|
|
||||||
@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
|
|
||||||
nid = DH_get_nid((DH *)dh);
|
|
||||||
if (nid != NID_undef)
|
|
||||||
return 1;
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
- * OR
|
|
||||||
- * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
|
|
||||||
- * validity tests.
|
|
||||||
+ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode.
|
|
||||||
*/
|
|
||||||
- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
|
|
||||||
- FFC_PARAM_TYPE_DH, ret, NULL);
|
|
||||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
|
||||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
|
||||||
+ " FIPS mode, since the required validation routines were"
|
|
||||||
+ " removed from FIPS 186-5");
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
#else
|
|
||||||
int DH_check_params(const DH *dh, int *ret)
|
|
||||||
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
|
|
||||||
index aec6b85316..9c55121067 100644
|
|
||||||
--- a/crypto/dh/dh_gen.c
|
|
||||||
+++ b/crypto/dh/dh_gen.c
|
|
||||||
@@ -38,18 +38,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
|
|
||||||
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
|
|
||||||
BN_GENCB *cb)
|
|
||||||
{
|
|
||||||
- int ret, res;
|
|
||||||
+ int ret = 0;
|
|
||||||
|
|
||||||
#ifndef FIPS_MODULE
|
|
||||||
+ int res;
|
|
||||||
+
|
|
||||||
if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
|
|
||||||
ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
|
|
||||||
FFC_PARAM_TYPE_DH,
|
|
||||||
pbits, qbits, &res, cb);
|
|
||||||
else
|
|
||||||
-#endif
|
|
||||||
ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
|
|
||||||
FFC_PARAM_TYPE_DH,
|
|
||||||
pbits, qbits, &res, cb);
|
|
||||||
+#else
|
|
||||||
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
|
|
||||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
|
||||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
|
||||||
+ " FIPS mode, since the required generation routines were"
|
|
||||||
+ " removed from FIPS 186-5");
|
|
||||||
+#endif
|
|
||||||
if (ret > 0)
|
|
||||||
dh->dirty_cnt++;
|
|
||||||
return ret;
|
|
||||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
|
||||||
index 4e9705beef..14c0b0b6b3 100644
|
|
||||||
--- a/crypto/dh/dh_key.c
|
|
||||||
+++ b/crypto/dh/dh_key.c
|
|
||||||
@@ -308,8 +308,12 @@ static int generate_key(DH *dh)
|
|
||||||
goto err;
|
|
||||||
} else {
|
|
||||||
#ifdef FIPS_MODULE
|
|
||||||
- if (dh->params.q == NULL)
|
|
||||||
- goto err;
|
|
||||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
|
||||||
+ "FIPS 186-4 type domain parameters no longer"
|
|
||||||
+ " allowed in FIPS mode, since the required"
|
|
||||||
+ " generation routines were removed from FIPS"
|
|
||||||
+ " 186-5");
|
|
||||||
+ goto err;
|
|
||||||
#else
|
|
||||||
if (dh->params.q == NULL) {
|
|
||||||
/* secret exponent length, must satisfy 2^(l-1) <= p */
|
|
||||||
@@ -330,9 +334,7 @@ static int generate_key(DH *dh)
|
|
||||||
if (!BN_clear_bit(priv_key, 0))
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
- } else
|
|
||||||
-#endif
|
|
||||||
- {
|
|
||||||
+ } else {
|
|
||||||
/* Do a partial check for invalid p, q, g */
|
|
||||||
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
|
|
||||||
FFC_PARAM_TYPE_DH, NULL))
|
|
||||||
@@ -348,6 +350,7 @@ static int generate_key(DH *dh)
|
|
||||||
priv_key))
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
|
|
||||||
index f201eede0d..30f90d15be 100644
|
|
||||||
--- a/crypto/dh/dh_pmeth.c
|
|
||||||
+++ b/crypto/dh/dh_pmeth.c
|
|
||||||
@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
|
|
||||||
prime_len, subprime_len, &res,
|
|
||||||
pcb);
|
|
||||||
else
|
|
||||||
-# endif
|
|
||||||
- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
|
|
||||||
- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
|
|
||||||
rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
|
|
||||||
FFC_PARAM_TYPE_DH,
|
|
||||||
prime_len, subprime_len, &res,
|
|
||||||
pcb);
|
|
||||||
+# else
|
|
||||||
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
|
|
||||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
|
||||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
|
||||||
+ " FIPS mode, since the required generation routines were"
|
|
||||||
+ " removed from FIPS 186-5");
|
|
||||||
+# endif
|
|
||||||
if (rv <= 0) {
|
|
||||||
DH_free(ret);
|
|
||||||
return NULL;
|
|
||||||
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
|
|
||||||
index 9a7dde7c66..b3e7bca5ac 100644
|
|
||||||
--- a/providers/implementations/keymgmt/dh_kmgmt.c
|
|
||||||
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
|
|
||||||
@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
|
|
||||||
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
|
|
||||||
return 1; /* nothing to validate */
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ /* In FIPS provider, always check the domain parameters to disallow
|
|
||||||
+ * operations on keys with FIPS 186-4 params. */
|
|
||||||
+ selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
|
|
||||||
+#endif
|
|
||||||
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
|
|
||||||
/*
|
|
||||||
* Both of these functions check parameters. DH_check_params_ex()
|
|
||||||
diff --git a/test/endecode_test.c b/test/endecode_test.c
|
|
||||||
index e3f7b81f69..1b63daaed5 100644
|
|
||||||
--- a/test/endecode_test.c
|
|
||||||
+++ b/test/endecode_test.c
|
|
||||||
@@ -80,10 +80,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
|
|
||||||
* for testing only. Use a minimum key size of 2048 for security purposes.
|
|
||||||
*/
|
|
||||||
if (strcmp(type, "DH") == 0)
|
|
||||||
- return get_dh512(keyctx);
|
|
||||||
+ return get_dh2048(keyctx);
|
|
||||||
|
|
||||||
if (strcmp(type, "X9.42 DH") == 0)
|
|
||||||
- return get_dhx512(keyctx);
|
|
||||||
+ return get_dhx_ffdhe2048(keyctx);
|
|
||||||
# endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
|
|
||||||
index 2448c35a14..92d484fb12 100644
|
|
||||||
--- a/test/evp_libctx_test.c
|
|
||||||
+++ b/test/evp_libctx_test.c
|
|
||||||
@@ -188,7 +188,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
|
|
||||||
|
|
||||||
if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
|
|
||||||
|| !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
|
|
||||||
- || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
|
|
||||||
+ || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
if (expected) {
|
|
||||||
diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c
|
|
||||||
index 4bdadc4143..e5186e4b4a 100644
|
|
||||||
--- a/test/helpers/predefined_dhparams.c
|
|
||||||
+++ b/test/helpers/predefined_dhparams.c
|
|
||||||
@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
|
|
||||||
dhx512_q, sizeof(dhx512_q));
|
|
||||||
}
|
|
||||||
|
|
||||||
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx)
|
|
||||||
+{
|
|
||||||
+ /* This is RFC 7919 ffdhe2048, since Red Hat removes support for
|
|
||||||
+ * non-well-known groups in FIPS mode. */
|
|
||||||
+ static unsigned char dhx_p[] = {
|
|
||||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58,
|
|
||||||
+ 0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
|
|
||||||
+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41,
|
|
||||||
+ 0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
|
|
||||||
+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02,
|
|
||||||
+ 0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
|
|
||||||
+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55,
|
|
||||||
+ 0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
|
|
||||||
+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda,
|
|
||||||
+ 0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
|
|
||||||
+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82,
|
|
||||||
+ 0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
|
|
||||||
+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3,
|
|
||||||
+ 0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
|
|
||||||
+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1,
|
|
||||||
+ 0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
|
|
||||||
+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32,
|
|
||||||
+ 0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
|
|
||||||
+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83,
|
|
||||||
+ 0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
|
|
||||||
+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff,
|
|
||||||
+ 0xff, 0xff, 0xff, 0xff
|
|
||||||
+ };
|
|
||||||
+ static unsigned char dhx_g[] = {
|
|
||||||
+ 0x02
|
|
||||||
+ };
|
|
||||||
+ static unsigned char dhx_q[] = {
|
|
||||||
+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c,
|
|
||||||
+ 0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
|
|
||||||
+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20,
|
|
||||||
+ 0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
|
|
||||||
+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01,
|
|
||||||
+ 0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
|
|
||||||
+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa,
|
|
||||||
+ 0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
|
|
||||||
+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed,
|
|
||||||
+ 0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
|
|
||||||
+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1,
|
|
||||||
+ 0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
|
|
||||||
+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51,
|
|
||||||
+ 0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
|
|
||||||
+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70,
|
|
||||||
+ 0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
|
|
||||||
+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19,
|
|
||||||
+ 0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
|
|
||||||
+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1,
|
|
||||||
+ 0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
|
|
||||||
+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff,
|
|
||||||
+ 0xff, 0xff, 0xff, 0xff
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ return get_dh_from_pg(libctx, "X9.42 DH",
|
|
||||||
+ dhx_p, sizeof(dhx_p),
|
|
||||||
+ dhx_g, sizeof(dhx_g),
|
|
||||||
+ dhx_q, sizeof(dhx_q));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
|
|
||||||
{
|
|
||||||
static unsigned char dh1024_p[] = {
|
|
||||||
diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h
|
|
||||||
index f0e8709062..2ff6d6e721 100644
|
|
||||||
--- a/test/helpers/predefined_dhparams.h
|
|
||||||
+++ b/test/helpers/predefined_dhparams.h
|
|
||||||
@@ -12,6 +12,7 @@
|
|
||||||
#ifndef OPENSSL_NO_DH
|
|
||||||
EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
|
|
||||||
EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx);
|
|
||||||
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx);
|
|
||||||
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
|
|
||||||
EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
|
|
||||||
EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
|
|
||||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
|
||||||
index cabbe3ecdf..efe56c5665 100644
|
|
||||||
--- a/test/recipes/80-test_cms.t
|
|
||||||
+++ b/test/recipes/80-test_cms.t
|
|
||||||
@@ -627,10 +627,10 @@ my @smime_cms_param_tests = (
|
|
||||||
],
|
|
||||||
|
|
||||||
[ "enveloped content test streaming S/MIME format, X9.42 DH",
|
|
||||||
- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
|
||||||
+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
|
||||||
"-stream", "-out", "{output}.cms",
|
|
||||||
"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
|
|
||||||
- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
|
|
||||||
+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
|
|
||||||
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
|
||||||
\&final_compare
|
|
||||||
]
|
|
||||||
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
|
||||||
index 8c52b637fc..31ed54621b 100644
|
|
||||||
--- a/test/recipes/80-test_ssl_old.t
|
|
||||||
+++ b/test/recipes/80-test_ssl_old.t
|
|
||||||
@@ -390,6 +390,9 @@ sub testssl {
|
|
||||||
skip "skipping dhe1024dsa test", 1
|
|
||||||
if ($no_dh);
|
|
||||||
|
|
||||||
+ skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1
|
|
||||||
+ if $provider eq "fips";
|
|
||||||
+
|
|
||||||
ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
|
|
||||||
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.40.1
|
|
||||||
|
|
@ -1,105 +0,0 @@
|
|||||||
From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Fri, 17 Feb 2023 15:31:08 +0100
|
|
||||||
Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen
|
|
||||||
|
|
||||||
Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
Verification Program, Section C.H requires guarantees about the
|
|
||||||
uniqueness of key/iv pairs, and proposes a few approaches to ensure
|
|
||||||
this. Provide an indicator for option 2 "The IV may be generated
|
|
||||||
internally at its entirety randomly."
|
|
||||||
|
|
||||||
Resolves: rhbz#2168289
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
include/openssl/evp.h | 4 +++
|
|
||||||
.../implementations/ciphers/ciphercommon.c | 4 +++
|
|
||||||
.../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++
|
|
||||||
util/perl/OpenSSL/paramnames.pm | 5 ++--
|
|
||||||
4 files changed, 36 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
|
||||||
index 49e8e1df78..ec2ba46fbd 100644
|
|
||||||
--- a/include/openssl/evp.h
|
|
||||||
+++ b/include/openssl/evp.h
|
|
||||||
@@ -746,6 +746,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
|
|
||||||
void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
|
|
||||||
int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
|
|
||||||
|
|
||||||
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
|
||||||
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1
|
|
||||||
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
|
||||||
+
|
|
||||||
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
|
||||||
const unsigned char *key, const unsigned char *iv);
|
|
||||||
__owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
|
|
||||||
diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
|
|
||||||
index fa383165d8..716add7339 100644
|
|
||||||
--- a/providers/implementations/ciphers/ciphercommon.c
|
|
||||||
+++ b/providers/implementations/ciphers/ciphercommon.c
|
|
||||||
@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
|
|
||||||
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
|
|
||||||
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
|
|
||||||
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
|
|
||||||
+ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
|
|
||||||
+ * not work in ciphercommon.c because it is compiled only once into
|
|
||||||
+ * libcommon.a */
|
|
||||||
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
|
|
||||||
diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
|
|
||||||
index ed95c97ff4..db7910eb0e 100644
|
|
||||||
--- a/providers/implementations/ciphers/ciphercommon_gcm.c
|
|
||||||
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c
|
|
||||||
@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /* We would usually hide this under #ifdef FIPS_MODULE, but
|
|
||||||
+ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
|
|
||||||
+ * not work here. */
|
|
||||||
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
|
||||||
+ * Verification Program, Section C.H requires guarantees about the
|
|
||||||
+ * uniqueness of key/iv pairs, and proposes a few approaches to ensure
|
|
||||||
+ * this. This provides an indicator for option 2 "The IV may be
|
|
||||||
+ * generated internally at its entirety randomly." Note that one of the
|
|
||||||
+ * conditions of this option is that "The IV length shall be at least
|
|
||||||
+ * 96 bits (per SP 800-38D)." We do not specically check for this
|
|
||||||
+ * condition here, because gcm_iv_generate will fail in this case. */
|
|
||||||
+ if (ctx->enc && !ctx->iv_gen_rand)
|
|
||||||
+ fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator)) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
index a109e44521..64e9809387 100644
|
|
||||||
--- a/util/perl/OpenSSL/paramnames.pm
|
|
||||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
@@ -101,8 +101,9 @@ my %params = (
|
|
||||||
'CIPHER_PARAM_SPEED' => "speed", # uint
|
|
||||||
'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string
|
|
||||||
# For passing the AlgorithmIdentifier parameter in DER form
|
|
||||||
- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
|
|
||||||
- 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
|
|
||||||
+ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
|
|
||||||
+ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int
|
|
||||||
+ 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
|
|
||||||
|
|
||||||
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint
|
|
||||||
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE' => "tls1multi_maxbufsz", # size_t
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
@ -1,80 +0,0 @@
|
|||||||
From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Mon, 6 Mar 2023 12:32:04 +0100
|
|
||||||
Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks
|
|
||||||
|
|
||||||
The pbkdf2 implementation in the FIPS provider supports the checks
|
|
||||||
required by NIST, but allows disabling these checks by setting the
|
|
||||||
OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate
|
|
||||||
that the use of this configuration is not approved in FIPS mode. Add an
|
|
||||||
explicit indicator to provide this indication.
|
|
||||||
|
|
||||||
Resolves: rhbz#2175145
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
|
|
||||||
1 file changed, 37 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
|
|
||||||
index aa0adce5e6..6df8c6d321 100644
|
|
||||||
--- a/providers/implementations/kdfs/pbkdf2.c
|
|
||||||
+++ b/providers/implementations/kdfs/pbkdf2.c
|
|
||||||
@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
|
|
||||||
|
|
||||||
static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
OSSL_PARAM *p;
|
|
||||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
||||||
+
|
|
||||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
||||||
+ any_valid = 1;
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
|
||||||
+ != NULL) {
|
|
||||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* The lower_bound_checks parameter enables checks required by FIPS. If
|
|
||||||
+ * those checks are disabled, the PBKDF2 implementation will also
|
|
||||||
+ * support non-approved parameters (e.g., salt lengths < 16 bytes, see
|
|
||||||
+ * NIST SP 800-132 section 5.1). */
|
|
||||||
+ if (!ctx->lower_bound_checks)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
|
|
||||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
|
||||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
|
||||||
- return -2;
|
|
||||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ any_valid = 1;
|
|
||||||
+ }
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
+ if (!any_valid)
|
|
||||||
+ return -2;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
{
|
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
return known_gettable_ctx_params;
|
|
||||||
--
|
|
||||||
2.39.2
|
|
||||||
|
|
@ -1,156 +0,0 @@
|
|||||||
From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Fri, 17 Mar 2023 15:39:15 +0100
|
|
||||||
Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator
|
|
||||||
|
|
||||||
NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
|
||||||
confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
|
||||||
party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
|
|
||||||
agreement schemes, but explicit key confirmation is not implemented and
|
|
||||||
cannot be implemented without protocol changes, and the FIPS provider
|
|
||||||
does not implement trusted third party validation, since it relies on
|
|
||||||
its callers to do that. A request for guidance sent to NIST did clarify
|
|
||||||
that OpenSSL can claim KTS-OAEP and RSASVE as approved, but we did add
|
|
||||||
an indicator to mark them as unapproved previously and should thus keep
|
|
||||||
the indicator available.
|
|
||||||
|
|
||||||
This does not affect RSA-OAEP decryption, because it is approved as
|
|
||||||
a component according to the FIPS 140-3 IG, section 2.4.G.
|
|
||||||
|
|
||||||
Resolves: rhbz#2179331
|
|
||||||
Resolves: RHEL-14083
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
include/openssl/evp.h | 4 +++
|
|
||||||
.../implementations/asymciphers/rsa_enc.c | 22 ++++++++++++++
|
|
||||||
providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++-
|
|
||||||
util/perl/OpenSSL/paramnames.pm | 6 ++--
|
|
||||||
4 files changed, 59 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
|
||||||
index ec2ba46fbd..3803b03422 100644
|
|
||||||
--- a/include/openssl/evp.h
|
|
||||||
+++ b/include/openssl/evp.h
|
|
||||||
@@ -1764,6 +1764,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
|
|
||||||
OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
|
|
||||||
# endif
|
|
||||||
|
|
||||||
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
|
||||||
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
|
|
||||||
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
|
||||||
+
|
|
||||||
EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
|
|
||||||
const char *properties);
|
|
||||||
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
|
|
||||||
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
|
||||||
index 568452ec56..2e7ea632d7 100644
|
|
||||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
|
||||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
|
||||||
@@ -462,6 +462,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
|
||||||
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+
|
|
||||||
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
|
||||||
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
|
||||||
+ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
|
|
||||||
+ * explicit key confirmation is not implemented here and cannot be
|
|
||||||
+ * implemented without protocol changes, and the FIPS provider does not
|
|
||||||
+ * implement trusted third party validation, since it relies on its
|
|
||||||
+ * callers to do that. We must thus mark RSA-OAEP as unapproved until
|
|
||||||
+ * we have received clarification from NIST on how library modules such
|
|
||||||
+ * as OpenSSL should implement TTP validation. */
|
|
||||||
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -465,6 +483,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
|
|
||||||
#ifdef FIPS_MODULE
|
|
||||||
OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
|
|
||||||
+ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
|
||||||
#endif /* FIPS_MODULE */
|
|
||||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
|
|
||||||
OSSL_PARAM_END
|
|
||||||
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
|
|
||||||
index 882cf16125..b4cc0f9237 100644
|
|
||||||
--- a/providers/implementations/kem/rsa_kem.c
|
|
||||||
+++ b/providers/implementations/kem/rsa_kem.c
|
|
||||||
@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
|
|
||||||
static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
|
||||||
{
|
|
||||||
PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM *p;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
+ if (ctx == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
|
||||||
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
|
||||||
+ * party (section 6.4.2.3.1) for key agreement or key transport, but
|
|
||||||
+ * explicit key confirmation is not implemented here and cannot be
|
|
||||||
+ * implemented without protocol changes, and the FIPS provider does not
|
|
||||||
+ * implement trusted third party validation, since it relies on its
|
|
||||||
+ * callers to do that. We must thus mark RSASVE unapproved until we
|
|
||||||
+ * have received clarification from NIST on how library modules such as
|
|
||||||
+ * OpenSSL should implement TTP validation. */
|
|
||||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
|
|
||||||
- return ctx != NULL;
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
|
|
||||||
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
index 64e9809387..45ab0c8dc4 100644
|
|
||||||
--- a/util/perl/OpenSSL/paramnames.pm
|
|
||||||
+++ b/util/perl/OpenSSL/paramnames.pm
|
|
||||||
@@ -406,6 +406,7 @@ my %params = (
|
|
||||||
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
|
|
||||||
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
|
|
||||||
'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed",
|
|
||||||
+ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
|
||||||
|
|
||||||
# Encoder / decoder parameters
|
|
||||||
|
|
||||||
@@ -438,8 +439,9 @@ my %params = (
|
|
||||||
'SIGNATURE_PARAM_KAT' => "kat",
|
|
||||||
|
|
||||||
# KEM parameters
|
|
||||||
- 'KEM_PARAM_OPERATION' => "operation",
|
|
||||||
- 'KEM_PARAM_IKME' => "ikme",
|
|
||||||
+ 'KEM_PARAM_OPERATION' => "operation",
|
|
||||||
+ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
|
||||||
+ 'KEM_PARAM_IKME' => "ikme",
|
|
||||||
|
|
||||||
# Capabilities
|
|
||||||
|
|
||||||
--
|
|
||||||
2.39.2
|
|
||||||
|
|
@ -1,251 +0,0 @@
|
|||||||
From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
||||||
Date: Mon, 21 Aug 2023 16:40:56 +0200
|
|
||||||
Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch
|
|
||||||
|
|
||||||
Patch-name: 0114-FIPS-enforce-EMS-support.patch
|
|
||||||
Patch-id: 114
|
|
||||||
Patch-status: |
|
|
||||||
# We believe that some changes present in CentOS are not necessary
|
|
||||||
# because ustream has a check for FIPS version
|
|
||||||
---
|
|
||||||
doc/man3/SSL_CONF_cmd.pod | 3 +++
|
|
||||||
doc/man5/fips_config.pod | 13 +++++++++++
|
|
||||||
include/openssl/fips_names.h | 8 +++++++
|
|
||||||
include/openssl/ssl.h.in | 1 +
|
|
||||||
providers/fips/fipsprov.c | 2 +-
|
|
||||||
providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++
|
|
||||||
ssl/ssl_conf.c | 1 +
|
|
||||||
ssl/statem/extensions_srvr.c | 8 ++++++-
|
|
||||||
ssl/t1_enc.c | 11 ++++++++--
|
|
||||||
.../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++
|
|
||||||
test/sslapitest.c | 2 +-
|
|
||||||
11 files changed, 76 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
|
|
||||||
index ae6ca43282..b83c04a308 100644
|
|
||||||
--- a/doc/man3/SSL_CONF_cmd.pod
|
|
||||||
+++ b/doc/man3/SSL_CONF_cmd.pod
|
|
||||||
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
|
|
||||||
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
|
|
||||||
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
|
|
||||||
|
|
||||||
+B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
|
|
||||||
+This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.
|
|
||||||
+
|
|
||||||
B<CANames>: use CA names extension, enabled by
|
|
||||||
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
|
|
||||||
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
|
|
||||||
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
|
|
||||||
index 1c15e32a5c..f2cedaf88d 100644
|
|
||||||
--- a/doc/man5/fips_config.pod
|
|
||||||
+++ b/doc/man5/fips_config.pod
|
|
||||||
@@ -15,6 +15,19 @@ for more information.
|
|
||||||
|
|
||||||
This functionality was added in OpenSSL 3.0.
|
|
||||||
|
|
||||||
+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
|
|
||||||
+OpenSSL configuration directory and managed by crypto policies. If present, it
|
|
||||||
+should have format
|
|
||||||
+
|
|
||||||
+ [fips_sect]
|
|
||||||
+ tls1-prf-ems-check = 0
|
|
||||||
+ activate = 1
|
|
||||||
+
|
|
||||||
+The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
|
|
||||||
+presence of extended master secret or not.
|
|
||||||
+
|
|
||||||
+The B<activate> option enforces FIPS provider activation.
|
|
||||||
+
|
|
||||||
=head1 COPYRIGHT
|
|
||||||
|
|
||||||
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
|
|
||||||
index 5c77f6d691..8cdd5a6bf7 100644
|
|
||||||
--- a/include/openssl/fips_names.h
|
|
||||||
+++ b/include/openssl/fips_names.h
|
|
||||||
@@ -70,6 +70,14 @@ extern "C" {
|
|
||||||
*/
|
|
||||||
# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md"
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
|
|
||||||
+ * This is disabled by default.
|
|
||||||
+ *
|
|
||||||
+ * Type: OSSL_PARAM_UTF8_STRING
|
|
||||||
+ */
|
|
||||||
+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
|
|
||||||
+
|
|
||||||
# ifdef __cplusplus
|
|
||||||
}
|
|
||||||
# endif
|
|
||||||
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
|
|
||||||
index 0b6de603e2..26a69ca282 100644
|
|
||||||
--- a/include/openssl/ssl.h.in
|
|
||||||
+++ b/include/openssl/ssl.h.in
|
|
||||||
@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
|
|
||||||
* interoperability with CryptoPro CSP 3.x
|
|
||||||
*/
|
|
||||||
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
|
|
||||||
+# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
|
|
||||||
/*
|
|
||||||
* Disable RFC8879 certificate compression
|
|
||||||
* SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
|
|
||||||
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
|
||||||
index 5ff9872bd8..eb9653a9df 100644
|
|
||||||
--- a/providers/fips/fipsprov.c
|
|
||||||
+++ b/providers/fips/fipsprov.c
|
|
||||||
@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
|
|
||||||
if (fgbl == NULL)
|
|
||||||
return NULL;
|
|
||||||
init_fips_option(&fgbl->fips_security_checks, 1);
|
|
||||||
- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
|
|
||||||
+ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
|
|
||||||
init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
|
|
||||||
return fgbl;
|
|
||||||
}
|
|
||||||
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
|
||||||
index 25a6c79a2e..79bc7a9719 100644
|
|
||||||
--- a/providers/implementations/kdfs/tls1_prf.c
|
|
||||||
+++ b/providers/implementations/kdfs/tls1_prf.c
|
|
||||||
@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx)
|
|
||||||
static void kdf_tls1_prf_free(void *vctx)
|
|
||||||
{
|
|
||||||
TLS1_PRF *ctx = (TLS1_PRF *)vctx;
|
|
||||||
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
|
|
||||||
|
|
||||||
if (ctx != NULL) {
|
|
||||||
kdf_tls1_prf_reset(ctx);
|
|
||||||
@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * The seed buffer is prepended with a label.
|
|
||||||
+ * If EMS mode is enforced then the label "master secret" is not allowed,
|
|
||||||
+ * We do the check this way since the PRF is used for other purposes, as well
|
|
||||||
+ * as "extended master secret".
|
|
||||||
+ */
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
|
||||||
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
|
|
||||||
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
|
|
||||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+ if (ossl_tls1_prf_ems_check_enabled(libctx)) {
|
|
||||||
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
|
||||||
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
|
|
||||||
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
|
|
||||||
ctx->sec, ctx->seclen,
|
|
||||||
ctx->seed, ctx->seedlen,
|
|
||||||
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
|
|
||||||
index 5146cedb96..086db98c33 100644
|
|
||||||
--- a/ssl/ssl_conf.c
|
|
||||||
+++ b/ssl/ssl_conf.c
|
|
||||||
@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
|
|
||||||
SSL_FLAG_TBL("ClientRenegotiation",
|
|
||||||
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
|
|
||||||
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
|
|
||||||
+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
|
|
||||||
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
|
|
||||||
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
|
|
||||||
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
|
|
||||||
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
|
|
||||||
index 00b1ee531e..22cdabb308 100644
|
|
||||||
--- a/ssl/statem/extensions_srvr.c
|
|
||||||
+++ b/ssl/statem/extensions_srvr.c
|
|
||||||
@@ -11,6 +11,7 @@
|
|
||||||
#include "../ssl_local.h"
|
|
||||||
#include "statem_local.h"
|
|
||||||
#include "internal/cryptlib.h"
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
|
|
||||||
#define COOKIE_STATE_FORMAT_VERSION 1
|
|
||||||
|
|
||||||
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
|
|
||||||
unsigned int context,
|
|
||||||
X509 *x, size_t chainidx)
|
|
||||||
{
|
|
||||||
- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
|
|
||||||
+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
|
|
||||||
+ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
|
|
||||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
|
||||||
+ return EXT_RETURN_FAIL;
|
|
||||||
+ }
|
|
||||||
return EXT_RETURN_NOT_SENT;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|
|
||||||
|| !WPACKET_put_bytes_u16(pkt, 0)) {
|
|
||||||
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
|
|
||||||
index 91238e6457..e8ad8ecd9e 100644
|
|
||||||
--- a/ssl/t1_enc.c
|
|
||||||
+++ b/ssl/t1_enc.c
|
|
||||||
@@ -20,6 +20,7 @@
|
|
||||||
#include <openssl/obj_mac.h>
|
|
||||||
#include <openssl/core_names.h>
|
|
||||||
#include <openssl/trace.h>
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
|
|
||||||
/* seed1 through seed5 are concatenated */
|
|
||||||
static int tls1_PRF(SSL_CONNECTION *s,
|
|
||||||
@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
|
|
||||||
}
|
|
||||||
|
|
||||||
err:
|
|
||||||
- if (fatal)
|
|
||||||
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
|
||||||
+ if (fatal) {
|
|
||||||
+ /* The calls to this function are local so it's safe to implement the check */
|
|
||||||
+ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
|
||||||
+ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
|
|
||||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
|
||||||
+ else
|
|
||||||
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
|
|
||||||
EVP_KDF_CTX_free(kctx);
|
|
||||||
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
|
||||||
index 44040ff66b..deb6bf3fcb 100644
|
|
||||||
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
|
||||||
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
|
||||||
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
|
|
||||||
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
|
||||||
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
|
||||||
|
|
||||||
+Availablein = fips
|
|
||||||
+KDF = TLS1-PRF
|
|
||||||
+Ctrl.digest = digest:SHA256
|
|
||||||
+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
|
|
||||||
+Ctrl.label = seed:master secret
|
|
||||||
+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
|
|
||||||
+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
|
||||||
+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
|
||||||
+Result = KDF_DERIVE_ERROR
|
|
||||||
+
|
|
||||||
FIPSversion = <=3.1.0
|
|
||||||
KDF = TLS1-PRF
|
|
||||||
Ctrl.digest = digest:SHA256
|
|
||||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
|
||||||
index 169e3c7466..e67b5bb44c 100644
|
|
||||||
--- a/test/sslapitest.c
|
|
||||||
+++ b/test/sslapitest.c
|
|
||||||
@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void)
|
|
||||||
STACK_OF(X509) *server_chain;
|
|
||||||
SSL_CTX *cctx = NULL, *sctx = NULL;
|
|
||||||
SSL *clientssl = NULL, *serverssl = NULL;
|
|
||||||
- int testresult = 0;
|
|
||||||
+ int testresult = 0, status;
|
|
||||||
|
|
||||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
|
||||||
TLS_client_method(), TLS1_VERSION, 0,
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,85 +0,0 @@
|
|||||||
From ec8e4e25cc5e5c67313c5fd6af94fa248685c3d1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
||||||
Date: Thu, 7 Mar 2024 17:37:09 +0100
|
|
||||||
Subject: [PATCH 45/49] 0115-skip-quic-pairwise.patch
|
|
||||||
|
|
||||||
Patch-name: 0115-skip-quic-pairwise.patch
|
|
||||||
Patch-id: 115
|
|
||||||
Patch-status: |
|
|
||||||
# skip quic and pairwise tests temporarily
|
|
||||||
---
|
|
||||||
test/quicapitest.c | 4 +++-
|
|
||||||
test/recipes/01-test_symbol_presence.t | 1 +
|
|
||||||
test/recipes/30-test_pairwise_fail.t | 10 ++++++++--
|
|
||||||
3 files changed, 12 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/test/quicapitest.c b/test/quicapitest.c
|
|
||||||
index 41cf0fc7a8..0fb7492700 100644
|
|
||||||
--- a/test/quicapitest.c
|
|
||||||
+++ b/test/quicapitest.c
|
|
||||||
@@ -2139,7 +2139,9 @@ int setup_tests(void)
|
|
||||||
ADD_TEST(test_cipher_find);
|
|
||||||
ADD_TEST(test_version);
|
|
||||||
#if defined(DO_SSL_TRACE_TEST)
|
|
||||||
- ADD_TEST(test_ssl_trace);
|
|
||||||
+ if (is_fips == 0) {
|
|
||||||
+ ADD_TEST(test_ssl_trace);
|
|
||||||
+ }
|
|
||||||
#endif
|
|
||||||
ADD_TEST(test_quic_forbidden_apis_ctx);
|
|
||||||
ADD_TEST(test_quic_forbidden_apis);
|
|
||||||
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
|
|
||||||
index c837d48fb4..6291c08c49 100644
|
|
||||||
--- a/test/recipes/30-test_pairwise_fail.t
|
|
||||||
+++ b/test/recipes/30-test_pairwise_fail.t
|
|
||||||
@@ -9,7 +9,7 @@
|
|
||||||
use strict;
|
|
||||||
use warnings;
|
|
||||||
|
|
||||||
-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file);
|
|
||||||
+use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with);
|
|
||||||
use OpenSSL::Test::Utils;
|
|
||||||
|
|
||||||
BEGIN {
|
|
||||||
@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config"
|
|
||||||
SKIP: {
|
|
||||||
skip "Skip RSA test because of no rsa in this build", 1
|
|
||||||
if disabled("rsa");
|
|
||||||
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
|
||||||
+ sub {
|
|
||||||
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
|
||||||
"-pairwise", "rsa"])),
|
|
||||||
"fips provider rsa keygen pairwise failure test");
|
|
||||||
+ });
|
|
||||||
}
|
|
||||||
|
|
||||||
SKIP: {
|
|
||||||
skip "Skip EC test because of no ec in this build", 2
|
|
||||||
if disabled("ec");
|
|
||||||
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
|
||||||
+ sub {
|
|
||||||
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
|
||||||
"-pairwise", "ec"])),
|
|
||||||
"fips provider ec keygen pairwise failure test");
|
|
||||||
+ });
|
|
||||||
|
|
||||||
skip "FIPS provider version is too old", 1
|
|
||||||
if !$fips_exit;
|
|
||||||
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
|
||||||
+ sub {
|
|
||||||
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
|
||||||
"-pairwise", "eckat"])),
|
|
||||||
"fips provider ec keygen kat failure test");
|
|
||||||
+ });
|
|
||||||
}
|
|
||||||
|
|
||||||
SKIP: {
|
|
||||||
skip "Skip DSA tests because of no dsa in this build", 2
|
|
||||||
- if disabled("dsa");
|
|
||||||
+ if 1; #if disabled("dsa");
|
|
||||||
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
|
||||||
"-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
|
|
||||||
"fips provider dsa keygen pairwise failure test");
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,84 +0,0 @@
|
|||||||
From a2673b5e2e95bcf54a1746bfd409cca688275e75 Mon Sep 17 00:00:00 2001
|
|
||||||
From: rpm-build <rpm-build>
|
|
||||||
Date: Wed, 6 Mar 2024 19:17:17 +0100
|
|
||||||
Subject: [PATCH 46/49] 0116-version-aliasing.patch
|
|
||||||
|
|
||||||
Patch-name: 0116-version-aliasing.patch
|
|
||||||
Patch-id: 116
|
|
||||||
Patch-status: |
|
|
||||||
# Add version aliasing due to
|
|
||||||
# https://github.com/openssl/openssl/issues/23534
|
|
||||||
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
|
||||||
---
|
|
||||||
crypto/evp/digest.c | 7 ++++++-
|
|
||||||
crypto/evp/evp_enc.c | 7 ++++++-
|
|
||||||
test/recipes/01-test_symbol_presence.t | 1 +
|
|
||||||
util/libcrypto.num | 2 ++
|
|
||||||
4 files changed, 15 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
|
|
||||||
index 42331703da..3a280acc0e 100644
|
|
||||||
--- a/crypto/evp/digest.c
|
|
||||||
+++ b/crypto/evp/digest.c
|
|
||||||
@@ -553,7 +553,12 @@ legacy:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in)
|
|
||||||
+EVP_MD_CTX
|
|
||||||
+#if !defined(FIPS_MODULE)
|
|
||||||
+__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
|
|
||||||
+ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
|
|
||||||
+#endif
|
|
||||||
+*EVP_MD_CTX_dup(const EVP_MD_CTX *in)
|
|
||||||
{
|
|
||||||
EVP_MD_CTX *out = EVP_MD_CTX_new();
|
|
||||||
|
|
||||||
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
|
|
||||||
index e9faf31057..5a29b8dbb7 100644
|
|
||||||
--- a/crypto/evp/evp_enc.c
|
|
||||||
+++ b/crypto/evp/evp_enc.c
|
|
||||||
@@ -1444,7 +1444,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
|
|
||||||
#endif /* FIPS_MODULE */
|
|
||||||
}
|
|
||||||
|
|
||||||
-EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
|
|
||||||
+EVP_CIPHER_CTX
|
|
||||||
+#if !defined(FIPS_MODULE)
|
|
||||||
+__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
|
|
||||||
+ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
|
|
||||||
+#endif
|
|
||||||
+*EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
|
|
||||||
{
|
|
||||||
EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
|
|
||||||
|
|
||||||
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
|
|
||||||
index 222b1886ae..7e2f65cccb 100644
|
|
||||||
--- a/test/recipes/01-test_symbol_presence.t
|
|
||||||
+++ b/test/recipes/01-test_symbol_presence.t
|
|
||||||
@@ -185,6 +185,8 @@ foreach (sort keys %stlibname) {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
|
|
||||||
+@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
|
|
||||||
+@duplicates = grep {($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp") } @duplicates;
|
|
||||||
if (@duplicates) {
|
|
||||||
note "Duplicates:";
|
|
||||||
note join('\n', @duplicates);
|
|
||||||
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
|
||||||
index 8046454025..068e9904e2 100644
|
|
||||||
--- a/util/libcrypto.num
|
|
||||||
+++ b/util/libcrypto.num
|
|
||||||
@@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key 5562 3_2_0 EXIST::FUNCTION:
|
|
||||||
OSSL_STACK_OF_X509_free 5563 3_2_0 EXIST::FUNCTION:
|
|
||||||
OSSL_trace_string 5564 3_2_0 EXIST::FUNCTION:
|
|
||||||
EVP_MD_CTX_dup 5565 3_2_0 EXIST::FUNCTION:
|
|
||||||
+EVP_MD_CTX_dup ? 3_1_0 EXIST::FUNCTION:
|
|
||||||
EVP_CIPHER_CTX_dup 5566 3_2_0 EXIST::FUNCTION:
|
|
||||||
+EVP_CIPHER_CTX_dup ? 3_1_0 EXIST::FUNCTION:
|
|
||||||
BN_signed_bin2bn 5567 3_2_0 EXIST::FUNCTION:
|
|
||||||
BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
|
|
||||||
BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,318 +0,0 @@
|
|||||||
From 242c746690dd1d0e500fa554c60536877d77776d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Thu, 14 Dec 2023 17:08:56 +0100
|
|
||||||
Subject: [PATCH 47/49] 0117-ignore-unknown-sigalgorithms-groups.patch
|
|
||||||
|
|
||||||
Patch-name: 0117-ignore-unknown-sigalgorithms-groups.patch
|
|
||||||
Patch-id: 117
|
|
||||||
Patch-status: |
|
|
||||||
# https://github.com/openssl/openssl/issues/23050
|
|
||||||
---
|
|
||||||
CHANGES.md | 13 +++++++
|
|
||||||
doc/man3/SSL_CTX_set1_curves.pod | 6 ++-
|
|
||||||
doc/man3/SSL_CTX_set1_sigalgs.pod | 11 +++++-
|
|
||||||
ssl/t1_lib.c | 56 +++++++++++++++++++++-------
|
|
||||||
test/sslapitest.c | 61 +++++++++++++++++++++++++++++++
|
|
||||||
5 files changed, 132 insertions(+), 15 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/CHANGES.md b/CHANGES.md
|
|
||||||
index ca29762ac2..4e21d0ddf9 100644
|
|
||||||
--- a/CHANGES.md
|
|
||||||
+++ b/CHANGES.md
|
|
||||||
@@ -27,6 +27,19 @@ OpenSSL 3.2
|
|
||||||
|
|
||||||
### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
|
|
||||||
|
|
||||||
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
|
|
||||||
+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
|
|
||||||
+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
|
|
||||||
+ ignored and the configuration will still be used.
|
|
||||||
+
|
|
||||||
+ Similarly unknown entries that start with `?` character in a TLS
|
|
||||||
+ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
|
|
||||||
+ and the configuration will still be used.
|
|
||||||
+
|
|
||||||
+ In both cases if the resulting list is empty, an error is returned.
|
|
||||||
+
|
|
||||||
+ *Tomáš Mráz*
|
|
||||||
+
|
|
||||||
* A file in PKCS12 format can contain certificates and keys and may come from
|
|
||||||
an untrusted source. The PKCS12 specification allows certain fields to be
|
|
||||||
NULL, but OpenSSL did not correctly check for this case. A fix has been
|
|
||||||
diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod
|
|
||||||
index c26ef00306..f0566e148e 100644
|
|
||||||
--- a/doc/man3/SSL_CTX_set1_curves.pod
|
|
||||||
+++ b/doc/man3/SSL_CTX_set1_curves.pod
|
|
||||||
@@ -58,7 +58,8 @@ string B<list>. The string is a colon separated list of group names, for example
|
|
||||||
are B<P-256>, B<P-384>, B<P-521>, B<X25519>, B<X448>, B<brainpoolP256r1tls13>,
|
|
||||||
B<brainpoolP384r1tls13>, B<brainpoolP512r1tls13>, B<ffdhe2048>, B<ffdhe3072>,
|
|
||||||
B<ffdhe4096>, B<ffdhe6144> and B<ffdhe8192>. Support for other groups may be
|
|
||||||
-added by external providers.
|
|
||||||
+added by external providers. If a group name is preceded with the C<?>
|
|
||||||
+character, it will be ignored if an implementation is missing.
|
|
||||||
|
|
||||||
SSL_set1_groups() and SSL_set1_groups_list() are similar except they set
|
|
||||||
supported groups for the SSL structure B<ssl>.
|
|
||||||
@@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group
|
|
||||||
functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function
|
|
||||||
was added in OpenSSL 3.0.0.
|
|
||||||
|
|
||||||
+Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and
|
|
||||||
+SSL_set1_groups_list() was added in OpenSSL 3.3.
|
|
||||||
+
|
|
||||||
=head1 COPYRIGHT
|
|
||||||
|
|
||||||
Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod
|
|
||||||
index eb31006346..5b7de7d956 100644
|
|
||||||
--- a/doc/man3/SSL_CTX_set1_sigalgs.pod
|
|
||||||
+++ b/doc/man3/SSL_CTX_set1_sigalgs.pod
|
|
||||||
@@ -33,7 +33,9 @@ signature algorithms for B<ctx> or B<ssl>. The B<str> parameter
|
|
||||||
must be a null terminated string consisting of a colon separated list of
|
|
||||||
elements, where each element is either a combination of a public key
|
|
||||||
algorithm and a digest separated by B<+>, or a TLS 1.3-style named
|
|
||||||
-SignatureScheme such as rsa_pss_pss_sha256.
|
|
||||||
+SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded
|
|
||||||
+with the C<?> character, it will be ignored if an implementation is missing.
|
|
||||||
+
|
|
||||||
|
|
||||||
SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(),
|
|
||||||
SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set
|
|
||||||
@@ -106,6 +108,13 @@ using a string:
|
|
||||||
L<ssl(7)>, L<SSL_get_shared_sigalgs(3)>,
|
|
||||||
L<SSL_CONF_CTX_new(3)>
|
|
||||||
|
|
||||||
+=head1 HISTORY
|
|
||||||
+
|
|
||||||
+Support for ignoring unknown signature algorithms in
|
|
||||||
+SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(),
|
|
||||||
+SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list()
|
|
||||||
+was added in OpenSSL 3.3.
|
|
||||||
+
|
|
||||||
=head1 COPYRIGHT
|
|
||||||
|
|
||||||
Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
|
||||||
index 056aae3863..fe680449c5 100644
|
|
||||||
--- a/ssl/t1_lib.c
|
|
||||||
+++ b/ssl/t1_lib.c
|
|
||||||
@@ -1052,9 +1052,15 @@ static int gid_cb(const char *elem, int len, void *arg)
|
|
||||||
size_t i;
|
|
||||||
uint16_t gid = 0;
|
|
||||||
char etmp[GROUP_NAME_BUFFER_LENGTH];
|
|
||||||
+ int ignore_unknown = 0;
|
|
||||||
|
|
||||||
if (elem == NULL)
|
|
||||||
return 0;
|
|
||||||
+ if (elem[0] == '?') {
|
|
||||||
+ ignore_unknown = 1;
|
|
||||||
+ ++elem;
|
|
||||||
+ --len;
|
|
||||||
+ }
|
|
||||||
if (garg->gidcnt == garg->gidmax) {
|
|
||||||
uint16_t *tmp =
|
|
||||||
OPENSSL_realloc(garg->gid_arr,
|
|
||||||
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg)
|
|
||||||
|
|
||||||
gid = tls1_group_name2id(garg->ctx, etmp);
|
|
||||||
if (gid == 0) {
|
|
||||||
- ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
|
||||||
- "group '%s' cannot be set", etmp);
|
|
||||||
- return 0;
|
|
||||||
+ /* Unknown group - ignore, if ignore_unknown */
|
|
||||||
+ return ignore_unknown;
|
|
||||||
}
|
|
||||||
for (i = 0; i < garg->gidcnt; i++)
|
|
||||||
- if (garg->gid_arr[i] == gid)
|
|
||||||
- return 0;
|
|
||||||
+ if (garg->gid_arr[i] == gid) {
|
|
||||||
+ /* Duplicate group - ignore */
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
garg->gid_arr[garg->gidcnt++] = gid;
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
@@ -1097,6 +1104,11 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen,
|
|
||||||
gcb.ctx = ctx;
|
|
||||||
if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb))
|
|
||||||
goto end;
|
|
||||||
+ if (gcb.gidcnt == 0) {
|
|
||||||
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
|
||||||
+ "No valid groups in '%s'", str);
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
if (pext == NULL) {
|
|
||||||
ret = 1;
|
|
||||||
goto end;
|
|
||||||
@@ -2905,8 +2917,15 @@ static int sig_cb(const char *elem, int len, void *arg)
|
|
||||||
const SIGALG_LOOKUP *s;
|
|
||||||
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
|
|
||||||
int sig_alg = NID_undef, hash_alg = NID_undef;
|
|
||||||
+ int ignore_unknown = 0;
|
|
||||||
+
|
|
||||||
if (elem == NULL)
|
|
||||||
return 0;
|
|
||||||
+ if (elem[0] == '?') {
|
|
||||||
+ ignore_unknown = 1;
|
|
||||||
+ ++elem;
|
|
||||||
+ --len;
|
|
||||||
+ }
|
|
||||||
if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
|
|
||||||
return 0;
|
|
||||||
if (len > (int)(sizeof(etmp) - 1))
|
|
||||||
@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
|
||||||
- return 0;
|
|
||||||
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
|
||||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
|
||||||
+ return ignore_unknown;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
*p = 0;
|
|
||||||
@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
|
||||||
return 0;
|
|
||||||
get_sigorhash(&sig_alg, &hash_alg, etmp);
|
|
||||||
get_sigorhash(&sig_alg, &hash_alg, p);
|
|
||||||
- if (sig_alg == NID_undef || hash_alg == NID_undef)
|
|
||||||
- return 0;
|
|
||||||
+ if (sig_alg == NID_undef || hash_alg == NID_undef) {
|
|
||||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
|
||||||
+ return ignore_unknown;
|
|
||||||
+ }
|
|
||||||
for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
|
|
||||||
i++, s++) {
|
|
||||||
if (s->hash == hash_alg && s->sig == sig_alg) {
|
|
||||||
@@ -2949,15 +2972,17 @@ static int sig_cb(const char *elem, int len, void *arg)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
|
||||||
- return 0;
|
|
||||||
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
|
||||||
+ /* Ignore unknown algorithms if ignore_unknown */
|
|
||||||
+ return ignore_unknown;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Reject duplicates */
|
|
||||||
+ /* Ignore duplicates */
|
|
||||||
for (i = 0; i < sarg->sigalgcnt - 1; i++) {
|
|
||||||
if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
|
|
||||||
sarg->sigalgcnt--;
|
|
||||||
- return 0;
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return 1;
|
|
||||||
@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
|
||||||
}
|
|
||||||
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
|
||||||
return 0;
|
|
||||||
+ if (sig.sigalgcnt == 0) {
|
|
||||||
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
|
||||||
+ "No valid signature algorithms in '%s'", str);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
if (c == NULL)
|
|
||||||
return 1;
|
|
||||||
return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
|
|
||||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
|
||||||
index 1c14f93ed1..184a0f1055 100644
|
|
||||||
--- a/test/sslapitest.c
|
|
||||||
+++ b/test/sslapitest.c
|
|
||||||
@@ -39,6 +39,7 @@
|
|
||||||
#include "testutil.h"
|
|
||||||
#include "testutil/output.h"
|
|
||||||
#include "internal/nelem.h"
|
|
||||||
+#include "internal/tlsgroups.h"
|
|
||||||
#include "internal/ktls.h"
|
|
||||||
#include "../ssl/ssl_local.h"
|
|
||||||
#include "../ssl/record/methods/recmethod_local.h"
|
|
||||||
@@ -3147,6 +3148,7 @@ static const sigalgs_list testsigalgs[] = {
|
|
||||||
{validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
|
|
||||||
# endif
|
|
||||||
{NULL, 0, "RSA+SHA256", 1, 1},
|
|
||||||
+ {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
|
|
||||||
# ifndef OPENSSL_NO_EC
|
|
||||||
{NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
|
|
||||||
{NULL, 0, "ECDSA+SHA512", 1, 0},
|
|
||||||
@@ -9276,6 +9278,64 @@ static int test_servername(int tst)
|
|
||||||
return testresult;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int test_unknown_sigalgs_groups(void)
|
|
||||||
+{
|
|
||||||
+ int ret = 0;
|
|
||||||
+ SSL_CTX *ctx = NULL;
|
|
||||||
+
|
|
||||||
+ if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
|
|
||||||
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
|
|
||||||
+ 0))
|
|
||||||
+ goto end;
|
|
||||||
+ if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
|
|
||||||
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
|
|
||||||
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
|
|
||||||
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
|
|
||||||
+ 0))
|
|
||||||
+ goto end;
|
|
||||||
+ if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
|
|
||||||
+ || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
|
|
||||||
+ || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
|
||||||
+ "nonexistent"),
|
|
||||||
+ 0))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
|
||||||
+ "?nonexistent1:?nonexistent2:?nonexistent3"),
|
|
||||||
+ 0))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_NO_EC
|
|
||||||
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
|
||||||
+ "P-256:nonexistent"),
|
|
||||||
+ 0))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
|
|
||||||
+ "P-384:?nonexistent:?P-521"),
|
|
||||||
+ 0))
|
|
||||||
+ goto end;
|
|
||||||
+ if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
|
|
||||||
+ || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
|
|
||||||
+ || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
|
|
||||||
+ goto end;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ ret = 1;
|
|
||||||
+ end:
|
|
||||||
+ SSL_CTX_free(ctx);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#if !defined(OPENSSL_NO_EC) \
|
|
||||||
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
|
|
||||||
/*
|
|
||||||
@@ -11519,6 +11579,7 @@ int setup_tests(void)
|
|
||||||
ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
|
|
||||||
#endif
|
|
||||||
ADD_ALL_TESTS(test_servername, 10);
|
|
||||||
+ ADD_TEST(test_unknown_sigalgs_groups);
|
|
||||||
#if !defined(OPENSSL_NO_EC) \
|
|
||||||
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
|
|
||||||
ADD_ALL_TESTS(test_sigalgs_available, 6);
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,65 +0,0 @@
|
|||||||
diff -up openssl-3.0.7/apps/cms.c.fips_cms openssl-3.0.7/apps/cms.c
|
|
||||||
--- openssl-3.0.7/apps/cms.c.fips_cms 2023-05-18 14:03:56.360555106 +0200
|
|
||||||
+++ openssl-3.0.7/apps/cms.c 2023-05-18 14:13:33.765183185 +0200
|
|
||||||
@@ -20,6 +20,7 @@
|
|
||||||
#include <openssl/x509_vfy.h>
|
|
||||||
#include <openssl/x509v3.h>
|
|
||||||
#include <openssl/cms.h>
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
|
|
||||||
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
|
|
||||||
static int cms_cb(int ok, X509_STORE_CTX *ctx);
|
|
||||||
@@ -810,12 +811,16 @@ int cms_main(int argc, char **argv)
|
|
||||||
|
|
||||||
if (operation == SMIME_ENCRYPT) {
|
|
||||||
if (!cipher) {
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ cipher = (EVP_CIPHER *)EVP_aes_128_cbc();
|
|
||||||
+ } else {
|
|
||||||
#ifndef OPENSSL_NO_DES
|
|
||||||
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
|
||||||
+ cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
|
||||||
#else
|
|
||||||
- BIO_printf(bio_err, "No cipher selected\n");
|
|
||||||
- goto end;
|
|
||||||
+ BIO_printf(bio_err, "No cipher selected\n");
|
|
||||||
+ goto end;
|
|
||||||
#endif
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
if (secret_key && !secret_keyid) {
|
|
||||||
diff -up openssl-3.0.7/crypto/cms/cms_env.c.fips_cms openssl-3.0.7/crypto/cms/cms_env.c
|
|
||||||
--- openssl-3.0.7/crypto/cms/cms_env.c.fips_cms 2023-05-22 10:06:50.276528155 +0200
|
|
||||||
+++ openssl-3.0.7/crypto/cms/cms_env.c 2023-05-22 10:08:58.406073945 +0200
|
|
||||||
@@ -14,6 +14,7 @@
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/cms.h>
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
#include "internal/sizes.h"
|
|
||||||
#include "crypto/asn1.h"
|
|
||||||
#include "crypto/evp.h"
|
|
||||||
@@ -321,6 +321,10 @@ static int cms_RecipientInfo_ktri_init(C
|
|
||||||
return 0;
|
|
||||||
if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
|
|
||||||
return 0;
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
} else if (!ossl_cms_env_asn1_ctrl(ri, 0))
|
|
||||||
return 0;
|
|
||||||
return 1;
|
|
||||||
@@ -484,6 +489,11 @@ static int cms_RecipientInfo_ktri_encryp
|
|
||||||
|
|
||||||
if (EVP_PKEY_encrypt_init(pctx) <= 0)
|
|
||||||
goto err;
|
|
||||||
+
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0)
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
|
|
@ -1,16 +0,0 @@
|
|||||||
diff -up openssl-3.2.1/test/sslapitest.c.xxx openssl-3.2.1/test/sslapitest.c
|
|
||||||
--- openssl-3.2.1/test/sslapitest.c.xxx 2024-04-15 10:14:47.292448045 +0200
|
|
||||||
+++ openssl-3.2.1/test/sslapitest.c 2024-04-15 10:15:23.428396994 +0200
|
|
||||||
@@ -1020,9 +1020,10 @@ static int execute_test_large_message(co
|
|
||||||
/* sock must be connected */
|
|
||||||
static int ktls_chk_platform(int sock)
|
|
||||||
{
|
|
||||||
- if (!ktls_enable(sock))
|
|
||||||
+/* if (!ktls_enable(sock))
|
|
||||||
return 0;
|
|
||||||
- return 1;
|
|
||||||
+ return 1; */
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
|
|
@ -1,62 +0,0 @@
|
|||||||
From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Mon, 17 Jun 2024 16:48:26 +0200
|
|
||||||
Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older
|
|
||||||
providers
|
|
||||||
|
|
||||||
If there is no get_ctx_params() implemented in the key exchange
|
|
||||||
provider implementation the fallback will not work. Instead
|
|
||||||
check the gettable_ctx_params() to see if the fallback should be
|
|
||||||
performed.
|
|
||||||
|
|
||||||
Fixes #24611
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
|
|
||||||
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/24661)
|
|
||||||
|
|
||||||
(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d)
|
|
||||||
---
|
|
||||||
crypto/evp/pmeth_lib.c | 11 +++++++++--
|
|
||||||
1 file changed, 9 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
|
||||||
index 2caff2cd6d..d15e43be05 100644
|
|
||||||
--- a/crypto/evp/pmeth_lib.c
|
|
||||||
+++ b/crypto/evp/pmeth_lib.c
|
|
||||||
@@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
|
|
||||||
int datalen)
|
|
||||||
{
|
|
||||||
OSSL_PARAM os_params[2];
|
|
||||||
+ const OSSL_PARAM *gettables;
|
|
||||||
unsigned char *info = NULL;
|
|
||||||
size_t info_len = 0;
|
|
||||||
size_t info_alloc = 0;
|
|
||||||
@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Check for older provider that doesn't support getting this parameter */
|
|
||||||
+ gettables = EVP_PKEY_CTX_gettable_params(ctx);
|
|
||||||
+ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL)
|
|
||||||
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl,
|
|
||||||
+ data, datalen);
|
|
||||||
+
|
|
||||||
/* Get the original value length */
|
|
||||||
os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
|
|
||||||
os_params[1] = OSSL_PARAM_construct_end();
|
|
||||||
@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
|
|
||||||
if (!EVP_PKEY_CTX_get_params(ctx, os_params))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
- /* Older provider that doesn't support getting this parameter */
|
|
||||||
+ /* This should not happen but check to be sure. */
|
|
||||||
if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
|
|
||||||
- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
|
|
||||||
+ return 0;
|
|
||||||
|
|
||||||
info_alloc = os_params[0].return_size + datalen;
|
|
||||||
if (info_alloc == 0)
|
|
||||||
--
|
|
||||||
2.45.1
|
|
||||||
|
|
@ -1,109 +0,0 @@
|
|||||||
From 99fb785a5f85315b95288921a321a935ea29a51e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Fri, 31 May 2024 11:14:33 +0100
|
|
||||||
Subject: [PATCH 01/10] Fix SSL_select_next_proto
|
|
||||||
|
|
||||||
Ensure that the provided client list is non-NULL and starts with a valid
|
|
||||||
entry. When called from the ALPN callback the client list should already
|
|
||||||
have been validated by OpenSSL so this should not cause a problem. When
|
|
||||||
called from the NPN callback the client list is locally configured and
|
|
||||||
will not have already been validated. Therefore SSL_select_next_proto
|
|
||||||
should not assume that it is correctly formatted.
|
|
||||||
|
|
||||||
We implement stricter checking of the client protocol list. We also do the
|
|
||||||
same for the server list while we are about it.
|
|
||||||
|
|
||||||
CVE-2024-5535
|
|
||||||
|
|
||||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
|
||||||
---
|
|
||||||
ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
|
|
||||||
1 file changed, 40 insertions(+), 23 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
|
||||||
index 016135fe18..cf52b317cf 100644
|
|
||||||
--- a/ssl/ssl_lib.c
|
|
||||||
+++ b/ssl/ssl_lib.c
|
|
||||||
@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
|
|
||||||
unsigned int server_len,
|
|
||||||
const unsigned char *client, unsigned int client_len)
|
|
||||||
{
|
|
||||||
- unsigned int i, j;
|
|
||||||
- const unsigned char *result;
|
|
||||||
- int status = OPENSSL_NPN_UNSUPPORTED;
|
|
||||||
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
|
|
||||||
+
|
|
||||||
+ if (!PACKET_buf_init(&cpkt, client, client_len)
|
|
||||||
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
|
|
||||||
+ || PACKET_remaining(&csubpkt) == 0) {
|
|
||||||
+ *out = NULL;
|
|
||||||
+ *outlen = 0;
|
|
||||||
+ return OPENSSL_NPN_NO_OVERLAP;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Set the default opportunistic protocol. Will be overwritten if we find
|
|
||||||
+ * a match.
|
|
||||||
+ */
|
|
||||||
+ *out = (unsigned char *)PACKET_data(&csubpkt);
|
|
||||||
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* For each protocol in server preference order, see if we support it.
|
|
||||||
*/
|
|
||||||
- for (i = 0; i < server_len;) {
|
|
||||||
- for (j = 0; j < client_len;) {
|
|
||||||
- if (server[i] == client[j] &&
|
|
||||||
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
|
|
||||||
- /* We found a match */
|
|
||||||
- result = &server[i];
|
|
||||||
- status = OPENSSL_NPN_NEGOTIATED;
|
|
||||||
- goto found;
|
|
||||||
+ if (PACKET_buf_init(&spkt, server, server_len)) {
|
|
||||||
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
|
|
||||||
+ if (PACKET_remaining(&ssubpkt) == 0)
|
|
||||||
+ continue; /* Invalid - ignore it */
|
|
||||||
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
|
|
||||||
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
|
|
||||||
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
|
|
||||||
+ PACKET_remaining(&ssubpkt))) {
|
|
||||||
+ /* We found a match */
|
|
||||||
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
|
|
||||||
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
|
|
||||||
+ return OPENSSL_NPN_NEGOTIATED;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ /* Ignore spurious trailing bytes in the client list */
|
|
||||||
+ } else {
|
|
||||||
+ /* This should never happen */
|
|
||||||
+ return OPENSSL_NPN_NO_OVERLAP;
|
|
||||||
}
|
|
||||||
- j += client[j];
|
|
||||||
- j++;
|
|
||||||
}
|
|
||||||
- i += server[i];
|
|
||||||
- i++;
|
|
||||||
+ /* Ignore spurious trailing bytes in the server list */
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* There's no overlap between our protocols and the server's list. */
|
|
||||||
- result = client;
|
|
||||||
- status = OPENSSL_NPN_NO_OVERLAP;
|
|
||||||
-
|
|
||||||
- found:
|
|
||||||
- *out = (unsigned char *)result + 1;
|
|
||||||
- *outlen = result[0];
|
|
||||||
- return status;
|
|
||||||
+ /*
|
|
||||||
+ * There's no overlap between our protocols and the server's list. We use
|
|
||||||
+ * the default opportunistic protocol selected earlier
|
|
||||||
+ */
|
|
||||||
+ return OPENSSL_NPN_NO_OVERLAP;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
@ -1,39 +0,0 @@
|
|||||||
From 015255851371757d54c2560643eb3b3a88123cf1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Fri, 31 May 2024 11:18:27 +0100
|
|
||||||
Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when
|
|
||||||
processing NPN
|
|
||||||
|
|
||||||
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
|
|
||||||
the selected_len is 0 we should fail. Previously this would fail with an
|
|
||||||
internal_error alert because calling OPENSSL_malloc(selected_len) will
|
|
||||||
return NULL when selected_len is 0. We make this error detection more
|
|
||||||
explicit and return a handshake failure alert.
|
|
||||||
|
|
||||||
Follow on from CVE-2024-5535
|
|
||||||
|
|
||||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
|
||||||
---
|
|
||||||
ssl/statem/extensions_clnt.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
|
||||||
index 381a6c9d7b..1ab3c13d57 100644
|
|
||||||
--- a/ssl/statem/extensions_clnt.c
|
|
||||||
+++ b/ssl/statem/extensions_clnt.c
|
|
||||||
@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
|
||||||
if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
|
|
||||||
&selected, &selected_len,
|
|
||||||
PACKET_data(pkt), PACKET_remaining(pkt),
|
|
||||||
- sctx->ext.npn_select_cb_arg) !=
|
|
||||||
- SSL_TLSEXT_ERR_OK) {
|
|
||||||
+ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
|
|
||||||
+ || selected_len == 0) {
|
|
||||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From 6cc511826f09e513b4ec066d9b95acaf4f86d991 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Fri, 31 May 2024 11:22:13 +0100
|
|
||||||
Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver
|
|
||||||
|
|
||||||
The QUIC test server was using incorrectly formatted ALPN data. With the
|
|
||||||
previous implementation of SSL_select_next_proto this went unnoticed. With
|
|
||||||
the new stricter implemenation it was failing.
|
|
||||||
|
|
||||||
Follow on from CVE-2024-5535
|
|
||||||
|
|
||||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
|
||||||
---
|
|
||||||
ssl/quic/quic_tserver.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
|
|
||||||
index 86187d06ff..15694e723f 100644
|
|
||||||
--- a/ssl/quic/quic_tserver.c
|
|
||||||
+++ b/ssl/quic/quic_tserver.c
|
|
||||||
@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out,
|
|
||||||
|
|
||||||
if (srv->args.alpn == NULL) {
|
|
||||||
alpn = alpndeflt;
|
|
||||||
- alpnlen = sizeof(alpn);
|
|
||||||
+ alpnlen = sizeof(alpndeflt);
|
|
||||||
} else {
|
|
||||||
alpn = srv->args.alpn;
|
|
||||||
alpnlen = srv->args.alpnlen;
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
@ -1,78 +0,0 @@
|
|||||||
From 8e81c57adbbf703dfb63955f65599765fdacc741 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Fri, 31 May 2024 11:46:38 +0100
|
|
||||||
Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation
|
|
||||||
|
|
||||||
We clarify the input preconditions and the expected behaviour in the event
|
|
||||||
of no overlap.
|
|
||||||
|
|
||||||
Follow on from CVE-2024-5535
|
|
||||||
|
|
||||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
|
||||||
---
|
|
||||||
doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
|
|
||||||
1 file changed, 18 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
|
||||||
index 05fee2fbec..79e1a252f6 100644
|
|
||||||
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
|
||||||
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
|
||||||
@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
|
|
||||||
SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
|
|
||||||
set the list of protocols available to be negotiated. The B<protos> must be in
|
|
||||||
protocol-list format, described below. The length of B<protos> is specified in
|
|
||||||
-B<protos_len>.
|
|
||||||
+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
|
|
||||||
+protocols and no ALPN extension will be sent to the server.
|
|
||||||
|
|
||||||
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
|
|
||||||
server to select which protocol to use for the incoming connection. When B<cb>
|
|
||||||
@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
|
|
||||||
described below. The first item in the B<server>, B<server_len> list that
|
|
||||||
matches an item in the B<client>, B<client_len> list is selected, and returned
|
|
||||||
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
|
|
||||||
-B<client>, so it should be copied immediately. If no match is found, the first
|
|
||||||
-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
|
|
||||||
-function can also be used in the NPN callback.
|
|
||||||
+B<client>, so it should be copied immediately. The client list must include at
|
|
||||||
+least one valid (nonempty) protocol entry in the list.
|
|
||||||
+
|
|
||||||
+The SSL_select_next_proto() helper function can be useful from either the ALPN
|
|
||||||
+callback or the NPN callback (described below). If no match is found, the first
|
|
||||||
+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
|
|
||||||
+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
|
|
||||||
+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
|
|
||||||
+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
|
|
||||||
+SSL_select_next_proto().
|
|
||||||
|
|
||||||
SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
|
|
||||||
client needs to select a protocol from the server's provided list, and a
|
|
||||||
@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
|
|
||||||
The length of the protocol name must be written into B<outlen>. The
|
|
||||||
server's advertised protocols are provided in B<in> and B<inlen>. The
|
|
||||||
callback can assume that B<in> is syntactically valid. The client must
|
|
||||||
-select a protocol. It is fatal to the connection if this callback returns
|
|
||||||
-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
|
|
||||||
-set via SSL_CTX_set_next_proto_select_cb().
|
|
||||||
+select a protocol (although it may be an empty, zero length protocol). It is
|
|
||||||
+fatal to the connection if this callback returns a value other than
|
|
||||||
+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
|
|
||||||
+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
|
|
||||||
|
|
||||||
SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
|
|
||||||
when a TLS server needs a list of supported protocols for Next Protocol
|
|
||||||
@@ -154,7 +163,8 @@ A match was found and is returned in B<out>, B<outlen>.
|
|
||||||
=item OPENSSL_NPN_NO_OVERLAP
|
|
||||||
|
|
||||||
No match was found. The first item in B<client>, B<client_len> is returned in
|
|
||||||
-B<out>, B<outlen>.
|
|
||||||
+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
|
|
||||||
+B<client> is invalid).
|
|
||||||
|
|
||||||
=back
|
|
||||||
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
@ -1,172 +0,0 @@
|
|||||||
From add5c52a25c549cec4a730cdf96e2252f0a1862d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Fri, 31 May 2024 16:35:16 +0100
|
|
||||||
Subject: [PATCH 05/10] Add a test for SSL_select_next_proto
|
|
||||||
|
|
||||||
Follow on from CVE-2024-5535
|
|
||||||
|
|
||||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
|
||||||
---
|
|
||||||
test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 137 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
|
||||||
index ce163322cd..15cb9060cb 100644
|
|
||||||
--- a/test/sslapitest.c
|
|
||||||
+++ b/test/sslapitest.c
|
|
||||||
@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx)
|
|
||||||
return testresult;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static struct next_proto_st {
|
|
||||||
+ int serverlen;
|
|
||||||
+ unsigned char server[40];
|
|
||||||
+ int clientlen;
|
|
||||||
+ unsigned char client[40];
|
|
||||||
+ int expected_ret;
|
|
||||||
+ size_t selectedlen;
|
|
||||||
+ unsigned char selected[40];
|
|
||||||
+} next_proto_tests[] = {
|
|
||||||
+ {
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ OPENSSL_NPN_NEGOTIATED,
|
|
||||||
+ 3, { 'a', 'b', 'c' }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ OPENSSL_NPN_NEGOTIATED,
|
|
||||||
+ 3, { 'a', 'b', 'c' }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ OPENSSL_NPN_NEGOTIATED,
|
|
||||||
+ 3, { 'a', 'b', 'c' }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
|
|
||||||
+ OPENSSL_NPN_NEGOTIATED,
|
|
||||||
+ 3, { 'a', 'b', 'c' }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
|
|
||||||
+ OPENSSL_NPN_NEGOTIATED,
|
|
||||||
+ 3, { 'a', 'b', 'c' }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
|
|
||||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
|
|
||||||
+ OPENSSL_NPN_NEGOTIATED,
|
|
||||||
+ 3, { 'a', 'b', 'c' }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
|
|
||||||
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
|
|
||||||
+ OPENSSL_NPN_NEGOTIATED,
|
|
||||||
+ 3, { 'a', 'b', 'c' }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 4, { 3, 'b', 'c', 'd' },
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ OPENSSL_NPN_NO_OVERLAP,
|
|
||||||
+ 3, { 'a', 'b', 'c' }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 0, { 0 },
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ OPENSSL_NPN_NO_OVERLAP,
|
|
||||||
+ 3, { 'a', 'b', 'c' }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ -1, { 0 },
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ OPENSSL_NPN_NO_OVERLAP,
|
|
||||||
+ 3, { 'a', 'b', 'c' }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ 0, { 0 },
|
|
||||||
+ OPENSSL_NPN_NO_OVERLAP,
|
|
||||||
+ 0, { 0 }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ -1, { 0 },
|
|
||||||
+ OPENSSL_NPN_NO_OVERLAP,
|
|
||||||
+ 0, { 0 }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 3, { 3, 'a', 'b', 'c' },
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ OPENSSL_NPN_NO_OVERLAP,
|
|
||||||
+ 3, { 'a', 'b', 'c' }
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ 4, { 3, 'a', 'b', 'c' },
|
|
||||||
+ 3, { 3, 'a', 'b', 'c' },
|
|
||||||
+ OPENSSL_NPN_NO_OVERLAP,
|
|
||||||
+ 0, { 0 }
|
|
||||||
+ }
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static int test_select_next_proto(int idx)
|
|
||||||
+{
|
|
||||||
+ struct next_proto_st *np = &next_proto_tests[idx];
|
|
||||||
+ int ret = 0;
|
|
||||||
+ unsigned char *out, *client, *server;
|
|
||||||
+ unsigned char outlen;
|
|
||||||
+ unsigned int clientlen, serverlen;
|
|
||||||
+
|
|
||||||
+ if (np->clientlen == -1) {
|
|
||||||
+ client = NULL;
|
|
||||||
+ clientlen = 0;
|
|
||||||
+ } else {
|
|
||||||
+ client = np->client;
|
|
||||||
+ clientlen = (unsigned int)np->clientlen;
|
|
||||||
+ }
|
|
||||||
+ if (np->serverlen == -1) {
|
|
||||||
+ server = NULL;
|
|
||||||
+ serverlen = 0;
|
|
||||||
+ } else {
|
|
||||||
+ server = np->server;
|
|
||||||
+ serverlen = (unsigned int)np->serverlen;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
|
|
||||||
+ client, clientlen),
|
|
||||||
+ np->expected_ret))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ if (np->selectedlen == 0) {
|
|
||||||
+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
|
|
||||||
+ goto err;
|
|
||||||
+ } else {
|
|
||||||
+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = 1;
|
|
||||||
+ err:
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
|
|
||||||
|
|
||||||
int setup_tests(void)
|
|
||||||
@@ -12053,6 +12189,7 @@ int setup_tests(void)
|
|
||||||
ADD_ALL_TESTS(test_handshake_retry, 16);
|
|
||||||
ADD_TEST(test_data_retry);
|
|
||||||
ADD_ALL_TESTS(test_multi_resume, 5);
|
|
||||||
+ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
err:
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,39 +0,0 @@
|
|||||||
From 53f5677f358c4a4f69830d944ea40e71950673b8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Fri, 21 Jun 2024 10:41:55 +0100
|
|
||||||
Subject: [PATCH 07/10] Correct return values for
|
|
||||||
tls_construct_stoc_next_proto_neg
|
|
||||||
|
|
||||||
Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
|
|
||||||
rather than EXT_RETURN_SENT. This actually makes no difference at all to
|
|
||||||
the current control flow since this return value is ignored in this case
|
|
||||||
anyway. But lets make it correct anyway.
|
|
||||||
|
|
||||||
Follow on from CVE-2024-5535
|
|
||||||
|
|
||||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
|
||||||
---
|
|
||||||
ssl/statem/extensions_srvr.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
|
|
||||||
index 800654450e..66ed7dacf2 100644
|
|
||||||
--- a/ssl/statem/extensions_srvr.c
|
|
||||||
+++ b/ssl/statem/extensions_srvr.c
|
|
||||||
@@ -1501,9 +1501,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
|
|
||||||
return EXT_RETURN_FAIL;
|
|
||||||
}
|
|
||||||
s->s3.npn_seen = 1;
|
|
||||||
+ return EXT_RETURN_SENT;
|
|
||||||
}
|
|
||||||
|
|
||||||
- return EXT_RETURN_SENT;
|
|
||||||
+ return EXT_RETURN_NOT_SENT;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
@ -1,62 +0,0 @@
|
|||||||
From 195e15421df113d7283aab2ccff8b8fb06df5465 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Fri, 21 Jun 2024 11:51:54 +0100
|
|
||||||
Subject: [PATCH 08/10] Add ALPN validation in the client
|
|
||||||
|
|
||||||
The ALPN protocol selected by the server must be one that we originally
|
|
||||||
advertised. We should verify that it is.
|
|
||||||
|
|
||||||
Follow on from CVE-2024-5535
|
|
||||||
|
|
||||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
|
||||||
---
|
|
||||||
ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
|
|
||||||
1 file changed, 24 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
|
||||||
index 1ab3c13d57..ff9c009ee5 100644
|
|
||||||
--- a/ssl/statem/extensions_clnt.c
|
|
||||||
+++ b/ssl/statem/extensions_clnt.c
|
|
||||||
@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
|
||||||
X509 *x, size_t chainidx)
|
|
||||||
{
|
|
||||||
size_t len;
|
|
||||||
+ PACKET confpkt, protpkt;
|
|
||||||
+ int valid = 0;
|
|
||||||
|
|
||||||
/* We must have requested it. */
|
|
||||||
if (!s->s3.alpn_sent) {
|
|
||||||
@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
|
||||||
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /* It must be a protocol that we sent */
|
|
||||||
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
|
|
||||||
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
|
|
||||||
+ if (PACKET_remaining(&protpkt) != len)
|
|
||||||
+ continue;
|
|
||||||
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
|
|
||||||
+ /* Valid protocol found */
|
|
||||||
+ valid = 1;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!valid) {
|
|
||||||
+ /* The protocol sent from the server does not match one we advertised */
|
|
||||||
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
OPENSSL_free(s->s3.alpn_selected);
|
|
||||||
s->s3.alpn_selected = OPENSSL_malloc(len);
|
|
||||||
if (s->s3.alpn_selected == NULL) {
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
@ -1,267 +0,0 @@
|
|||||||
From 7c95191434415d1c9b7fe9b130df13cce630b6b5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Fri, 21 Jun 2024 10:09:41 +0100
|
|
||||||
Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest
|
|
||||||
|
|
||||||
We already had some tests elsewhere - but this extends that testing with
|
|
||||||
additional tests.
|
|
||||||
|
|
||||||
Follow on from CVE-2024-5535
|
|
||||||
|
|
||||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
|
||||||
---
|
|
||||||
test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 229 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
|
||||||
index 15cb9060cb..7a55a2b721 100644
|
|
||||||
--- a/test/sslapitest.c
|
|
||||||
+++ b/test/sslapitest.c
|
|
||||||
@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
|
|
||||||
+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
|
|
||||||
+
|
|
||||||
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
|
||||||
+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
|
|
||||||
+ unsigned int *outlen, void *arg)
|
|
||||||
+{
|
|
||||||
+ int *idx = (int *)arg;
|
|
||||||
+
|
|
||||||
+ switch (*idx) {
|
|
||||||
+ default:
|
|
||||||
+ case 0:
|
|
||||||
+ *out = fooprot;
|
|
||||||
+ *outlen = sizeof(fooprot);
|
|
||||||
+ return SSL_TLSEXT_ERR_OK;
|
|
||||||
+
|
|
||||||
+ case 1:
|
|
||||||
+ *outlen = 0;
|
|
||||||
+ return SSL_TLSEXT_ERR_OK;
|
|
||||||
+
|
|
||||||
+ case 2:
|
|
||||||
+ return SSL_TLSEXT_ERR_NOACK;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
|
|
||||||
+ const unsigned char *in, unsigned int inlen, void *arg)
|
|
||||||
+{
|
|
||||||
+ int *idx = (int *)arg;
|
|
||||||
+
|
|
||||||
+ switch (*idx) {
|
|
||||||
+ case 0:
|
|
||||||
+ case 1:
|
|
||||||
+ *out = (unsigned char *)(fooprot + 1);
|
|
||||||
+ *outlen = *fooprot;
|
|
||||||
+ return SSL_TLSEXT_ERR_OK;
|
|
||||||
+
|
|
||||||
+ case 3:
|
|
||||||
+ *out = (unsigned char *)(barprot + 1);
|
|
||||||
+ *outlen = *barprot;
|
|
||||||
+ return SSL_TLSEXT_ERR_OK;
|
|
||||||
+
|
|
||||||
+ case 4:
|
|
||||||
+ *outlen = 0;
|
|
||||||
+ return SSL_TLSEXT_ERR_OK;
|
|
||||||
+
|
|
||||||
+ default:
|
|
||||||
+ case 2:
|
|
||||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Test the NPN callbacks
|
|
||||||
+ * Test 0: advert = foo, select = foo
|
|
||||||
+ * Test 1: advert = <empty>, select = foo
|
|
||||||
+ * Test 2: no advert
|
|
||||||
+ * Test 3: advert = foo, select = bar
|
|
||||||
+ * Test 4: advert = foo, select = <empty> (should fail)
|
|
||||||
+ */
|
|
||||||
+static int test_npn(int idx)
|
|
||||||
+{
|
|
||||||
+ SSL_CTX *sctx = NULL, *cctx = NULL;
|
|
||||||
+ SSL *serverssl = NULL, *clientssl = NULL;
|
|
||||||
+ int testresult = 0;
|
|
||||||
+
|
|
||||||
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
|
||||||
+ TLS_client_method(), 0, TLS1_2_VERSION,
|
|
||||||
+ &sctx, &cctx, cert, privkey)))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
|
|
||||||
+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
|
|
||||||
+
|
|
||||||
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
|
|
||||||
+ NULL)))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ if (idx == 4) {
|
|
||||||
+ /* We don't allow empty selection of NPN, so this should fail */
|
|
||||||
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
|
|
||||||
+ SSL_ERROR_NONE)))
|
|
||||||
+ goto end;
|
|
||||||
+ } else {
|
|
||||||
+ const unsigned char *prot;
|
|
||||||
+ unsigned int protlen;
|
|
||||||
+
|
|
||||||
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
|
|
||||||
+ SSL_ERROR_NONE)))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
|
|
||||||
+ switch (idx) {
|
|
||||||
+ case 0:
|
|
||||||
+ case 1:
|
|
||||||
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
|
|
||||||
+ goto end;
|
|
||||||
+ break;
|
|
||||||
+ case 2:
|
|
||||||
+ if (!TEST_uint_eq(protlen, 0))
|
|
||||||
+ goto end;
|
|
||||||
+ break;
|
|
||||||
+ case 3:
|
|
||||||
+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
|
|
||||||
+ goto end;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ TEST_error("Should not get here");
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ testresult = 1;
|
|
||||||
+ end:
|
|
||||||
+ SSL_free(serverssl);
|
|
||||||
+ SSL_free(clientssl);
|
|
||||||
+ SSL_CTX_free(sctx);
|
|
||||||
+ SSL_CTX_free(cctx);
|
|
||||||
+
|
|
||||||
+ return testresult;
|
|
||||||
+}
|
|
||||||
+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
|
|
||||||
+
|
|
||||||
+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
|
|
||||||
+ unsigned char *outlen, const unsigned char *in,
|
|
||||||
+ unsigned int inlen, void *arg)
|
|
||||||
+{
|
|
||||||
+ int *idx = (int *)arg;
|
|
||||||
+
|
|
||||||
+ switch (*idx) {
|
|
||||||
+ case 0:
|
|
||||||
+ *out = (unsigned char *)(fooprot + 1);
|
|
||||||
+ *outlen = *fooprot;
|
|
||||||
+ return SSL_TLSEXT_ERR_OK;
|
|
||||||
+
|
|
||||||
+ case 2:
|
|
||||||
+ *out = (unsigned char *)(barprot + 1);
|
|
||||||
+ *outlen = *barprot;
|
|
||||||
+ return SSL_TLSEXT_ERR_OK;
|
|
||||||
+
|
|
||||||
+ case 3:
|
|
||||||
+ *outlen = 0;
|
|
||||||
+ return SSL_TLSEXT_ERR_OK;
|
|
||||||
+
|
|
||||||
+ default:
|
|
||||||
+ case 1:
|
|
||||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
||||||
+ }
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Test the ALPN callbacks
|
|
||||||
+ * Test 0: client = foo, select = foo
|
|
||||||
+ * Test 1: client = <empty>, select = none
|
|
||||||
+ * Test 2: client = foo, select = bar (should fail)
|
|
||||||
+ * Test 3: client = foo, select = <empty> (should fail)
|
|
||||||
+ */
|
|
||||||
+static int test_alpn(int idx)
|
|
||||||
+{
|
|
||||||
+ SSL_CTX *sctx = NULL, *cctx = NULL;
|
|
||||||
+ SSL *serverssl = NULL, *clientssl = NULL;
|
|
||||||
+ int testresult = 0;
|
|
||||||
+ const unsigned char *prots = fooprot;
|
|
||||||
+ unsigned int protslen = sizeof(fooprot);
|
|
||||||
+
|
|
||||||
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
|
||||||
+ TLS_client_method(), 0, 0,
|
|
||||||
+ &sctx, &cctx, cert, privkey)))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
|
|
||||||
+
|
|
||||||
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
|
|
||||||
+ NULL)))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ if (idx == 1) {
|
|
||||||
+ prots = NULL;
|
|
||||||
+ protslen = 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* SSL_set_alpn_protos returns 0 for success! */
|
|
||||||
+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ if (idx == 2 || idx == 3) {
|
|
||||||
+ /* We don't allow empty selection of NPN, so this should fail */
|
|
||||||
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
|
|
||||||
+ SSL_ERROR_NONE)))
|
|
||||||
+ goto end;
|
|
||||||
+ } else {
|
|
||||||
+ const unsigned char *prot;
|
|
||||||
+ unsigned int protlen;
|
|
||||||
+
|
|
||||||
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
|
|
||||||
+ SSL_ERROR_NONE)))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ SSL_get0_alpn_selected(clientssl, &prot, &protlen);
|
|
||||||
+ switch (idx) {
|
|
||||||
+ case 0:
|
|
||||||
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
|
|
||||||
+ goto end;
|
|
||||||
+ break;
|
|
||||||
+ case 1:
|
|
||||||
+ if (!TEST_uint_eq(protlen, 0))
|
|
||||||
+ goto end;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ TEST_error("Should not get here");
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ testresult = 1;
|
|
||||||
+ end:
|
|
||||||
+ SSL_free(serverssl);
|
|
||||||
+ SSL_free(clientssl);
|
|
||||||
+ SSL_CTX_free(sctx);
|
|
||||||
+ SSL_CTX_free(cctx);
|
|
||||||
+
|
|
||||||
+ return testresult;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
|
|
||||||
|
|
||||||
int setup_tests(void)
|
|
||||||
@@ -12190,6 +12415,10 @@ int setup_tests(void)
|
|
||||||
ADD_TEST(test_data_retry);
|
|
||||||
ADD_ALL_TESTS(test_multi_resume, 5);
|
|
||||||
ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
|
|
||||||
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
|
||||||
+ ADD_ALL_TESTS(test_npn, 5);
|
|
||||||
+#endif
|
|
||||||
+ ADD_ALL_TESTS(test_alpn, 4);
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
err:
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
@ -1,199 +0,0 @@
|
|||||||
From 301b870546d1c7b2d8f0d66e04a2596142f0399f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Fri, 21 Jun 2024 14:29:26 +0100
|
|
||||||
Subject: [PATCH 10/10] Add a test for an empty NextProto message
|
|
||||||
|
|
||||||
It is valid according to the spec for a NextProto message to have no
|
|
||||||
protocols listed in it. The OpenSSL implementation however does not allow
|
|
||||||
us to create such a message. In order to check that we work as expected
|
|
||||||
when communicating with a client that does generate such messages we have
|
|
||||||
to use a TLSProxy test.
|
|
||||||
|
|
||||||
Follow on from CVE-2024-5535
|
|
||||||
|
|
||||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/24717)
|
|
||||||
---
|
|
||||||
test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++
|
|
||||||
util/perl/TLSProxy/Message.pm | 9 ++++
|
|
||||||
util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++
|
|
||||||
util/perl/TLSProxy/Proxy.pm | 1 +
|
|
||||||
4 files changed, 137 insertions(+)
|
|
||||||
create mode 100644 test/recipes/70-test_npn.t
|
|
||||||
create mode 100644 util/perl/TLSProxy/NextProto.pm
|
|
||||||
|
|
||||||
diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..f82e71af6a
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/70-test_npn.t
|
|
||||||
@@ -0,0 +1,73 @@
|
|
||||||
+#! /usr/bin/env perl
|
|
||||||
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+#
|
|
||||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+# this file except in compliance with the License. You can obtain a copy
|
|
||||||
+# in the file LICENSE in the source distribution or at
|
|
||||||
+# https://www.openssl.org/source/license.html
|
|
||||||
+
|
|
||||||
+use strict;
|
|
||||||
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
|
|
||||||
+use OpenSSL::Test::Utils;
|
|
||||||
+
|
|
||||||
+use TLSProxy::Proxy;
|
|
||||||
+
|
|
||||||
+my $test_name = "test_npn";
|
|
||||||
+setup($test_name);
|
|
||||||
+
|
|
||||||
+plan skip_all => "TLSProxy isn't usable on $^O"
|
|
||||||
+ if $^O =~ /^(VMS)$/;
|
|
||||||
+
|
|
||||||
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
|
|
||||||
+ if disabled("engine") || disabled("dynamic-engine");
|
|
||||||
+
|
|
||||||
+plan skip_all => "$test_name needs the sock feature enabled"
|
|
||||||
+ if disabled("sock");
|
|
||||||
+
|
|
||||||
+plan skip_all => "$test_name needs NPN enabled"
|
|
||||||
+ if disabled("nextprotoneg");
|
|
||||||
+
|
|
||||||
+plan skip_all => "$test_name needs TLSv1.2 enabled"
|
|
||||||
+ if disabled("tls1_2");
|
|
||||||
+
|
|
||||||
+my $proxy = TLSProxy::Proxy->new(
|
|
||||||
+ undef,
|
|
||||||
+ cmdstr(app(["openssl"]), display => 1),
|
|
||||||
+ srctop_file("apps", "server.pem"),
|
|
||||||
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
|
|
||||||
+);
|
|
||||||
+
|
|
||||||
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
|
|
||||||
+plan tests => 1;
|
|
||||||
+
|
|
||||||
+my $npnseen = 0;
|
|
||||||
+
|
|
||||||
+# Test 1: Check sending an empty NextProto message from the client works. This is
|
|
||||||
+# valid as per the spec, but OpenSSL does not allow you to send it.
|
|
||||||
+# Therefore we must be prepared to receive such a message but we cannot
|
|
||||||
+# generate it except via TLSProxy
|
|
||||||
+$proxy->clear();
|
|
||||||
+$proxy->filter(\&npn_filter);
|
|
||||||
+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
|
|
||||||
+$proxy->serverflags("-nextprotoneg foo");
|
|
||||||
+$proxy->start();
|
|
||||||
+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
|
|
||||||
+
|
|
||||||
+sub npn_filter
|
|
||||||
+{
|
|
||||||
+ my $proxy = shift;
|
|
||||||
+ my $message;
|
|
||||||
+
|
|
||||||
+ # The NextProto message always appears in flight 2
|
|
||||||
+ return if $proxy->flight != 2;
|
|
||||||
+
|
|
||||||
+ foreach my $message (@{$proxy->message_list}) {
|
|
||||||
+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
|
|
||||||
+ # Our TLSproxy NextProto message support doesn't support parsing of
|
|
||||||
+ # the message. If we repack it just creates an empty NextProto
|
|
||||||
+ # message - which is exactly the scenario we want to test here.
|
|
||||||
+ $message->repack();
|
|
||||||
+ $npnseen = 1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
|
|
||||||
index ce22187569..fb41b2ffc8 100644
|
|
||||||
--- a/util/perl/TLSProxy/Message.pm
|
|
||||||
+++ b/util/perl/TLSProxy/Message.pm
|
|
||||||
@@ -384,6 +384,15 @@ sub create_message
|
|
||||||
[@message_frag_lens]
|
|
||||||
);
|
|
||||||
$message->parse();
|
|
||||||
+ } elsif ($mt == MT_NEXT_PROTO) {
|
|
||||||
+ $message = TLSProxy::NextProto->new(
|
|
||||||
+ $server,
|
|
||||||
+ $data,
|
|
||||||
+ [@message_rec_list],
|
|
||||||
+ $startoffset,
|
|
||||||
+ [@message_frag_lens]
|
|
||||||
+ );
|
|
||||||
+ $message->parse();
|
|
||||||
} else {
|
|
||||||
#Unknown message type
|
|
||||||
$message = TLSProxy::Message->new(
|
|
||||||
diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..0e18347546
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/util/perl/TLSProxy/NextProto.pm
|
|
||||||
@@ -0,0 +1,54 @@
|
|
||||||
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+#
|
|
||||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+# this file except in compliance with the License. You can obtain a copy
|
|
||||||
+# in the file LICENSE in the source distribution or at
|
|
||||||
+# https://www.openssl.org/source/license.html
|
|
||||||
+
|
|
||||||
+use strict;
|
|
||||||
+
|
|
||||||
+package TLSProxy::NextProto;
|
|
||||||
+
|
|
||||||
+use vars '@ISA';
|
|
||||||
+push @ISA, 'TLSProxy::Message';
|
|
||||||
+
|
|
||||||
+sub new
|
|
||||||
+{
|
|
||||||
+ my $class = shift;
|
|
||||||
+ my ($server,
|
|
||||||
+ $data,
|
|
||||||
+ $records,
|
|
||||||
+ $startoffset,
|
|
||||||
+ $message_frag_lens) = @_;
|
|
||||||
+
|
|
||||||
+ my $self = $class->SUPER::new(
|
|
||||||
+ $server,
|
|
||||||
+ TLSProxy::Message::MT_NEXT_PROTO,
|
|
||||||
+ $data,
|
|
||||||
+ $records,
|
|
||||||
+ $startoffset,
|
|
||||||
+ $message_frag_lens);
|
|
||||||
+
|
|
||||||
+ return $self;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub parse
|
|
||||||
+{
|
|
||||||
+ # We don't support parsing at the moment
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# This is supposed to reconstruct the on-the-wire message data following changes.
|
|
||||||
+# For now though since we don't support parsing we just create an empty NextProto
|
|
||||||
+# message - this capability is used in test_npn
|
|
||||||
+sub set_message_contents
|
|
||||||
+{
|
|
||||||
+ my $self = shift;
|
|
||||||
+ my $data;
|
|
||||||
+
|
|
||||||
+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
+ 0x00, 0x00, 0x00);
|
|
||||||
+ $self->data($data);
|
|
||||||
+}
|
|
||||||
+1;
|
|
||||||
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
|
|
||||||
index 3de10eccb9..b707722b6b 100644
|
|
||||||
--- a/util/perl/TLSProxy/Proxy.pm
|
|
||||||
+++ b/util/perl/TLSProxy/Proxy.pm
|
|
||||||
@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
|
|
||||||
use TLSProxy::CertificateVerify;
|
|
||||||
use TLSProxy::ServerKeyExchange;
|
|
||||||
use TLSProxy::NewSessionTicket;
|
|
||||||
+use TLSProxy::NextProto;
|
|
||||||
|
|
||||||
my $have_IPv6;
|
|
||||||
my $IP_factory;
|
|
||||||
--
|
|
||||||
2.46.0
|
|
||||||
|
|
@ -1,233 +0,0 @@
|
|||||||
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
|
|
||||||
index 1a18174995..a09414c972 100644
|
|
||||||
--- a/crypto/x509/v3_utl.c
|
|
||||||
+++ b/crypto/x509/v3_utl.c
|
|
||||||
@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
|
|
||||||
ASN1_STRING *cstr;
|
|
||||||
|
|
||||||
gen = sk_GENERAL_NAME_value(gens, i);
|
|
||||||
- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
|
|
||||||
- if (OBJ_obj2nid(gen->d.otherName->type_id) ==
|
|
||||||
- NID_id_on_SmtpUTF8Mailbox) {
|
|
||||||
- san_present = 1;
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * If it is not a UTF8String then that is unexpected and we
|
|
||||||
- * treat it as no match
|
|
||||||
- */
|
|
||||||
- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
|
|
||||||
- cstr = gen->d.otherName->value->value.utf8string;
|
|
||||||
-
|
|
||||||
- /* Positive on success, negative on error! */
|
|
||||||
- if ((rv = do_check_string(cstr, 0, equal, flags,
|
|
||||||
- chk, chklen, peername)) != 0)
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
- } else
|
|
||||||
+ switch (gen->type) {
|
|
||||||
+ default:
|
|
||||||
+ continue;
|
|
||||||
+ case GEN_OTHERNAME:
|
|
||||||
+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
|
|
||||||
+ default:
|
|
||||||
continue;
|
|
||||||
- } else {
|
|
||||||
- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
|
|
||||||
+ case NID_id_on_SmtpUTF8Mailbox:
|
|
||||||
+ /*-
|
|
||||||
+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3
|
|
||||||
+ *
|
|
||||||
+ * Due to name constraint compatibility reasons described
|
|
||||||
+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
|
|
||||||
+ * be used unless the local-part of the email address
|
|
||||||
+ * contains non-ASCII characters. When the local-part is
|
|
||||||
+ * ASCII, rfc822Name subjectAltName MUST be used instead
|
|
||||||
+ * of SmtpUTF8Mailbox. This is compatible with legacy
|
|
||||||
+ * software that supports only rfc822Name (and not
|
|
||||||
+ * SmtpUTF8Mailbox). [...]
|
|
||||||
+ *
|
|
||||||
+ * SmtpUTF8Mailbox is encoded as UTF8String.
|
|
||||||
+ *
|
|
||||||
+ * If it is not a UTF8String then that is unexpected, and
|
|
||||||
+ * we ignore the invalid SAN (neither set san_present nor
|
|
||||||
+ * consider it a candidate for equality). This does mean
|
|
||||||
+ * that the subject CN may be considered, as would be the
|
|
||||||
+ * case when the malformed SmtpUtf8Mailbox SAN is instead
|
|
||||||
+ * simply absent.
|
|
||||||
+ *
|
|
||||||
+ * When CN-ID matching is not desirable, applications can
|
|
||||||
+ * choose to turn it off, doing so is at this time a best
|
|
||||||
+ * practice.
|
|
||||||
+ */
|
|
||||||
+ if (check_type != GEN_EMAIL
|
|
||||||
+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
|
|
||||||
+ continue;
|
|
||||||
+ alt_type = 0;
|
|
||||||
+ cstr = gen->d.otherName->value->value.utf8string;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
+ case GEN_EMAIL:
|
|
||||||
+ if (check_type != GEN_EMAIL)
|
|
||||||
continue;
|
|
||||||
- }
|
|
||||||
- san_present = 1;
|
|
||||||
- if (check_type == GEN_EMAIL)
|
|
||||||
cstr = gen->d.rfc822Name;
|
|
||||||
- else if (check_type == GEN_DNS)
|
|
||||||
+ break;
|
|
||||||
+ case GEN_DNS:
|
|
||||||
+ if (check_type != GEN_DNS)
|
|
||||||
+ continue;
|
|
||||||
cstr = gen->d.dNSName;
|
|
||||||
- else
|
|
||||||
+ break;
|
|
||||||
+ case GEN_IPADD:
|
|
||||||
+ if (check_type != GEN_IPADD)
|
|
||||||
+ continue;
|
|
||||||
cstr = gen->d.iPAddress;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ san_present = 1;
|
|
||||||
/* Positive on success, negative on error! */
|
|
||||||
if ((rv = do_check_string(cstr, alt_type, equal, flags,
|
|
||||||
chk, chklen, peername)) != 0)
|
|
||||||
diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
|
|
||||||
index 522982ddfb..e18735d89a 100644
|
|
||||||
--- a/test/recipes/25-test_eai_data.t
|
|
||||||
+++ b/test/recipes/25-test_eai_data.t
|
|
||||||
@@ -21,16 +21,18 @@ setup("test_eai_data");
|
|
||||||
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
|
|
||||||
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
|
|
||||||
|
|
||||||
-plan tests => 12;
|
|
||||||
+plan tests => 16;
|
|
||||||
|
|
||||||
require_ok(srctop_file('test','recipes','tconversion.pl'));
|
|
||||||
my $folder = "test/recipes/25-test_eai_data";
|
|
||||||
|
|
||||||
my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
|
|
||||||
my $utf8_pem = srctop_file($folder, "utf8_leaf.pem");
|
|
||||||
+my $kdc_pem = srctop_file($folder, "kdc-cert.pem");
|
|
||||||
|
|
||||||
my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
|
|
||||||
my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem");
|
|
||||||
+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem");
|
|
||||||
|
|
||||||
my $out;
|
|
||||||
my $outcnt = 0;
|
|
||||||
@@ -56,10 +58,18 @@ SKIP: {
|
|
||||||
|
|
||||||
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
|
|
||||||
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
|
|
||||||
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
|
|
||||||
|
|
||||||
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
|
|
||||||
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem])));
|
|
||||||
|
|
||||||
+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
|
|
||||||
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
|
|
||||||
+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
|
|
||||||
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
|
|
||||||
+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
|
|
||||||
+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
|
|
||||||
+
|
|
||||||
#Check that we get the expected failure return code
|
|
||||||
with({ exit_checker => sub { return shift == 2; } },
|
|
||||||
sub {
|
|
||||||
diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..e8a2c6f55d
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/25-test_eai_data/kdc-cert.pem
|
|
||||||
@@ -0,0 +1,21 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
|
|
||||||
+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
|
|
||||||
+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
|
|
||||||
+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
|
|
||||||
+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
|
|
||||||
+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
|
|
||||||
+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
|
|
||||||
+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
|
|
||||||
+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
|
|
||||||
+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
|
|
||||||
+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
|
|
||||||
+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
|
|
||||||
+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
|
|
||||||
+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
|
|
||||||
+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
|
|
||||||
+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
|
|
||||||
+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
|
|
||||||
+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
|
|
||||||
+oDQ9fKfUOAmUFth2/R/eGA==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..a74c96bf31
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
|
|
||||||
@@ -0,0 +1,16 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
|
|
||||||
+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
|
|
||||||
+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
|
|
||||||
+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
|
|
||||||
+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
|
|
||||||
+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
|
|
||||||
+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
|
|
||||||
+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
|
|
||||||
+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
|
|
||||||
+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
|
|
||||||
+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
|
|
||||||
+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
|
|
||||||
+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
|
|
||||||
+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000000..7a8dbc719f
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/25-test_eai_data/kdc.sh
|
|
||||||
@@ -0,0 +1,41 @@
|
|
||||||
+#! /usr/bin/env bash
|
|
||||||
+
|
|
||||||
+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
|
|
||||||
+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
|
|
||||||
+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should
|
|
||||||
+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
|
|
||||||
+# should likewise lead to ASAN issues with email name checks.
|
|
||||||
+
|
|
||||||
+rm -f root-key.pem root-cert.pem
|
|
||||||
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
|
|
||||||
+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
|
|
||||||
+
|
|
||||||
+exts=$(
|
|
||||||
+ printf "%s\n%s\n%s\n%s = " \
|
|
||||||
+ "subjectKeyIdentifier = hash" \
|
|
||||||
+ "authorityKeyIdentifier = keyid" \
|
|
||||||
+ "basicConstraints = CA:false" \
|
|
||||||
+ "subjectAltName"
|
|
||||||
+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
|
|
||||||
+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
|
|
||||||
+ printf "%s, " "email:joe@example.com"
|
|
||||||
+ printf "%s\n" "DNS:mx1.example.com"
|
|
||||||
+ printf "[kdc_princ_name]\n"
|
|
||||||
+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
|
|
||||||
+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
|
|
||||||
+ printf "[kdc_principal_seq]\n"
|
|
||||||
+ printf "name_type = EXP:0, INTEGER:1\n"
|
|
||||||
+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
|
|
||||||
+ printf "[kdc_principal_components]\n"
|
|
||||||
+ printf "princ1 = GeneralString:krbtgt\n"
|
|
||||||
+ printf "princ2 = GeneralString:TEST.EXAMPLE\n"
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+printf "%s\n" "$exts"
|
|
||||||
+
|
|
||||||
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
|
|
||||||
+ -subj "/CN=TEST.EXAMPLE" |
|
|
||||||
+ openssl x509 -req -out kdc-cert.pem \
|
|
||||||
+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
|
|
||||||
+ -set_serial 2 -days 36524 \
|
|
||||||
+ -extfile <(printf "%s\n" "$exts")
|
|
72
SOURCES/README.FIPS
Normal file
72
SOURCES/README.FIPS
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module
|
||||||
|
=================================================================
|
||||||
|
|
||||||
|
This package contains libraries which comprise the FIPS 140-2
|
||||||
|
Red Hat Enterprise Linux - OPENSSL Module.
|
||||||
|
|
||||||
|
The module files
|
||||||
|
================
|
||||||
|
/usr/lib[64]/libcrypto.so.1.1.0
|
||||||
|
/usr/lib[64]/libssl.so.1.1.0
|
||||||
|
/usr/lib[64]/.libcrypto.so.1.1.0.hmac
|
||||||
|
/usr/lib[64]/.libssl.so.1.1.0.hmac
|
||||||
|
|
||||||
|
Dependencies
|
||||||
|
============
|
||||||
|
|
||||||
|
The approved mode of operation requires kernel with /dev/urandom RNG running
|
||||||
|
with properties as defined in the security policy of the module. This is
|
||||||
|
provided by kernel packages with validated Red Hat Enterprise Linux Kernel
|
||||||
|
Crytographic Module.
|
||||||
|
|
||||||
|
Installation
|
||||||
|
============
|
||||||
|
|
||||||
|
The RPM package of the module can be installed by standard tools recommended
|
||||||
|
for installation of RPM packages on the Red Hat Enterprise Linux system (yum,
|
||||||
|
rpm, RHN remote management tool).
|
||||||
|
|
||||||
|
The RPM package dracut-fips must be installed for the approved mode of
|
||||||
|
operation.
|
||||||
|
|
||||||
|
Usage and API
|
||||||
|
=============
|
||||||
|
|
||||||
|
The module respects kernel command line FIPS setting. If the kernel command
|
||||||
|
line contains option fips=1 the module will initialize in the FIPS approved
|
||||||
|
mode of operation automatically. To allow for the automatic initialization the
|
||||||
|
application using the module has to call one of the following API calls:
|
||||||
|
|
||||||
|
- void OPENSSL_init_library(void) - this will do only a basic initialization
|
||||||
|
of the library and does initialization of the FIPS approved mode without setting
|
||||||
|
up EVP API with supported algorithms.
|
||||||
|
|
||||||
|
- void OPENSSL_add_all_algorithms(void) - this API function calls
|
||||||
|
OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API
|
||||||
|
in the approved mode
|
||||||
|
|
||||||
|
- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also
|
||||||
|
adds algorithms which are necessary for TLS protocol support and initializes
|
||||||
|
the SSL library.
|
||||||
|
|
||||||
|
To explicitely put the library to the approved mode the application can call
|
||||||
|
the following function:
|
||||||
|
|
||||||
|
- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch
|
||||||
|
the library from the non-approved to the approved mode. If any of the selftests
|
||||||
|
and integrity verification tests fail, the library is put into the error state
|
||||||
|
and 0 is returned. If they succeed the return value is 1.
|
||||||
|
|
||||||
|
To query the module whether it is in the approved mode or not:
|
||||||
|
|
||||||
|
- int FIPS_mode(void) - returns 1 if the module is in the approved mode,
|
||||||
|
0 otherwise.
|
||||||
|
|
||||||
|
To query whether the module is in the error state:
|
||||||
|
|
||||||
|
- int FIPS_selftest_failed(void) - returns 1 if the module is in the error
|
||||||
|
state, 0 otherwise.
|
||||||
|
|
||||||
|
To zeroize the FIPS RNG key and internal state the application calls:
|
||||||
|
|
||||||
|
- void RAND_cleanup(void)
|
@ -1,47 +0,0 @@
|
|||||||
/* This file is here to prevent a file conflict on multiarch systems. A
|
|
||||||
* conflict will frequently occur because arch-specific build-time
|
|
||||||
* configuration options are stored (and used, so they can't just be stripped
|
|
||||||
* out) in configuration.h. The original configuration.h has been renamed.
|
|
||||||
* DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
|
|
||||||
|
|
||||||
#ifdef openssl_conf_multilib_redirection_h
|
|
||||||
#error "Do not define openssl_conf_multilib_redirection_h!"
|
|
||||||
#endif
|
|
||||||
#define openssl_conf_multilib_redirection_h
|
|
||||||
|
|
||||||
#if defined(__i386__)
|
|
||||||
#include "configuration-i386.h"
|
|
||||||
#elif defined(__ia64__)
|
|
||||||
#include "configuration-ia64.h"
|
|
||||||
#elif defined(__mips64) && defined(__MIPSEL__)
|
|
||||||
#include "configuration-mips64el.h"
|
|
||||||
#elif defined(__mips64)
|
|
||||||
#include "configuration-mips64.h"
|
|
||||||
#elif defined(__mips) && defined(__MIPSEL__)
|
|
||||||
#include "configuration-mipsel.h"
|
|
||||||
#elif defined(__mips)
|
|
||||||
#include "configuration-mips.h"
|
|
||||||
#elif defined(__powerpc64__)
|
|
||||||
#include <endian.h>
|
|
||||||
#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
|
|
||||||
#include "configuration-ppc64.h"
|
|
||||||
#else
|
|
||||||
#include "configuration-ppc64le.h"
|
|
||||||
#endif
|
|
||||||
#elif defined(__powerpc__)
|
|
||||||
#include "configuration-ppc.h"
|
|
||||||
#elif defined(__s390x__)
|
|
||||||
#include "configuration-s390x.h"
|
|
||||||
#elif defined(__s390__)
|
|
||||||
#include "configuration-s390.h"
|
|
||||||
#elif defined(__sparc__) && defined(__arch64__)
|
|
||||||
#include "configuration-sparc64.h"
|
|
||||||
#elif defined(__sparc__)
|
|
||||||
#include "configuration-sparc.h"
|
|
||||||
#elif defined(__x86_64__)
|
|
||||||
#include "configuration-x86_64.h"
|
|
||||||
#else
|
|
||||||
#error "The openssl-devel package does not work your architecture?"
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#undef openssl_conf_multilib_redirection_h
|
|
582
SOURCES/ec_curve.c
Normal file
582
SOURCES/ec_curve.c
Normal file
@ -0,0 +1,582 @@
|
|||||||
|
/*
|
||||||
|
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||||
|
*
|
||||||
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
* in the file LICENSE in the source distribution or at
|
||||||
|
* https://www.openssl.org/source/license.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
#include "ec_local.h"
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/obj_mac.h>
|
||||||
|
#include <openssl/opensslconf.h>
|
||||||
|
#include "internal/nelem.h"
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
int field_type, /* either NID_X9_62_prime_field or
|
||||||
|
* NID_X9_62_characteristic_two_field */
|
||||||
|
seed_len, param_len;
|
||||||
|
unsigned int cofactor; /* promoted to BN_ULONG */
|
||||||
|
} EC_CURVE_DATA;
|
||||||
|
|
||||||
|
/* the nist prime curves */
|
||||||
|
static const struct {
|
||||||
|
EC_CURVE_DATA h;
|
||||||
|
unsigned char data[20 + 28 * 6];
|
||||||
|
} _EC_NIST_PRIME_224 = {
|
||||||
|
{
|
||||||
|
NID_X9_62_prime_field, 20, 28, 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
/* seed */
|
||||||
|
0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F,
|
||||||
|
0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5,
|
||||||
|
/* p */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x01,
|
||||||
|
/* a */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFE,
|
||||||
|
/* b */
|
||||||
|
0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
|
||||||
|
0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
|
||||||
|
0x23, 0x55, 0xFF, 0xB4,
|
||||||
|
/* x */
|
||||||
|
0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
|
||||||
|
0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
|
||||||
|
0x11, 0x5C, 0x1D, 0x21,
|
||||||
|
/* y */
|
||||||
|
0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
|
||||||
|
0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
|
||||||
|
0x85, 0x00, 0x7e, 0x34,
|
||||||
|
/* order */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
|
||||||
|
0x5C, 0x5C, 0x2A, 0x3D
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
static const struct {
|
||||||
|
EC_CURVE_DATA h;
|
||||||
|
unsigned char data[20 + 48 * 6];
|
||||||
|
} _EC_NIST_PRIME_384 = {
|
||||||
|
{
|
||||||
|
NID_X9_62_prime_field, 20, 48, 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
/* seed */
|
||||||
|
0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
|
||||||
|
0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
|
||||||
|
/* p */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
/* a */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||||
|
/* b */
|
||||||
|
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
|
||||||
|
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
|
||||||
|
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
|
||||||
|
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
|
||||||
|
/* x */
|
||||||
|
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
|
||||||
|
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
|
||||||
|
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
|
||||||
|
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
|
||||||
|
/* y */
|
||||||
|
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
|
||||||
|
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
|
||||||
|
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
|
||||||
|
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
|
||||||
|
/* order */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
|
||||||
|
0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
static const struct {
|
||||||
|
EC_CURVE_DATA h;
|
||||||
|
unsigned char data[20 + 66 * 6];
|
||||||
|
} _EC_NIST_PRIME_521 = {
|
||||||
|
{
|
||||||
|
NID_X9_62_prime_field, 20, 66, 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
/* seed */
|
||||||
|
0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
|
||||||
|
0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
|
||||||
|
/* p */
|
||||||
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
/* a */
|
||||||
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||||
|
/* b */
|
||||||
|
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
|
||||||
|
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
|
||||||
|
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
|
||||||
|
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
|
||||||
|
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
|
||||||
|
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
|
||||||
|
/* x */
|
||||||
|
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
|
||||||
|
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
|
||||||
|
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
|
||||||
|
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
|
||||||
|
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
|
||||||
|
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
|
||||||
|
/* y */
|
||||||
|
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
|
||||||
|
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
|
||||||
|
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
|
||||||
|
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
|
||||||
|
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
|
||||||
|
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
|
||||||
|
/* order */
|
||||||
|
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
|
||||||
|
0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
|
||||||
|
0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
|
||||||
|
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
static const struct {
|
||||||
|
EC_CURVE_DATA h;
|
||||||
|
unsigned char data[20 + 32 * 6];
|
||||||
|
} _EC_X9_62_PRIME_256V1 = {
|
||||||
|
{
|
||||||
|
NID_X9_62_prime_field, 20, 32, 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
/* seed */
|
||||||
|
0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
|
||||||
|
0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
|
||||||
|
/* p */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
/* a */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||||
|
/* b */
|
||||||
|
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
|
||||||
|
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
|
||||||
|
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
|
||||||
|
/* x */
|
||||||
|
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
|
||||||
|
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
|
||||||
|
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
|
||||||
|
/* y */
|
||||||
|
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
|
||||||
|
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
|
||||||
|
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
|
||||||
|
/* order */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
|
||||||
|
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
static const struct {
|
||||||
|
EC_CURVE_DATA h;
|
||||||
|
unsigned char data[0 + 32 * 6];
|
||||||
|
} _EC_SECG_PRIME_256K1 = {
|
||||||
|
{
|
||||||
|
NID_X9_62_prime_field, 0, 32, 1
|
||||||
|
},
|
||||||
|
{
|
||||||
|
/* no seed */
|
||||||
|
/* p */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
|
||||||
|
/* a */
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
/* b */
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
|
||||||
|
/* x */
|
||||||
|
0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
|
||||||
|
0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
|
||||||
|
0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
|
||||||
|
/* y */
|
||||||
|
0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
|
||||||
|
0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
|
||||||
|
0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
|
||||||
|
/* order */
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||||
|
0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
|
||||||
|
0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
typedef struct _ec_list_element_st {
|
||||||
|
int nid;
|
||||||
|
const EC_CURVE_DATA *data;
|
||||||
|
const EC_METHOD *(*meth) (void);
|
||||||
|
const char *comment;
|
||||||
|
} ec_list_element;
|
||||||
|
|
||||||
|
static const ec_list_element curve_list[] = {
|
||||||
|
/* prime field curves */
|
||||||
|
/* secg curves */
|
||||||
|
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||||
|
{NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||||
|
"NIST/SECG curve over a 224 bit prime field"},
|
||||||
|
#else
|
||||||
|
{NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
||||||
|
"NIST/SECG curve over a 224 bit prime field"},
|
||||||
|
#endif
|
||||||
|
{NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
||||||
|
"SECG curve over a 256 bit prime field"},
|
||||||
|
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||||
|
{NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
|
||||||
|
"NIST/SECG curve over a 384 bit prime field"},
|
||||||
|
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||||
|
{NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
|
||||||
|
"NIST/SECG curve over a 521 bit prime field"},
|
||||||
|
#else
|
||||||
|
{NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
|
||||||
|
"NIST/SECG curve over a 521 bit prime field"},
|
||||||
|
#endif
|
||||||
|
/* X9.62 curves */
|
||||||
|
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||||
|
#if defined(ECP_NISTZ256_ASM)
|
||||||
|
EC_GFp_nistz256_method,
|
||||||
|
#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||||
|
EC_GFp_nistp256_method,
|
||||||
|
#else
|
||||||
|
0,
|
||||||
|
#endif
|
||||||
|
"X9.62/SECG curve over a 256 bit prime field"},
|
||||||
|
};
|
||||||
|
|
||||||
|
#define curve_list_length OSSL_NELEM(curve_list)
|
||||||
|
|
||||||
|
static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
|
||||||
|
{
|
||||||
|
EC_GROUP *group = NULL;
|
||||||
|
EC_POINT *P = NULL;
|
||||||
|
BN_CTX *ctx = NULL;
|
||||||
|
BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
|
||||||
|
NULL;
|
||||||
|
int ok = 0;
|
||||||
|
int seed_len, param_len;
|
||||||
|
const EC_METHOD *meth;
|
||||||
|
const EC_CURVE_DATA *data;
|
||||||
|
const unsigned char *params;
|
||||||
|
|
||||||
|
/* If no curve data curve method must handle everything */
|
||||||
|
if (curve.data == NULL)
|
||||||
|
return EC_GROUP_new(curve.meth != NULL ? curve.meth() : NULL);
|
||||||
|
|
||||||
|
if ((ctx = BN_CTX_new()) == NULL) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
data = curve.data;
|
||||||
|
seed_len = data->seed_len;
|
||||||
|
param_len = data->param_len;
|
||||||
|
params = (const unsigned char *)(data + 1); /* skip header */
|
||||||
|
params += seed_len; /* skip seed */
|
||||||
|
|
||||||
|
if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL
|
||||||
|
|| (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL
|
||||||
|
|| (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (curve.meth != 0) {
|
||||||
|
meth = curve.meth();
|
||||||
|
if (((group = EC_GROUP_new(meth)) == NULL) ||
|
||||||
|
(!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
} else if (data->field_type == NID_X9_62_prime_field) {
|
||||||
|
if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#ifndef OPENSSL_NO_EC2M
|
||||||
|
else { /* field_type ==
|
||||||
|
* NID_X9_62_characteristic_two_field */
|
||||||
|
|
||||||
|
if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
EC_GROUP_set_curve_name(group, curve.nid);
|
||||||
|
|
||||||
|
if ((P = EC_POINT_new(group)) == NULL) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL
|
||||||
|
|| (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL
|
||||||
|
|| !BN_set_word(x, (BN_ULONG)data->cofactor)) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
if (!EC_GROUP_set_generator(group, P, order, x)) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
if (seed_len) {
|
||||||
|
if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ok = 1;
|
||||||
|
err:
|
||||||
|
if (!ok) {
|
||||||
|
EC_GROUP_free(group);
|
||||||
|
group = NULL;
|
||||||
|
}
|
||||||
|
EC_POINT_free(P);
|
||||||
|
BN_CTX_free(ctx);
|
||||||
|
BN_free(p);
|
||||||
|
BN_free(a);
|
||||||
|
BN_free(b);
|
||||||
|
BN_free(order);
|
||||||
|
BN_free(x);
|
||||||
|
BN_free(y);
|
||||||
|
return group;
|
||||||
|
}
|
||||||
|
|
||||||
|
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
EC_GROUP *ret = NULL;
|
||||||
|
|
||||||
|
if (nid <= 0)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
for (i = 0; i < curve_list_length; i++)
|
||||||
|
if (curve_list[i].nid == nid) {
|
||||||
|
ret = ec_group_new_from_data(curve_list[i]);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ret == NULL) {
|
||||||
|
ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||||
|
{
|
||||||
|
size_t i, min;
|
||||||
|
|
||||||
|
if (r == NULL || nitems == 0)
|
||||||
|
return curve_list_length;
|
||||||
|
|
||||||
|
min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||||
|
|
||||||
|
for (i = 0; i < min; i++) {
|
||||||
|
r[i].nid = curve_list[i].nid;
|
||||||
|
r[i].comment = curve_list[i].comment;
|
||||||
|
}
|
||||||
|
|
||||||
|
return curve_list_length;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Functions to translate between common NIST curve names and NIDs */
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
const char *name; /* NIST Name of curve */
|
||||||
|
int nid; /* Curve NID */
|
||||||
|
} EC_NIST_NAME;
|
||||||
|
|
||||||
|
static EC_NIST_NAME nist_curves[] = {
|
||||||
|
{"B-163", NID_sect163r2},
|
||||||
|
{"B-233", NID_sect233r1},
|
||||||
|
{"B-283", NID_sect283r1},
|
||||||
|
{"B-409", NID_sect409r1},
|
||||||
|
{"B-571", NID_sect571r1},
|
||||||
|
{"K-163", NID_sect163k1},
|
||||||
|
{"K-233", NID_sect233k1},
|
||||||
|
{"K-283", NID_sect283k1},
|
||||||
|
{"K-409", NID_sect409k1},
|
||||||
|
{"K-571", NID_sect571k1},
|
||||||
|
{"P-192", NID_X9_62_prime192v1},
|
||||||
|
{"P-224", NID_secp224r1},
|
||||||
|
{"P-256", NID_X9_62_prime256v1},
|
||||||
|
{"P-384", NID_secp384r1},
|
||||||
|
{"P-521", NID_secp521r1}
|
||||||
|
};
|
||||||
|
|
||||||
|
const char *EC_curve_nid2nist(int nid)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
for (i = 0; i < OSSL_NELEM(nist_curves); i++) {
|
||||||
|
if (nist_curves[i].nid == nid)
|
||||||
|
return nist_curves[i].name;
|
||||||
|
}
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
int EC_curve_nist2nid(const char *name)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
for (i = 0; i < OSSL_NELEM(nist_curves); i++) {
|
||||||
|
if (strcmp(nist_curves[i].name, name) == 0)
|
||||||
|
return nist_curves[i].nid;
|
||||||
|
}
|
||||||
|
return NID_undef;
|
||||||
|
}
|
||||||
|
|
||||||
|
#define NUM_BN_FIELDS 6
|
||||||
|
/*
|
||||||
|
* Validates EC domain parameter data for known named curves.
|
||||||
|
* This can be used when a curve is loaded explicitly (without a curve
|
||||||
|
* name) or to validate that domain parameters have not been modified.
|
||||||
|
*
|
||||||
|
* Returns: The nid associated with the found named curve, or NID_undef
|
||||||
|
* if not found. If there was an error it returns -1.
|
||||||
|
*/
|
||||||
|
int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
|
||||||
|
{
|
||||||
|
int ret = -1, nid, len, field_type, param_len;
|
||||||
|
size_t i, seed_len;
|
||||||
|
const unsigned char *seed, *params_seed, *params;
|
||||||
|
unsigned char *param_bytes = NULL;
|
||||||
|
const EC_CURVE_DATA *data;
|
||||||
|
const EC_POINT *generator = NULL;
|
||||||
|
const EC_METHOD *meth;
|
||||||
|
const BIGNUM *cofactor = NULL;
|
||||||
|
/* An array of BIGNUMs for (p, a, b, x, y, order) */
|
||||||
|
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
|
||||||
|
|
||||||
|
meth = EC_GROUP_method_of(group);
|
||||||
|
if (meth == NULL)
|
||||||
|
return -1;
|
||||||
|
/* Use the optional named curve nid as a search field */
|
||||||
|
nid = EC_GROUP_get_curve_name(group);
|
||||||
|
field_type = EC_METHOD_get_field_type(meth);
|
||||||
|
seed_len = EC_GROUP_get_seed_len(group);
|
||||||
|
seed = EC_GROUP_get0_seed(group);
|
||||||
|
cofactor = EC_GROUP_get0_cofactor(group);
|
||||||
|
|
||||||
|
BN_CTX_start(ctx);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* The built-in curves contains data fields (p, a, b, x, y, order) that are
|
||||||
|
* all zero-padded to be the same size. The size of the padding is
|
||||||
|
* determined by either the number of bytes in the field modulus (p) or the
|
||||||
|
* EC group order, whichever is larger.
|
||||||
|
*/
|
||||||
|
param_len = BN_num_bytes(group->order);
|
||||||
|
len = BN_num_bytes(group->field);
|
||||||
|
if (len > param_len)
|
||||||
|
param_len = len;
|
||||||
|
|
||||||
|
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
|
||||||
|
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
|
||||||
|
if (param_bytes == NULL)
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
/* Create the bignums */
|
||||||
|
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||||
|
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
/*
|
||||||
|
* Fill in the bn array with the same values as the internal curves
|
||||||
|
* i.e. the values are p, a, b, x, y, order.
|
||||||
|
*/
|
||||||
|
/* Get p, a & b */
|
||||||
|
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
|
||||||
|
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
|
||||||
|
/* Get x & y */
|
||||||
|
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
|
||||||
|
/* Get order */
|
||||||
|
&& EC_GROUP_get_order(group, bn[5], ctx)))
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Convert the bignum array to bytes that are joined together to form
|
||||||
|
* a single buffer that contains data for all fields.
|
||||||
|
* (p, a, b, x, y, order) are all zero padded to be the same size.
|
||||||
|
*/
|
||||||
|
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||||
|
if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < curve_list_length; i++) {
|
||||||
|
const ec_list_element curve = curve_list[i];
|
||||||
|
|
||||||
|
data = curve.data;
|
||||||
|
/* Get the raw order byte data */
|
||||||
|
params_seed = (const unsigned char *)(data + 1); /* skip header */
|
||||||
|
params = params_seed + data->seed_len;
|
||||||
|
|
||||||
|
/* Look for unique fields in the fixed curve data */
|
||||||
|
if (data->field_type == field_type
|
||||||
|
&& param_len == data->param_len
|
||||||
|
&& (nid <= 0 || nid == curve.nid)
|
||||||
|
/* check the optional cofactor (ignore if its zero) */
|
||||||
|
&& (BN_is_zero(cofactor)
|
||||||
|
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
|
||||||
|
/* Check the optional seed (ignore if its not set) */
|
||||||
|
&& (data->seed_len == 0 || seed_len == 0
|
||||||
|
|| ((size_t)data->seed_len == seed_len
|
||||||
|
&& memcmp(params_seed, seed, seed_len) == 0))
|
||||||
|
/* Check that the groups params match the built-in curve params */
|
||||||
|
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
|
||||||
|
== 0) {
|
||||||
|
ret = curve.nid;
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/* Gets here if the group was not found */
|
||||||
|
ret = NID_undef;
|
||||||
|
end:
|
||||||
|
OPENSSL_free(param_bytes);
|
||||||
|
BN_CTX_end(ctx);
|
||||||
|
return ret;
|
||||||
|
}
|
1546
SOURCES/ectest.c
Normal file
1546
SOURCES/ectest.c
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,26 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
if [ $# -ne 2 ] ; then
|
|
||||||
echo "Usage:"
|
|
||||||
echo " $0 <git-dir> <base-tag>"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
git_dir="$1"
|
|
||||||
base_tag="$2"
|
|
||||||
|
|
||||||
target_dir="$(pwd)"
|
|
||||||
|
|
||||||
pushd "$git_dir" >/dev/null
|
|
||||||
git format-patch -k -o "$target_dir" "$base_tag" >/dev/null
|
|
||||||
popd >/dev/null
|
|
||||||
|
|
||||||
echo "# Patches exported from source git"
|
|
||||||
|
|
||||||
i=1
|
|
||||||
for p in *.patch ; do
|
|
||||||
printf "# "
|
|
||||||
sed '/^Subject:/{s/^Subject: //;p};d' "$p"
|
|
||||||
printf "Patch%s: %s\n" $i "$p"
|
|
||||||
i=$(($i + 1))
|
|
||||||
done
|
|
40
SOURCES/hobble-openssl
Executable file
40
SOURCES/hobble-openssl
Executable file
@ -0,0 +1,40 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
# Quit out if anything fails.
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Clean out patent-or-otherwise-encumbered code.
|
||||||
|
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
|
||||||
|
# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
|
||||||
|
# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
|
||||||
|
# EC: ????????? ??/??/2020
|
||||||
|
# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore
|
||||||
|
|
||||||
|
# Remove assembler portions of IDEA, MDC2, and RC5.
|
||||||
|
# (find crypto/rc5/asm -type f | xargs -r rm -fv)
|
||||||
|
|
||||||
|
for c in `find crypto/bn -name "*gf2m.c"`; do
|
||||||
|
echo Destroying $c
|
||||||
|
> $c
|
||||||
|
done
|
||||||
|
|
||||||
|
for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do
|
||||||
|
echo Destroying $c
|
||||||
|
> $c
|
||||||
|
done
|
||||||
|
|
||||||
|
for c in `find test -name "ectest.c"`; do
|
||||||
|
echo Destroying $c
|
||||||
|
> $c
|
||||||
|
done
|
||||||
|
|
||||||
|
for h in `find crypto ssl apps test -name "*.h"` ; do
|
||||||
|
echo Removing EC2M references from $h
|
||||||
|
cat $h | \
|
||||||
|
awk 'BEGIN {ech=1;} \
|
||||||
|
/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
|
||||||
|
/^#[ \t]*if/ {if(ech < 1) ech--;} \
|
||||||
|
{if(ech>0) {;print $0};} \
|
||||||
|
/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
|
||||||
|
mv $h.hobbled $h
|
||||||
|
done
|
31
SOURCES/openssl-1.1.1-addrconfig.patch
Normal file
31
SOURCES/openssl-1.1.1-addrconfig.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
From a3f4cd5019b60649f6eb216ebe99caa43cd96f8e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <dueno@redhat.com>
|
||||||
|
Date: Mon, 26 Apr 2021 14:40:17 +0200
|
||||||
|
Subject: [PATCH] BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name
|
||||||
|
is given
|
||||||
|
|
||||||
|
The flag only affects which record types are queried (A or AAAA, or
|
||||||
|
both), and when node is NULL, it prevents getaddrinfo returning the
|
||||||
|
right address associated with the loopback interface.
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
||||||
|
---
|
||||||
|
crypto/bio/b_addr.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c
|
||||||
|
index b023bbda40..ea15601f3d 100644
|
||||||
|
--- a/crypto/bio/b_addr.c
|
||||||
|
+++ b/crypto/bio/b_addr.c
|
||||||
|
@@ -689,7 +689,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
|
||||||
|
hints.ai_protocol = protocol;
|
||||||
|
# ifdef AI_ADDRCONFIG
|
||||||
|
# ifdef AF_UNSPEC
|
||||||
|
- if (family == AF_UNSPEC)
|
||||||
|
+ if (host != NULL && family == AF_UNSPEC)
|
||||||
|
# endif
|
||||||
|
hints.ai_flags |= AI_ADDRCONFIG;
|
||||||
|
# endif
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
27
SOURCES/openssl-1.1.1-alpn-cb.patch
Normal file
27
SOURCES/openssl-1.1.1-alpn-cb.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
commit 9e885a707d604e9528b5491b78fb9c00f41193fc
|
||||||
|
Author: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu Mar 26 15:59:00 2020 +0100
|
||||||
|
|
||||||
|
s_server: Properly indicate ALPN protocol mismatch
|
||||||
|
|
||||||
|
Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
|
||||||
|
an alert is sent to the client on ALPN protocol mismatch.
|
||||||
|
|
||||||
|
Fixes: #2708
|
||||||
|
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
(Merged from https://github.com/openssl/openssl/pull/11415)
|
||||||
|
|
||||||
|
diff --git a/apps/s_server.c b/apps/s_server.c
|
||||||
|
index bcc83e562c..591c6c19c5 100644
|
||||||
|
--- a/apps/s_server.c
|
||||||
|
+++ b/apps/s_server.c
|
||||||
|
@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
|
||||||
|
if (SSL_select_next_proto
|
||||||
|
((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
|
||||||
|
inlen) != OPENSSL_NPN_NEGOTIATED) {
|
||||||
|
- return SSL_TLSEXT_ERR_NOACK;
|
||||||
|
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!s_quiet) {
|
12
SOURCES/openssl-1.1.1-apps-dgst.patch
Normal file
12
SOURCES/openssl-1.1.1-apps-dgst.patch
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
diff -up openssl-1.1.1b/apps/ca.c.dgst openssl-1.1.1b/apps/ca.c
|
||||||
|
--- openssl-1.1.1b/apps/ca.c.dgst 2019-02-26 15:15:30.000000000 +0100
|
||||||
|
+++ openssl-1.1.1b/apps/ca.c 2019-03-15 15:53:46.622267688 +0100
|
||||||
|
@@ -169,7 +169,7 @@ const OPTIONS ca_options[] = {
|
||||||
|
{"enddate", OPT_ENDDATE, 's',
|
||||||
|
"YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
|
||||||
|
{"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
|
||||||
|
- {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
|
||||||
|
+ {"md", OPT_MD, 's', "md to use; see openssl help for list"},
|
||||||
|
{"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
|
||||||
|
{"keyfile", OPT_KEYFILE, 's', "Private key"},
|
||||||
|
{"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
|
3706
SOURCES/openssl-1.1.1-arm-update.patch
Normal file
3706
SOURCES/openssl-1.1.1-arm-update.patch
Normal file
File diff suppressed because it is too large
Load Diff
40
SOURCES/openssl-1.1.1-build.patch
Normal file
40
SOURCES/openssl-1.1.1-build.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
|
||||||
|
--- openssl-1.1.1f/Configurations/10-main.conf.build 2020-03-31 14:17:45.000000000 +0200
|
||||||
|
+++ openssl-1.1.1f/Configurations/10-main.conf 2020-04-07 16:42:10.920546387 +0200
|
||||||
|
@@ -678,6 +678,7 @@ my %targets = (
|
||||||
|
cxxflags => add("-m64"),
|
||||||
|
lib_cppflags => add("-DL_ENDIAN"),
|
||||||
|
perlasm_scheme => "linux64le",
|
||||||
|
+ multilib => "64",
|
||||||
|
},
|
||||||
|
|
||||||
|
"linux-armv4" => {
|
||||||
|
@@ -718,6 +719,7 @@ my %targets = (
|
||||||
|
"linux-aarch64" => {
|
||||||
|
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
|
||||||
|
perlasm_scheme => "linux64",
|
||||||
|
+ multilib => "64",
|
||||||
|
},
|
||||||
|
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||||
|
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
|
||||||
|
diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
|
||||||
|
--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build 2020-04-07 16:42:10.920546387 +0200
|
||||||
|
+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:44:23.539142108 +0200
|
||||||
|
@@ -823,7 +823,7 @@ uninstall_runtime_libs:
|
||||||
|
install_man_docs:
|
||||||
|
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||||
|
@$(ECHO) "*** Installing manpages"
|
||||||
|
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||||
|
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||||
|
"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
|
||||||
|
|
||||||
|
uninstall_man_docs:
|
||||||
|
@@ -835,7 +835,7 @@ uninstall_man_docs:
|
||||||
|
install_html_docs:
|
||||||
|
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||||
|
@$(ECHO) "*** Installing HTML manpages"
|
||||||
|
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||||
|
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||||
|
"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
|
||||||
|
|
||||||
|
uninstall_html_docs:
|
36
SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch
Normal file
36
SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
|
||||||
|
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
|
||||||
|
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
|
||||||
|
@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
|
||||||
|
#ifndef OPENSSL_NO_SRP
|
||||||
|
static int init_srp(SSL *s, unsigned int context);
|
||||||
|
#endif
|
||||||
|
+static int init_ec_point_formats(SSL *s, unsigned int context);
|
||||||
|
static int init_etm(SSL *s, unsigned int context);
|
||||||
|
static int init_ems(SSL *s, unsigned int context);
|
||||||
|
static int final_ems(SSL *s, unsigned int context, int sent);
|
||||||
|
@@ -158,7 +159,7 @@ static const EXTENSION_DEFINITION ext_de
|
||||||
|
TLSEXT_TYPE_ec_point_formats,
|
||||||
|
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
|
||||||
|
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
|
||||||
|
- NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
|
||||||
|
+ init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
|
||||||
|
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
|
||||||
|
final_ec_pt_formats
|
||||||
|
},
|
||||||
|
@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+static int init_ec_point_formats(SSL *s, unsigned int context)
|
||||||
|
+{
|
||||||
|
+ OPENSSL_free(s->ext.peer_ecpointformats);
|
||||||
|
+ s->ext.peer_ecpointformats = NULL;
|
||||||
|
+ s->ext.peer_ecpointformats_len = 0;
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int init_etm(SSL *s, unsigned int context)
|
||||||
|
{
|
||||||
|
s->ext.use_etm = 0;
|
56
SOURCES/openssl-1.1.1-conf-paths.patch
Normal file
56
SOURCES/openssl-1.1.1-conf-paths.patch
Normal file
@ -0,0 +1,56 @@
|
|||||||
|
diff -up openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths openssl-1.1.1-pre8/apps/CA.pl.in
|
||||||
|
--- openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths 2018-06-20 16:48:09.000000000 +0200
|
||||||
|
+++ openssl-1.1.1-pre8/apps/CA.pl.in 2018-07-25 17:26:58.388624296 +0200
|
||||||
|
@@ -33,7 +33,7 @@ my $X509 = "$openssl x509";
|
||||||
|
my $PKCS12 = "$openssl pkcs12";
|
||||||
|
|
||||||
|
# default openssl.cnf file has setup as per the following
|
||||||
|
-my $CATOP = "./demoCA";
|
||||||
|
+my $CATOP = "/etc/pki/CA";
|
||||||
|
my $CAKEY = "cakey.pem";
|
||||||
|
my $CAREQ = "careq.pem";
|
||||||
|
my $CACERT = "cacert.pem";
|
||||||
|
diff -up openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths openssl-1.1.1-pre8/apps/openssl.cnf
|
||||||
|
--- openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths 2018-07-25 17:26:58.378624057 +0200
|
||||||
|
+++ openssl-1.1.1-pre8/apps/openssl.cnf 2018-07-27 13:20:08.198513471 +0200
|
||||||
|
@@ -23,6 +23,22 @@ oid_section = new_oids
|
||||||
|
# (Alternatively, use a configuration file that has only
|
||||||
|
# X.509v3 extensions in its main [= default] section.)
|
||||||
|
|
||||||
|
+# Load default TLS policy configuration
|
||||||
|
+
|
||||||
|
+openssl_conf = default_modules
|
||||||
|
+
|
||||||
|
+[ default_modules ]
|
||||||
|
+
|
||||||
|
+ssl_conf = ssl_module
|
||||||
|
+
|
||||||
|
+[ ssl_module ]
|
||||||
|
+
|
||||||
|
+system_default = crypto_policy
|
||||||
|
+
|
||||||
|
+[ crypto_policy ]
|
||||||
|
+
|
||||||
|
+.include /etc/crypto-policies/back-ends/opensslcnf.config
|
||||||
|
+
|
||||||
|
[ new_oids ]
|
||||||
|
|
||||||
|
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
|
||||||
|
@@ -43,7 +59,7 @@ default_ca = CA_default # The default c
|
||||||
|
####################################################################
|
||||||
|
[ CA_default ]
|
||||||
|
|
||||||
|
-dir = ./demoCA # Where everything is kept
|
||||||
|
+dir = /etc/pki/CA # Where everything is kept
|
||||||
|
certs = $dir/certs # Where the issued certs are kept
|
||||||
|
crl_dir = $dir/crl # Where the issued crl are kept
|
||||||
|
database = $dir/index.txt # database index file.
|
||||||
|
@@ -329,7 +345,7 @@ default_tsa = tsa_config1 # the default
|
||||||
|
[ tsa_config1 ]
|
||||||
|
|
||||||
|
# These are used by the TSA reply generation only.
|
||||||
|
-dir = ./demoCA # TSA root directory
|
||||||
|
+dir = /etc/pki/CA # TSA root directory
|
||||||
|
serial = $dir/tsaserial # The current serial number (mandatory)
|
||||||
|
crypto_device = builtin # OpenSSL engine to use for signing
|
||||||
|
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
179
SOURCES/openssl-1.1.1-cve-2022-0778.patch
Normal file
179
SOURCES/openssl-1.1.1-cve-2022-0778.patch
Normal file
@ -0,0 +1,179 @@
|
|||||||
|
From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Mon, 28 Feb 2022 18:26:21 +0100
|
||||||
|
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
|
||||||
|
|
||||||
|
The calculation in some cases does not finish for non-prime p.
|
||||||
|
|
||||||
|
This fixes CVE-2022-0778.
|
||||||
|
|
||||||
|
Based on patch by David Benjamin <davidben@google.com>.
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
---
|
||||||
|
crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
|
||||||
|
1 file changed, 18 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Mon, 28 Feb 2022 18:26:30 +0100
|
||||||
|
Subject: [PATCH] Add documentation of BN_mod_sqrt()
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
---
|
||||||
|
doc/man3/BN_add.pod | 15 +++++++++++++--
|
||||||
|
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Mon, 28 Feb 2022 18:26:35 +0100
|
||||||
|
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
---
|
||||||
|
test/bntest.c | 11 ++++++++++-
|
||||||
|
test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
|
||||||
|
2 files changed, 22 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
|
||||||
|
index 1723d5ded5a8..53b0f559855c 100644
|
||||||
|
--- a/crypto/bn/bn_sqrt.c
|
||||||
|
+++ b/crypto/bn/bn_sqrt.c
|
||||||
|
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||||
|
/*
|
||||||
|
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
|
||||||
|
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
|
||||||
|
- * Theory", algorithm 1.5.1). 'p' must be prime!
|
||||||
|
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
|
||||||
|
+ * an incorrect "result" will be returned.
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
BIGNUM *ret = in;
|
||||||
|
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||||
|
goto vrfy;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* find smallest i such that b^(2^i) = 1 */
|
||||||
|
- i = 1;
|
||||||
|
- if (!BN_mod_sqr(t, b, p, ctx))
|
||||||
|
- goto end;
|
||||||
|
- while (!BN_is_one(t)) {
|
||||||
|
- i++;
|
||||||
|
- if (i == e) {
|
||||||
|
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
|
||||||
|
- goto end;
|
||||||
|
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
|
||||||
|
+ for (i = 1; i < e; i++) {
|
||||||
|
+ if (i == 1) {
|
||||||
|
+ if (!BN_mod_sqr(t, b, p, ctx))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ } else {
|
||||||
|
+ if (!BN_mod_mul(t, t, t, p, ctx))
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
- if (!BN_mod_mul(t, t, t, p, ctx))
|
||||||
|
- goto end;
|
||||||
|
+ if (BN_is_one(t))
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ /* If not found, a is not a square or p is not prime. */
|
||||||
|
+ if (i >= e) {
|
||||||
|
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* t := y^2^(e - i - 1) */
|
||||||
|
diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
|
||||||
|
index dccd4790ede7..1f5e37a4d183 100644
|
||||||
|
--- a/doc/man3/BN_add.pod
|
||||||
|
+++ b/doc/man3/BN_add.pod
|
||||||
|
@@ -3,7 +3,7 @@
|
||||||
|
=head1 NAME
|
||||||
|
|
||||||
|
BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
|
||||||
|
-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
|
||||||
|
+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
|
||||||
|
arithmetic operations on BIGNUMs
|
||||||
|
|
||||||
|
=head1 SYNOPSIS
|
||||||
|
@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
|
||||||
|
|
||||||
|
int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
|
||||||
|
|
||||||
|
+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
|
||||||
|
+
|
||||||
|
int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
|
||||||
|
|
||||||
|
int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
|
||||||
|
@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
|
||||||
|
BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
|
||||||
|
result in I<r>.
|
||||||
|
|
||||||
|
+BN_mod_sqrt() returns the modular square root of I<a> such that
|
||||||
|
+C<in^2 = a (mod p)>. The modulus I<p> must be a
|
||||||
|
+prime, otherwise an error or an incorrect "result" will be returned.
|
||||||
|
+The result is stored into I<in> which can be NULL. The result will be
|
||||||
|
+newly allocated in that case.
|
||||||
|
+
|
||||||
|
BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
|
||||||
|
(C<r=a^p>). This function is faster than repeated applications of
|
||||||
|
BN_mul().
|
||||||
|
@@ -108,7 +116,10 @@ the arguments.
|
||||||
|
|
||||||
|
=head1 RETURN VALUES
|
||||||
|
|
||||||
|
-For all functions, 1 is returned for success, 0 on error. The return
|
||||||
|
+The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
|
||||||
|
+not a prime), or NULL.
|
||||||
|
+
|
||||||
|
+For all remaining functions, 1 is returned for success, 0 on error. The return
|
||||||
|
value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
|
||||||
|
The error codes can be obtained by L<ERR_get_error(3)>.
|
||||||
|
|
||||||
|
diff --git a/test/bntest.c b/test/bntest.c
|
||||||
|
index 390dd800733e..1cab660bcafb 100644
|
||||||
|
--- a/test/bntest.c
|
||||||
|
+++ b/test/bntest.c
|
||||||
|
@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
|
||||||
|
|| !TEST_ptr(ret2 = BN_new()))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
+ if (BN_is_negative(mod_sqrt)) {
|
||||||
|
+ /* A negative testcase */
|
||||||
|
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ st = 1;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* There are two possible answers. */
|
||||||
|
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
|
||||||
|
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|
||||||
|
|| !TEST_true(BN_sub(ret2, p, ret)))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
|
||||||
|
index 5ea4d031f271..e28cc6bfb02e 100644
|
||||||
|
--- a/test/recipes/10-test_bn_data/bnmod.txt
|
||||||
|
+++ b/test/recipes/10-test_bn_data/bnmod.txt
|
||||||
|
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
||||||
|
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
|
||||||
|
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
|
||||||
|
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
||||||
|
+
|
||||||
|
+# Negative testcases for BN_mod_sqrt()
|
||||||
|
+
|
||||||
|
+# This one triggers an infinite loop with unfixed implementation
|
||||||
|
+# It should just fail.
|
||||||
|
+ModSqrt = -1
|
||||||
|
+A = 20a7ee
|
||||||
|
+P = 460201
|
||||||
|
+
|
||||||
|
+ModSqrt = -1
|
||||||
|
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
|
||||||
|
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
74
SOURCES/openssl-1.1.1-cve-2022-1292.patch
Normal file
74
SOURCES/openssl-1.1.1-cve-2022-1292.patch
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Tue, 26 Apr 2022 12:40:24 +0200
|
||||||
|
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
|
||||||
|
|
||||||
|
Except on VMS where it is safe.
|
||||||
|
|
||||||
|
This fixes CVE-2022-1292.
|
||||||
|
|
||||||
|
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23]
|
||||||
|
---
|
||||||
|
tools/c_rehash.in | 29 +++++++++++++++++++++++++----
|
||||||
|
1 file changed, 25 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
|
||||||
|
index fa7c6c9fef91..83c1cc80e08a 100644
|
||||||
|
--- a/tools/c_rehash.in
|
||||||
|
+++ b/tools/c_rehash.in
|
||||||
|
@@ -152,6 +152,23 @@ sub check_file {
|
||||||
|
return ($is_cert, $is_crl);
|
||||||
|
}
|
||||||
|
|
||||||
|
+sub compute_hash {
|
||||||
|
+ my $fh;
|
||||||
|
+ if ( $^O eq "VMS" ) {
|
||||||
|
+ # VMS uses the open through shell
|
||||||
|
+ # The file names are safe there and list form is unsupported
|
||||||
|
+ if (!open($fh, "-|", join(' ', @_))) {
|
||||||
|
+ print STDERR "Cannot compute hash on '$fname'\n";
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (!open($fh, "-|", @_)) {
|
||||||
|
+ print STDERR "Cannot compute hash on '$fname'\n";
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return (<$fh>, <$fh>);
|
||||||
|
+}
|
||||||
|
|
||||||
|
# Link a certificate to its subject name hash value, each hash is of
|
||||||
|
# the form <hash>.<n> where n is an integer. If the hash value already exists
|
||||||
|
@@ -161,10 +178,12 @@ sub check_file {
|
||||||
|
|
||||||
|
sub link_hash_cert {
|
||||||
|
my $fname = $_[0];
|
||||||
|
- $fname =~ s/\"/\\\"/g;
|
||||||
|
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
|
||||||
|
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
|
||||||
|
+ "-fingerprint", "-noout",
|
||||||
|
+ "-in", $fname);
|
||||||
|
chomp $hash;
|
||||||
|
chomp $fprint;
|
||||||
|
+ return if !$hash;
|
||||||
|
$fprint =~ s/^.*=//;
|
||||||
|
$fprint =~ tr/://d;
|
||||||
|
my $suffix = 0;
|
||||||
|
@@ -202,10 +221,12 @@ sub link_hash_cert {
|
||||||
|
|
||||||
|
sub link_hash_crl {
|
||||||
|
my $fname = $_[0];
|
||||||
|
- $fname =~ s/'/'\\''/g;
|
||||||
|
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
|
||||||
|
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
|
||||||
|
+ "-fingerprint", "-noout",
|
||||||
|
+ "-in", $fname);
|
||||||
|
chomp $hash;
|
||||||
|
chomp $fprint;
|
||||||
|
+ return if !$hash;
|
||||||
|
$fprint =~ s/^.*=//;
|
||||||
|
$fprint =~ tr/://d;
|
||||||
|
my $suffix = 0;
|
255
SOURCES/openssl-1.1.1-cve-2022-2068.patch
Normal file
255
SOURCES/openssl-1.1.1-cve-2022-2068.patch
Normal file
@ -0,0 +1,255 @@
|
|||||||
|
From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Fiala <daniel@openssl.org>
|
||||||
|
Date: Sun, 29 May 2022 20:11:24 +0200
|
||||||
|
Subject: [PATCH] Fix file operations in c_rehash.
|
||||||
|
|
||||||
|
CVE-2022-2068
|
||||||
|
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
||||||
|
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7]
|
||||||
|
---
|
||||||
|
tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
|
||||||
|
1 file changed, 107 insertions(+), 109 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
|
||||||
|
index cfd18f5da110..9d2a6f6db73b 100644
|
||||||
|
--- a/tools/c_rehash.in
|
||||||
|
+++ b/tools/c_rehash.in
|
||||||
|
@@ -104,52 +104,78 @@ foreach (@dirlist) {
|
||||||
|
}
|
||||||
|
exit($errorcount);
|
||||||
|
|
||||||
|
+sub copy_file {
|
||||||
|
+ my ($src_fname, $dst_fname) = @_;
|
||||||
|
+
|
||||||
|
+ if (open(my $in, "<", $src_fname)) {
|
||||||
|
+ if (open(my $out, ">", $dst_fname)) {
|
||||||
|
+ print $out $_ while (<$in>);
|
||||||
|
+ close $out;
|
||||||
|
+ } else {
|
||||||
|
+ warn "Cannot open $dst_fname for write, $!";
|
||||||
|
+ }
|
||||||
|
+ close $in;
|
||||||
|
+ } else {
|
||||||
|
+ warn "Cannot open $src_fname for read, $!";
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
sub hash_dir {
|
||||||
|
- my %hashlist;
|
||||||
|
- print "Doing $_[0]\n";
|
||||||
|
- chdir $_[0];
|
||||||
|
- opendir(DIR, ".");
|
||||||
|
- my @flist = sort readdir(DIR);
|
||||||
|
- closedir DIR;
|
||||||
|
- if ( $removelinks ) {
|
||||||
|
- # Delete any existing symbolic links
|
||||||
|
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
|
||||||
|
- if (-l $_) {
|
||||||
|
- print "unlink $_" if $verbose;
|
||||||
|
- unlink $_ || warn "Can't unlink $_, $!\n";
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
|
||||||
|
- # Check to see if certificates and/or CRLs present.
|
||||||
|
- my ($cert, $crl) = check_file($fname);
|
||||||
|
- if (!$cert && !$crl) {
|
||||||
|
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
|
||||||
|
- next;
|
||||||
|
- }
|
||||||
|
- link_hash_cert($fname) if ($cert);
|
||||||
|
- link_hash_crl($fname) if ($crl);
|
||||||
|
- }
|
||||||
|
+ my $dir = shift;
|
||||||
|
+ my %hashlist;
|
||||||
|
+
|
||||||
|
+ print "Doing $dir\n";
|
||||||
|
+
|
||||||
|
+ if (!chdir $dir) {
|
||||||
|
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
|
||||||
|
+ my @flist = sort readdir(DIR);
|
||||||
|
+ closedir DIR;
|
||||||
|
+ if ( $removelinks ) {
|
||||||
|
+ # Delete any existing symbolic links
|
||||||
|
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
|
||||||
|
+ if (-l $_) {
|
||||||
|
+ print "unlink $_\n" if $verbose;
|
||||||
|
+ unlink $_ || warn "Can't unlink $_, $!\n";
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
|
||||||
|
+ # Check to see if certificates and/or CRLs present.
|
||||||
|
+ my ($cert, $crl) = check_file($fname);
|
||||||
|
+ if (!$cert && !$crl) {
|
||||||
|
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
|
||||||
|
+ next;
|
||||||
|
+ }
|
||||||
|
+ link_hash_cert($fname) if ($cert);
|
||||||
|
+ link_hash_crl($fname) if ($crl);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ chdir $pwd;
|
||||||
|
}
|
||||||
|
|
||||||
|
sub check_file {
|
||||||
|
- my ($is_cert, $is_crl) = (0,0);
|
||||||
|
- my $fname = $_[0];
|
||||||
|
- open IN, $fname;
|
||||||
|
- while(<IN>) {
|
||||||
|
- if (/^-----BEGIN (.*)-----/) {
|
||||||
|
- my $hdr = $1;
|
||||||
|
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
|
||||||
|
- $is_cert = 1;
|
||||||
|
- last if ($is_crl);
|
||||||
|
- } elsif ($hdr eq "X509 CRL") {
|
||||||
|
- $is_crl = 1;
|
||||||
|
- last if ($is_cert);
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- close IN;
|
||||||
|
- return ($is_cert, $is_crl);
|
||||||
|
+ my ($is_cert, $is_crl) = (0,0);
|
||||||
|
+ my $fname = $_[0];
|
||||||
|
+
|
||||||
|
+ open(my $in, "<", $fname);
|
||||||
|
+ while(<$in>) {
|
||||||
|
+ if (/^-----BEGIN (.*)-----/) {
|
||||||
|
+ my $hdr = $1;
|
||||||
|
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
|
||||||
|
+ $is_cert = 1;
|
||||||
|
+ last if ($is_crl);
|
||||||
|
+ } elsif ($hdr eq "X509 CRL") {
|
||||||
|
+ $is_crl = 1;
|
||||||
|
+ last if ($is_cert);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ close $in;
|
||||||
|
+ return ($is_cert, $is_crl);
|
||||||
|
}
|
||||||
|
|
||||||
|
sub compute_hash {
|
||||||
|
@@ -177,76 +203,48 @@ sub compute_hash {
|
||||||
|
# certificate fingerprints
|
||||||
|
|
||||||
|
sub link_hash_cert {
|
||||||
|
- my $fname = $_[0];
|
||||||
|
- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
|
||||||
|
- "-fingerprint", "-noout",
|
||||||
|
- "-in", $fname);
|
||||||
|
- chomp $hash;
|
||||||
|
- chomp $fprint;
|
||||||
|
- return if !$hash;
|
||||||
|
- $fprint =~ s/^.*=//;
|
||||||
|
- $fprint =~ tr/://d;
|
||||||
|
- my $suffix = 0;
|
||||||
|
- # Search for an unused hash filename
|
||||||
|
- while(exists $hashlist{"$hash.$suffix"}) {
|
||||||
|
- # Hash matches: if fingerprint matches its a duplicate cert
|
||||||
|
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
|
||||||
|
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
- $suffix++;
|
||||||
|
- }
|
||||||
|
- $hash .= ".$suffix";
|
||||||
|
- if ($symlink_exists) {
|
||||||
|
- print "link $fname -> $hash\n" if $verbose;
|
||||||
|
- symlink $fname, $hash || warn "Can't symlink, $!";
|
||||||
|
- } else {
|
||||||
|
- print "copy $fname -> $hash\n" if $verbose;
|
||||||
|
- if (open($in, "<", $fname)) {
|
||||||
|
- if (open($out,">", $hash)) {
|
||||||
|
- print $out $_ while (<$in>);
|
||||||
|
- close $out;
|
||||||
|
- } else {
|
||||||
|
- warn "can't open $hash for write, $!";
|
||||||
|
- }
|
||||||
|
- close $in;
|
||||||
|
- } else {
|
||||||
|
- warn "can't open $fname for read, $!";
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- $hashlist{$hash} = $fprint;
|
||||||
|
+ link_hash($_[0], 'cert');
|
||||||
|
}
|
||||||
|
|
||||||
|
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
|
||||||
|
|
||||||
|
sub link_hash_crl {
|
||||||
|
- my $fname = $_[0];
|
||||||
|
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
|
||||||
|
- "-fingerprint", "-noout",
|
||||||
|
- "-in", $fname);
|
||||||
|
- chomp $hash;
|
||||||
|
- chomp $fprint;
|
||||||
|
- return if !$hash;
|
||||||
|
- $fprint =~ s/^.*=//;
|
||||||
|
- $fprint =~ tr/://d;
|
||||||
|
- my $suffix = 0;
|
||||||
|
- # Search for an unused hash filename
|
||||||
|
- while(exists $hashlist{"$hash.r$suffix"}) {
|
||||||
|
- # Hash matches: if fingerprint matches its a duplicate cert
|
||||||
|
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
|
||||||
|
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
- $suffix++;
|
||||||
|
- }
|
||||||
|
- $hash .= ".r$suffix";
|
||||||
|
- if ($symlink_exists) {
|
||||||
|
- print "link $fname -> $hash\n" if $verbose;
|
||||||
|
- symlink $fname, $hash || warn "Can't symlink, $!";
|
||||||
|
- } else {
|
||||||
|
- print "cp $fname -> $hash\n" if $verbose;
|
||||||
|
- system ("cp", $fname, $hash);
|
||||||
|
- warn "Can't copy, $!" if ($? >> 8) != 0;
|
||||||
|
- }
|
||||||
|
- $hashlist{$hash} = $fprint;
|
||||||
|
+ link_hash($_[0], 'crl');
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+sub link_hash {
|
||||||
|
+ my ($fname, $type) = @_;
|
||||||
|
+ my $is_cert = $type eq 'cert';
|
||||||
|
+
|
||||||
|
+ my ($hash, $fprint) = compute_hash($openssl,
|
||||||
|
+ $is_cert ? "x509" : "crl",
|
||||||
|
+ $is_cert ? $x509hash : $crlhash,
|
||||||
|
+ "-fingerprint", "-noout",
|
||||||
|
+ "-in", $fname);
|
||||||
|
+ chomp $hash;
|
||||||
|
+ chomp $fprint;
|
||||||
|
+ return if !$hash;
|
||||||
|
+ $fprint =~ s/^.*=//;
|
||||||
|
+ $fprint =~ tr/://d;
|
||||||
|
+ my $suffix = 0;
|
||||||
|
+ # Search for an unused hash filename
|
||||||
|
+ my $crlmark = $is_cert ? "" : "r";
|
||||||
|
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
|
||||||
|
+ # Hash matches: if fingerprint matches its a duplicate cert
|
||||||
|
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
|
||||||
|
+ my $what = $is_cert ? 'certificate' : 'CRL';
|
||||||
|
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ $suffix++;
|
||||||
|
+ }
|
||||||
|
+ $hash .= ".$crlmark$suffix";
|
||||||
|
+ if ($symlink_exists) {
|
||||||
|
+ print "link $fname -> $hash\n" if $verbose;
|
||||||
|
+ symlink $fname, $hash || warn "Can't symlink, $!";
|
||||||
|
+ } else {
|
||||||
|
+ print "copy $fname -> $hash\n" if $verbose;
|
||||||
|
+ copy_file($fname, $hash);
|
||||||
|
+ }
|
||||||
|
+ $hashlist{$hash} = $fprint;
|
||||||
|
}
|
152
SOURCES/openssl-1.1.1-cve-2022-2097.patch
Normal file
152
SOURCES/openssl-1.1.1-cve-2022-2097.patch
Normal file
@ -0,0 +1,152 @@
|
|||||||
|
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alex Chernyakhovsky <achernya@google.com>
|
||||||
|
Date: Thu, 16 Jun 2022 12:00:22 +1000
|
||||||
|
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
|
||||||
|
that performs operations on 6 16-byte blocks concurrently (the
|
||||||
|
"grandloop") and then proceeds to handle the "short" tail (which can
|
||||||
|
be anywhere from 0 to 5 blocks) that remain.
|
||||||
|
|
||||||
|
As part of initialization, the assembly initializes $len to the true
|
||||||
|
length, less 96 bytes and converts it to a pointer so that the $inp
|
||||||
|
can be compared to it. Each iteration of "grandloop" checks to see if
|
||||||
|
there's a full 96-byte chunk to process, and if so, continues. Once
|
||||||
|
this has been exhausted, it falls through to "short", which handles
|
||||||
|
the remaining zero to five blocks.
|
||||||
|
|
||||||
|
Unfortunately, the jump at the end of "grandloop" had a fencepost
|
||||||
|
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
|
||||||
|
equal). This should be `jbe`, as $inp is pointing to the *end* of the
|
||||||
|
chunk currently being handled. If $inp == $len, that means that
|
||||||
|
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
|
||||||
|
then there's 5 or fewer 16-byte blocks left to be handled, and the
|
||||||
|
fall-through is intended.
|
||||||
|
|
||||||
|
The net effect of `jb` instead of `jbe` is that the last 16-byte block
|
||||||
|
of the last 96-byte chunk was completely omitted. The contents of
|
||||||
|
`out` in this position were never written to. Additionally, since
|
||||||
|
those bytes were never processed, the authentication tag generated is
|
||||||
|
also incorrect.
|
||||||
|
|
||||||
|
The same fencepost error, and identical logic, exists in both
|
||||||
|
aesni_ocb_encrypt and aesni_ocb_decrypt.
|
||||||
|
|
||||||
|
This addresses CVE-2022-2097.
|
||||||
|
|
||||||
|
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
|
||||||
|
Co-authored-by: David Benjamin <davidben@google.com>
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431]
|
||||||
|
---
|
||||||
|
crypto/aes/asm/aesni-x86.pl | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
|
||||||
|
index fe2b26542ab6..812758e02e04 100644
|
||||||
|
--- a/crypto/aes/asm/aesni-x86.pl
|
||||||
|
+++ b/crypto/aes/asm/aesni-x86.pl
|
||||||
|
@@ -2027,7 +2027,7 @@ sub aesni_generate6
|
||||||
|
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
|
||||||
|
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
|
||||||
|
&cmp ($inp,$len); # done yet?
|
||||||
|
- &jb (&label("grandloop"));
|
||||||
|
+ &jbe (&label("grandloop"));
|
||||||
|
|
||||||
|
&set_label("short");
|
||||||
|
&add ($len,16*6);
|
||||||
|
@@ -2453,7 +2453,7 @@ sub aesni_generate6
|
||||||
|
&pxor ($rndkey1,$inout5);
|
||||||
|
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
|
||||||
|
&cmp ($inp,$len); # done yet?
|
||||||
|
- &jb (&label("grandloop"));
|
||||||
|
+ &jbe (&label("grandloop"));
|
||||||
|
|
||||||
|
&set_label("short");
|
||||||
|
&add ($len,16*6);
|
||||||
|
From 9131afdca30b6d1650af9ea6179569a80ab8cb06 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alex Chernyakhovsky <achernya@google.com>
|
||||||
|
Date: Thu, 16 Jun 2022 12:02:37 +1000
|
||||||
|
Subject: [PATCH] AES OCB test vectors
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
|
||||||
|
|
||||||
|
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
|
||||||
|
Co-authored-by: David Benjamin <davidben@google.com>
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06]
|
||||||
|
---
|
||||||
|
test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
|
||||||
|
1 file changed, 50 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
|
||||||
|
index 1c02ea1e9c2d..e12670d9a4b4 100644
|
||||||
|
--- a/test/recipes/30-test_evp_data/evpciph.txt
|
||||||
|
+++ b/test/recipes/30-test_evp_data/evpciph.txt
|
||||||
|
@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
|
||||||
|
Operation = DECRYPT
|
||||||
|
Result = CIPHERFINAL_ERROR
|
||||||
|
|
||||||
|
+#Test vectors generated to validate aesni_ocb_encrypt on x86
|
||||||
|
+Cipher = aes-128-ocb
|
||||||
|
+Key = 000102030405060708090A0B0C0D0E0F
|
||||||
|
+IV = 000000000001020304050607
|
||||||
|
+Tag = C14DFF7D62A13C4A3422456207453190
|
||||||
|
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||||
|
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
|
||||||
|
+
|
||||||
|
+Cipher = aes-128-ocb
|
||||||
|
+Key = 000102030405060708090A0B0C0D0E0F
|
||||||
|
+IV = 000000000001020304050607
|
||||||
|
+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
|
||||||
|
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
|
||||||
|
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
|
||||||
|
+
|
||||||
|
+Cipher = aes-128-ocb
|
||||||
|
+Key = 000102030405060708090A0B0C0D0E0F
|
||||||
|
+IV = 000000000001020304050607
|
||||||
|
+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
|
||||||
|
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
|
||||||
|
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
|
||||||
|
+
|
||||||
|
+Cipher = aes-128-ocb
|
||||||
|
+Key = 000102030405060708090A0B0C0D0E0F
|
||||||
|
+IV = 000000000001020304050607
|
||||||
|
+Tag = BE0228651ED4E48A11BDED68D953F3A0
|
||||||
|
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
|
||||||
|
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
|
||||||
|
+
|
||||||
|
+Cipher = aes-128-ocb
|
||||||
|
+Key = 000102030405060708090A0B0C0D0E0F
|
||||||
|
+IV = 000000000001020304050607
|
||||||
|
+Tag = 17BC6E10B16E5FDC52836E7D589518C7
|
||||||
|
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
|
||||||
|
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
|
||||||
|
+
|
||||||
|
+Cipher = aes-128-ocb
|
||||||
|
+Key = 000102030405060708090A0B0C0D0E0F
|
||||||
|
+IV = 000000000001020304050607
|
||||||
|
+Tag = E84AAC18666116990A3A37B3A5FC55BD
|
||||||
|
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
|
||||||
|
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
|
||||||
|
+
|
||||||
|
+Cipher = aes-128-ocb
|
||||||
|
+Key = 000102030405060708090A0B0C0D0E0F
|
||||||
|
+IV = 000000000001020304050607
|
||||||
|
+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
|
||||||
|
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
|
||||||
|
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
|
||||||
|
+
|
||||||
|
Title = AES XTS test vectors from IEEE Std 1619-2007
|
||||||
|
|
||||||
|
# Using the same key twice for encryption is always banned.
|
805
SOURCES/openssl-1.1.1-cve-2022-4304-RSA-oracle.patch
Normal file
805
SOURCES/openssl-1.1.1-cve-2022-4304-RSA-oracle.patch
Normal file
@ -0,0 +1,805 @@
|
|||||||
|
From 43d8f88511991533f53680a751e9326999a6a31f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matt Caswell <matt@openssl.org>
|
||||||
|
Date: Fri, 20 Jan 2023 15:26:54 +0000
|
||||||
|
Subject: [PATCH 1/6] Fix Timing Oracle in RSA decryption
|
||||||
|
|
||||||
|
A timing based side channel exists in the OpenSSL RSA Decryption
|
||||||
|
implementation which could be sufficient to recover a plaintext across
|
||||||
|
a network in a Bleichenbacher style attack. To achieve a successful
|
||||||
|
decryption an attacker would have to be able to send a very large number
|
||||||
|
of trial messages for decryption. The vulnerability affects all RSA
|
||||||
|
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
|
||||||
|
|
||||||
|
Patch written by Dmitry Belyavsky and Hubert Kario
|
||||||
|
|
||||||
|
CVE-2022-4304
|
||||||
|
|
||||||
|
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||||
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||||
|
---
|
||||||
|
crypto/bn/bn_blind.c | 14 -
|
||||||
|
crypto/bn/bn_err.c | 2 +
|
||||||
|
crypto/bn/bn_local.h | 14 +
|
||||||
|
crypto/bn/build.info | 3 +-
|
||||||
|
crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++++++++++++++++++++++++
|
||||||
|
crypto/err/openssl.txt | 3 +-
|
||||||
|
crypto/rsa/rsa_ossl.c | 17 +-
|
||||||
|
include/crypto/bn.h | 5 +
|
||||||
|
include/openssl/bnerr.h | 1 +
|
||||||
|
9 files changed, 653 insertions(+), 20 deletions(-)
|
||||||
|
create mode 100644 crypto/bn/rsa_sup_mul.c
|
||||||
|
|
||||||
|
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
|
||||||
|
index 76fc7ebcff..6e9d239321 100644
|
||||||
|
--- a/crypto/bn/bn_blind.c
|
||||||
|
+++ b/crypto/bn/bn_blind.c
|
||||||
|
@@ -13,20 +13,6 @@
|
||||||
|
|
||||||
|
#define BN_BLINDING_COUNTER 32
|
||||||
|
|
||||||
|
-struct bn_blinding_st {
|
||||||
|
- BIGNUM *A;
|
||||||
|
- BIGNUM *Ai;
|
||||||
|
- BIGNUM *e;
|
||||||
|
- BIGNUM *mod; /* just a reference */
|
||||||
|
- CRYPTO_THREAD_ID tid;
|
||||||
|
- int counter;
|
||||||
|
- unsigned long flags;
|
||||||
|
- BN_MONT_CTX *m_ctx;
|
||||||
|
- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||||
|
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||||
|
- CRYPTO_RWLOCK *lock;
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
|
||||||
|
{
|
||||||
|
BN_BLINDING *ret = NULL;
|
||||||
|
diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c
|
||||||
|
index dd87c152cf..3dd8d9a568 100644
|
||||||
|
--- a/crypto/bn/bn_err.c
|
||||||
|
+++ b/crypto/bn/bn_err.c
|
||||||
|
@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = {
|
||||||
|
{ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"},
|
||||||
|
{ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"},
|
||||||
|
{ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"},
|
||||||
|
+ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0),
|
||||||
|
+ "ossl_bn_rsa_do_unblind"},
|
||||||
|
{0, NULL}
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
|
||||||
|
index 62a969b134..4d8cb64675 100644
|
||||||
|
--- a/crypto/bn/bn_local.h
|
||||||
|
+++ b/crypto/bn/bn_local.h
|
||||||
|
@@ -283,6 +283,20 @@ struct bn_gencb_st {
|
||||||
|
} cb;
|
||||||
|
};
|
||||||
|
|
||||||
|
+struct bn_blinding_st {
|
||||||
|
+ BIGNUM *A;
|
||||||
|
+ BIGNUM *Ai;
|
||||||
|
+ BIGNUM *e;
|
||||||
|
+ BIGNUM *mod; /* just a reference */
|
||||||
|
+ CRYPTO_THREAD_ID tid;
|
||||||
|
+ int counter;
|
||||||
|
+ unsigned long flags;
|
||||||
|
+ BN_MONT_CTX *m_ctx;
|
||||||
|
+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||||
|
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||||
|
+ CRYPTO_RWLOCK *lock;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
/*-
|
||||||
|
* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
|
||||||
|
*
|
||||||
|
diff --git a/crypto/bn/build.info b/crypto/bn/build.info
|
||||||
|
index b9ed5322fa..c9fe2fdada 100644
|
||||||
|
--- a/crypto/bn/build.info
|
||||||
|
+++ b/crypto/bn/build.info
|
||||||
|
@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\
|
||||||
|
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \
|
||||||
|
{- $target{bn_asm_src} -} \
|
||||||
|
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
|
||||||
|
- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c
|
||||||
|
+ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \
|
||||||
|
+ rsa_sup_mul.c
|
||||||
|
|
||||||
|
INCLUDE[bn_exp.o]=..
|
||||||
|
|
||||||
|
diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..acafefd5fe
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/crypto/bn/rsa_sup_mul.c
|
||||||
|
@@ -0,0 +1,614 @@
|
||||||
|
+#include <openssl/e_os2.h>
|
||||||
|
+#include <stddef.h>
|
||||||
|
+#include <sys/types.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <openssl/bn.h>
|
||||||
|
+#include <openssl/err.h>
|
||||||
|
+#include <openssl/rsaerr.h>
|
||||||
|
+#include "internal/numbers.h"
|
||||||
|
+#include "internal/constant_time.h"
|
||||||
|
+#include "bn_local.h"
|
||||||
|
+
|
||||||
|
+# if BN_BYTES == 8
|
||||||
|
+typedef uint64_t limb_t;
|
||||||
|
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
|
||||||
|
+/* nonstandard; implemented by gcc on 64-bit platforms */
|
||||||
|
+typedef __uint128_t limb2_t;
|
||||||
|
+# define HAVE_LIMB2_T
|
||||||
|
+# endif
|
||||||
|
+# define LIMB_BIT_SIZE 64
|
||||||
|
+# define LIMB_BYTE_SIZE 8
|
||||||
|
+# elif BN_BYTES == 4
|
||||||
|
+typedef uint32_t limb_t;
|
||||||
|
+typedef uint64_t limb2_t;
|
||||||
|
+# define LIMB_BIT_SIZE 32
|
||||||
|
+# define LIMB_BYTE_SIZE 4
|
||||||
|
+# define HAVE_LIMB2_T
|
||||||
|
+# else
|
||||||
|
+# error "Not supported"
|
||||||
|
+# endif
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * For multiplication we're using schoolbook multiplication,
|
||||||
|
+ * so if we have two numbers, each with 6 "digits" (words)
|
||||||
|
+ * the multiplication is calculated as follows:
|
||||||
|
+ * A B C D E F
|
||||||
|
+ * x I J K L M N
|
||||||
|
+ * --------------
|
||||||
|
+ * N*F
|
||||||
|
+ * N*E
|
||||||
|
+ * N*D
|
||||||
|
+ * N*C
|
||||||
|
+ * N*B
|
||||||
|
+ * N*A
|
||||||
|
+ * M*F
|
||||||
|
+ * M*E
|
||||||
|
+ * M*D
|
||||||
|
+ * M*C
|
||||||
|
+ * M*B
|
||||||
|
+ * M*A
|
||||||
|
+ * L*F
|
||||||
|
+ * L*E
|
||||||
|
+ * L*D
|
||||||
|
+ * L*C
|
||||||
|
+ * L*B
|
||||||
|
+ * L*A
|
||||||
|
+ * K*F
|
||||||
|
+ * K*E
|
||||||
|
+ * K*D
|
||||||
|
+ * K*C
|
||||||
|
+ * K*B
|
||||||
|
+ * K*A
|
||||||
|
+ * J*F
|
||||||
|
+ * J*E
|
||||||
|
+ * J*D
|
||||||
|
+ * J*C
|
||||||
|
+ * J*B
|
||||||
|
+ * J*A
|
||||||
|
+ * I*F
|
||||||
|
+ * I*E
|
||||||
|
+ * I*D
|
||||||
|
+ * I*C
|
||||||
|
+ * I*B
|
||||||
|
+ * + I*A
|
||||||
|
+ * ==========================
|
||||||
|
+ * N*B N*D N*F
|
||||||
|
+ * + N*A N*C N*E
|
||||||
|
+ * + M*B M*D M*F
|
||||||
|
+ * + M*A M*C M*E
|
||||||
|
+ * + L*B L*D L*F
|
||||||
|
+ * + L*A L*C L*E
|
||||||
|
+ * + K*B K*D K*F
|
||||||
|
+ * + K*A K*C K*E
|
||||||
|
+ * + J*B J*D J*F
|
||||||
|
+ * + J*A J*C J*E
|
||||||
|
+ * + I*B I*D I*F
|
||||||
|
+ * + I*A I*C I*E
|
||||||
|
+ *
|
||||||
|
+ * 1+1 1+3 1+5
|
||||||
|
+ * 1+0 1+2 1+4
|
||||||
|
+ * 0+1 0+3 0+5
|
||||||
|
+ * 0+0 0+2 0+4
|
||||||
|
+ *
|
||||||
|
+ * 0 1 2 3 4 5 6
|
||||||
|
+ * which requires n^2 multiplications and 2n full length additions
|
||||||
|
+ * as we can keep every other result of limb multiplication in two separate
|
||||||
|
+ * limbs
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#if defined HAVE_LIMB2_T
|
||||||
|
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||||
|
+{
|
||||||
|
+ limb2_t t;
|
||||||
|
+ /*
|
||||||
|
+ * this is idiomatic code to tell compiler to use the native mul
|
||||||
|
+ * those three lines will actually compile to single instruction
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ t = (limb2_t)a * b;
|
||||||
|
+ *hi = t >> LIMB_BIT_SIZE;
|
||||||
|
+ *lo = (limb_t)t;
|
||||||
|
+}
|
||||||
|
+#elif (BN_BYTES == 8) && (defined _MSC_VER)
|
||||||
|
+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
|
||||||
|
+#pragma intrinsic(_umul128)
|
||||||
|
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||||
|
+{
|
||||||
|
+ *lo = _umul128(a, b, hi);
|
||||||
|
+}
|
||||||
|
+#else
|
||||||
|
+/*
|
||||||
|
+ * if the compiler doesn't have either a 128bit data type nor a "return
|
||||||
|
+ * high 64 bits of multiplication"
|
||||||
|
+ */
|
||||||
|
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||||
|
+{
|
||||||
|
+ limb_t a_low = (limb_t)(uint32_t)a;
|
||||||
|
+ limb_t a_hi = a >> 32;
|
||||||
|
+ limb_t b_low = (limb_t)(uint32_t)b;
|
||||||
|
+ limb_t b_hi = b >> 32;
|
||||||
|
+
|
||||||
|
+ limb_t p0 = a_low * b_low;
|
||||||
|
+ limb_t p1 = a_low * b_hi;
|
||||||
|
+ limb_t p2 = a_hi * b_low;
|
||||||
|
+ limb_t p3 = a_hi * b_hi;
|
||||||
|
+
|
||||||
|
+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
|
||||||
|
+
|
||||||
|
+ *lo = p0 + (p1 << 32) + (p2 << 32);
|
||||||
|
+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+/* add two limbs with carry in, return carry out */
|
||||||
|
+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
|
||||||
|
+{
|
||||||
|
+ limb_t carry1, carry2, t;
|
||||||
|
+ /*
|
||||||
|
+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers
|
||||||
|
+ * use add with carry on assembly level
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ *ret = a + carry;
|
||||||
|
+ if (*ret < a)
|
||||||
|
+ carry1 = 1;
|
||||||
|
+ else
|
||||||
|
+ carry1 = 0;
|
||||||
|
+
|
||||||
|
+ t = *ret;
|
||||||
|
+ *ret = t + b;
|
||||||
|
+ if (*ret < t)
|
||||||
|
+ carry2 = 1;
|
||||||
|
+ else
|
||||||
|
+ carry2 = 0;
|
||||||
|
+
|
||||||
|
+ return carry1 + carry2;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * add two numbers of the same size, return overflow
|
||||||
|
+ *
|
||||||
|
+ * add a to b, place result in ret; all arrays need to be n limbs long
|
||||||
|
+ * return overflow from addition (0 or 1)
|
||||||
|
+ */
|
||||||
|
+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||||
|
+{
|
||||||
|
+ limb_t c = 0;
|
||||||
|
+ ossl_ssize_t i;
|
||||||
|
+
|
||||||
|
+ for(i = n - 1; i > -1; i--)
|
||||||
|
+ c = _add_limb(&ret[i], a[i], b[i], c);
|
||||||
|
+
|
||||||
|
+ return c;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * return number of limbs necessary for temporary values
|
||||||
|
+ * when multiplying numbers n limbs large
|
||||||
|
+ */
|
||||||
|
+static ossl_inline size_t mul_limb_numb(size_t n)
|
||||||
|
+{
|
||||||
|
+ return 2 * n * 2;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * multiply two numbers of the same size
|
||||||
|
+ *
|
||||||
|
+ * multiply a by b, place result in ret; a and b need to be n limbs long
|
||||||
|
+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
|
||||||
|
+ * long
|
||||||
|
+ */
|
||||||
|
+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
|
||||||
|
+{
|
||||||
|
+ limb_t *r_odd, *r_even;
|
||||||
|
+ size_t i, j, k;
|
||||||
|
+
|
||||||
|
+ r_odd = tmp;
|
||||||
|
+ r_even = &tmp[2 * n];
|
||||||
|
+
|
||||||
|
+ memset(ret, 0, 2 * n * sizeof(limb_t));
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < n; i++) {
|
||||||
|
+ for (k = 0; k < i + n + 1; k++) {
|
||||||
|
+ r_even[k] = 0;
|
||||||
|
+ r_odd[k] = 0;
|
||||||
|
+ }
|
||||||
|
+ for (j = 0; j < n; j++) {
|
||||||
|
+ /*
|
||||||
|
+ * place results from even and odd limbs in separate arrays so that
|
||||||
|
+ * we don't have to calculate overflow every time we get individual
|
||||||
|
+ * limb multiplication result
|
||||||
|
+ */
|
||||||
|
+ if (j % 2 == 0)
|
||||||
|
+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
|
||||||
|
+ else
|
||||||
|
+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
|
||||||
|
+ }
|
||||||
|
+ /*
|
||||||
|
+ * skip the least significant limbs when adding multiples of
|
||||||
|
+ * more significant limbs (they're zero anyway)
|
||||||
|
+ */
|
||||||
|
+ add(ret, ret, r_even, n + i + 1);
|
||||||
|
+ add(ret, ret, r_odd, n + i + 1);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* modifies the value in place by performing a right shift by one bit */
|
||||||
|
+static ossl_inline void rshift1(limb_t *val, size_t n)
|
||||||
|
+{
|
||||||
|
+ limb_t shift_in = 0, shift_out = 0;
|
||||||
|
+ size_t i;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < n; i++) {
|
||||||
|
+ shift_out = val[i] & 1;
|
||||||
|
+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
|
||||||
|
+ shift_in = shift_out;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* extend the LSB of flag to all bits of limb */
|
||||||
|
+static ossl_inline limb_t mk_mask(limb_t flag)
|
||||||
|
+{
|
||||||
|
+ flag |= flag << 1;
|
||||||
|
+ flag |= flag << 2;
|
||||||
|
+ flag |= flag << 4;
|
||||||
|
+ flag |= flag << 8;
|
||||||
|
+ flag |= flag << 16;
|
||||||
|
+#if (LIMB_BYTE_SIZE == 8)
|
||||||
|
+ flag |= flag << 32;
|
||||||
|
+#endif
|
||||||
|
+ return flag;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * copy from either a or b to ret based on flag
|
||||||
|
+ * when flag == 0, then copies from b
|
||||||
|
+ * when flag == 1, then copies from a
|
||||||
|
+ */
|
||||||
|
+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||||
|
+{
|
||||||
|
+ /*
|
||||||
|
+ * would be more efficient with non volatile mask, but then gcc
|
||||||
|
+ * generates code with jumps
|
||||||
|
+ */
|
||||||
|
+ volatile limb_t mask;
|
||||||
|
+ size_t i;
|
||||||
|
+
|
||||||
|
+ mask = mk_mask(flag);
|
||||||
|
+ for (i = 0; i < n; i++) {
|
||||||
|
+#if (LIMB_BYTE_SIZE == 8)
|
||||||
|
+ ret[i] = constant_time_select_64(mask, a[i], b[i]);
|
||||||
|
+#else
|
||||||
|
+ ret[i] = constant_time_select_32(mask, a[i], b[i]);
|
||||||
|
+#endif
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
|
||||||
|
+{
|
||||||
|
+ limb_t borrow1, borrow2, t;
|
||||||
|
+ /*
|
||||||
|
+ * while it doesn't look constant-time, this is idiomatic code
|
||||||
|
+ * to tell compilers to use the carry bit from subtraction
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ *ret = a - borrow;
|
||||||
|
+ if (*ret > a)
|
||||||
|
+ borrow1 = 1;
|
||||||
|
+ else
|
||||||
|
+ borrow1 = 0;
|
||||||
|
+
|
||||||
|
+ t = *ret;
|
||||||
|
+ *ret = t - b;
|
||||||
|
+ if (*ret > t)
|
||||||
|
+ borrow2 = 1;
|
||||||
|
+ else
|
||||||
|
+ borrow2 = 0;
|
||||||
|
+
|
||||||
|
+ return borrow1 + borrow2;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * place the result of a - b into ret, return the borrow bit.
|
||||||
|
+ * All arrays need to be n limbs long
|
||||||
|
+ */
|
||||||
|
+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||||
|
+{
|
||||||
|
+ limb_t borrow = 0;
|
||||||
|
+ ossl_ssize_t i;
|
||||||
|
+
|
||||||
|
+ for (i = n - 1; i > -1; i--)
|
||||||
|
+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
|
||||||
|
+
|
||||||
|
+ return borrow;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* return the number of limbs necessary to allocate for the mod() tmp operand */
|
||||||
|
+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
|
||||||
|
+{
|
||||||
|
+ return (anum + modnum) * 3;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * calculate a % mod, place the result in ret
|
||||||
|
+ * size of a is defined by anum, size of ret and mod is modnum,
|
||||||
|
+ * size of tmp is returned by mod_limb_numb()
|
||||||
|
+ */
|
||||||
|
+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
||||||
|
+ size_t modnum, limb_t *tmp)
|
||||||
|
+{
|
||||||
|
+ limb_t *atmp, *modtmp, *rettmp;
|
||||||
|
+ limb_t res;
|
||||||
|
+ size_t i;
|
||||||
|
+
|
||||||
|
+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
|
||||||
|
+
|
||||||
|
+ atmp = tmp;
|
||||||
|
+ modtmp = &tmp[anum + modnum];
|
||||||
|
+ rettmp = &tmp[(anum + modnum) * 2];
|
||||||
|
+
|
||||||
|
+ for (i = modnum; i <modnum + anum; i++)
|
||||||
|
+ atmp[i] = a[i-modnum];
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < modnum; i++)
|
||||||
|
+ modtmp[i] = mod[i];
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
|
||||||
|
+ rshift1(modtmp, anum + modnum);
|
||||||
|
+ res = sub(rettmp, atmp, modtmp, anum+modnum);
|
||||||
|
+ cselect(res, atmp, atmp, rettmp, anum+modnum);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* necessary size of tmp for a _mul_add_limb() call with provided anum */
|
||||||
|
+static ossl_inline size_t _mul_add_limb_numb(size_t anum)
|
||||||
|
+{
|
||||||
|
+ return 2 * (anum + 1);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* multiply a by m, add to ret, return carry */
|
||||||
|
+static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
|
||||||
|
+ limb_t m, limb_t *tmp)
|
||||||
|
+{
|
||||||
|
+ limb_t carry = 0;
|
||||||
|
+ limb_t *r_odd, *r_even;
|
||||||
|
+ size_t i;
|
||||||
|
+
|
||||||
|
+ memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
|
||||||
|
+
|
||||||
|
+ r_odd = tmp;
|
||||||
|
+ r_even = &tmp[anum + 1];
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < anum; i++) {
|
||||||
|
+ /*
|
||||||
|
+ * place the results from even and odd limbs in separate arrays
|
||||||
|
+ * so that we have to worry about carry just once
|
||||||
|
+ */
|
||||||
|
+ if (i % 2 == 0)
|
||||||
|
+ _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
|
||||||
|
+ else
|
||||||
|
+ _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
|
||||||
|
+ }
|
||||||
|
+ /* assert: add() carry here will be equal zero */
|
||||||
|
+ add(r_even, r_even, r_odd, anum + 1);
|
||||||
|
+ /*
|
||||||
|
+ * while here it will not overflow as the max value from multiplication
|
||||||
|
+ * is -2 while max overflow from addition is 1, so the max value of
|
||||||
|
+ * carry is -1 (i.e. max int)
|
||||||
|
+ */
|
||||||
|
+ carry = add(ret, ret, &r_even[1], anum) + r_even[0];
|
||||||
|
+
|
||||||
|
+ return carry;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
|
||||||
|
+{
|
||||||
|
+ return modnum * 2 + _mul_add_limb_numb(modnum);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * calculate a % mod, place result in ret
|
||||||
|
+ * assumes that a is in Montgomery form with the R (Montgomery modulus) being
|
||||||
|
+ * smallest power of two big enough to fit mod and that's also a power
|
||||||
|
+ * of the count of number of bits in limb_t (B).
|
||||||
|
+ * For calculation, we also need n', such that mod * n' == -1 mod B.
|
||||||
|
+ * anum must be <= 2 * modnum
|
||||||
|
+ * ret needs to be modnum words long
|
||||||
|
+ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
|
||||||
|
+ */
|
||||||
|
+static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
||||||
|
+ size_t modnum, limb_t ni0, limb_t *tmp)
|
||||||
|
+{
|
||||||
|
+ limb_t carry, v;
|
||||||
|
+ limb_t *res, *rp, *tmp2;
|
||||||
|
+ ossl_ssize_t i;
|
||||||
|
+
|
||||||
|
+ res = tmp;
|
||||||
|
+ /*
|
||||||
|
+ * for intermediate result we need an integer twice as long as modulus
|
||||||
|
+ * but keep the input in the least significant limbs
|
||||||
|
+ */
|
||||||
|
+ memset(res, 0, sizeof(limb_t) * (modnum * 2));
|
||||||
|
+ memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
|
||||||
|
+ rp = &res[modnum];
|
||||||
|
+ tmp2 = &res[modnum * 2];
|
||||||
|
+
|
||||||
|
+ carry = 0;
|
||||||
|
+
|
||||||
|
+ /* add multiples of the modulus to the value until R divides it cleanly */
|
||||||
|
+ for (i = modnum; i > 0; i--, rp--) {
|
||||||
|
+ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2);
|
||||||
|
+ v = v + carry + rp[-1];
|
||||||
|
+ carry |= (v != rp[-1]);
|
||||||
|
+ carry &= (v <= rp[-1]);
|
||||||
|
+ rp[-1] = v;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* perform the final reduction by mod... */
|
||||||
|
+ carry -= sub(ret, rp, mod, modnum);
|
||||||
|
+
|
||||||
|
+ /* ...conditionally */
|
||||||
|
+ cselect(carry, ret, rp, ret, modnum);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* allocated buffer should be freed afterwards */
|
||||||
|
+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||||
|
+ limb_t *ptr = buf + (limbs - real_limbs);
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < real_limbs; i++)
|
||||||
|
+ ptr[i] = bn->d[real_limbs - i - 1];
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#if LIMB_BYTE_SIZE == 8
|
||||||
|
+static ossl_inline uint64_t be64(uint64_t host)
|
||||||
|
+{
|
||||||
|
+ const union {
|
||||||
|
+ long one;
|
||||||
|
+ char little;
|
||||||
|
+ } is_endian = { 1 };
|
||||||
|
+
|
||||||
|
+ if (is_endian.little) {
|
||||||
|
+ uint64_t big = 0;
|
||||||
|
+
|
||||||
|
+ big |= (host & 0xff00000000000000) >> 56;
|
||||||
|
+ big |= (host & 0x00ff000000000000) >> 40;
|
||||||
|
+ big |= (host & 0x0000ff0000000000) >> 24;
|
||||||
|
+ big |= (host & 0x000000ff00000000) >> 8;
|
||||||
|
+ big |= (host & 0x00000000ff000000) << 8;
|
||||||
|
+ big |= (host & 0x0000000000ff0000) << 24;
|
||||||
|
+ big |= (host & 0x000000000000ff00) << 40;
|
||||||
|
+ big |= (host & 0x00000000000000ff) << 56;
|
||||||
|
+ return big;
|
||||||
|
+ } else {
|
||||||
|
+ return host;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#else
|
||||||
|
+/* Not all platforms have htobe32(). */
|
||||||
|
+static ossl_inline uint32_t be32(uint32_t host)
|
||||||
|
+{
|
||||||
|
+ const union {
|
||||||
|
+ long one;
|
||||||
|
+ char little;
|
||||||
|
+ } is_endian = { 1 };
|
||||||
|
+
|
||||||
|
+ if (is_endian.little) {
|
||||||
|
+ uint32_t big = 0;
|
||||||
|
+
|
||||||
|
+ big |= (host & 0xff000000) >> 24;
|
||||||
|
+ big |= (host & 0x00ff0000) >> 8;
|
||||||
|
+ big |= (host & 0x0000ff00) << 8;
|
||||||
|
+ big |= (host & 0x000000ff) << 24;
|
||||||
|
+ return big;
|
||||||
|
+ } else {
|
||||||
|
+ return host;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * We assume that intermediate, possible_arg2, blinding, and ctx are used
|
||||||
|
+ * similar to BN_BLINDING_invert_ex() arguments.
|
||||||
|
+ * to_mod is RSA modulus.
|
||||||
|
+ * buf and num is the serialization buffer and its length.
|
||||||
|
+ *
|
||||||
|
+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished
|
||||||
|
+ * we serialize the new structure instead of BIGNUMs taking endianness into account.
|
||||||
|
+ */
|
||||||
|
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
||||||
|
+ const BN_BLINDING *blinding,
|
||||||
|
+ const BIGNUM *possible_arg2,
|
||||||
|
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
||||||
|
+ unsigned char *buf, int num)
|
||||||
|
+{
|
||||||
|
+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
|
||||||
|
+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
|
||||||
|
+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
|
||||||
|
+ size_t l_tmp_count = 0;
|
||||||
|
+ int ret = 0;
|
||||||
|
+ size_t i;
|
||||||
|
+ unsigned char *tmp;
|
||||||
|
+ const BIGNUM *arg1 = intermediate;
|
||||||
|
+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
|
||||||
|
+
|
||||||
|
+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||||
|
+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||||
|
+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||||
|
+
|
||||||
|
+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
|
||||||
|
+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
||||||
|
+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
||||||
|
+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
|
||||||
|
+
|
||||||
|
+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ BN_to_limb(arg1, l_im, l_size);
|
||||||
|
+ BN_to_limb(arg2, l_mul, l_size);
|
||||||
|
+ BN_to_limb(to_mod, l_mod, l_mod_count);
|
||||||
|
+
|
||||||
|
+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
|
||||||
|
+
|
||||||
|
+ if (blinding->m_ctx != NULL) {
|
||||||
|
+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
|
||||||
|
+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
|
||||||
|
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
||||||
|
+ } else {
|
||||||
|
+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
|
||||||
|
+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
|
||||||
|
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ((l_ret == NULL) || (l_tmp == NULL))
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ if (blinding->m_ctx != NULL) {
|
||||||
|
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
||||||
|
+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
|
||||||
|
+ blinding->m_ctx->n0[0], l_tmp);
|
||||||
|
+ } else {
|
||||||
|
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
||||||
|
+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
|
||||||
|
+ if (num < BN_num_bytes(to_mod)) {
|
||||||
|
+ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memset(buf, 0, num);
|
||||||
|
+ tmp = buf + num - BN_num_bytes(to_mod);
|
||||||
|
+ for (i = 0; i < l_mod_count; i++) {
|
||||||
|
+#if LIMB_BYTE_SIZE == 8
|
||||||
|
+ l_buf = be64(l_ret[i]);
|
||||||
|
+#else
|
||||||
|
+ l_buf = be32(l_ret[i]);
|
||||||
|
+#endif
|
||||||
|
+ if (i == 0) {
|
||||||
|
+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
|
||||||
|
+
|
||||||
|
+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
|
||||||
|
+ tmp += delta;
|
||||||
|
+ } else {
|
||||||
|
+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
|
||||||
|
+ tmp += LIMB_BYTE_SIZE;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ ret = num;
|
||||||
|
+
|
||||||
|
+ err:
|
||||||
|
+ OPENSSL_free(l_im);
|
||||||
|
+ OPENSSL_free(l_mul);
|
||||||
|
+ OPENSSL_free(l_mod);
|
||||||
|
+ OPENSSL_free(l_tmp);
|
||||||
|
+ OPENSSL_free(l_ret);
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||||
|
index 9f91a4a811..ba3a46d5b9 100644
|
||||||
|
--- a/crypto/err/openssl.txt
|
||||||
|
+++ b/crypto/err/openssl.txt
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
+# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
|
# this file except in compliance with the License. You can obtain a copy
|
||||||
|
@@ -232,6 +232,7 @@ BN_F_BN_RSHIFT:146:BN_rshift
|
||||||
|
BN_F_BN_SET_WORDS:144:bn_set_words
|
||||||
|
BN_F_BN_STACK_PUSH:148:BN_STACK_push
|
||||||
|
BN_F_BN_USUB:115:BN_usub
|
||||||
|
+BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind
|
||||||
|
BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow
|
||||||
|
BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean
|
||||||
|
BUF_F_BUF_MEM_NEW:101:BUF_MEM_new
|
||||||
|
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
|
||||||
|
index b52a66f6a6..6c3c0cf78d 100644
|
||||||
|
--- a/crypto/rsa/rsa_ossl.c
|
||||||
|
+++ b/crypto/rsa/rsa_ossl.c
|
||||||
|
@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
||||||
|
BN_free(d);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (blinding)
|
||||||
|
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
||||||
|
+ if (blinding) {
|
||||||
|
+ /*
|
||||||
|
+ * ossl_bn_rsa_do_unblind() combines blinding inversion and
|
||||||
|
+ * 0-padded BN BE serialization
|
||||||
|
+ */
|
||||||
|
+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
|
||||||
|
+ buf, num);
|
||||||
|
+ if (j == 0)
|
||||||
|
goto err;
|
||||||
|
-
|
||||||
|
- j = BN_bn2binpad(ret, buf, num);
|
||||||
|
+ } else {
|
||||||
|
+ j = BN_bn2binpad(ret, buf, num);
|
||||||
|
+ if (j < 0)
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
switch (padding) {
|
||||||
|
case RSA_PKCS1_PADDING:
|
||||||
|
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
|
||||||
|
index 60afda1dad..b5f36fb25a 100644
|
||||||
|
--- a/include/crypto/bn.h
|
||||||
|
+++ b/include/crypto/bn.h
|
||||||
|
@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
|
||||||
|
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
|
||||||
|
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
|
||||||
|
const BIGNUM *d, BN_CTX *ctx);
|
||||||
|
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
||||||
|
+ const BN_BLINDING *blinding,
|
||||||
|
+ const BIGNUM *possible_arg2,
|
||||||
|
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
||||||
|
+ unsigned char *buf, int num);
|
||||||
|
|
||||||
|
#endif
|
||||||
|
diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h
|
||||||
|
index 9f3c7cfaab..a0752cea52 100644
|
||||||
|
--- a/include/openssl/bnerr.h
|
||||||
|
+++ b/include/openssl/bnerr.h
|
||||||
|
@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void);
|
||||||
|
# define BN_F_BN_SET_WORDS 144
|
||||||
|
# define BN_F_BN_STACK_PUSH 148
|
||||||
|
# define BN_F_BN_USUB 115
|
||||||
|
+# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151
|
||||||
|
|
||||||
|
/*
|
||||||
|
* BN reason codes.
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
103
SOURCES/openssl-1.1.1-cve-2022-4450-PEM-bio.patch
Normal file
103
SOURCES/openssl-1.1.1-cve-2022-4450-PEM-bio.patch
Normal file
@ -0,0 +1,103 @@
|
|||||||
|
From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matt Caswell <matt@openssl.org>
|
||||||
|
Date: Tue, 13 Dec 2022 14:54:55 +0000
|
||||||
|
Subject: [PATCH 2/6] Avoid dangling ptrs in header and data params for
|
||||||
|
PEM_read_bio_ex
|
||||||
|
|
||||||
|
In the event of a failure in PEM_read_bio_ex() we free the buffers we
|
||||||
|
allocated for the header and data buffers. However we were not clearing
|
||||||
|
the ptrs stored in *header and *data. Since, on success, the caller is
|
||||||
|
responsible for freeing these ptrs this can potentially lead to a double
|
||||||
|
free if the caller frees them even on failure.
|
||||||
|
|
||||||
|
Thanks to Dawei Wang for reporting this issue.
|
||||||
|
|
||||||
|
Based on a proposed patch by Kurt Roeckx.
|
||||||
|
|
||||||
|
CVE-2022-4450
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||||
|
---
|
||||||
|
crypto/pem/pem_lib.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
|
||||||
|
index d416d939ea..328c30cdbb 100644
|
||||||
|
--- a/crypto/pem/pem_lib.c
|
||||||
|
+++ b/crypto/pem/pem_lib.c
|
||||||
|
@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
|
||||||
|
*data = pem_malloc(len, flags);
|
||||||
|
if (*header == NULL || *data == NULL) {
|
||||||
|
pem_free(*header, flags, 0);
|
||||||
|
+ *header = NULL;
|
||||||
|
pem_free(*data, flags, 0);
|
||||||
|
+ *data = NULL;
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
BIO_read(headerB, *header, headerlen);
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
||||||
|
From 2bd611267868a008afa576846ba71566bd0d4d15 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matt Caswell <matt@openssl.org>
|
||||||
|
Date: Tue, 13 Dec 2022 15:02:26 +0000
|
||||||
|
Subject: [PATCH 3/6] Add a test for CVE-2022-4450
|
||||||
|
|
||||||
|
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
|
||||||
|
ptrs and therefore there should be no double free if we free the ptrs on
|
||||||
|
error.
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||||
|
---
|
||||||
|
test/pemtest.c | 30 ++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 30 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/test/pemtest.c b/test/pemtest.c
|
||||||
|
index 3203d976be..edeb0a1205 100644
|
||||||
|
--- a/test/pemtest.c
|
||||||
|
+++ b/test/pemtest.c
|
||||||
|
@@ -83,9 +83,39 @@ static int test_invalid(void)
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int test_empty_payload(void)
|
||||||
|
+{
|
||||||
|
+ BIO *b;
|
||||||
|
+ static char *emptypay =
|
||||||
|
+ "-----BEGIN CERTIFICATE-----\n"
|
||||||
|
+ "-\n" /* Base64 EOF character */
|
||||||
|
+ "-----END CERTIFICATE-----";
|
||||||
|
+ char *name = NULL, *header = NULL;
|
||||||
|
+ unsigned char *data = NULL;
|
||||||
|
+ long len;
|
||||||
|
+ int ret = 0;
|
||||||
|
+
|
||||||
|
+ b = BIO_new_mem_buf(emptypay, strlen(emptypay));
|
||||||
|
+ if (!TEST_ptr(b))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ /* Expected to fail because the payload is empty */
|
||||||
|
+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ ret = 1;
|
||||||
|
+ err:
|
||||||
|
+ OPENSSL_free(name);
|
||||||
|
+ OPENSSL_free(header);
|
||||||
|
+ OPENSSL_free(data);
|
||||||
|
+ BIO_free(b);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int setup_tests(void)
|
||||||
|
{
|
||||||
|
ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
|
||||||
|
ADD_TEST(test_invalid);
|
||||||
|
+ ADD_TEST(test_empty_payload);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
186
SOURCES/openssl-1.1.1-cve-2023-0215-BIO-UAF.patch
Normal file
186
SOURCES/openssl-1.1.1-cve-2023-0215-BIO-UAF.patch
Normal file
@ -0,0 +1,186 @@
|
|||||||
|
From c3829dd8825c654652201e16f8a0a0c46ee3f344 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matt Caswell <matt@openssl.org>
|
||||||
|
Date: Wed, 14 Dec 2022 16:18:14 +0000
|
||||||
|
Subject: [PATCH 4/6] Fix a UAF resulting from a bug in BIO_new_NDEF
|
||||||
|
|
||||||
|
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
|
||||||
|
be part of an invalid BIO chain. This causes a "use after free" when the
|
||||||
|
BIO is eventually freed.
|
||||||
|
|
||||||
|
Based on an original patch by Viktor Dukhovni and an idea from Theo
|
||||||
|
Buehler.
|
||||||
|
|
||||||
|
Thanks to Octavio Galland for reporting this issue.
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||||
|
---
|
||||||
|
crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++-------
|
||||||
|
1 file changed, 32 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
|
||||||
|
index 760e4846a4..f8d4b1b9aa 100644
|
||||||
|
--- a/crypto/asn1/bio_ndef.c
|
||||||
|
+++ b/crypto/asn1/bio_ndef.c
|
||||||
|
@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
|
||||||
|
static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
|
||||||
|
void *parg);
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
|
||||||
|
+ * On failure, NULL is returned and the input BIO is owned by the caller.
|
||||||
|
+ *
|
||||||
|
+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
|
||||||
|
+ */
|
||||||
|
BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||||
|
{
|
||||||
|
NDEF_SUPPORT *ndef_aux = NULL;
|
||||||
|
BIO *asn_bio = NULL;
|
||||||
|
const ASN1_AUX *aux = it->funcs;
|
||||||
|
ASN1_STREAM_ARG sarg;
|
||||||
|
+ BIO *pop_bio = NULL;
|
||||||
|
|
||||||
|
if (!aux || !aux->asn1_cb) {
|
||||||
|
ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
|
||||||
|
@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||||
|
out = BIO_push(asn_bio, out);
|
||||||
|
if (out == NULL)
|
||||||
|
goto err;
|
||||||
|
+ pop_bio = asn_bio;
|
||||||
|
|
||||||
|
- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
|
||||||
|
- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
|
||||||
|
+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
|
||||||
|
+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
|
||||||
|
+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
|
||||||
|
+ goto err;
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
|
||||||
|
- * needs.
|
||||||
|
+ * Now let the callback prepend any digest, cipher, etc., that the BIO's
|
||||||
|
+ * ASN1 structure needs.
|
||||||
|
*/
|
||||||
|
|
||||||
|
sarg.out = out;
|
||||||
|
sarg.ndef_bio = NULL;
|
||||||
|
sarg.boundary = NULL;
|
||||||
|
|
||||||
|
- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
|
||||||
|
+ /*
|
||||||
|
+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
|
||||||
|
+ * middle of some partially built, but not returned BIO chain.
|
||||||
|
+ */
|
||||||
|
+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
|
||||||
|
+ /*
|
||||||
|
+ * ndef_aux is now owned by asn_bio so we must not free it in the err
|
||||||
|
+ * clean up block
|
||||||
|
+ */
|
||||||
|
+ ndef_aux = NULL;
|
||||||
|
goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * We must not fail now because the callback has prepended additional
|
||||||
|
+ * BIOs to the chain
|
||||||
|
+ */
|
||||||
|
|
||||||
|
ndef_aux->val = val;
|
||||||
|
ndef_aux->it = it;
|
||||||
|
@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||||
|
ndef_aux->boundary = sarg.boundary;
|
||||||
|
ndef_aux->out = out;
|
||||||
|
|
||||||
|
- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
|
||||||
|
-
|
||||||
|
return sarg.ndef_bio;
|
||||||
|
|
||||||
|
err:
|
||||||
|
+ /* BIO_pop() is NULL safe */
|
||||||
|
+ (void)BIO_pop(pop_bio);
|
||||||
|
BIO_free(asn_bio);
|
||||||
|
OPENSSL_free(ndef_aux);
|
||||||
|
return NULL;
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
||||||
|
From f040f2577891d2bdb7610566c172233844cf673a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matt Caswell <matt@openssl.org>
|
||||||
|
Date: Wed, 14 Dec 2022 17:15:18 +0000
|
||||||
|
Subject: [PATCH 5/6] Check CMS failure during BIO setup with -stream is
|
||||||
|
handled correctly
|
||||||
|
|
||||||
|
Test for the issue fixed in the previous commit
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||||
|
---
|
||||||
|
test/recipes/80-test_cms.t | 15 +++++++++++++--
|
||||||
|
test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
|
||||||
|
2 files changed, 31 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 test/smime-certs/badrsa.pem
|
||||||
|
|
||||||
|
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||||
|
index 5dc6a3aebe..ec11bfc253 100644
|
||||||
|
--- a/test/recipes/80-test_cms.t
|
||||||
|
+++ b/test/recipes/80-test_cms.t
|
||||||
|
@@ -13,7 +13,7 @@ use warnings;
|
||||||
|
use POSIX;
|
||||||
|
use File::Spec::Functions qw/catfile/;
|
||||||
|
use File::Compare qw/compare_text/;
|
||||||
|
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
|
||||||
|
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
|
||||||
|
use OpenSSL::Test::Utils;
|
||||||
|
|
||||||
|
setup("test_cms");
|
||||||
|
@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt");
|
||||||
|
my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
||||||
|
= disabled qw/des dh dsa ec ec2m rc2 zlib/;
|
||||||
|
|
||||||
|
-plan tests => 6;
|
||||||
|
+plan tests => 7;
|
||||||
|
|
||||||
|
my @smime_pkcs7_tests = (
|
||||||
|
|
||||||
|
@@ -584,3 +584,14 @@ sub check_availability {
|
||||||
|
|
||||||
|
return "";
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+# Check that we get the expected failure return code
|
||||||
|
+with({ exit_checker => sub { return shift == 6; } },
|
||||||
|
+ sub {
|
||||||
|
+ ok(run(app(['openssl', 'cms', '-encrypt',
|
||||||
|
+ '-in', srctop_file("test", "smcont.txt"),
|
||||||
|
+ '-stream', '-recip',
|
||||||
|
+ srctop_file("test/smime-certs", "badrsa.pem"),
|
||||||
|
+ ])),
|
||||||
|
+ "Check failure during BIO setup with -stream is handled correctly");
|
||||||
|
+ });
|
||||||
|
diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..f824fc2267
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/test/smime-certs/badrsa.pem
|
||||||
|
@@ -0,0 +1,18 @@
|
||||||
|
+-----BEGIN CERTIFICATE-----
|
||||||
|
+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
|
||||||
|
+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
|
||||||
|
+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
|
||||||
|
+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
|
||||||
|
+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
|
||||||
|
+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
|
||||||
|
+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
|
||||||
|
+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
|
||||||
|
+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
|
||||||
|
+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
|
||||||
|
+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
|
||||||
|
+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
|
||||||
|
+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
|
||||||
|
+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
|
||||||
|
+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
|
||||||
|
+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
|
||||||
|
+-----END CERTIFICATE-----
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
63
SOURCES/openssl-1.1.1-cve-2023-0286-X400.patch
Normal file
63
SOURCES/openssl-1.1.1-cve-2023-0286-X400.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hugo Landau <hlandau@openssl.org>
|
||||||
|
Date: Tue, 17 Jan 2023 17:45:42 +0000
|
||||||
|
Subject: [PATCH 6/6] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
|
||||||
|
(1.1.1)
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||||
|
---
|
||||||
|
CHANGES | 18 +++++++++++++++++-
|
||||||
|
crypto/x509v3/v3_genn.c | 2 +-
|
||||||
|
include/openssl/x509v3.h | 2 +-
|
||||||
|
test/v3nametest.c | 8 ++++++++
|
||||||
|
4 files changed, 27 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
|
||||||
|
index 87a5eff47c..e54ddc55c9 100644
|
||||||
|
--- a/crypto/x509v3/v3_genn.c
|
||||||
|
+++ b/crypto/x509v3/v3_genn.c
|
||||||
|
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
|
||||||
|
return -1;
|
||||||
|
switch (a->type) {
|
||||||
|
case GEN_X400:
|
||||||
|
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
|
||||||
|
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case GEN_EDIPARTY:
|
||||||
|
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
|
||||||
|
index 90fa3592ce..e61c0f29d4 100644
|
||||||
|
--- a/include/openssl/x509v3.h
|
||||||
|
+++ b/include/openssl/x509v3.h
|
||||||
|
@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
|
||||||
|
OTHERNAME *otherName; /* otherName */
|
||||||
|
ASN1_IA5STRING *rfc822Name;
|
||||||
|
ASN1_IA5STRING *dNSName;
|
||||||
|
- ASN1_TYPE *x400Address;
|
||||||
|
+ ASN1_STRING *x400Address;
|
||||||
|
X509_NAME *directoryName;
|
||||||
|
EDIPARTYNAME *ediPartyName;
|
||||||
|
ASN1_IA5STRING *uniformResourceIdentifier;
|
||||||
|
diff --git a/test/v3nametest.c b/test/v3nametest.c
|
||||||
|
index d1852190b8..37819da8fd 100644
|
||||||
|
--- a/test/v3nametest.c
|
||||||
|
+++ b/test/v3nametest.c
|
||||||
|
@@ -646,6 +646,14 @@ static struct gennamedata {
|
||||||
|
0xb7, 0x09, 0x02, 0x02
|
||||||
|
},
|
||||||
|
15
|
||||||
|
+ }, {
|
||||||
|
+ /*
|
||||||
|
+ * Regression test for CVE-2023-0286.
|
||||||
|
+ */
|
||||||
|
+ {
|
||||||
|
+ 0xa3, 0x00
|
||||||
|
+ },
|
||||||
|
+ 2
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
127
SOURCES/openssl-1.1.1-cve-2023-3446.patch
Normal file
127
SOURCES/openssl-1.1.1-cve-2023-3446.patch
Normal file
@ -0,0 +1,127 @@
|
|||||||
|
From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matt Caswell <matt@openssl.org>
|
||||||
|
Date: Thu, 6 Jul 2023 16:36:35 +0100
|
||||||
|
Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
|
||||||
|
|
||||||
|
The DH_check() function checks numerous aspects of the key or parameters
|
||||||
|
that have been supplied. Some of those checks use the supplied modulus
|
||||||
|
value even if it is excessively large.
|
||||||
|
|
||||||
|
There is already a maximum DH modulus size (10,000 bits) over which
|
||||||
|
OpenSSL will not generate or derive keys. DH_check() will however still
|
||||||
|
perform various tests for validity on such a large modulus. We introduce a
|
||||||
|
new maximum (32,768) over which DH_check() will just fail.
|
||||||
|
|
||||||
|
An application that calls DH_check() and supplies a key or parameters
|
||||||
|
obtained from an untrusted source could be vulnerable to a Denial of
|
||||||
|
Service attack.
|
||||||
|
|
||||||
|
The function DH_check() is itself called by a number of other OpenSSL
|
||||||
|
functions. An application calling any of those other functions may
|
||||||
|
similarly be affected. The other functions affected by this are
|
||||||
|
DH_check_ex() and EVP_PKEY_param_check().
|
||||||
|
|
||||||
|
CVE-2023-3446
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
|
||||||
|
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
|
||||||
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||||
|
(Merged from https://github.com/openssl/openssl/pull/21452)
|
||||||
|
|
||||||
|
Upstream-Status: Backport [8780a896543a654e757db1b9396383f9d8095528]
|
||||||
|
---
|
||||||
|
crypto/dh/dh_check.c | 6 ++++++
|
||||||
|
crypto/dh/dh_err.c | 3 ++-
|
||||||
|
crypto/err/openssl.txt | 3 ++-
|
||||||
|
include/openssl/dh.h | 3 +++
|
||||||
|
include/openssl/dherr.h | 3 ++-
|
||||||
|
5 files changed, 15 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||||
|
index 4ac169e75c..e5f9dd5030 100644
|
||||||
|
--- a/crypto/dh/dh_check.c
|
||||||
|
+++ b/crypto/dh/dh_check.c
|
||||||
|
@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret)
|
||||||
|
BN_CTX *ctx = NULL;
|
||||||
|
BIGNUM *t1 = NULL, *t2 = NULL;
|
||||||
|
|
||||||
|
+ /* Don't do any checks at all with an excessively large modulus */
|
||||||
|
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
||||||
|
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (!DH_check_params(dh, ret))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
|
||||||
|
index 7285587b4a..92800d3fcc 100644
|
||||||
|
--- a/crypto/dh/dh_err.c
|
||||||
|
+++ b/crypto/dh/dh_err.c
|
||||||
|
@@ -1,6 +1,6 @@
|
||||||
|
/*
|
||||||
|
* Generated by util/mkerr.pl DO NOT EDIT
|
||||||
|
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
|
||||||
|
{ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
|
||||||
|
{ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
|
||||||
|
"dh_builtin_genparams"},
|
||||||
|
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
|
||||||
|
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
|
||||||
|
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
|
||||||
|
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
|
||||||
|
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||||
|
index 9f91a4a811..c0a3cd720b 100644
|
||||||
|
--- a/crypto/err/openssl.txt
|
||||||
|
+++ b/crypto/err/openssl.txt
|
||||||
|
@@ -402,6 +402,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
|
||||||
|
DH_F_COMPUTE_KEY:102:compute_key
|
||||||
|
DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
|
||||||
|
DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
|
||||||
|
+DH_F_DH_CHECK:126:DH_check
|
||||||
|
DH_F_DH_CHECK_EX:121:DH_check_ex
|
||||||
|
DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
|
||||||
|
DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
|
||||||
|
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
|
||||||
|
index 3527540cdd..892e31559d 100644
|
||||||
|
--- a/include/openssl/dh.h
|
||||||
|
+++ b/include/openssl/dh.h
|
||||||
|
@@ -29,6 +29,9 @@ extern "C" {
|
||||||
|
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
|
||||||
|
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
|
||||||
|
# endif
|
||||||
|
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
|
||||||
|
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
|
||||||
|
+# endif
|
||||||
|
|
||||||
|
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
|
||||||
|
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
|
||||||
|
|
||||||
|
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
|
||||||
|
index 916b3bed0b..528c819856 100644
|
||||||
|
--- a/include/openssl/dherr.h
|
||||||
|
+++ b/include/openssl/dherr.h
|
||||||
|
@@ -1,6 +1,6 @@
|
||||||
|
/*
|
||||||
|
* Generated by util/mkerr.pl DO NOT EDIT
|
||||||
|
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
*
|
||||||
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
|
@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
|
||||||
|
# define DH_F_COMPUTE_KEY 102
|
||||||
|
# define DH_F_DHPARAMS_PRINT_FP 101
|
||||||
|
# define DH_F_DH_BUILTIN_GENPARAMS 106
|
||||||
|
+# define DH_F_DH_CHECK 126
|
||||||
|
# define DH_F_DH_CHECK_EX 121
|
||||||
|
# define DH_F_DH_CHECK_PARAMS_EX 122
|
||||||
|
# define DH_F_DH_CHECK_PUB_KEY_EX 123
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
60
SOURCES/openssl-1.1.1-cve-2023-3817.patch
Normal file
60
SOURCES/openssl-1.1.1-cve-2023-3817.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Fri, 21 Jul 2023 11:39:41 +0200
|
||||||
|
Subject: [PATCH] DH_check(): Do not try checking q properties if it is
|
||||||
|
obviously invalid
|
||||||
|
|
||||||
|
If |q| >= |p| then the q value is obviously wrong as q
|
||||||
|
is supposed to be a prime divisor of p-1.
|
||||||
|
|
||||||
|
We check if p is overly large so this added test implies that
|
||||||
|
q is not large either when performing subsequent tests using that
|
||||||
|
q value.
|
||||||
|
|
||||||
|
Otherwise if it is too large these additional checks of the q value
|
||||||
|
such as the primality test can then trigger DoS by doing overly long
|
||||||
|
computations.
|
||||||
|
|
||||||
|
Fixes CVE-2023-3817
|
||||||
|
|
||||||
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
(Merged from https://github.com/openssl/openssl/pull/21551)
|
||||||
|
|
||||||
|
Upstream-Status: Backport [91ddeba0f2269b017dc06c46c993a788974b1aa5]
|
||||||
|
---
|
||||||
|
crypto/dh/dh_check.c | 11 +++++++++--
|
||||||
|
1 file changed, 9 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||||
|
index 2001d2e7cb..9ae96991eb 100644
|
||||||
|
--- a/crypto/dh/dh_check.c
|
||||||
|
+++ b/crypto/dh/dh_check.c
|
||||||
|
@@ -105,7 +105,7 @@ int DH_check_ex(const DH *dh)
|
||||||
|
/* Note: according to documentation - this only checks the params */
|
||||||
|
int DH_check(const DH *dh, int *ret)
|
||||||
|
{
|
||||||
|
- int ok = 0, r;
|
||||||
|
+ int ok = 0, r, q_good = 0;
|
||||||
|
BN_CTX *ctx = NULL;
|
||||||
|
BIGNUM *t1 = NULL, *t2 = NULL;
|
||||||
|
|
||||||
|
@@ -130,7 +130,14 @@ int DH_check(const DH *dh, int *ret)
|
||||||
|
if (t2 == NULL)
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
- if (dh->q) {
|
||||||
|
+ if (dh->q != NULL) {
|
||||||
|
+ if (BN_ucmp(dh->p, dh->q) > 0)
|
||||||
|
+ q_good = 1;
|
||||||
|
+ else
|
||||||
|
+ *ret |= DH_CHECK_INVALID_Q_VALUE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (q_good) {
|
||||||
|
if (BN_cmp(dh->g, BN_value_one()) <= 0)
|
||||||
|
*ret |= DH_NOT_SUITABLE_GENERATOR;
|
||||||
|
else if (BN_cmp(dh->g, dh->p) >= 0)
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
154
SOURCES/openssl-1.1.1-cve-2023-5678.patch
Normal file
154
SOURCES/openssl-1.1.1-cve-2023-5678.patch
Normal file
@ -0,0 +1,154 @@
|
|||||||
|
From 0814467cc1b6a2839877277d3efa69cdd4582dd7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Richard Levitte <levitte@openssl.org>
|
||||||
|
Date: Fri, 20 Oct 2023 09:18:19 +0200
|
||||||
|
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
|
||||||
|
|
||||||
|
We already check for an excessively large P in DH_generate_key(), but not in
|
||||||
|
DH_check_pub_key(), and none of them check for an excessively large Q.
|
||||||
|
|
||||||
|
This change adds all the missing excessive size checks of P and Q.
|
||||||
|
|
||||||
|
It's to be noted that behaviours surrounding excessively sized P and Q
|
||||||
|
differ. DH_check() raises an error on the excessively sized P, but only
|
||||||
|
sets a flag for the excessively sized Q. This behaviour is mimicked in
|
||||||
|
DH_check_pub_key().
|
||||||
|
|
||||||
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||||
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||||
|
(Merged from https://github.com/openssl/openssl/pull/22518)
|
||||||
|
|
||||||
|
(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
|
||||||
|
Backported-by: Clemens Lang <cllang@redhat.com>
|
||||||
|
---
|
||||||
|
crypto/dh/dh_check.c | 17 +++++++++++++++++
|
||||||
|
crypto/dh/dh_err.c | 1 +
|
||||||
|
crypto/dh/dh_key.c | 10 ++++++++++
|
||||||
|
crypto/err/openssl.txt | 1 +
|
||||||
|
include/openssl/dh.h | 6 ++++--
|
||||||
|
include/openssl/dherr.h | 1 +
|
||||||
|
6 files changed, 34 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||||
|
index ae1b03bc92..424a3bb4cd 100644
|
||||||
|
--- a/crypto/dh/dh_check.c
|
||||||
|
+++ b/crypto/dh/dh_check.c
|
||||||
|
@@ -198,10 +198,27 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
|
||||||
|
BN_CTX *ctx = NULL;
|
||||||
|
|
||||||
|
*ret = 0;
|
||||||
|
+
|
||||||
|
ctx = BN_CTX_new();
|
||||||
|
if (ctx == NULL)
|
||||||
|
goto err;
|
||||||
|
BN_CTX_start(ctx);
|
||||||
|
+
|
||||||
|
+ /* Don't do any checks at all with an excessively large modulus */
|
||||||
|
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
||||||
|
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
|
||||||
|
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
|
||||||
|
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
|
||||||
|
+ /* This may look strange here, but returning 1 after setting ret is
|
||||||
|
+ * correct. See also the behavior of the pub_key^q == 1 mod p check
|
||||||
|
+ * further down, which behaves in the same way. */
|
||||||
|
+ ok = 1;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
tmp = BN_CTX_get(ctx);
|
||||||
|
if (tmp == NULL || !BN_set_word(tmp, 1))
|
||||||
|
goto err;
|
||||||
|
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
|
||||||
|
index 92800d3fcc..b3b1e7a706 100644
|
||||||
|
--- a/crypto/dh/dh_err.c
|
||||||
|
+++ b/crypto/dh/dh_err.c
|
||||||
|
@@ -87,6 +87,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
|
||||||
|
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
|
||||||
|
"parameter encoding error"},
|
||||||
|
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
|
||||||
|
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
|
||||||
|
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
|
||||||
|
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
|
||||||
|
"unable to check generator"},
|
||||||
|
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
||||||
|
index 117f2fa883..9f5e6f6d4c 100644
|
||||||
|
--- a/crypto/dh/dh_key.c
|
||||||
|
+++ b/crypto/dh/dh_key.c
|
||||||
|
@@ -140,6 +140,11 @@ static int generate_key(DH *dh)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||||
|
+ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ctx = BN_CTX_new();
|
||||||
|
if (ctx == NULL)
|
||||||
|
goto err;
|
||||||
|
@@ -250,6 +255,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||||
|
DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||||
|
+ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
if (FIPS_mode()
|
||||||
|
&& (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
|
||||||
|
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||||
|
index c0a3cd720b..5e0ff47516 100644
|
||||||
|
--- a/crypto/err/openssl.txt
|
||||||
|
+++ b/crypto/err/openssl.txt
|
||||||
|
@@ -2151,6 +2151,7 @@DH_R_NO_PARAMETERS_SET:107:no parameters set
|
||||||
|
DH_R_NO_PRIVATE_VALUE:100:no private value
|
||||||
|
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
|
||||||
|
DH_R_PEER_KEY_ERROR:111:peer key error
|
||||||
|
+DH_R_Q_TOO_LARGE:130:q too large
|
||||||
|
DH_R_SHARED_INFO_ERROR:113:shared info error
|
||||||
|
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
|
||||||
|
DSA_R_BAD_Q_VALUE:102:bad q value
|
||||||
|
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
|
||||||
|
index 6c6ff3636a..b7df43b44f 100644
|
||||||
|
--- a/include/openssl/dh.h
|
||||||
|
+++ b/include/openssl/dh.h
|
||||||
|
@@ -72,14 +72,16 @@ DECLARE_ASN1_ITEM(DHparams)
|
||||||
|
/* #define DH_GENERATOR_3 3 */
|
||||||
|
# define DH_GENERATOR_5 5
|
||||||
|
|
||||||
|
-/* DH_check error codes */
|
||||||
|
+/* DH_check error codes, some of them shared with DH_check_pub_key */
|
||||||
|
# define DH_CHECK_P_NOT_PRIME 0x01
|
||||||
|
# define DH_CHECK_P_NOT_SAFE_PRIME 0x02
|
||||||
|
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
|
||||||
|
# define DH_NOT_SUITABLE_GENERATOR 0x08
|
||||||
|
# define DH_CHECK_Q_NOT_PRIME 0x10
|
||||||
|
-# define DH_CHECK_INVALID_Q_VALUE 0x20
|
||||||
|
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
|
||||||
|
# define DH_CHECK_INVALID_J_VALUE 0x40
|
||||||
|
+/* DH_MODULUS_TOO_SMALL is 0x80 upstream */
|
||||||
|
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
|
||||||
|
|
||||||
|
/* DH_check_pub_key error codes */
|
||||||
|
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
|
||||||
|
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
|
||||||
|
index 528c819856..d66c35aa8e 100644
|
||||||
|
--- a/include/openssl/dherr.h
|
||||||
|
+++ b/include/openssl/dherr.h
|
||||||
|
@@ -87,6 +87,7 @@ int ERR_load_DH_strings(void);
|
||||||
|
# define DH_R_NON_FIPS_METHOD 202
|
||||||
|
# define DH_R_PARAMETER_ENCODING_ERROR 105
|
||||||
|
# define DH_R_PEER_KEY_ERROR 111
|
||||||
|
+# define DH_R_Q_TOO_LARGE 130
|
||||||
|
# define DH_R_SHARED_INFO_ERROR 113
|
||||||
|
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -1,21 +1,7 @@
|
|||||||
From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001
|
diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cnf
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
--- openssl-1.1.1a/apps/openssl.cnf.defaults 2018-11-20 14:35:37.000000000 +0100
|
||||||
Date: Thu, 24 Sep 2020 09:03:40 +0200
|
+++ openssl-1.1.1a/apps/openssl.cnf 2019-01-15 13:56:50.841719776 +0100
|
||||||
Subject: Use more general default values in openssl.cnf
|
@@ -74,7 +74,7 @@ cert_opt = ca_default # Certificate fi
|
||||||
|
|
||||||
Also set sha256 as default hash, although that should not be
|
|
||||||
necessary anymore.
|
|
||||||
|
|
||||||
(was openssl-1.1.1-defaults.patch)
|
|
||||||
---
|
|
||||||
apps/openssl.cnf | 12 +++++++-----
|
|
||||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
|
|
||||||
index 97567a67be..eb25a0ac48 100644
|
|
||||||
--- a/apps/openssl.cnf
|
|
||||||
+++ b/apps/openssl.cnf
|
|
||||||
@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options
|
|
||||||
|
|
||||||
default_days = 365 # how long to certify for
|
default_days = 365 # how long to certify for
|
||||||
default_crl_days= 30 # how long before next CRL
|
default_crl_days= 30 # how long before next CRL
|
||||||
@ -24,7 +10,7 @@ index 97567a67be..eb25a0ac48 100644
|
|||||||
preserve = no # keep passed DN ordering
|
preserve = no # keep passed DN ordering
|
||||||
|
|
||||||
# A few difference way of specifying how similar the request should look
|
# A few difference way of specifying how similar the request should look
|
||||||
@@ -136,6 +136,7 @@ emailAddress = optional
|
@@ -106,6 +106,7 @@ emailAddress = optional
|
||||||
####################################################################
|
####################################################################
|
||||||
[ req ]
|
[ req ]
|
||||||
default_bits = 2048
|
default_bits = 2048
|
||||||
@ -32,7 +18,7 @@ index 97567a67be..eb25a0ac48 100644
|
|||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
attributes = req_attributes
|
attributes = req_attributes
|
||||||
@@ -158,17 +159,18 @@ string_mask = utf8only
|
@@ -128,17 +129,18 @@ string_mask = utf8only
|
||||||
|
|
||||||
[ req_distinguished_name ]
|
[ req_distinguished_name ]
|
||||||
countryName = Country Name (2 letter code)
|
countryName = Country Name (2 letter code)
|
||||||
@ -54,7 +40,7 @@ index 97567a67be..eb25a0ac48 100644
|
|||||||
|
|
||||||
# we can do this but it is not needed normally :-)
|
# we can do this but it is not needed normally :-)
|
||||||
#1.organizationName = Second Organization Name (eg, company)
|
#1.organizationName = Second Organization Name (eg, company)
|
||||||
@@ -177,7 +179,7 @@ localityName = Locality Name (eg, city)
|
@@ -147,7 +149,7 @@ localityName = Locality Name (eg, city
|
||||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||||
#organizationalUnitName_default =
|
#organizationalUnitName_default =
|
||||||
|
|
||||||
@ -63,6 +49,3 @@ index 97567a67be..eb25a0ac48 100644
|
|||||||
commonName_max = 64
|
commonName_max = 64
|
||||||
|
|
||||||
emailAddress = Email Address
|
emailAddress = Email Address
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
34
SOURCES/openssl-1.1.1-detected-addr-ipv6.patch
Normal file
34
SOURCES/openssl-1.1.1-detected-addr-ipv6.patch
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
diff -up openssl-1.1.1k/apps/s_socket.c.addr-ipv6 openssl-1.1.1k/apps/s_socket.c
|
||||||
|
--- openssl-1.1.1k/apps/s_socket.c.addr-ipv6 2021-07-16 15:14:08.491986682 +0200
|
||||||
|
+++ openssl-1.1.1k/apps/s_socket.c 2021-07-16 15:23:21.271329197 +0200
|
||||||
|
@@ -214,6 +214,8 @@ int do_server(int *accept_sock, const ch
|
||||||
|
const BIO_ADDRINFO *next;
|
||||||
|
int sock_family, sock_type, sock_protocol, sock_port;
|
||||||
|
const BIO_ADDR *sock_address;
|
||||||
|
+ int sock_family_fallback = AF_UNSPEC;
|
||||||
|
+ const BIO_ADDR *sock_address_fallback = NULL;
|
||||||
|
int sock_options = BIO_SOCK_REUSEADDR;
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
@@ -244,6 +246,10 @@ int do_server(int *accept_sock, const ch
|
||||||
|
&& BIO_ADDRINFO_protocol(next) == sock_protocol) {
|
||||||
|
if (sock_family == AF_INET
|
||||||
|
&& BIO_ADDRINFO_family(next) == AF_INET6) {
|
||||||
|
+ /* In case AF_INET6 is returned but not supported by the
|
||||||
|
+ * kernel, retry with the first detected address family */
|
||||||
|
+ sock_family_fallback = sock_family;
|
||||||
|
+ sock_address_fallback = sock_address;
|
||||||
|
sock_family = AF_INET6;
|
||||||
|
sock_address = BIO_ADDRINFO_address(next);
|
||||||
|
} else if (sock_family == AF_INET6
|
||||||
|
@@ -253,6 +259,10 @@ int do_server(int *accept_sock, const ch
|
||||||
|
}
|
||||||
|
|
||||||
|
asock = BIO_socket(sock_family, sock_type, sock_protocol, 0);
|
||||||
|
+ if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) {
|
||||||
|
+ asock = BIO_socket(sock_family_fallback, sock_type, sock_protocol, 0);
|
||||||
|
+ sock_address = sock_address_fallback;
|
||||||
|
+ }
|
||||||
|
if (asock == INVALID_SOCKET
|
||||||
|
|| !BIO_listen(asock, sock_address, sock_options)) {
|
||||||
|
BIO_ADDRINFO_free(res);
|
266
SOURCES/openssl-1.1.1-ec-curves.patch
Normal file
266
SOURCES/openssl-1.1.1-ec-curves.patch
Normal file
@ -0,0 +1,266 @@
|
|||||||
|
diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
|
||||||
|
--- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200
|
||||||
|
+++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100
|
||||||
|
@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
|
||||||
|
#endif /* OPENSSL_NO_RSA */
|
||||||
|
|
||||||
|
enum {
|
||||||
|
- R_EC_P160,
|
||||||
|
- R_EC_P192,
|
||||||
|
R_EC_P224,
|
||||||
|
R_EC_P256,
|
||||||
|
R_EC_P384,
|
||||||
|
R_EC_P521,
|
||||||
|
-#ifndef OPENSSL_NO_EC2M
|
||||||
|
- R_EC_K163,
|
||||||
|
- R_EC_K233,
|
||||||
|
- R_EC_K283,
|
||||||
|
- R_EC_K409,
|
||||||
|
- R_EC_K571,
|
||||||
|
- R_EC_B163,
|
||||||
|
- R_EC_B233,
|
||||||
|
- R_EC_B283,
|
||||||
|
- R_EC_B409,
|
||||||
|
- R_EC_B571,
|
||||||
|
-#endif
|
||||||
|
- R_EC_BRP256R1,
|
||||||
|
- R_EC_BRP256T1,
|
||||||
|
- R_EC_BRP384R1,
|
||||||
|
- R_EC_BRP384T1,
|
||||||
|
- R_EC_BRP512R1,
|
||||||
|
- R_EC_BRP512T1,
|
||||||
|
R_EC_X25519,
|
||||||
|
R_EC_X448
|
||||||
|
};
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
static OPT_PAIR ecdsa_choices[] = {
|
||||||
|
- {"ecdsap160", R_EC_P160},
|
||||||
|
- {"ecdsap192", R_EC_P192},
|
||||||
|
{"ecdsap224", R_EC_P224},
|
||||||
|
{"ecdsap256", R_EC_P256},
|
||||||
|
{"ecdsap384", R_EC_P384},
|
||||||
|
{"ecdsap521", R_EC_P521},
|
||||||
|
-# ifndef OPENSSL_NO_EC2M
|
||||||
|
- {"ecdsak163", R_EC_K163},
|
||||||
|
- {"ecdsak233", R_EC_K233},
|
||||||
|
- {"ecdsak283", R_EC_K283},
|
||||||
|
- {"ecdsak409", R_EC_K409},
|
||||||
|
- {"ecdsak571", R_EC_K571},
|
||||||
|
- {"ecdsab163", R_EC_B163},
|
||||||
|
- {"ecdsab233", R_EC_B233},
|
||||||
|
- {"ecdsab283", R_EC_B283},
|
||||||
|
- {"ecdsab409", R_EC_B409},
|
||||||
|
- {"ecdsab571", R_EC_B571},
|
||||||
|
-# endif
|
||||||
|
- {"ecdsabrp256r1", R_EC_BRP256R1},
|
||||||
|
- {"ecdsabrp256t1", R_EC_BRP256T1},
|
||||||
|
- {"ecdsabrp384r1", R_EC_BRP384R1},
|
||||||
|
- {"ecdsabrp384t1", R_EC_BRP384T1},
|
||||||
|
- {"ecdsabrp512r1", R_EC_BRP512R1},
|
||||||
|
- {"ecdsabrp512t1", R_EC_BRP512T1}
|
||||||
|
};
|
||||||
|
# define ECDSA_NUM OSSL_NELEM(ecdsa_choices)
|
||||||
|
|
||||||
|
static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */
|
||||||
|
|
||||||
|
static const OPT_PAIR ecdh_choices[] = {
|
||||||
|
- {"ecdhp160", R_EC_P160},
|
||||||
|
- {"ecdhp192", R_EC_P192},
|
||||||
|
{"ecdhp224", R_EC_P224},
|
||||||
|
{"ecdhp256", R_EC_P256},
|
||||||
|
{"ecdhp384", R_EC_P384},
|
||||||
|
{"ecdhp521", R_EC_P521},
|
||||||
|
-# ifndef OPENSSL_NO_EC2M
|
||||||
|
- {"ecdhk163", R_EC_K163},
|
||||||
|
- {"ecdhk233", R_EC_K233},
|
||||||
|
- {"ecdhk283", R_EC_K283},
|
||||||
|
- {"ecdhk409", R_EC_K409},
|
||||||
|
- {"ecdhk571", R_EC_K571},
|
||||||
|
- {"ecdhb163", R_EC_B163},
|
||||||
|
- {"ecdhb233", R_EC_B233},
|
||||||
|
- {"ecdhb283", R_EC_B283},
|
||||||
|
- {"ecdhb409", R_EC_B409},
|
||||||
|
- {"ecdhb571", R_EC_B571},
|
||||||
|
-# endif
|
||||||
|
- {"ecdhbrp256r1", R_EC_BRP256R1},
|
||||||
|
- {"ecdhbrp256t1", R_EC_BRP256T1},
|
||||||
|
- {"ecdhbrp384r1", R_EC_BRP384R1},
|
||||||
|
- {"ecdhbrp384t1", R_EC_BRP384T1},
|
||||||
|
- {"ecdhbrp512r1", R_EC_BRP512R1},
|
||||||
|
- {"ecdhbrp512t1", R_EC_BRP512T1},
|
||||||
|
{"ecdhx25519", R_EC_X25519},
|
||||||
|
{"ecdhx448", R_EC_X448}
|
||||||
|
};
|
||||||
|
@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
|
||||||
|
unsigned int bits;
|
||||||
|
} test_curves[] = {
|
||||||
|
/* Prime Curves */
|
||||||
|
- {"secp160r1", NID_secp160r1, 160},
|
||||||
|
- {"nistp192", NID_X9_62_prime192v1, 192},
|
||||||
|
{"nistp224", NID_secp224r1, 224},
|
||||||
|
{"nistp256", NID_X9_62_prime256v1, 256},
|
||||||
|
{"nistp384", NID_secp384r1, 384},
|
||||||
|
{"nistp521", NID_secp521r1, 521},
|
||||||
|
-# ifndef OPENSSL_NO_EC2M
|
||||||
|
- /* Binary Curves */
|
||||||
|
- {"nistk163", NID_sect163k1, 163},
|
||||||
|
- {"nistk233", NID_sect233k1, 233},
|
||||||
|
- {"nistk283", NID_sect283k1, 283},
|
||||||
|
- {"nistk409", NID_sect409k1, 409},
|
||||||
|
- {"nistk571", NID_sect571k1, 571},
|
||||||
|
- {"nistb163", NID_sect163r2, 163},
|
||||||
|
- {"nistb233", NID_sect233r1, 233},
|
||||||
|
- {"nistb283", NID_sect283r1, 283},
|
||||||
|
- {"nistb409", NID_sect409r1, 409},
|
||||||
|
- {"nistb571", NID_sect571r1, 571},
|
||||||
|
-# endif
|
||||||
|
- {"brainpoolP256r1", NID_brainpoolP256r1, 256},
|
||||||
|
- {"brainpoolP256t1", NID_brainpoolP256t1, 256},
|
||||||
|
- {"brainpoolP384r1", NID_brainpoolP384r1, 384},
|
||||||
|
- {"brainpoolP384t1", NID_brainpoolP384t1, 384},
|
||||||
|
- {"brainpoolP512r1", NID_brainpoolP512r1, 512},
|
||||||
|
- {"brainpoolP512t1", NID_brainpoolP512t1, 512},
|
||||||
|
/* Other and ECDH only ones */
|
||||||
|
{"X25519", NID_X25519, 253},
|
||||||
|
{"X448", NID_X448, 448}
|
||||||
|
@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
|
||||||
|
# endif
|
||||||
|
|
||||||
|
# ifndef OPENSSL_NO_EC
|
||||||
|
- ecdsa_c[R_EC_P160][0] = count / 1000;
|
||||||
|
- ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
|
||||||
|
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
|
||||||
|
+ ecdsa_c[R_EC_P224][0] = count / 1000;
|
||||||
|
+ ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
|
||||||
|
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
|
||||||
|
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
|
||||||
|
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
|
||||||
|
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
|
||||||
|
@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
-# ifndef OPENSSL_NO_EC2M
|
||||||
|
+# if 0
|
||||||
|
ecdsa_c[R_EC_K163][0] = count / 1000;
|
||||||
|
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
|
||||||
|
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
||||||
|
@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
|
||||||
|
}
|
||||||
|
# endif
|
||||||
|
|
||||||
|
- ecdh_c[R_EC_P160][0] = count / 1000;
|
||||||
|
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
|
||||||
|
+ ecdh_c[R_EC_P224][0] = count / 1000;
|
||||||
|
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
|
||||||
|
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
||||||
|
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
|
||||||
|
ecdh_doit[i] = 0;
|
||||||
|
@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
-# ifndef OPENSSL_NO_EC2M
|
||||||
|
+# if 0
|
||||||
|
ecdh_c[R_EC_K163][0] = count / 1000;
|
||||||
|
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
||||||
|
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
||||||
|
diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
|
||||||
|
--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200
|
||||||
|
+++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100
|
||||||
|
@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (BN_num_bits(p) < 224) {
|
||||||
|
+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (ctx == NULL) {
|
||||||
|
ctx = new_ctx = BN_CTX_new();
|
||||||
|
if (ctx == NULL)
|
||||||
|
diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
|
||||||
|
--- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100
|
||||||
|
+++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100
|
||||||
|
@@ -32,23 +32,6 @@ typedef struct {
|
||||||
|
} ecdsa_cavs_kat_t;
|
||||||
|
|
||||||
|
static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
|
||||||
|
- /* prime KATs from X9.62 */
|
||||||
|
- {NID_X9_62_prime192v1, NID_sha1,
|
||||||
|
- "616263", /* "abc" */
|
||||||
|
- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
|
||||||
|
- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
|
||||||
|
- "5ca5c0d69716dfcb3474373902",
|
||||||
|
- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
|
||||||
|
- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
|
||||||
|
- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
|
||||||
|
- {NID_X9_62_prime239v1, NID_sha1,
|
||||||
|
- "616263", /* "abc" */
|
||||||
|
- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
|
||||||
|
- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
|
||||||
|
- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
|
||||||
|
- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
|
||||||
|
- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
|
||||||
|
- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
|
||||||
|
/* prime KATs from NIST CAVP */
|
||||||
|
{NID_secp224r1, NID_sha224,
|
||||||
|
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
|
||||||
|
--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100
|
||||||
|
+++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100
|
||||||
|
@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
|
||||||
|
if disabled("ec");
|
||||||
|
|
||||||
|
my @prime_curves = qw(
|
||||||
|
- secp112r1
|
||||||
|
- secp112r2
|
||||||
|
- secp128r1
|
||||||
|
- secp128r2
|
||||||
|
- secp160k1
|
||||||
|
- secp160r1
|
||||||
|
- secp160r2
|
||||||
|
- secp192k1
|
||||||
|
- secp224k1
|
||||||
|
secp224r1
|
||||||
|
secp256k1
|
||||||
|
secp384r1
|
||||||
|
secp521r1
|
||||||
|
- prime192v1
|
||||||
|
- prime192v2
|
||||||
|
- prime192v3
|
||||||
|
- prime239v1
|
||||||
|
- prime239v2
|
||||||
|
- prime239v3
|
||||||
|
prime256v1
|
||||||
|
- wap-wsg-idm-ecid-wtls6
|
||||||
|
- wap-wsg-idm-ecid-wtls7
|
||||||
|
- wap-wsg-idm-ecid-wtls8
|
||||||
|
- wap-wsg-idm-ecid-wtls9
|
||||||
|
- wap-wsg-idm-ecid-wtls12
|
||||||
|
- brainpoolP160r1
|
||||||
|
- brainpoolP160t1
|
||||||
|
- brainpoolP192r1
|
||||||
|
- brainpoolP192t1
|
||||||
|
- brainpoolP224r1
|
||||||
|
- brainpoolP224t1
|
||||||
|
- brainpoolP256r1
|
||||||
|
- brainpoolP256t1
|
||||||
|
- brainpoolP320r1
|
||||||
|
- brainpoolP320t1
|
||||||
|
- brainpoolP384r1
|
||||||
|
- brainpoolP384t1
|
||||||
|
- brainpoolP512r1
|
||||||
|
- brainpoolP512t1
|
||||||
|
);
|
||||||
|
|
||||||
|
my @binary_curves = qw(
|
||||||
|
@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
|
||||||
|
if !disabled("sm2");
|
||||||
|
|
||||||
|
my @curve_aliases = qw(
|
||||||
|
- P-192
|
||||||
|
P-224
|
||||||
|
P-256
|
||||||
|
P-384
|
57
SOURCES/openssl-1.1.1-edk2-build.patch
Normal file
57
SOURCES/openssl-1.1.1-edk2-build.patch
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
|
||||||
|
--- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build 2020-05-18 12:55:53.299548432 +0200
|
||||||
|
+++ openssl-1.1.1g/crypto/evp/pkey_kdf.c 2020-05-18 12:55:53.340548788 +0200
|
||||||
|
@@ -12,6 +12,7 @@
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/kdf.h>
|
||||||
|
+#include "internal/numbers.h"
|
||||||
|
#include "crypto/evp.h"
|
||||||
|
|
||||||
|
static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
|
||||||
|
diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
|
||||||
|
--- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build 2020-05-18 12:55:53.340548788 +0200
|
||||||
|
+++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:57:18.648288904 +0200
|
||||||
|
@@ -13,6 +13,7 @@
|
||||||
|
#include <openssl/hmac.h>
|
||||||
|
#include <openssl/kdf.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
+#include "internal/numbers.h"
|
||||||
|
#include "internal/cryptlib.h"
|
||||||
|
#include "crypto/evp.h"
|
||||||
|
#include "kdf_local.h"
|
||||||
|
diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
|
||||||
|
--- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build 2020-05-18 12:56:05.646655554 +0200
|
||||||
|
+++ openssl-1.1.1g/crypto/rand/rand_unix.c 2020-05-18 12:58:51.088090896 +0200
|
||||||
|
@@ -20,7 +20,7 @@
|
||||||
|
#include "crypto/fips.h"
|
||||||
|
#include <stdio.h>
|
||||||
|
#include "internal/dso.h"
|
||||||
|
-#ifdef __linux
|
||||||
|
+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
|
||||||
|
# include <sys/syscall.h>
|
||||||
|
# include <sys/random.h>
|
||||||
|
# ifdef DEVRANDOM_WAIT
|
||||||
|
diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
|
||||||
|
--- openssl-1.1.1g/include/crypto/fips.h.edk2-build 2020-05-18 12:55:53.296548406 +0200
|
||||||
|
+++ openssl-1.1.1g/include/crypto/fips.h 2020-05-18 12:55:53.340548788 +0200
|
||||||
|
@@ -50,10 +50,6 @@
|
||||||
|
#include <openssl/opensslconf.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
|
||||||
|
-#ifndef OPENSSL_FIPS
|
||||||
|
-# error FIPS is disabled.
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
|
||||||
|
int FIPS_module_mode_set(int onoff);
|
||||||
|
@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
|
||||||
|
|
||||||
|
void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
|
||||||
|
|
||||||
|
+#else
|
||||||
|
+
|
||||||
|
+# define fips_in_post() 0
|
||||||
|
+
|
||||||
|
#endif
|
5238
SOURCES/openssl-1.1.1-evp-kdf.patch
Normal file
5238
SOURCES/openssl-1.1.1-evp-kdf.patch
Normal file
File diff suppressed because it is too large
Load Diff
408
SOURCES/openssl-1.1.1-fips-crng-test.patch
Normal file
408
SOURCES/openssl-1.1.1-fips-crng-test.patch
Normal file
@ -0,0 +1,408 @@
|
|||||||
|
diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
|
||||||
|
--- openssl-1.1.1g/crypto/rand/build.info.crng-test 2020-04-23 13:30:45.863389837 +0200
|
||||||
|
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:31:55.847069892 +0200
|
||||||
|
@@ -1,6 +1,6 @@
|
||||||
|
LIBS=../../libcrypto
|
||||||
|
SOURCE[../../libcrypto]=\
|
||||||
|
- randfile.c rand_lib.c rand_err.c rand_egd.c \
|
||||||
|
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
|
||||||
|
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
|
||||||
|
|
||||||
|
INCLUDE[drbg_ctr.o]=../modes
|
||||||
|
diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
|
||||||
|
--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test 2020-04-23 13:30:45.818390686 +0200
|
||||||
|
+++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-23 13:30:45.864389819 +0200
|
||||||
|
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
|
||||||
|
|
||||||
|
|
||||||
|
/* NIST SP 800-90A DRBG recommends the use of a personalization string. */
|
||||||
|
-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
|
||||||
|
+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
|
||||||
|
|
||||||
|
static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
|
||||||
|
|
||||||
|
@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu
|
||||||
|
drbg->parent = parent;
|
||||||
|
|
||||||
|
if (parent == NULL) {
|
||||||
|
+#ifdef OPENSSL_FIPS
|
||||||
|
+ drbg->get_entropy = rand_crngt_get_entropy;
|
||||||
|
+ drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
|
||||||
|
+#else
|
||||||
|
drbg->get_entropy = rand_drbg_get_entropy;
|
||||||
|
drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
|
||||||
|
+#endif
|
||||||
|
#ifndef RAND_DRBG_GET_RANDOM_NONCE
|
||||||
|
drbg->get_nonce = rand_drbg_get_nonce;
|
||||||
|
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
|
||||||
|
diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
|
||||||
|
--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test 2020-04-23 13:30:45.864389819 +0200
|
||||||
|
+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-23 13:30:45.864389819 +0200
|
||||||
|
@@ -0,0 +1,118 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
||||||
|
+ *
|
||||||
|
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||||
|
+ * this file except in compliance with the License. You can obtain a copy
|
||||||
|
+ * in the file LICENSE in the source distribution or at
|
||||||
|
+ * https://www.openssl.org/source/license.html
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <openssl/evp.h>
|
||||||
|
+#include "crypto/rand.h"
|
||||||
|
+#include "internal/thread_once.h"
|
||||||
|
+#include "rand_local.h"
|
||||||
|
+
|
||||||
|
+static RAND_POOL *crngt_pool;
|
||||||
|
+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
|
||||||
|
+
|
||||||
|
+int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)
|
||||||
|
+ = &rand_crngt_get_entropy_cb;
|
||||||
|
+
|
||||||
|
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
|
||||||
|
+ unsigned int *md_size)
|
||||||
|
+{
|
||||||
|
+ int r;
|
||||||
|
+ size_t n;
|
||||||
|
+ unsigned char *p;
|
||||||
|
+
|
||||||
|
+ n = rand_pool_acquire_entropy(crngt_pool);
|
||||||
|
+ if (n >= CRNGT_BUFSIZ) {
|
||||||
|
+ p = rand_pool_detach(crngt_pool);
|
||||||
|
+ r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
|
||||||
|
+ if (r != 0)
|
||||||
|
+ memcpy(buf, p, CRNGT_BUFSIZ);
|
||||||
|
+ rand_pool_reattach(crngt_pool, p);
|
||||||
|
+ return r;
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void rand_crngt_cleanup(void)
|
||||||
|
+{
|
||||||
|
+ rand_pool_free(crngt_pool);
|
||||||
|
+ crngt_pool = NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int rand_crngt_init(void)
|
||||||
|
+{
|
||||||
|
+ unsigned char buf[CRNGT_BUFSIZ];
|
||||||
|
+
|
||||||
|
+ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+ if (crngt_get_entropy(buf, crngt_prev, NULL)) {
|
||||||
|
+ OPENSSL_cleanse(buf, sizeof(buf));
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ rand_crngt_cleanup();
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;
|
||||||
|
+DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)
|
||||||
|
+{
|
||||||
|
+ return OPENSSL_init_crypto(0, NULL)
|
||||||
|
+ && rand_crngt_init()
|
||||||
|
+ && OPENSSL_atexit(&rand_crngt_cleanup);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int rand_crngt_single_init(void)
|
||||||
|
+{
|
||||||
|
+ return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
|
||||||
|
+ unsigned char **pout,
|
||||||
|
+ int entropy, size_t min_len, size_t max_len,
|
||||||
|
+ int prediction_resistance)
|
||||||
|
+{
|
||||||
|
+ unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];
|
||||||
|
+ unsigned int sz;
|
||||||
|
+ RAND_POOL *pool;
|
||||||
|
+ size_t q, r = 0, s, t = 0;
|
||||||
|
+ int attempts = 3;
|
||||||
|
+
|
||||||
|
+ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
|
||||||
|
+ s = q > sizeof(buf) ? sizeof(buf) : q;
|
||||||
|
+ if (!crngt_get_entropy(buf, md, &sz)
|
||||||
|
+ || memcmp(crngt_prev, md, sz) == 0
|
||||||
|
+ || !rand_pool_add(pool, buf, s, s * 8))
|
||||||
|
+ goto err;
|
||||||
|
+ memcpy(crngt_prev, md, sz);
|
||||||
|
+ t += s;
|
||||||
|
+ attempts++;
|
||||||
|
+ }
|
||||||
|
+ r = t;
|
||||||
|
+ *pout = rand_pool_detach(pool);
|
||||||
|
+err:
|
||||||
|
+ OPENSSL_cleanse(buf, sizeof(buf));
|
||||||
|
+ rand_pool_free(pool);
|
||||||
|
+ return r;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
|
||||||
|
+ unsigned char *out, size_t outlen)
|
||||||
|
+{
|
||||||
|
+ OPENSSL_secure_clear_free(out, outlen);
|
||||||
|
+}
|
||||||
|
diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
|
||||||
|
--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test 2020-04-23 13:30:45.470397250 +0200
|
||||||
|
+++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-23 13:30:45.864389819 +0200
|
||||||
|
@@ -33,7 +33,15 @@
|
||||||
|
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
|
||||||
|
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
|
||||||
|
|
||||||
|
-
|
||||||
|
+/*
|
||||||
|
+ * The number of bytes that constitutes an atomic lump of entropy with respect
|
||||||
|
+ * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat
|
||||||
|
+ * arbitrary, the smaller the value, the less entropy is consumed on first
|
||||||
|
+ * read but the higher the probability of the test failing by accident.
|
||||||
|
+ *
|
||||||
|
+ * The value is in bytes.
|
||||||
|
+ */
|
||||||
|
+#define CRNGT_BUFSIZ 16
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
||||||
|
@@ -44,6 +52,8 @@
|
||||||
|
*/
|
||||||
|
# define DRBG_MAX_LENGTH INT32_MAX
|
||||||
|
|
||||||
|
+/* The default nonce */
|
||||||
|
+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Maximum allocation size for RANDOM_POOL buffers
|
||||||
|
@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
|
||||||
|
/* initializes the AES-CTR DRBG implementation */
|
||||||
|
int drbg_ctr_init(RAND_DRBG *drbg);
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
|
||||||
|
+ * These need to be exposed for the unit tests.
|
||||||
|
+ */
|
||||||
|
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
|
||||||
|
+ unsigned int *md_size);
|
||||||
|
+extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,
|
||||||
|
+ unsigned int *md_size);
|
||||||
|
+int rand_crngt_init(void);
|
||||||
|
+void rand_crngt_cleanup(void);
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Expose the run once initialisation function for the unit tests because.
|
||||||
|
+ * they need to restart from scratch to validate the first block is skipped
|
||||||
|
+ * properly.
|
||||||
|
+ */
|
||||||
|
+int rand_crngt_single_init(void);
|
||||||
|
+
|
||||||
|
#endif
|
||||||
|
diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
|
||||||
|
--- openssl-1.1.1g/include/crypto/rand.h.crng-test 2020-04-23 13:30:45.824390573 +0200
|
||||||
|
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:30:45.864389819 +0200
|
||||||
|
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
|
||||||
|
|
||||||
|
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
|
||||||
|
|
||||||
|
+/* CRNG test entropy filter callbacks. */
|
||||||
|
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
|
||||||
|
+ unsigned char **pout,
|
||||||
|
+ int entropy, size_t min_len, size_t max_len,
|
||||||
|
+ int prediction_resistance);
|
||||||
|
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
|
||||||
|
+ unsigned char *out, size_t outlen);
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* RAND_POOL functions
|
||||||
|
*/
|
||||||
|
diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
|
||||||
|
--- openssl-1.1.1g/test/drbgtest.c.crng-test 2020-04-21 14:22:39.000000000 +0200
|
||||||
|
+++ openssl-1.1.1g/test/drbgtest.c 2020-04-23 13:30:45.865389800 +0200
|
||||||
|
@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
|
||||||
|
return t->noncelen;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * Disable CRNG testing if it is enabled.
|
||||||
|
+ * If the DRBG is ready or in an error state, this means an instantiate cycle
|
||||||
|
+ * for which the default personalisation string is used.
|
||||||
|
+ */
|
||||||
|
+static int disable_crngt(RAND_DRBG *drbg)
|
||||||
|
+{
|
||||||
|
+ static const char pers[] = DRBG_DEFAULT_PERS_STRING;
|
||||||
|
+ const int instantiate = drbg->state != DRBG_UNINITIALISED;
|
||||||
|
+
|
||||||
|
+ if (drbg->get_entropy != rand_crngt_get_entropy)
|
||||||
|
+ return 1;
|
||||||
|
+
|
||||||
|
+ if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
|
||||||
|
+ || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
|
||||||
|
+ &rand_drbg_cleanup_entropy,
|
||||||
|
+ &rand_drbg_get_nonce,
|
||||||
|
+ &rand_drbg_cleanup_nonce))
|
||||||
|
+ || (instantiate
|
||||||
|
+ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
|
||||||
|
+ sizeof(pers) - 1)))
|
||||||
|
+ return 0;
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int uninstantiate(RAND_DRBG *drbg)
|
||||||
|
{
|
||||||
|
int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
|
||||||
|
@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
|
||||||
|
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
|
||||||
|
return 0;
|
||||||
|
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
||||||
|
- kat_nonce, NULL))) {
|
||||||
|
+ kat_nonce, NULL))
|
||||||
|
+ || !TEST_true(disable_crngt(drbg))) {
|
||||||
|
failures++;
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
|
||||||
|
unsigned int reseed_counter_tmp;
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
- if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
|
||||||
|
+ if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))
|
||||||
|
+ || !TEST_true(disable_crngt(drbg)))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
|
||||||
|
|| !TEST_ptr_eq(private->parent, master))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
+ /* Disable CRNG testing for the master DRBG */
|
||||||
|
+ if (!TEST_true(disable_crngt(master)))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
/* uninstantiate the three global DRBGs */
|
||||||
|
RAND_DRBG_uninstantiate(private);
|
||||||
|
RAND_DRBG_uninstantiate(public);
|
||||||
|
@@ -964,7 +995,8 @@ static int test_rand_seed(void)
|
||||||
|
size_t rand_buflen;
|
||||||
|
size_t required_seed_buflen = 0;
|
||||||
|
|
||||||
|
- if (!TEST_ptr(master = RAND_DRBG_get0_master()))
|
||||||
|
+ if (!TEST_ptr(master = RAND_DRBG_get0_master())
|
||||||
|
+ || !TEST_true(disable_crngt(master)))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
#ifdef OPENSSL_RAND_SEED_NONE
|
||||||
|
@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * A list of the FIPS DRGB types.
|
||||||
|
+ */
|
||||||
|
+static const struct s_drgb_types {
|
||||||
|
+ int nid;
|
||||||
|
+ int flags;
|
||||||
|
+} drgb_types[] = {
|
||||||
|
+ { NID_aes_128_ctr, 0 },
|
||||||
|
+ { NID_aes_192_ctr, 0 },
|
||||||
|
+ { NID_aes_256_ctr, 0 },
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+/* Six cases for each covers seed sizes up to 32 bytes */
|
||||||
|
+static const size_t crngt_num_cases = 6;
|
||||||
|
+
|
||||||
|
+static size_t crngt_case, crngt_idx;
|
||||||
|
+
|
||||||
|
+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
|
||||||
|
+ unsigned int *md_size)
|
||||||
|
+{
|
||||||
|
+ size_t i, z;
|
||||||
|
+
|
||||||
|
+ if (!TEST_int_lt(crngt_idx, crngt_num_cases))
|
||||||
|
+ return 0;
|
||||||
|
+ /* Generate a block of unique data unless this is the duplication point */
|
||||||
|
+ z = crngt_idx++;
|
||||||
|
+ if (z > 0 && crngt_case == z)
|
||||||
|
+ z--;
|
||||||
|
+ for (i = 0; i < CRNGT_BUFSIZ; i++)
|
||||||
|
+ buf[i] = (unsigned char)(i + 'A' + z);
|
||||||
|
+ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int test_crngt(int n)
|
||||||
|
+{
|
||||||
|
+ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
|
||||||
|
+ RAND_DRBG *drbg = NULL;
|
||||||
|
+ unsigned char buff[100];
|
||||||
|
+ size_t ent;
|
||||||
|
+ int res = 0;
|
||||||
|
+ int expect;
|
||||||
|
+
|
||||||
|
+ if (!TEST_true(rand_crngt_single_init()))
|
||||||
|
+ return 0;
|
||||||
|
+ rand_crngt_cleanup();
|
||||||
|
+
|
||||||
|
+ if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
|
||||||
|
+ return 0;
|
||||||
|
+ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
|
||||||
|
+ crngt_case = n % crngt_num_cases;
|
||||||
|
+ crngt_idx = 0;
|
||||||
|
+ crngt_get_entropy = &crngt_entropy_cb;
|
||||||
|
+ if (!TEST_true(rand_crngt_init()))
|
||||||
|
+ goto err;
|
||||||
|
+#ifndef OPENSSL_FIPS
|
||||||
|
+ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
|
||||||
|
+ &rand_crngt_cleanup_entropy,
|
||||||
|
+ &rand_drbg_get_nonce,
|
||||||
|
+ &rand_drbg_cleanup_nonce)))
|
||||||
|
+ goto err;
|
||||||
|
+#endif
|
||||||
|
+ expect = crngt_case == 0 || crngt_case > ent;
|
||||||
|
+ if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))
|
||||||
|
+ goto err;
|
||||||
|
+ if (!expect)
|
||||||
|
+ goto fin;
|
||||||
|
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ expect = crngt_case == 0 || crngt_case > 2 * ent;
|
||||||
|
+ if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))
|
||||||
|
+ goto err;
|
||||||
|
+ if (!expect)
|
||||||
|
+ goto fin;
|
||||||
|
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+fin:
|
||||||
|
+ res = 1;
|
||||||
|
+err:
|
||||||
|
+ if (!res)
|
||||||
|
+ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
|
||||||
|
+ crngt_case, crngt_idx);
|
||||||
|
+ uninstantiate(drbg);
|
||||||
|
+ RAND_DRBG_free(drbg);
|
||||||
|
+ crngt_get_entropy = &rand_crngt_get_entropy_cb;
|
||||||
|
+ return res;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int setup_tests(void)
|
||||||
|
{
|
||||||
|
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
|
||||||
|
@@ -1025,5 +1146,6 @@ int setup_tests(void)
|
||||||
|
#if defined(OPENSSL_THREADS)
|
||||||
|
ADD_TEST(test_multi_thread);
|
||||||
|
#endif
|
||||||
|
+ ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));
|
||||||
|
return 1;
|
||||||
|
}
|
200
SOURCES/openssl-1.1.1-fips-curves.patch
Normal file
200
SOURCES/openssl-1.1.1-fips-curves.patch
Normal file
@ -0,0 +1,200 @@
|
|||||||
|
diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
|
||||||
|
--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200
|
||||||
|
+++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200
|
||||||
|
@@ -13,6 +13,7 @@
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/obj_mac.h>
|
||||||
|
#include <openssl/opensslconf.h>
|
||||||
|
+#include <openssl/crypto.h>
|
||||||
|
#include "internal/nelem.h"
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
@@ -237,6 +238,7 @@ static const struct {
|
||||||
|
|
||||||
|
typedef struct _ec_list_element_st {
|
||||||
|
int nid;
|
||||||
|
+ int fips_allowed;
|
||||||
|
const EC_CURVE_DATA *data;
|
||||||
|
const EC_METHOD *(*meth) (void);
|
||||||
|
const char *comment;
|
||||||
|
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
|
||||||
|
/* prime field curves */
|
||||||
|
/* secg curves */
|
||||||
|
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||||
|
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||||
|
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||||
|
"NIST/SECG curve over a 224 bit prime field"},
|
||||||
|
#else
|
||||||
|
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
||||||
|
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
|
||||||
|
"NIST/SECG curve over a 224 bit prime field"},
|
||||||
|
#endif
|
||||||
|
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
||||||
|
+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
|
||||||
|
"SECG curve over a 256 bit prime field"},
|
||||||
|
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||||
|
- {NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||||
|
+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
|
||||||
|
# if defined(S390X_EC_ASM)
|
||||||
|
EC_GFp_s390x_nistp384_method,
|
||||||
|
# else
|
||||||
|
0,
|
||||||
|
# endif
|
||||||
|
"NIST/SECG curve over a 384 bit prime field"},
|
||||||
|
- {NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||||
|
+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
|
||||||
|
# if defined(S390X_EC_ASM)
|
||||||
|
EC_GFp_s390x_nistp521_method,
|
||||||
|
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||||
|
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
|
||||||
|
# endif
|
||||||
|
"NIST/SECG curve over a 521 bit prime field"},
|
||||||
|
/* X9.62 curves */
|
||||||
|
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||||
|
+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
|
||||||
|
#if defined(ECP_NISTZ256_ASM)
|
||||||
|
EC_GFp_nistz256_method,
|
||||||
|
# elif defined(S390X_EC_ASM)
|
||||||
|
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||||
|
|
||||||
|
for (i = 0; i < curve_list_length; i++)
|
||||||
|
if (curve_list[i].nid == nid) {
|
||||||
|
+ if (!curve_list[i].fips_allowed && FIPS_mode()) {
|
||||||
|
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
ret = ec_group_new_from_data(curve_list[i]);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||||
|
|
||||||
|
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||||
|
{
|
||||||
|
- size_t i, min;
|
||||||
|
+ size_t i, j, num;
|
||||||
|
+ int fips_mode = FIPS_mode();
|
||||||
|
|
||||||
|
- if (r == NULL || nitems == 0)
|
||||||
|
- return curve_list_length;
|
||||||
|
+ num = curve_list_length;
|
||||||
|
+ if (fips_mode)
|
||||||
|
+ for (i = 0; i < curve_list_length; i++) {
|
||||||
|
+ if (!curve_list[i].fips_allowed)
|
||||||
|
+ --num;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||||
|
+ if (r == NULL || nitems == 0) {
|
||||||
|
+ return num;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- for (i = 0; i < min; i++) {
|
||||||
|
- r[i].nid = curve_list[i].nid;
|
||||||
|
- r[i].comment = curve_list[i].comment;
|
||||||
|
+ for (i = 0, j = 0; i < curve_list_length; i++) {
|
||||||
|
+ if (j >= nitems)
|
||||||
|
+ break;
|
||||||
|
+ if (!fips_mode || curve_list[i].fips_allowed) {
|
||||||
|
+ r[j].nid = curve_list[i].nid;
|
||||||
|
+ r[j].comment = curve_list[i].comment;
|
||||||
|
+ ++j;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
- return curve_list_length;
|
||||||
|
+ return num;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Functions to translate between common NIST curve names and NIDs */
|
||||||
|
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
|
||||||
|
--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200
|
||||||
|
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200
|
||||||
|
@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
|
||||||
|
#endif
|
||||||
|
};
|
||||||
|
|
||||||
|
+static const uint16_t tls12_fips_sigalgs[] = {
|
||||||
|
+#ifndef OPENSSL_NO_EC
|
||||||
|
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||||
|
+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
|
||||||
|
+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_pss_sha256,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_pss_sha384,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_pss_sha512,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_rsae_sha256,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_rsae_sha384,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pss_rsae_sha512,
|
||||||
|
+
|
||||||
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha256,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha384,
|
||||||
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha512,
|
||||||
|
+
|
||||||
|
+#ifndef OPENSSL_NO_EC
|
||||||
|
+ TLSEXT_SIGALG_ecdsa_sha224,
|
||||||
|
+#endif
|
||||||
|
+ TLSEXT_SIGALG_rsa_pkcs1_sha224,
|
||||||
|
+#ifndef OPENSSL_NO_DSA
|
||||||
|
+ TLSEXT_SIGALG_dsa_sha224,
|
||||||
|
+ TLSEXT_SIGALG_dsa_sha256,
|
||||||
|
+ TLSEXT_SIGALG_dsa_sha384,
|
||||||
|
+ TLSEXT_SIGALG_dsa_sha512,
|
||||||
|
+#endif
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
static const uint16_t suiteb_sigalgs[] = {
|
||||||
|
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||||
|
@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
|
||||||
|
}
|
||||||
|
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
|
||||||
|
return NULL;
|
||||||
|
+ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
|
||||||
|
+ return NULL;
|
||||||
|
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
|
||||||
|
const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
|
||||||
|
|
||||||
|
@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
|
||||||
|
} else if (s->cert->conf_sigalgs) {
|
||||||
|
*psigs = s->cert->conf_sigalgs;
|
||||||
|
return s->cert->conf_sigalgslen;
|
||||||
|
+ } else if (FIPS_mode()) {
|
||||||
|
+ *psigs = tls12_fips_sigalgs;
|
||||||
|
+ return OSSL_NELEM(tls12_fips_sigalgs);
|
||||||
|
} else {
|
||||||
|
*psigs = tls12_sigalgs;
|
||||||
|
return OSSL_NELEM(tls12_sigalgs);
|
||||||
|
@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
|
||||||
|
if (s->cert->conf_sigalgs) {
|
||||||
|
sigs = s->cert->conf_sigalgs;
|
||||||
|
siglen = s->cert->conf_sigalgslen;
|
||||||
|
+ } else if (FIPS_mode()) {
|
||||||
|
+ sigs = tls12_fips_sigalgs;
|
||||||
|
+ siglen = OSSL_NELEM(tls12_fips_sigalgs);
|
||||||
|
} else {
|
||||||
|
sigs = tls12_sigalgs;
|
||||||
|
siglen = OSSL_NELEM(tls12_sigalgs);
|
||||||
|
@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
|
||||||
|
if (lu->sig == NID_id_GostR3410_2012_256
|
||||||
|
|| lu->sig == NID_id_GostR3410_2012_512
|
||||||
|
|| lu->sig == NID_id_GostR3410_2001) {
|
||||||
|
+ if (FIPS_mode())
|
||||||
|
+ return 0;
|
||||||
|
/* We never allow GOST sig algs on the server with TLSv1.3 */
|
||||||
|
if (s->server && SSL_IS_TLS13(s))
|
||||||
|
return 0;
|
||||||
|
@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
|
||||||
|
const uint16_t *sent_sigs;
|
||||||
|
size_t sent_sigslen;
|
||||||
|
|
||||||
|
+ if (fatalerrs && FIPS_mode()) {
|
||||||
|
+ /* There are no suitable legacy algorithms in FIPS mode */
|
||||||
|
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||||
|
+ SSL_F_TLS_CHOOSE_SIGALG,
|
||||||
|
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
|
||||||
|
if (!fatalerrs)
|
||||||
|
return 1;
|
2730
SOURCES/openssl-1.1.1-fips-dh.patch
Normal file
2730
SOURCES/openssl-1.1.1-fips-dh.patch
Normal file
File diff suppressed because it is too large
Load Diff
587
SOURCES/openssl-1.1.1-fips-drbg-selftest.patch
Normal file
587
SOURCES/openssl-1.1.1-fips-drbg-selftest.patch
Normal file
@ -0,0 +1,587 @@
|
|||||||
|
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c
|
||||||
|
--- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest 2020-04-23 13:33:12.500624151 +0200
|
||||||
|
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-04-23 13:33:12.618621925 +0200
|
||||||
|
@@ -67,12 +67,18 @@
|
||||||
|
|
||||||
|
# include <openssl/fips.h>
|
||||||
|
# include "crypto/fips.h"
|
||||||
|
+# include "crypto/rand.h"
|
||||||
|
# include "fips_locl.h"
|
||||||
|
|
||||||
|
/* Run all selftests */
|
||||||
|
int FIPS_selftest(void)
|
||||||
|
{
|
||||||
|
int rv = 1;
|
||||||
|
+ if (!rand_drbg_selftest()) {
|
||||||
|
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_TEST_FAILURE);
|
||||||
|
+ ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
|
||||||
|
+ rv = 0;
|
||||||
|
+ }
|
||||||
|
if (!FIPS_selftest_drbg())
|
||||||
|
rv = 0;
|
||||||
|
if (!FIPS_selftest_sha1())
|
||||||
|
diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info
|
||||||
|
--- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
|
||||||
|
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:34:10.857523497 +0200
|
||||||
|
@@ -1,6 +1,6 @@
|
||||||
|
LIBS=../../libcrypto
|
||||||
|
SOURCE[../../libcrypto]=\
|
||||||
|
randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
|
||||||
|
- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
|
||||||
|
+ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
|
||||||
|
|
||||||
|
INCLUDE[drbg_ctr.o]=../modes
|
||||||
|
diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c
|
||||||
|
--- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
|
||||||
|
+++ openssl-1.1.1g/crypto/rand/drbg_selftest.c 2020-04-23 13:33:12.619621907 +0200
|
||||||
|
@@ -0,0 +1,537 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
+ *
|
||||||
|
+ * Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
|
+ * this file except in compliance with the License. You can obtain a copy
|
||||||
|
+ * in the file LICENSE in the source distribution or at
|
||||||
|
+ * https://www.openssl.org/source/license.html
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <stddef.h>
|
||||||
|
+#include "internal/nelem.h"
|
||||||
|
+#include <openssl/crypto.h>
|
||||||
|
+#include <openssl/err.h>
|
||||||
|
+#include <openssl/rand_drbg.h>
|
||||||
|
+#include <openssl/obj_mac.h>
|
||||||
|
+#include "internal/thread_once.h"
|
||||||
|
+#include "crypto/rand.h"
|
||||||
|
+
|
||||||
|
+typedef struct test_ctx_st {
|
||||||
|
+ const unsigned char *entropy;
|
||||||
|
+ size_t entropylen;
|
||||||
|
+ int entropycnt;
|
||||||
|
+ const unsigned char *nonce;
|
||||||
|
+ size_t noncelen;
|
||||||
|
+ int noncecnt;
|
||||||
|
+} TEST_CTX;
|
||||||
|
+
|
||||||
|
+static int app_data_index = -1;
|
||||||
|
+static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT;
|
||||||
|
+DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init)
|
||||||
|
+{
|
||||||
|
+ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+enum drbg_kat_type {
|
||||||
|
+ NO_RESEED,
|
||||||
|
+ PR_FALSE,
|
||||||
|
+ PR_TRUE
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+enum drbg_df {
|
||||||
|
+ USE_DF,
|
||||||
|
+ NO_DF,
|
||||||
|
+ NA
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct drbg_kat_no_reseed {
|
||||||
|
+ size_t count;
|
||||||
|
+ const unsigned char *entropyin;
|
||||||
|
+ const unsigned char *nonce;
|
||||||
|
+ const unsigned char *persstr;
|
||||||
|
+ const unsigned char *addin1;
|
||||||
|
+ const unsigned char *addin2;
|
||||||
|
+ const unsigned char *retbytes;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct drbg_kat_pr_false {
|
||||||
|
+ size_t count;
|
||||||
|
+ const unsigned char *entropyin;
|
||||||
|
+ const unsigned char *nonce;
|
||||||
|
+ const unsigned char *persstr;
|
||||||
|
+ const unsigned char *entropyinreseed;
|
||||||
|
+ const unsigned char *addinreseed;
|
||||||
|
+ const unsigned char *addin1;
|
||||||
|
+ const unsigned char *addin2;
|
||||||
|
+ const unsigned char *retbytes;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct drbg_kat_pr_true {
|
||||||
|
+ size_t count;
|
||||||
|
+ const unsigned char *entropyin;
|
||||||
|
+ const unsigned char *nonce;
|
||||||
|
+ const unsigned char *persstr;
|
||||||
|
+ const unsigned char *entropyinpr1;
|
||||||
|
+ const unsigned char *addin1;
|
||||||
|
+ const unsigned char *entropyinpr2;
|
||||||
|
+ const unsigned char *addin2;
|
||||||
|
+ const unsigned char *retbytes;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct drbg_kat {
|
||||||
|
+ enum drbg_kat_type type;
|
||||||
|
+ enum drbg_df df;
|
||||||
|
+ int nid;
|
||||||
|
+
|
||||||
|
+ size_t entropyinlen;
|
||||||
|
+ size_t noncelen;
|
||||||
|
+ size_t persstrlen;
|
||||||
|
+ size_t addinlen;
|
||||||
|
+ size_t retbyteslen;
|
||||||
|
+
|
||||||
|
+ const void *t;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Excerpt from test/drbg_cavs_data.c
|
||||||
|
+ * DRBG test vectors from:
|
||||||
|
+ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+static const unsigned char kat1308_entropyin[] = {
|
||||||
|
+ 0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c,
|
||||||
|
+ 0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7,
|
||||||
|
+ 0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97,
|
||||||
|
+ 0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat1308_nonce[] = {0};
|
||||||
|
+static const unsigned char kat1308_persstr[] = {
|
||||||
|
+ 0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2,
|
||||||
|
+ 0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39,
|
||||||
|
+ 0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45,
|
||||||
|
+ 0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat1308_addin0[] = {
|
||||||
|
+ 0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e,
|
||||||
|
+ 0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a,
|
||||||
|
+ 0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a,
|
||||||
|
+ 0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat1308_addin1[] = {
|
||||||
|
+ 0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19,
|
||||||
|
+ 0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a,
|
||||||
|
+ 0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e,
|
||||||
|
+ 0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat1308_retbits[] = {
|
||||||
|
+ 0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2,
|
||||||
|
+ 0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92,
|
||||||
|
+ 0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f,
|
||||||
|
+ 0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63,
|
||||||
|
+ 0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53,
|
||||||
|
+ 0x26, 0x32, 0xd0, 0xb8,
|
||||||
|
+};
|
||||||
|
+static const struct drbg_kat_no_reseed kat1308_t = {
|
||||||
|
+ 2, kat1308_entropyin, kat1308_nonce, kat1308_persstr,
|
||||||
|
+ kat1308_addin0, kat1308_addin1, kat1308_retbits
|
||||||
|
+};
|
||||||
|
+static const struct drbg_kat kat1308 = {
|
||||||
|
+ NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static const unsigned char kat1465_entropyin[] = {
|
||||||
|
+ 0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64,
|
||||||
|
+ 0x87, 0xbe, 0xaa, 0xc0,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat1465_nonce[] = {
|
||||||
|
+ 0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat1465_persstr[] = {0};
|
||||||
|
+static const unsigned char kat1465_entropyinreseed[] = {
|
||||||
|
+ 0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5,
|
||||||
|
+ 0x1f, 0x4b, 0x7b, 0x51,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat1465_addinreseed[] = {
|
||||||
|
+ 0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12,
|
||||||
|
+ 0x61, 0x9f, 0x26, 0x5f,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat1465_addin0[] = {
|
||||||
|
+ 0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6,
|
||||||
|
+ 0x10, 0x5a, 0x73, 0x9c,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat1465_addin1[] = {
|
||||||
|
+ 0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18,
|
||||||
|
+ 0x47, 0x99, 0x1f, 0xeb,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat1465_retbits[] = {
|
||||||
|
+ 0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d,
|
||||||
|
+ 0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb,
|
||||||
|
+ 0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52,
|
||||||
|
+ 0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e,
|
||||||
|
+ 0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41,
|
||||||
|
+ 0x58, 0xdb, 0x27, 0xba,
|
||||||
|
+};
|
||||||
|
+static const struct drbg_kat_pr_false kat1465_t = {
|
||||||
|
+ 9, kat1465_entropyin, kat1465_nonce, kat1465_persstr,
|
||||||
|
+ kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0,
|
||||||
|
+ kat1465_addin1, kat1465_retbits
|
||||||
|
+};
|
||||||
|
+static const struct drbg_kat kat1465 = {
|
||||||
|
+ PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static const unsigned char kat3146_entropyin[] = {
|
||||||
|
+ 0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3,
|
||||||
|
+ 0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat3146_nonce[] = {
|
||||||
|
+ 0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3,
|
||||||
|
+ 0x50, 0x86, 0xca, 0xca,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat3146_persstr[] = {0};
|
||||||
|
+static const unsigned char kat3146_entropyinpr1[] = {
|
||||||
|
+ 0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda,
|
||||||
|
+ 0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat3146_addinpr1[] = {
|
||||||
|
+ 0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1,
|
||||||
|
+ 0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90,
|
||||||
|
+ 0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat3146_entropyinpr2[] = {
|
||||||
|
+ 0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7,
|
||||||
|
+ 0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat3146_addinpr2[] = {
|
||||||
|
+ 0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c,
|
||||||
|
+ 0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3,
|
||||||
|
+ 0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6,
|
||||||
|
+};
|
||||||
|
+static const unsigned char kat3146_retbits[] = {
|
||||||
|
+ 0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f,
|
||||||
|
+ 0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28,
|
||||||
|
+ 0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76,
|
||||||
|
+ 0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87,
|
||||||
|
+ 0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45,
|
||||||
|
+ 0xd4, 0x30, 0x73, 0xbb,
|
||||||
|
+};
|
||||||
|
+static const struct drbg_kat_pr_true kat3146_t = {
|
||||||
|
+ 10, kat3146_entropyin, kat3146_nonce, kat3146_persstr,
|
||||||
|
+ kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2,
|
||||||
|
+ kat3146_addinpr2, kat3146_retbits
|
||||||
|
+};
|
||||||
|
+static const struct drbg_kat kat3146 = {
|
||||||
|
+ PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 };
|
||||||
|
+
|
||||||
|
+static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test);
|
||||||
|
+
|
||||||
|
+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
|
||||||
|
+ int entropy, size_t min_len, size_t max_len,
|
||||||
|
+ int prediction_resistance)
|
||||||
|
+{
|
||||||
|
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
|
||||||
|
+
|
||||||
|
+ t->entropycnt++;
|
||||||
|
+ *pout = (unsigned char *)t->entropy;
|
||||||
|
+ return t->entropylen;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
|
||||||
|
+ int entropy, size_t min_len, size_t max_len)
|
||||||
|
+{
|
||||||
|
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
|
||||||
|
+
|
||||||
|
+ t->noncecnt++;
|
||||||
|
+ *pout = (unsigned char *)t->nonce;
|
||||||
|
+ return t->noncelen;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Do a single NO_RESEED KAT:
|
||||||
|
+ *
|
||||||
|
+ * Instantiate
|
||||||
|
+ * Generate Random Bits (pr=false)
|
||||||
|
+ * Generate Random Bits (pr=false)
|
||||||
|
+ * Uninstantiate
|
||||||
|
+ *
|
||||||
|
+ * Return 0 on failure.
|
||||||
|
+ */
|
||||||
|
+static int single_kat_no_reseed(const struct drbg_kat *td)
|
||||||
|
+{
|
||||||
|
+ struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t;
|
||||||
|
+ RAND_DRBG *drbg = NULL;
|
||||||
|
+ unsigned char *buff = NULL;
|
||||||
|
+ unsigned int flags = 0;
|
||||||
|
+ int failures = 0;
|
||||||
|
+ TEST_CTX t;
|
||||||
|
+
|
||||||
|
+ if (td->df != USE_DF)
|
||||||
|
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
||||||
|
+
|
||||||
|
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
||||||
|
+ kat_nonce, NULL)) {
|
||||||
|
+ failures++;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ memset(&t, 0, sizeof(t));
|
||||||
|
+ t.entropy = data->entropyin;
|
||||||
|
+ t.entropylen = td->entropyinlen;
|
||||||
|
+ t.nonce = data->nonce;
|
||||||
|
+ t.noncelen = td->noncelen;
|
||||||
|
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
||||||
|
+
|
||||||
|
+ buff = OPENSSL_malloc(td->retbyteslen);
|
||||||
|
+ if (buff == NULL) {
|
||||||
|
+ failures++;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)
|
||||||
|
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
||||||
|
+ data->addin1, td->addinlen)
|
||||||
|
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
||||||
|
+ data->addin2, td->addinlen)
|
||||||
|
+ || memcmp(data->retbytes, buff,
|
||||||
|
+ td->retbyteslen) != 0)
|
||||||
|
+ failures++;
|
||||||
|
+
|
||||||
|
+err:
|
||||||
|
+ OPENSSL_free(buff);
|
||||||
|
+ RAND_DRBG_uninstantiate(drbg);
|
||||||
|
+ RAND_DRBG_free(drbg);
|
||||||
|
+ return failures == 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*-
|
||||||
|
+ * Do a single PR_FALSE KAT:
|
||||||
|
+ *
|
||||||
|
+ * Instantiate
|
||||||
|
+ * Reseed
|
||||||
|
+ * Generate Random Bits (pr=false)
|
||||||
|
+ * Generate Random Bits (pr=false)
|
||||||
|
+ * Uninstantiate
|
||||||
|
+ *
|
||||||
|
+ * Return 0 on failure.
|
||||||
|
+ */
|
||||||
|
+static int single_kat_pr_false(const struct drbg_kat *td)
|
||||||
|
+{
|
||||||
|
+ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
|
||||||
|
+ RAND_DRBG *drbg = NULL;
|
||||||
|
+ unsigned char *buff = NULL;
|
||||||
|
+ unsigned int flags = 0;
|
||||||
|
+ int failures = 0;
|
||||||
|
+ TEST_CTX t;
|
||||||
|
+
|
||||||
|
+ if (td->df != USE_DF)
|
||||||
|
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
||||||
|
+
|
||||||
|
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
||||||
|
+ kat_nonce, NULL)) {
|
||||||
|
+ failures++;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ memset(&t, 0, sizeof(t));
|
||||||
|
+ t.entropy = data->entropyin;
|
||||||
|
+ t.entropylen = td->entropyinlen;
|
||||||
|
+ t.nonce = data->nonce;
|
||||||
|
+ t.noncelen = td->noncelen;
|
||||||
|
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
||||||
|
+
|
||||||
|
+ buff = OPENSSL_malloc(td->retbyteslen);
|
||||||
|
+ if (buff == NULL) {
|
||||||
|
+ failures++;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
|
||||||
|
+ failures++;
|
||||||
|
+
|
||||||
|
+ t.entropy = data->entropyinreseed;
|
||||||
|
+ t.entropylen = td->entropyinlen;
|
||||||
|
+
|
||||||
|
+ if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0)
|
||||||
|
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
||||||
|
+ data->addin1, td->addinlen)
|
||||||
|
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
||||||
|
+ data->addin2, td->addinlen)
|
||||||
|
+ || memcmp(data->retbytes, buff,
|
||||||
|
+ td->retbyteslen) != 0)
|
||||||
|
+ failures++;
|
||||||
|
+
|
||||||
|
+err:
|
||||||
|
+ OPENSSL_free(buff);
|
||||||
|
+ RAND_DRBG_uninstantiate(drbg);
|
||||||
|
+ RAND_DRBG_free(drbg);
|
||||||
|
+ return failures == 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*-
|
||||||
|
+ * Do a single PR_TRUE KAT:
|
||||||
|
+ *
|
||||||
|
+ * Instantiate
|
||||||
|
+ * Generate Random Bits (pr=true)
|
||||||
|
+ * Generate Random Bits (pr=true)
|
||||||
|
+ * Uninstantiate
|
||||||
|
+ *
|
||||||
|
+ * Return 0 on failure.
|
||||||
|
+ */
|
||||||
|
+static int single_kat_pr_true(const struct drbg_kat *td)
|
||||||
|
+{
|
||||||
|
+ struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t;
|
||||||
|
+ RAND_DRBG *drbg = NULL;
|
||||||
|
+ unsigned char *buff = NULL;
|
||||||
|
+ unsigned int flags = 0;
|
||||||
|
+ int failures = 0;
|
||||||
|
+ TEST_CTX t;
|
||||||
|
+
|
||||||
|
+ if (td->df != USE_DF)
|
||||||
|
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
||||||
|
+
|
||||||
|
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
||||||
|
+ kat_nonce, NULL)) {
|
||||||
|
+ failures++;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ memset(&t, 0, sizeof(t));
|
||||||
|
+ t.nonce = data->nonce;
|
||||||
|
+ t.noncelen = td->noncelen;
|
||||||
|
+ t.entropy = data->entropyin;
|
||||||
|
+ t.entropylen = td->entropyinlen;
|
||||||
|
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
||||||
|
+
|
||||||
|
+ buff = OPENSSL_malloc(td->retbyteslen);
|
||||||
|
+ if (buff == NULL) {
|
||||||
|
+ failures++;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
|
||||||
|
+ failures++;
|
||||||
|
+
|
||||||
|
+ t.entropy = data->entropyinpr1;
|
||||||
|
+ t.entropylen = td->entropyinlen;
|
||||||
|
+
|
||||||
|
+ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
|
||||||
|
+ data->addin1, td->addinlen))
|
||||||
|
+ failures++;
|
||||||
|
+
|
||||||
|
+ t.entropy = data->entropyinpr2;
|
||||||
|
+ t.entropylen = td->entropyinlen;
|
||||||
|
+
|
||||||
|
+ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
|
||||||
|
+ data->addin2, td->addinlen)
|
||||||
|
+ || memcmp(data->retbytes, buff,
|
||||||
|
+ td->retbyteslen) != 0)
|
||||||
|
+ failures++;
|
||||||
|
+
|
||||||
|
+err:
|
||||||
|
+ OPENSSL_free(buff);
|
||||||
|
+ RAND_DRBG_uninstantiate(drbg);
|
||||||
|
+ RAND_DRBG_free(drbg);
|
||||||
|
+ return failures == 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int test_kats(int i)
|
||||||
|
+{
|
||||||
|
+ const struct drbg_kat *td = drbg_test[i];
|
||||||
|
+ int rv = 0;
|
||||||
|
+
|
||||||
|
+ switch (td->type) {
|
||||||
|
+ case NO_RESEED:
|
||||||
|
+ if (!single_kat_no_reseed(td))
|
||||||
|
+ goto err;
|
||||||
|
+ break;
|
||||||
|
+ case PR_FALSE:
|
||||||
|
+ if (!single_kat_pr_false(td))
|
||||||
|
+ goto err;
|
||||||
|
+ break;
|
||||||
|
+ case PR_TRUE:
|
||||||
|
+ if (!single_kat_pr_true(td))
|
||||||
|
+ goto err;
|
||||||
|
+ break;
|
||||||
|
+ default: /* cant happen */
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ rv = 1;
|
||||||
|
+err:
|
||||||
|
+ return rv;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*-
|
||||||
|
+ * Do one expected-error test:
|
||||||
|
+ *
|
||||||
|
+ * Instantiate with no entropy supplied
|
||||||
|
+ *
|
||||||
|
+ * Return 0 on failure.
|
||||||
|
+ */
|
||||||
|
+static int test_drbg_sanity(const struct drbg_kat *td)
|
||||||
|
+{
|
||||||
|
+ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
|
||||||
|
+ RAND_DRBG *drbg = NULL;
|
||||||
|
+ unsigned int flags = 0;
|
||||||
|
+ int failures = 0;
|
||||||
|
+ TEST_CTX t;
|
||||||
|
+
|
||||||
|
+ if (td->df != USE_DF)
|
||||||
|
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
||||||
|
+
|
||||||
|
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
||||||
|
+ kat_nonce, NULL)) {
|
||||||
|
+ failures++;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ memset(&t, 0, sizeof(t));
|
||||||
|
+ t.entropy = data->entropyin;
|
||||||
|
+ t.entropylen = 0; /* No entropy */
|
||||||
|
+ t.nonce = data->nonce;
|
||||||
|
+ t.noncelen = td->noncelen;
|
||||||
|
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
||||||
|
+
|
||||||
|
+ ERR_set_mark();
|
||||||
|
+ /* This must fail. */
|
||||||
|
+ if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
|
||||||
|
+ failures++;
|
||||||
|
+ RAND_DRBG_uninstantiate(drbg);
|
||||||
|
+ ERR_pop_to_mark();
|
||||||
|
+
|
||||||
|
+err:
|
||||||
|
+ RAND_DRBG_free(drbg);
|
||||||
|
+ return failures == 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+int rand_drbg_selftest(void)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < drbg_test_nelem; i++) {
|
||||||
|
+ if (test_kats(i) <= 0)
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (test_drbg_sanity(&kat1465) <= 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h
|
||||||
|
--- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest 2020-04-23 13:33:12.587622510 +0200
|
||||||
|
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:33:12.619621907 +0200
|
||||||
|
@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
|
||||||
|
*/
|
||||||
|
void rand_pool_keep_random_devices_open(int keep);
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Perform the DRBG KAT selftests
|
||||||
|
+ */
|
||||||
|
+int rand_drbg_selftest(void);
|
||||||
|
+
|
||||||
|
#endif
|
189
SOURCES/openssl-1.1.1-fips-post-rand.patch
Normal file
189
SOURCES/openssl-1.1.1-fips-post-rand.patch
Normal file
@ -0,0 +1,189 @@
|
|||||||
|
diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/fips/fips.c
|
||||||
|
--- openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand 2020-12-09 10:26:41.634106328 +0100
|
||||||
|
+++ openssl-1.1.1i/crypto/fips/fips.c 2020-12-09 10:26:41.652106475 +0100
|
||||||
|
@@ -68,6 +68,7 @@
|
||||||
|
|
||||||
|
# include <openssl/fips.h>
|
||||||
|
# include "internal/thread_once.h"
|
||||||
|
+# include "crypto/rand.h"
|
||||||
|
|
||||||
|
# ifndef PATH_MAX
|
||||||
|
# define PATH_MAX 1024
|
||||||
|
@@ -76,6 +77,7 @@
|
||||||
|
static int fips_selftest_fail = 0;
|
||||||
|
static int fips_mode = 0;
|
||||||
|
static int fips_started = 0;
|
||||||
|
+static int fips_post = 0;
|
||||||
|
|
||||||
|
static int fips_is_owning_thread(void);
|
||||||
|
static int fips_set_owning_thread(void);
|
||||||
|
@@ -158,6 +160,11 @@ void fips_set_selftest_fail(void)
|
||||||
|
fips_selftest_fail = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+int fips_in_post(void)
|
||||||
|
+{
|
||||||
|
+ return fips_post;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* we implement what libfipscheck does ourselves */
|
||||||
|
|
||||||
|
static int
|
||||||
|
@@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff)
|
||||||
|
}
|
||||||
|
# endif
|
||||||
|
|
||||||
|
+ fips_post = 1;
|
||||||
|
+
|
||||||
|
if (!FIPS_selftest()) {
|
||||||
|
fips_selftest_fail = 1;
|
||||||
|
ret = 0;
|
||||||
|
@@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff)
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ fips_post = 0;
|
||||||
|
+
|
||||||
|
fips_set_mode(onoff);
|
||||||
|
+ /* force RNG reseed with entropy from getrandom() on next call */
|
||||||
|
+ rand_force_reseed();
|
||||||
|
+
|
||||||
|
ret = 1;
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/crypto/rand/drbg_lib.c
|
||||||
|
--- openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
|
||||||
|
+++ openssl-1.1.1i/crypto/rand/drbg_lib.c 2020-12-09 10:26:41.652106475 +0100
|
||||||
|
@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
|
||||||
|
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
|
||||||
|
}
|
||||||
|
|
||||||
|
+void rand_force_reseed(void)
|
||||||
|
+{
|
||||||
|
+ RAND_DRBG *drbg;
|
||||||
|
+
|
||||||
|
+ drbg = RAND_DRBG_get0_master();
|
||||||
|
+ drbg->fork_id = 0;
|
||||||
|
+
|
||||||
|
+ drbg = RAND_DRBG_get0_private();
|
||||||
|
+ drbg->fork_id = 0;
|
||||||
|
+
|
||||||
|
+ drbg = RAND_DRBG_get0_public();
|
||||||
|
+ drbg->fork_id = 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* Implements the default OpenSSL RAND_add() method */
|
||||||
|
static int drbg_add(const void *buf, int num, double randomness)
|
||||||
|
{
|
||||||
|
diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/crypto/rand/rand_unix.c
|
||||||
|
--- openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
|
||||||
|
+++ openssl-1.1.1i/crypto/rand/rand_unix.c 2020-12-09 10:36:59.531221903 +0100
|
||||||
|
@@ -17,10 +17,12 @@
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
#include "rand_local.h"
|
||||||
|
#include "crypto/rand.h"
|
||||||
|
+#include "crypto/fips.h"
|
||||||
|
#include <stdio.h>
|
||||||
|
#include "internal/dso.h"
|
||||||
|
#ifdef __linux
|
||||||
|
# include <sys/syscall.h>
|
||||||
|
+# include <sys/random.h>
|
||||||
|
# ifdef DEVRANDOM_WAIT
|
||||||
|
# include <sys/shm.h>
|
||||||
|
# include <sys/utsname.h>
|
||||||
|
@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf,
|
||||||
|
* syscall_random(): Try to get random data using a system call
|
||||||
|
* returns the number of bytes returned in buf, or < 0 on error.
|
||||||
|
*/
|
||||||
|
-static ssize_t syscall_random(void *buf, size_t buflen)
|
||||||
|
+static ssize_t syscall_random(void *buf, size_t buflen, int nonblock)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Note: 'buflen' equals the size of the buffer which is used by the
|
||||||
|
@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf,
|
||||||
|
* Note: Sometimes getentropy() can be provided but not implemented
|
||||||
|
* internally. So we need to check errno for ENOSYS
|
||||||
|
*/
|
||||||
|
+# if 0
|
||||||
|
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
|
||||||
|
extern int getentropy(void *buffer, size_t length) __attribute__((weak));
|
||||||
|
|
||||||
|
@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf,
|
||||||
|
if (p_getentropy.p != NULL)
|
||||||
|
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
|
||||||
|
# endif
|
||||||
|
-
|
||||||
|
+# endif
|
||||||
|
/* Linux supports this since version 3.17 */
|
||||||
|
-# if defined(__linux) && defined(__NR_getrandom)
|
||||||
|
- return syscall(__NR_getrandom, buf, buflen, 0);
|
||||||
|
+# if defined(__linux) && defined(SYS_getrandom)
|
||||||
|
+ return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0);
|
||||||
|
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
|
||||||
|
return sysctl_random(buf, buflen);
|
||||||
|
# else
|
||||||
|
@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||||
|
size_t entropy_available;
|
||||||
|
|
||||||
|
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
|
||||||
|
+ int in_post;
|
||||||
|
+
|
||||||
|
+ for (in_post = fips_in_post(); in_post >= 0; --in_post) {
|
||||||
|
{
|
||||||
|
size_t bytes_needed;
|
||||||
|
unsigned char *buffer;
|
||||||
|
@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||||
|
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
||||||
|
while (bytes_needed != 0 && attempts-- > 0) {
|
||||||
|
buffer = rand_pool_add_begin(pool, bytes_needed);
|
||||||
|
- bytes = syscall_random(buffer, bytes_needed);
|
||||||
|
+ bytes = syscall_random(buffer, bytes_needed, in_post);
|
||||||
|
if (bytes > 0) {
|
||||||
|
rand_pool_add_end(pool, bytes, 8 * bytes);
|
||||||
|
bytes_needed -= bytes;
|
||||||
|
@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||||
|
int attempts = 3;
|
||||||
|
const int fd = get_random_device(i);
|
||||||
|
|
||||||
|
- if (fd == -1)
|
||||||
|
+ if (fd == -1) {
|
||||||
|
+ OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]);
|
||||||
|
continue;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
while (bytes_needed != 0 && attempts-- > 0) {
|
||||||
|
buffer = rand_pool_add_begin(pool, bytes_needed);
|
||||||
|
@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||||
|
return entropy_available;
|
||||||
|
}
|
||||||
|
# endif
|
||||||
|
-
|
||||||
|
+# ifdef OPENSSL_RAND_SEED_GETRANDOM
|
||||||
|
+ }
|
||||||
|
+# endif
|
||||||
|
return rand_pool_entropy_available(pool);
|
||||||
|
# endif
|
||||||
|
}
|
||||||
|
diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/include/crypto/fips.h
|
||||||
|
--- openssl-1.1.1i/include/crypto/fips.h.fips-post-rand 2020-12-09 10:26:41.639106369 +0100
|
||||||
|
+++ openssl-1.1.1i/include/crypto/fips.h 2020-12-09 10:26:41.657106516 +0100
|
||||||
|
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
|
||||||
|
int FIPS_selftest_drbg(void);
|
||||||
|
int FIPS_selftest_cmac(void);
|
||||||
|
|
||||||
|
+int fips_in_post(void);
|
||||||
|
+
|
||||||
|
int fips_pkey_signature_test(EVP_PKEY *pkey,
|
||||||
|
const unsigned char *tbs, int tbslen,
|
||||||
|
const unsigned char *kat,
|
||||||
|
diff -up openssl-1.1.1i/include/crypto/rand.h.fips-post-rand openssl-1.1.1i/include/crypto/rand.h
|
||||||
|
--- openssl-1.1.1i/include/crypto/rand.h.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
|
||||||
|
+++ openssl-1.1.1i/include/crypto/rand.h 2020-12-09 10:26:41.657106516 +0100
|
||||||
|
@@ -24,6 +24,7 @@
|
||||||
|
typedef struct rand_pool_st RAND_POOL;
|
||||||
|
|
||||||
|
void rand_cleanup_int(void);
|
||||||
|
+void rand_force_reseed(void);
|
||||||
|
void rand_drbg_cleanup_int(void);
|
||||||
|
void drbg_delete_thread_state(void);
|
||||||
|
|
11626
SOURCES/openssl-1.1.1-fips.patch
Normal file
11626
SOURCES/openssl-1.1.1-fips.patch
Normal file
File diff suppressed because it is too large
Load Diff
255
SOURCES/openssl-1.1.1-fix-ssl-select-next-proto.patch
Normal file
255
SOURCES/openssl-1.1.1-fix-ssl-select-next-proto.patch
Normal file
@ -0,0 +1,255 @@
|
|||||||
|
From d1d4b56fe0c9a4200276d630f62108e1165e0990 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Maurizio Barbaro <mbarbaro@redhat.com>
|
||||||
|
Date: Mon, 16 Sep 2024 10:53:53 +0200
|
||||||
|
Subject: [PATCH] Backport openssl: SSL_select_next_proto buffer overread from 3.2
|
||||||
|
|
||||||
|
Ensure that the provided client list is non-NULL and starts with a valid
|
||||||
|
entry. When called from the ALPN callback the client list should already
|
||||||
|
have been validated by OpenSSL so this should not cause a problem. When
|
||||||
|
called from the NPN callback the client list is locally configured and
|
||||||
|
will not have already been validated. Therefore SSL_select_next_proto
|
||||||
|
should not assume that it is correctly formatted.
|
||||||
|
|
||||||
|
We implement stricter checking of the client protocol list. We also do the
|
||||||
|
same for the server list while we are about it.
|
||||||
|
|
||||||
|
CVE-2024-5535
|
||||||
|
|
||||||
|
From: Matt Caswell <matt@openssl.org>
|
||||||
|
Date: Fri, 31 May 2024 11:14:33 +0100
|
||||||
|
Merged from: https://github.com/openssl/openssl/pull/24717.
|
||||||
|
|
||||||
|
Backported-by: Maurizio Barbaro <mbarbaro@redhat.com>
|
||||||
|
we did't ported test changes because rely on internal testing framework.
|
||||||
|
|
||||||
|
---
|
||||||
|
doc/man3/SSL_CTX_set_alpn_select_cb.pod | 28 +++++++----
|
||||||
|
ssl/ssl_lib.c | 64 +++++++++++++++----------
|
||||||
|
ssl/statem/extensions_clnt.c | 30 +++++++++++-
|
||||||
|
ssl/statem/extensions_srvr.c | 3 +-
|
||||||
|
4 files changed, 89 insertions(+), 36 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
||||||
|
index e90caec..a3f8dfd 100644
|
||||||
|
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
||||||
|
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
|
||||||
|
@@ -43,7 +43,7 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
|
||||||
|
const unsigned char *server,
|
||||||
|
unsigned int server_len,
|
||||||
|
const unsigned char *client,
|
||||||
|
- unsigned int client_len)
|
||||||
|
+ unsigned int client_len);
|
||||||
|
void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
|
||||||
|
unsigned *len);
|
||||||
|
|
||||||
|
@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
|
||||||
|
SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
|
||||||
|
set the list of protocols available to be negotiated. The B<protos> must be in
|
||||||
|
protocol-list format, described below. The length of B<protos> is specified in
|
||||||
|
-B<protos_len>.
|
||||||
|
+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
|
||||||
|
+protocols and no ALPN extension will be sent to the server.
|
||||||
|
|
||||||
|
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
|
||||||
|
server to select which protocol to use for the incoming connection. When B<cb>
|
||||||
|
@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
|
||||||
|
described below. The first item in the B<server>, B<server_len> list that
|
||||||
|
matches an item in the B<client>, B<client_len> list is selected, and returned
|
||||||
|
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
|
||||||
|
-B<client>, so it should be copied immediately. If no match is found, the first
|
||||||
|
-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
|
||||||
|
-function can also be used in the NPN callback.
|
||||||
|
+B<client>, so it should be copied immediately. The client list must include at
|
||||||
|
+least one valid (nonempty) protocol entry in the list.
|
||||||
|
+
|
||||||
|
+The SSL_select_next_proto() helper function can be useful from either the ALPN
|
||||||
|
+callback or the NPN callback (described below). If no match is found, the first
|
||||||
|
+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
|
||||||
|
+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
|
||||||
|
+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
|
||||||
|
+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
|
||||||
|
+SSL_select_next_proto().
|
||||||
|
|
||||||
|
SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
|
||||||
|
client needs to select a protocol from the server's provided list, and a
|
||||||
|
@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
|
||||||
|
The length of the protocol name must be written into B<outlen>. The
|
||||||
|
server's advertised protocols are provided in B<in> and B<inlen>. The
|
||||||
|
callback can assume that B<in> is syntactically valid. The client must
|
||||||
|
-select a protocol. It is fatal to the connection if this callback returns
|
||||||
|
-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
|
||||||
|
-set via SSL_CTX_set_next_proto_select_cb().
|
||||||
|
+select a protocol (although it may be an empty, zero length protocol). It is
|
||||||
|
+fatal to the connection if this callback returns a value other than
|
||||||
|
+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
|
||||||
|
+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
|
||||||
|
|
||||||
|
SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
|
||||||
|
when a TLS server needs a list of supported protocols for Next Protocol
|
||||||
|
@@ -149,7 +158,8 @@ A match was found and is returned in B<out>, B<outlen>.
|
||||||
|
=item OPENSSL_NPN_NO_OVERLAP
|
||||||
|
|
||||||
|
No match was found. The first item in B<client>, B<client_len> is returned in
|
||||||
|
-B<out>, B<outlen>.
|
||||||
|
+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
|
||||||
|
+B<client> is invalid).
|
||||||
|
|
||||||
|
=back
|
||||||
|
|
||||||
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||||
|
index c71c686..21e6c45 100644
|
||||||
|
--- a/ssl/ssl_lib.c
|
||||||
|
+++ b/ssl/ssl_lib.c
|
||||||
|
@@ -2739,38 +2739,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
|
||||||
|
unsigned int server_len,
|
||||||
|
const unsigned char *client, unsigned int client_len)
|
||||||
|
{
|
||||||
|
- unsigned int i, j;
|
||||||
|
- const unsigned char *result;
|
||||||
|
- int status = OPENSSL_NPN_UNSUPPORTED;
|
||||||
|
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
|
||||||
|
+ if (!PACKET_buf_init(&cpkt, client, client_len)
|
||||||
|
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
|
||||||
|
+ || PACKET_remaining(&csubpkt) == 0) {
|
||||||
|
+ *out = NULL;
|
||||||
|
+ *outlen = 0;
|
||||||
|
+ return OPENSSL_NPN_NO_OVERLAP;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Set the default opportunistic protocol. Will be overwritten if we find
|
||||||
|
+ * a match.
|
||||||
|
+ */
|
||||||
|
+ *out = (unsigned char *)PACKET_data(&csubpkt);
|
||||||
|
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* For each protocol in server preference order, see if we support it.
|
||||||
|
*/
|
||||||
|
- for (i = 0; i < server_len;) {
|
||||||
|
- for (j = 0; j < client_len;) {
|
||||||
|
- if (server[i] == client[j] &&
|
||||||
|
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
|
||||||
|
- /* We found a match */
|
||||||
|
- result = &server[i];
|
||||||
|
- status = OPENSSL_NPN_NEGOTIATED;
|
||||||
|
- goto found;
|
||||||
|
+ if (PACKET_buf_init(&spkt, server, server_len)) {
|
||||||
|
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
|
||||||
|
+ if (PACKET_remaining(&ssubpkt) == 0)
|
||||||
|
+ continue; /* Invalid - ignore it */
|
||||||
|
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
|
||||||
|
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
|
||||||
|
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
|
||||||
|
+ PACKET_remaining(&ssubpkt))) {
|
||||||
|
+ /* We found a match */
|
||||||
|
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
|
||||||
|
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
|
||||||
|
+ return OPENSSL_NPN_NEGOTIATED;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ /* Ignore spurious trailing bytes in the client list */
|
||||||
|
+ } else {
|
||||||
|
+ /* This should never happen */
|
||||||
|
+ return OPENSSL_NPN_NO_OVERLAP;
|
||||||
|
}
|
||||||
|
- j += client[j];
|
||||||
|
- j++;
|
||||||
|
}
|
||||||
|
- i += server[i];
|
||||||
|
- i++;
|
||||||
|
+ /* Ignore spurious trailing bytes in the server list */
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* There's no overlap between our protocols and the server's list. */
|
||||||
|
- result = client;
|
||||||
|
- status = OPENSSL_NPN_NO_OVERLAP;
|
||||||
|
-
|
||||||
|
- found:
|
||||||
|
- *out = (unsigned char *)result + 1;
|
||||||
|
- *outlen = result[0];
|
||||||
|
- return status;
|
||||||
|
-}
|
||||||
|
+ /*
|
||||||
|
+ * There's no overlap between our protocols and the server's list. We use
|
||||||
|
+ * the default opportunistic protocol selected earlier
|
||||||
|
+ */
|
||||||
|
+ return OPENSSL_NPN_NO_OVERLAP;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
||||||
|
/*
|
||||||
|
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
||||||
|
index ce8a757..cfde733 100644
|
||||||
|
--- a/ssl/statem/extensions_clnt.c
|
||||||
|
+++ b/ssl/statem/extensions_clnt.c
|
||||||
|
@@ -1585,8 +1585,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
||||||
|
if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
|
||||||
|
PACKET_data(pkt),
|
||||||
|
PACKET_remaining(pkt),
|
||||||
|
- s->ctx->ext.npn_select_cb_arg) !=
|
||||||
|
- SSL_TLSEXT_ERR_OK) {
|
||||||
|
+ s->ctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
|
||||||
|
+ || selected_len == 0) {
|
||||||
|
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN,
|
||||||
|
SSL_R_BAD_EXTENSION);
|
||||||
|
return 0;
|
||||||
|
@@ -1617,6 +1617,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
||||||
|
size_t chainidx)
|
||||||
|
{
|
||||||
|
size_t len;
|
||||||
|
+ PACKET confpkt, protpkt;
|
||||||
|
+ int valid = 0;
|
||||||
|
|
||||||
|
/* We must have requested it. */
|
||||||
|
if (!s->s3->alpn_sent) {
|
||||||
|
@@ -1637,6 +1639,30 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
||||||
|
SSL_R_BAD_EXTENSION);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /* It must be a protocol that we sent */
|
||||||
|
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
|
||||||
|
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
|
||||||
|
+ ERR_R_INTERNAL_ERROR);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
|
||||||
|
+ if (PACKET_remaining(&protpkt) != len)
|
||||||
|
+ continue;
|
||||||
|
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
|
||||||
|
+ /* Valid protocol found */
|
||||||
|
+ valid = 1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!valid) {
|
||||||
|
+ /* The protocol sent from the server does not match one we advertised */
|
||||||
|
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
|
||||||
|
+ SSL_R_BAD_EXTENSION);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
OPENSSL_free(s->s3->alpn_selected);
|
||||||
|
s->s3->alpn_selected = OPENSSL_malloc(len);
|
||||||
|
if (s->s3->alpn_selected == NULL) {
|
||||||
|
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
|
||||||
|
index 3c7395c..4e3cbf8 100644
|
||||||
|
--- a/ssl/statem/extensions_srvr.c
|
||||||
|
+++ b/ssl/statem/extensions_srvr.c
|
||||||
|
@@ -1559,9 +1559,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
|
||||||
|
return EXT_RETURN_FAIL;
|
||||||
|
}
|
||||||
|
s->s3->npn_seen = 1;
|
||||||
|
+ return EXT_RETURN_SENT;
|
||||||
|
}
|
||||||
|
|
||||||
|
- return EXT_RETURN_SENT;
|
||||||
|
+ return EXT_RETURN_NOT_SENT;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
--
|
||||||
|
2.46.0
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user