Compare commits
No commits in common. "imports/c8-beta/openssl-1.1.1c-1.el8" and "c8" have entirely different histories.
imports/c8
...
c8
|
@ -1 +1 @@
|
|||
SOURCES/openssl-1.1.1c-hobbled.tar.xz
|
||||
SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
||||
|
|
|
@ -1 +1 @@
|
|||
a85056adf2c2402e808bbe3201f6e473cfa8c214 SOURCES/openssl-1.1.1c-hobbled.tar.xz
|
||||
6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
|
@ -9,7 +9,7 @@
|
|||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include "ec_lcl.h"
|
||||
#include "ec_local.h"
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
|
@ -468,3 +468,115 @@ int EC_curve_nist2nid(const char *name)
|
|||
}
|
||||
return NID_undef;
|
||||
}
|
||||
|
||||
#define NUM_BN_FIELDS 6
|
||||
/*
|
||||
* Validates EC domain parameter data for known named curves.
|
||||
* This can be used when a curve is loaded explicitly (without a curve
|
||||
* name) or to validate that domain parameters have not been modified.
|
||||
*
|
||||
* Returns: The nid associated with the found named curve, or NID_undef
|
||||
* if not found. If there was an error it returns -1.
|
||||
*/
|
||||
int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
|
||||
{
|
||||
int ret = -1, nid, len, field_type, param_len;
|
||||
size_t i, seed_len;
|
||||
const unsigned char *seed, *params_seed, *params;
|
||||
unsigned char *param_bytes = NULL;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_POINT *generator = NULL;
|
||||
const EC_METHOD *meth;
|
||||
const BIGNUM *cofactor = NULL;
|
||||
/* An array of BIGNUMs for (p, a, b, x, y, order) */
|
||||
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
|
||||
|
||||
meth = EC_GROUP_method_of(group);
|
||||
if (meth == NULL)
|
||||
return -1;
|
||||
/* Use the optional named curve nid as a search field */
|
||||
nid = EC_GROUP_get_curve_name(group);
|
||||
field_type = EC_METHOD_get_field_type(meth);
|
||||
seed_len = EC_GROUP_get_seed_len(group);
|
||||
seed = EC_GROUP_get0_seed(group);
|
||||
cofactor = EC_GROUP_get0_cofactor(group);
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
|
||||
/*
|
||||
* The built-in curves contains data fields (p, a, b, x, y, order) that are
|
||||
* all zero-padded to be the same size. The size of the padding is
|
||||
* determined by either the number of bytes in the field modulus (p) or the
|
||||
* EC group order, whichever is larger.
|
||||
*/
|
||||
param_len = BN_num_bytes(group->order);
|
||||
len = BN_num_bytes(group->field);
|
||||
if (len > param_len)
|
||||
param_len = len;
|
||||
|
||||
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
|
||||
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
|
||||
if (param_bytes == NULL)
|
||||
goto end;
|
||||
|
||||
/* Create the bignums */
|
||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
|
||||
goto end;
|
||||
}
|
||||
/*
|
||||
* Fill in the bn array with the same values as the internal curves
|
||||
* i.e. the values are p, a, b, x, y, order.
|
||||
*/
|
||||
/* Get p, a & b */
|
||||
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
|
||||
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
|
||||
/* Get x & y */
|
||||
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
|
||||
/* Get order */
|
||||
&& EC_GROUP_get_order(group, bn[5], ctx)))
|
||||
goto end;
|
||||
|
||||
/*
|
||||
* Convert the bignum array to bytes that are joined together to form
|
||||
* a single buffer that contains data for all fields.
|
||||
* (p, a, b, x, y, order) are all zero padded to be the same size.
|
||||
*/
|
||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||
if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
|
||||
goto end;
|
||||
}
|
||||
|
||||
for (i = 0; i < curve_list_length; i++) {
|
||||
const ec_list_element curve = curve_list[i];
|
||||
|
||||
data = curve.data;
|
||||
/* Get the raw order byte data */
|
||||
params_seed = (const unsigned char *)(data + 1); /* skip header */
|
||||
params = params_seed + data->seed_len;
|
||||
|
||||
/* Look for unique fields in the fixed curve data */
|
||||
if (data->field_type == field_type
|
||||
&& param_len == data->param_len
|
||||
&& (nid <= 0 || nid == curve.nid)
|
||||
/* check the optional cofactor (ignore if its zero) */
|
||||
&& (BN_is_zero(cofactor)
|
||||
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
|
||||
/* Check the optional seed (ignore if its not set) */
|
||||
&& (data->seed_len == 0 || seed_len == 0
|
||||
|| ((size_t)data->seed_len == seed_len
|
||||
&& memcmp(params_seed, seed, seed_len) == 0))
|
||||
/* Check that the groups params match the built-in curve params */
|
||||
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
|
||||
== 0) {
|
||||
ret = curve.nid;
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
/* Gets here if the group was not found */
|
||||
ret = NID_undef;
|
||||
end:
|
||||
OPENSSL_free(param_bytes);
|
||||
BN_CTX_end(ctx);
|
||||
return ret;
|
||||
}
|
||||
|
|
634
SOURCES/ectest.c
634
SOURCES/ectest.c
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
|
@ -844,6 +844,271 @@ static const unsigned char p521_explicit[] = {
|
|||
0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01,
|
||||
};
|
||||
|
||||
/*
|
||||
* Sometime we cannot compare nids for equality, as the built-in curve table
|
||||
* includes aliases with different names for the same curve.
|
||||
*
|
||||
* This function returns TRUE (1) if the checked nids are identical, or if they
|
||||
* alias to the same curve. FALSE (0) otherwise.
|
||||
*/
|
||||
static ossl_inline
|
||||
int are_ec_nids_compatible(int n1d, int n2d)
|
||||
{
|
||||
int ret = 0;
|
||||
switch (n1d) {
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
case NID_sect113r1:
|
||||
case NID_wap_wsg_idm_ecid_wtls4:
|
||||
ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4);
|
||||
break;
|
||||
case NID_sect163k1:
|
||||
case NID_wap_wsg_idm_ecid_wtls3:
|
||||
ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3);
|
||||
break;
|
||||
case NID_sect233k1:
|
||||
case NID_wap_wsg_idm_ecid_wtls10:
|
||||
ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10);
|
||||
break;
|
||||
case NID_sect233r1:
|
||||
case NID_wap_wsg_idm_ecid_wtls11:
|
||||
ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11);
|
||||
break;
|
||||
case NID_X9_62_c2pnb163v1:
|
||||
case NID_wap_wsg_idm_ecid_wtls5:
|
||||
ret = (n2d == NID_X9_62_c2pnb163v1
|
||||
|| n2d == NID_wap_wsg_idm_ecid_wtls5);
|
||||
break;
|
||||
# endif /* OPENSSL_NO_EC2M */
|
||||
case NID_secp112r1:
|
||||
case NID_wap_wsg_idm_ecid_wtls6:
|
||||
ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6);
|
||||
break;
|
||||
case NID_secp160r2:
|
||||
case NID_wap_wsg_idm_ecid_wtls7:
|
||||
ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7);
|
||||
break;
|
||||
# ifdef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
case NID_secp224r1:
|
||||
case NID_wap_wsg_idm_ecid_wtls12:
|
||||
ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12);
|
||||
break;
|
||||
# else
|
||||
/*
|
||||
* For SEC P-224 we want to ensure that the SECP nid is returned, as
|
||||
* that is associated with a specialized method.
|
||||
*/
|
||||
case NID_wap_wsg_idm_ecid_wtls12:
|
||||
ret = (n2d == NID_secp224r1);
|
||||
break;
|
||||
# endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
|
||||
|
||||
default:
|
||||
ret = (n1d == n2d);
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* This checks that EC_GROUP_bew_from_ecparameters() returns a "named"
|
||||
* EC_GROUP for built-in curves.
|
||||
*
|
||||
* Note that it is possible to retrieve an alternative alias that does not match
|
||||
* the original nid.
|
||||
*
|
||||
* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set.
|
||||
*/
|
||||
static int check_named_curve_from_ecparameters(int id)
|
||||
{
|
||||
int ret = 0, nid, tnid;
|
||||
EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL;
|
||||
const EC_POINT *group_gen = NULL;
|
||||
EC_POINT *other_gen = NULL;
|
||||
BIGNUM *group_cofactor = NULL, *other_cofactor = NULL;
|
||||
BIGNUM *other_gen_x = NULL, *other_gen_y = NULL;
|
||||
const BIGNUM *group_order = NULL;
|
||||
BIGNUM *other_order = NULL;
|
||||
BN_CTX *bn_ctx = NULL;
|
||||
static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED";
|
||||
static size_t invalid_seed_len = sizeof(invalid_seed);
|
||||
ECPARAMETERS *params = NULL, *other_params = NULL;
|
||||
EC_GROUP *g_ary[8] = {NULL};
|
||||
EC_GROUP **g_next = &g_ary[0];
|
||||
ECPARAMETERS *p_ary[8] = {NULL};
|
||||
ECPARAMETERS **p_next = &p_ary[0];
|
||||
|
||||
/* Do some setup */
|
||||
nid = curves[id].nid;
|
||||
TEST_note("Curve %s", OBJ_nid2sn(nid));
|
||||
if (!TEST_ptr(bn_ctx = BN_CTX_new()))
|
||||
return ret;
|
||||
BN_CTX_start(bn_ctx);
|
||||
|
||||
if (/* Allocations */
|
||||
!TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx))
|
||||
|| !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx))
|
||||
|| !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx))
|
||||
|| !TEST_ptr(other_order = BN_CTX_get(bn_ctx))
|
||||
|| !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx))
|
||||
/* Generate reference group and params */
|
||||
|| !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
|
||||
|| !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL))
|
||||
|| !TEST_ptr(group_gen = EC_GROUP_get0_generator(group))
|
||||
|| !TEST_ptr(group_order = EC_GROUP_get0_order(group))
|
||||
|| !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL))
|
||||
/* compute `other_*` values */
|
||||
|| !TEST_ptr(tmpg = EC_GROUP_dup(group))
|
||||
|| !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group))
|
||||
|| !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL))
|
||||
|| !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen,
|
||||
other_gen_x, other_gen_y, bn_ctx))
|
||||
|| !TEST_true(BN_copy(other_order, group_order))
|
||||
|| !TEST_true(BN_add_word(other_order, 1))
|
||||
|| !TEST_true(BN_copy(other_cofactor, group_cofactor))
|
||||
|| !TEST_true(BN_add_word(other_cofactor, 1)))
|
||||
goto err;
|
||||
|
||||
EC_POINT_free(other_gen);
|
||||
other_gen = NULL;
|
||||
|
||||
if (!TEST_ptr(other_gen = EC_POINT_new(tmpg))
|
||||
|| !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen,
|
||||
other_gen_x, other_gen_y,
|
||||
bn_ctx)))
|
||||
goto err;
|
||||
|
||||
/*
|
||||
* ###########################
|
||||
* # Actual tests start here #
|
||||
* ###########################
|
||||
*/
|
||||
|
||||
/*
|
||||
* Creating a group from built-in explicit parameters returns a
|
||||
* "named" EC_GROUP
|
||||
*/
|
||||
if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params))
|
||||
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef))
|
||||
goto err;
|
||||
/*
|
||||
* We cannot always guarantee the names match, as the built-in table
|
||||
* contains aliases for the same curve with different names.
|
||||
*/
|
||||
if (!TEST_true(are_ec_nids_compatible(nid, tnid))) {
|
||||
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
|
||||
goto err;
|
||||
}
|
||||
/* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */
|
||||
if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE))
|
||||
goto err;
|
||||
|
||||
/*
|
||||
* An invalid seed in the parameters should be ignored: expect a "named"
|
||||
* group.
|
||||
*/
|
||||
if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len),
|
||||
invalid_seed_len)
|
||||
|| !TEST_ptr(other_params = *p_next++ =
|
||||
EC_GROUP_get_ecparameters(tmpg, NULL))
|
||||
|| !TEST_ptr(tgroup = *g_next++ =
|
||||
EC_GROUP_new_from_ecparameters(other_params))
|
||||
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|
||||
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|
||||
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
|
||||
OPENSSL_EC_EXPLICIT_CURVE)) {
|
||||
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
* A null seed in the parameters should be ignored, as it is optional:
|
||||
* expect a "named" group.
|
||||
*/
|
||||
if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1)
|
||||
|| !TEST_ptr(other_params = *p_next++ =
|
||||
EC_GROUP_get_ecparameters(tmpg, NULL))
|
||||
|| !TEST_ptr(tgroup = *g_next++ =
|
||||
EC_GROUP_new_from_ecparameters(other_params))
|
||||
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|
||||
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|
||||
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
|
||||
OPENSSL_EC_EXPLICIT_CURVE)) {
|
||||
TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid));
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check that changing any of the generator parameters does not yield a
|
||||
* match with the built-in curves
|
||||
*/
|
||||
if (/* Other gen, same group order & cofactor */
|
||||
!TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order,
|
||||
group_cofactor))
|
||||
|| !TEST_ptr(other_params = *p_next++ =
|
||||
EC_GROUP_get_ecparameters(tmpg, NULL))
|
||||
|| !TEST_ptr(tgroup = *g_next++ =
|
||||
EC_GROUP_new_from_ecparameters(other_params))
|
||||
|| !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|
||||
/* Same gen & cofactor, different order */
|
||||
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order,
|
||||
group_cofactor))
|
||||
|| !TEST_ptr(other_params = *p_next++ =
|
||||
EC_GROUP_get_ecparameters(tmpg, NULL))
|
||||
|| !TEST_ptr(tgroup = *g_next++ =
|
||||
EC_GROUP_new_from_ecparameters(other_params))
|
||||
|| !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|
||||
/* The order is not an optional field, so this should fail */
|
||||
|| !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL,
|
||||
group_cofactor))
|
||||
/* Check that a wrong cofactor is ignored, and we still match */
|
||||
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
|
||||
other_cofactor))
|
||||
|| !TEST_ptr(other_params = *p_next++ =
|
||||
EC_GROUP_get_ecparameters(tmpg, NULL))
|
||||
|| !TEST_ptr(tgroup = *g_next++ =
|
||||
EC_GROUP_new_from_ecparameters(other_params))
|
||||
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|
||||
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|
||||
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
|
||||
OPENSSL_EC_EXPLICIT_CURVE)
|
||||
/* Check that if the cofactor is not set then it still matches */
|
||||
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
|
||||
NULL))
|
||||
|| !TEST_ptr(other_params = *p_next++ =
|
||||
EC_GROUP_get_ecparameters(tmpg, NULL))
|
||||
|| !TEST_ptr(tgroup = *g_next++ =
|
||||
EC_GROUP_new_from_ecparameters(other_params))
|
||||
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|
||||
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|
||||
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
|
||||
OPENSSL_EC_EXPLICIT_CURVE)
|
||||
/* check that restoring the generator passes */
|
||||
|| !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order,
|
||||
group_cofactor))
|
||||
|| !TEST_ptr(other_params = *p_next++ =
|
||||
EC_GROUP_get_ecparameters(tmpg, NULL))
|
||||
|| !TEST_ptr(tgroup = *g_next++ =
|
||||
EC_GROUP_new_from_ecparameters(other_params))
|
||||
|| !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)
|
||||
|| !TEST_true(are_ec_nids_compatible(nid, tnid))
|
||||
|| !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup),
|
||||
OPENSSL_EC_EXPLICIT_CURVE))
|
||||
goto err;
|
||||
|
||||
ret = 1;
|
||||
err:
|
||||
for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++)
|
||||
EC_GROUP_free(*g_next);
|
||||
for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++)
|
||||
ECPARAMETERS_free(*p_next);
|
||||
ECPARAMETERS_free(params);
|
||||
EC_POINT_free(other_gen);
|
||||
EC_GROUP_free(tmpg);
|
||||
EC_GROUP_free(group);
|
||||
BN_CTX_end(bn_ctx);
|
||||
BN_CTX_free(bn_ctx);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int parameter_test(void)
|
||||
{
|
||||
EC_GROUP *group = NULL, *group2 = NULL;
|
||||
|
@ -851,7 +1116,8 @@ static int parameter_test(void)
|
|||
unsigned char *buf = NULL;
|
||||
int r = 0, len;
|
||||
|
||||
if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1))
|
||||
/* must use a curve without a special group method */
|
||||
if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp256k1))
|
||||
|| !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL))
|
||||
|| !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters))
|
||||
|| !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0))
|
||||
|
@ -886,7 +1152,361 @@ err:
|
|||
OPENSSL_free(buf);
|
||||
return r;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*-
|
||||
* random 256-bit explicit parameters curve, cofactor absent
|
||||
* order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
|
||||
* cofactor: 0x12bc94785251297abfafddf1565100da (125 bit)
|
||||
*/
|
||||
static const unsigned char params_cf_pass[] = {
|
||||
0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
|
||||
0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5,
|
||||
0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
|
||||
0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
|
||||
0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5,
|
||||
0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d,
|
||||
0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93,
|
||||
0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc,
|
||||
0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27,
|
||||
0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23,
|
||||
0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77,
|
||||
0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b,
|
||||
0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4,
|
||||
0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9,
|
||||
0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a,
|
||||
0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c,
|
||||
0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96,
|
||||
0x14, 0xa8, 0x2f, 0x4f
|
||||
};
|
||||
|
||||
/*-
|
||||
* random 256-bit explicit parameters curve, cofactor absent
|
||||
* order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit)
|
||||
* cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit)
|
||||
*/
|
||||
static const unsigned char params_cf_fail[] = {
|
||||
0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86,
|
||||
0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37,
|
||||
0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
|
||||
0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
|
||||
0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37,
|
||||
0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b,
|
||||
0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0,
|
||||
0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09,
|
||||
0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d,
|
||||
0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02,
|
||||
0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59,
|
||||
0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11,
|
||||
0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24,
|
||||
0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70,
|
||||
0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73,
|
||||
0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04,
|
||||
0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e,
|
||||
0x34, 0xa2, 0x21, 0x01
|
||||
};
|
||||
|
||||
/*-
|
||||
* Test two random 256-bit explicit parameters curves with absent cofactor.
|
||||
* The two curves are chosen to roughly straddle the bounds at which the lib
|
||||
* can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
|
||||
*
|
||||
* - params_cf_pass: order is sufficiently close to p to compute cofactor
|
||||
* - params_cf_fail: order is too far away from p to compute cofactor
|
||||
*
|
||||
* For standards-compliant curves, cofactor is chosen as small as possible.
|
||||
* So you can see neither of these curves are fit for cryptographic use.
|
||||
*
|
||||
* Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
|
||||
* h <= 2**(t/8) where t is the security level of the curve, for which the lib
|
||||
* will always succeed in computing the cofactor. Neither of these curves
|
||||
* conform to that -- this is just robustness testing.
|
||||
*/
|
||||
static int cofactor_range_test(void)
|
||||
{
|
||||
EC_GROUP *group = NULL;
|
||||
BIGNUM *cf = NULL;
|
||||
int ret = 0;
|
||||
const unsigned char *b1 = (const unsigned char *)params_cf_fail;
|
||||
const unsigned char *b2 = (const unsigned char *)params_cf_pass;
|
||||
|
||||
if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
|
||||
|| !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
|
||||
|| !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
|
||||
sizeof(params_cf_pass)))
|
||||
|| !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
|
||||
|| !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
BN_free(cf);
|
||||
EC_GROUP_free(group);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*-
|
||||
* For named curves, test that:
|
||||
* - the lib correctly computes the cofactor if passed a NULL or zero cofactor
|
||||
* - a nonsensical cofactor throws an error (negative test)
|
||||
* - nonsensical orders throw errors (negative tests)
|
||||
*/
|
||||
static int cardinality_test(int n)
|
||||
{
|
||||
int ret = 0;
|
||||
int nid = curves[n].nid;
|
||||
BN_CTX *ctx = NULL;
|
||||
EC_GROUP *g1 = NULL, *g2 = NULL;
|
||||
EC_POINT *g2_gen = NULL;
|
||||
BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
|
||||
*g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;
|
||||
|
||||
TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
|
||||
|
||||
if (!TEST_ptr(ctx = BN_CTX_new())
|
||||
|| !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))
|
||||
|| !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) {
|
||||
EC_GROUP_free(g1);
|
||||
EC_GROUP_free(g2);
|
||||
BN_CTX_free(ctx);
|
||||
return 0;
|
||||
}
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
g1_p = BN_CTX_get(ctx);
|
||||
g1_a = BN_CTX_get(ctx);
|
||||
g1_b = BN_CTX_get(ctx);
|
||||
g1_x = BN_CTX_get(ctx);
|
||||
g1_y = BN_CTX_get(ctx);
|
||||
g1_order = BN_CTX_get(ctx);
|
||||
g1_cf = BN_CTX_get(ctx);
|
||||
|
||||
if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
|
||||
/* pull out the explicit curve parameters */
|
||||
|| !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
|
||||
|| !TEST_true(EC_POINT_get_affine_coordinates(g1,
|
||||
EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
|
||||
|| !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
|
||||
|| !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
|
||||
/* construct g2 manually with g1 parameters */
|
||||
|| !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx))
|
||||
|| !TEST_ptr(g2_gen = EC_POINT_new(g2))
|
||||
|| !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
|
||||
/* pass NULL cofactor: lib should compute it */
|
||||
|| !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
|
||||
|| !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
|
||||
|| !TEST_BN_eq(g1_cf, g2_cf)
|
||||
/* pass zero cofactor: lib should compute it */
|
||||
|| !TEST_true(BN_set_word(g2_cf, 0))
|
||||
|| !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
|
||||
|| !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
|
||||
|| !TEST_BN_eq(g1_cf, g2_cf)
|
||||
/* negative test for invalid cofactor */
|
||||
|| !TEST_true(BN_set_word(g2_cf, 0))
|
||||
|| !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
|
||||
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
|
||||
/* negative test for NULL order */
|
||||
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
|
||||
/* negative test for zero order */
|
||||
|| !TEST_true(BN_set_word(g1_order, 0))
|
||||
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
|
||||
/* negative test for negative order */
|
||||
|| !TEST_true(BN_set_word(g2_cf, 0))
|
||||
|| !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
|
||||
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
|
||||
/* negative test for too large order */
|
||||
|| !TEST_true(BN_lshift(g1_order, g1_p, 2))
|
||||
|| !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
EC_POINT_free(g2_gen);
|
||||
EC_GROUP_free(g1);
|
||||
EC_GROUP_free(g2);
|
||||
BN_CTX_end(ctx);
|
||||
BN_CTX_free(ctx);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Helper for ec_point_hex2point_test
|
||||
*
|
||||
* Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given
|
||||
* (group,P) pair.
|
||||
*
|
||||
* If P is NULL use point at infinity.
|
||||
*/
|
||||
static ossl_inline
|
||||
int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P,
|
||||
point_conversion_form_t form,
|
||||
BN_CTX *bnctx)
|
||||
{
|
||||
int ret = 0;
|
||||
EC_POINT *Q = NULL, *Pinf = NULL;
|
||||
char *hex = NULL;
|
||||
|
||||
if (P == NULL) {
|
||||
/* If P is NULL use point at infinity. */
|
||||
if (!TEST_ptr(Pinf = EC_POINT_new(group))
|
||||
|| !TEST_true(EC_POINT_set_to_infinity(group, Pinf)))
|
||||
goto err;
|
||||
P = Pinf;
|
||||
}
|
||||
|
||||
if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx))
|
||||
|| !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx))
|
||||
|| !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx)))
|
||||
goto err;
|
||||
|
||||
/*
|
||||
* The next check is most likely superfluous, as EC_POINT_cmp should already
|
||||
* cover this.
|
||||
* Nonetheless it increases the test coverage for EC_POINT_is_at_infinity,
|
||||
* so we include it anyway!
|
||||
*/
|
||||
if (Pinf != NULL
|
||||
&& !TEST_true(EC_POINT_is_at_infinity(group, Q)))
|
||||
goto err;
|
||||
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
EC_POINT_free(Pinf);
|
||||
OPENSSL_free(hex);
|
||||
EC_POINT_free(Q);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex()
|
||||
*/
|
||||
static int ec_point_hex2point_test(int id)
|
||||
{
|
||||
int ret = 0, nid;
|
||||
EC_GROUP *group = NULL;
|
||||
const EC_POINT *G = NULL;
|
||||
EC_POINT *P = NULL;
|
||||
BN_CTX * bnctx = NULL;
|
||||
|
||||
/* Do some setup */
|
||||
nid = curves[id].nid;
|
||||
if (!TEST_ptr(bnctx = BN_CTX_new())
|
||||
|| !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
|
||||
|| !TEST_ptr(G = EC_GROUP_get0_generator(group))
|
||||
|| !TEST_ptr(P = EC_POINT_dup(G, group)))
|
||||
goto err;
|
||||
|
||||
if (!TEST_true(ec_point_hex2point_test_helper(group, P,
|
||||
POINT_CONVERSION_COMPRESSED,
|
||||
bnctx))
|
||||
|| !TEST_true(ec_point_hex2point_test_helper(group, NULL,
|
||||
POINT_CONVERSION_COMPRESSED,
|
||||
bnctx))
|
||||
|| !TEST_true(ec_point_hex2point_test_helper(group, P,
|
||||
POINT_CONVERSION_UNCOMPRESSED,
|
||||
bnctx))
|
||||
|| !TEST_true(ec_point_hex2point_test_helper(group, NULL,
|
||||
POINT_CONVERSION_UNCOMPRESSED,
|
||||
bnctx))
|
||||
|| !TEST_true(ec_point_hex2point_test_helper(group, P,
|
||||
POINT_CONVERSION_HYBRID,
|
||||
bnctx))
|
||||
|| !TEST_true(ec_point_hex2point_test_helper(group, NULL,
|
||||
POINT_CONVERSION_HYBRID,
|
||||
bnctx)))
|
||||
goto err;
|
||||
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
EC_POINT_free(P);
|
||||
EC_GROUP_free(group);
|
||||
BN_CTX_free(bnctx);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* check the EC_METHOD respects the supplied EC_GROUP_set_generator G
|
||||
*/
|
||||
static int custom_generator_test(int id)
|
||||
{
|
||||
int ret = 0, nid, bsize;
|
||||
EC_GROUP *group = NULL;
|
||||
EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *k = NULL;
|
||||
unsigned char *b1 = NULL, *b2 = NULL;
|
||||
|
||||
/* Do some setup */
|
||||
nid = curves[id].nid;
|
||||
TEST_note("Curve %s", OBJ_nid2sn(nid));
|
||||
if (!TEST_ptr(ctx = BN_CTX_new()))
|
||||
return 0;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
|
||||
if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
|
||||
goto err;
|
||||
|
||||
/* expected byte length of encoded points */
|
||||
bsize = (EC_GROUP_get_degree(group) + 7) / 8;
|
||||
bsize = 2 * bsize + 1;
|
||||
|
||||
if (!TEST_ptr(k = BN_CTX_get(ctx))
|
||||
/* fetch a testing scalar k != 0,1 */
|
||||
|| !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
|
||||
BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
|
||||
/* make k even */
|
||||
|| !TEST_true(BN_clear_bit(k, 0))
|
||||
|| !TEST_ptr(G2 = EC_POINT_new(group))
|
||||
|| !TEST_ptr(Q1 = EC_POINT_new(group))
|
||||
/* Q1 := kG */
|
||||
|| !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
|
||||
/* pull out the bytes of that */
|
||||
|| !TEST_int_eq(EC_POINT_point2oct(group, Q1,
|
||||
POINT_CONVERSION_UNCOMPRESSED, NULL,
|
||||
0, ctx), bsize)
|
||||
|| !TEST_ptr(b1 = OPENSSL_malloc(bsize))
|
||||
|| !TEST_int_eq(EC_POINT_point2oct(group, Q1,
|
||||
POINT_CONVERSION_UNCOMPRESSED, b1,
|
||||
bsize, ctx), bsize)
|
||||
/* new generator is G2 := 2G */
|
||||
|| !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
|
||||
ctx))
|
||||
|| !TEST_true(EC_GROUP_set_generator(group, G2,
|
||||
EC_GROUP_get0_order(group),
|
||||
EC_GROUP_get0_cofactor(group)))
|
||||
|| !TEST_ptr(Q2 = EC_POINT_new(group))
|
||||
|| !TEST_true(BN_rshift1(k, k))
|
||||
/* Q2 := k/2 G2 */
|
||||
|| !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
|
||||
|| !TEST_int_eq(EC_POINT_point2oct(group, Q2,
|
||||
POINT_CONVERSION_UNCOMPRESSED, NULL,
|
||||
0, ctx), bsize)
|
||||
|| !TEST_ptr(b2 = OPENSSL_malloc(bsize))
|
||||
|| !TEST_int_eq(EC_POINT_point2oct(group, Q2,
|
||||
POINT_CONVERSION_UNCOMPRESSED, b2,
|
||||
bsize, ctx), bsize)
|
||||
/* Q1 = kG = k/2 G2 = Q2 should hold */
|
||||
|| !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
|
||||
goto err;
|
||||
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
BN_CTX_end(ctx);
|
||||
EC_POINT_free(Q1);
|
||||
EC_POINT_free(Q2);
|
||||
EC_POINT_free(G2);
|
||||
EC_GROUP_free(group);
|
||||
BN_CTX_free(ctx);
|
||||
OPENSSL_free(b1);
|
||||
OPENSSL_free(b2);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_NO_EC */
|
||||
|
||||
int setup_tests(void)
|
||||
{
|
||||
|
@ -897,6 +1517,8 @@ int setup_tests(void)
|
|||
return 0;
|
||||
|
||||
ADD_TEST(parameter_test);
|
||||
ADD_TEST(cofactor_range_test);
|
||||
ADD_ALL_TESTS(cardinality_test, crv_len);
|
||||
ADD_TEST(prime_field_tests);
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
ADD_TEST(char2_field_tests);
|
||||
|
@ -908,7 +1530,11 @@ int setup_tests(void)
|
|||
# endif
|
||||
ADD_ALL_TESTS(internal_curve_test, crv_len);
|
||||
ADD_ALL_TESTS(internal_curve_test_method, crv_len);
|
||||
#endif
|
||||
|
||||
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
|
||||
ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
|
||||
ADD_ALL_TESTS(custom_generator_test, crv_len);
|
||||
#endif /* OPENSSL_NO_EC */
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
diff -up openssl-1.1.0-pre5/crypto/x509/x509_cmp.c.issuer-hash openssl-1.1.0-pre5/crypto/x509/x509_cmp.c
|
||||
--- openssl-1.1.0-pre5/crypto/x509/x509_cmp.c.issuer-hash 2016-07-18 15:16:32.788881100 +0200
|
||||
+++ openssl-1.1.0-pre5/crypto/x509/x509_cmp.c 2016-07-18 15:17:16.671871840 +0200
|
||||
@@ -87,6 +87,7 @@ unsigned long X509_issuer_and_serial_has
|
||||
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
|
||||
if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
|
||||
goto err;
|
|
@ -1,12 +0,0 @@
|
|||
diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200
|
||||
+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200
|
||||
@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
|
||||
|
||||
uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
|
||||
|
||||
-install_docs: install_man_docs install_html_docs
|
||||
+install_docs: install_man_docs
|
||||
|
||||
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
||||
$(RM) -r -v $(DESTDIR)$(DOCDIR)
|
|
@ -0,0 +1,31 @@
|
|||
From a3f4cd5019b60649f6eb216ebe99caa43cd96f8e Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <dueno@redhat.com>
|
||||
Date: Mon, 26 Apr 2021 14:40:17 +0200
|
||||
Subject: [PATCH] BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name
|
||||
is given
|
||||
|
||||
The flag only affects which record types are queried (A or AAAA, or
|
||||
both), and when node is NULL, it prevents getaddrinfo returning the
|
||||
right address associated with the loopback interface.
|
||||
|
||||
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
||||
---
|
||||
crypto/bio/b_addr.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c
|
||||
index b023bbda40..ea15601f3d 100644
|
||||
--- a/crypto/bio/b_addr.c
|
||||
+++ b/crypto/bio/b_addr.c
|
||||
@@ -689,7 +689,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
|
||||
hints.ai_protocol = protocol;
|
||||
# ifdef AI_ADDRCONFIG
|
||||
# ifdef AF_UNSPEC
|
||||
- if (family == AF_UNSPEC)
|
||||
+ if (host != NULL && family == AF_UNSPEC)
|
||||
# endif
|
||||
hints.ai_flags |= AI_ADDRCONFIG;
|
||||
# endif
|
||||
--
|
||||
2.30.2
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
commit 9e885a707d604e9528b5491b78fb9c00f41193fc
|
||||
Author: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu Mar 26 15:59:00 2020 +0100
|
||||
|
||||
s_server: Properly indicate ALPN protocol mismatch
|
||||
|
||||
Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
|
||||
an alert is sent to the client on ALPN protocol mismatch.
|
||||
|
||||
Fixes: #2708
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/11415)
|
||||
|
||||
diff --git a/apps/s_server.c b/apps/s_server.c
|
||||
index bcc83e562c..591c6c19c5 100644
|
||||
--- a/apps/s_server.c
|
||||
+++ b/apps/s_server.c
|
||||
@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
|
||||
if (SSL_select_next_proto
|
||||
((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
|
||||
inlen) != OPENSSL_NPN_NEGOTIATED) {
|
||||
- return SSL_TLSEXT_ERR_NOACK;
|
||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
if (!s_quiet) {
|
File diff suppressed because it is too large
Load Diff
|
@ -1,28 +1,7 @@
|
|||
diff -up openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl.build 2018-06-20 16:48:09.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/Configurations/unix-Makefile.tmpl 2018-07-16 17:15:38.108831031 +0200
|
||||
@@ -680,7 +680,7 @@ uninstall_runtime:
|
||||
install_man_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@$(ECHO) "*** Installing manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
|
||||
|
||||
uninstall_man_docs:
|
||||
@@ -692,7 +692,7 @@ uninstall_man_docs:
|
||||
install_html_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@$(ECHO) "*** Installing HTML manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
--destdir=$(DESTDIR)$(HTMLDIR) --type=html
|
||||
|
||||
uninstall_html_docs:
|
||||
diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8/Configurations/10-main.conf
|
||||
--- openssl-1.1.1-pre8/Configurations/10-main.conf.build 2018-06-20 16:48:09.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/Configurations/10-main.conf 2018-07-16 17:17:10.312045203 +0200
|
||||
@@ -693,6 +693,7 @@ my %targets = (
|
||||
diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
|
||||
--- openssl-1.1.1f/Configurations/10-main.conf.build 2020-03-31 14:17:45.000000000 +0200
|
||||
+++ openssl-1.1.1f/Configurations/10-main.conf 2020-04-07 16:42:10.920546387 +0200
|
||||
@@ -678,6 +678,7 @@ my %targets = (
|
||||
cxxflags => add("-m64"),
|
||||
lib_cppflags => add("-DL_ENDIAN"),
|
||||
perlasm_scheme => "linux64le",
|
||||
|
@ -30,7 +9,7 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
|
|||
},
|
||||
|
||||
"linux-armv4" => {
|
||||
@@ -733,6 +734,7 @@ my %targets = (
|
||||
@@ -718,6 +719,7 @@ my %targets = (
|
||||
"linux-aarch64" => {
|
||||
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
|
||||
perlasm_scheme => "linux64",
|
||||
|
@ -38,3 +17,24 @@ diff -up openssl-1.1.1-pre8/Configurations/10-main.conf.build openssl-1.1.1-pre8
|
|||
},
|
||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
|
||||
diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build 2020-04-07 16:42:10.920546387 +0200
|
||||
+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:44:23.539142108 +0200
|
||||
@@ -823,7 +823,7 @@ uninstall_runtime_libs:
|
||||
install_man_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@$(ECHO) "*** Installing manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
|
||||
|
||||
uninstall_man_docs:
|
||||
@@ -835,7 +835,7 @@ uninstall_man_docs:
|
||||
install_html_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@$(ECHO) "*** Installing HTML manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
|
||||
|
||||
uninstall_html_docs:
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
|
||||
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
|
||||
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
|
||||
@@ -42,6 +42,9 @@ static int tls_parse_certificate_authori
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
static int init_srp(SSL *s, unsigned int context);
|
||||
#endif
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+static int init_ec_point_formats(SSL *s, unsigned int context);
|
||||
+#endif
|
||||
static int init_etm(SSL *s, unsigned int context);
|
||||
static int init_ems(SSL *s, unsigned int context);
|
||||
static int final_ems(SSL *s, unsigned int context, int sent);
|
||||
@@ -158,7 +159,7 @@ static const EXTENSION_DEFINITION ext_de
|
||||
TLSEXT_TYPE_ec_point_formats,
|
||||
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
|
||||
| SSL_EXT_TLS1_2_AND_BELOW_ONLY,
|
||||
- NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
|
||||
+ init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
|
||||
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
|
||||
final_ec_pt_formats
|
||||
},
|
||||
@@ -1164,6 +1165,17 @@ static int init_srp(SSL *s, unsigned int
|
||||
}
|
||||
#endif
|
||||
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+static int init_ec_point_formats(SSL *s, unsigned int context)
|
||||
+{
|
||||
+ OPENSSL_free(s->ext.peer_ecpointformats);
|
||||
+ s->ext.peer_ecpointformats = NULL;
|
||||
+ s->ext.peer_ecpointformats_len = 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
static int init_etm(SSL *s, unsigned int context)
|
||||
{
|
||||
s->ext.use_etm = 0;
|
|
@ -0,0 +1,179 @@
|
|||
From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 28 Feb 2022 18:26:21 +0100
|
||||
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
|
||||
|
||||
The calculation in some cases does not finish for non-prime p.
|
||||
|
||||
This fixes CVE-2022-0778.
|
||||
|
||||
Based on patch by David Benjamin <davidben@google.com>.
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
---
|
||||
crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
|
||||
1 file changed, 18 insertions(+), 12 deletions(-)
|
||||
|
||||
From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 28 Feb 2022 18:26:30 +0100
|
||||
Subject: [PATCH] Add documentation of BN_mod_sqrt()
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
---
|
||||
doc/man3/BN_add.pod | 15 +++++++++++++--
|
||||
1 file changed, 13 insertions(+), 2 deletions(-)
|
||||
|
||||
From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 28 Feb 2022 18:26:35 +0100
|
||||
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
---
|
||||
test/bntest.c | 11 ++++++++++-
|
||||
test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
|
||||
2 files changed, 22 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
|
||||
index 1723d5ded5a8..53b0f559855c 100644
|
||||
--- a/crypto/bn/bn_sqrt.c
|
||||
+++ b/crypto/bn/bn_sqrt.c
|
||||
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||
/*
|
||||
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
|
||||
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
|
||||
- * Theory", algorithm 1.5.1). 'p' must be prime!
|
||||
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
|
||||
+ * an incorrect "result" will be returned.
|
||||
*/
|
||||
{
|
||||
BIGNUM *ret = in;
|
||||
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||
goto vrfy;
|
||||
}
|
||||
|
||||
- /* find smallest i such that b^(2^i) = 1 */
|
||||
- i = 1;
|
||||
- if (!BN_mod_sqr(t, b, p, ctx))
|
||||
- goto end;
|
||||
- while (!BN_is_one(t)) {
|
||||
- i++;
|
||||
- if (i == e) {
|
||||
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
|
||||
- goto end;
|
||||
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
|
||||
+ for (i = 1; i < e; i++) {
|
||||
+ if (i == 1) {
|
||||
+ if (!BN_mod_sqr(t, b, p, ctx))
|
||||
+ goto end;
|
||||
+
|
||||
+ } else {
|
||||
+ if (!BN_mod_mul(t, t, t, p, ctx))
|
||||
+ goto end;
|
||||
}
|
||||
- if (!BN_mod_mul(t, t, t, p, ctx))
|
||||
- goto end;
|
||||
+ if (BN_is_one(t))
|
||||
+ break;
|
||||
+ }
|
||||
+ /* If not found, a is not a square or p is not prime. */
|
||||
+ if (i >= e) {
|
||||
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
/* t := y^2^(e - i - 1) */
|
||||
diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
|
||||
index dccd4790ede7..1f5e37a4d183 100644
|
||||
--- a/doc/man3/BN_add.pod
|
||||
+++ b/doc/man3/BN_add.pod
|
||||
@@ -3,7 +3,7 @@
|
||||
=head1 NAME
|
||||
|
||||
BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
|
||||
-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
|
||||
+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
|
||||
arithmetic operations on BIGNUMs
|
||||
|
||||
=head1 SYNOPSIS
|
||||
@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
|
||||
|
||||
int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
|
||||
|
||||
+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
|
||||
+
|
||||
int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
|
||||
|
||||
int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
|
||||
@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
|
||||
BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
|
||||
result in I<r>.
|
||||
|
||||
+BN_mod_sqrt() returns the modular square root of I<a> such that
|
||||
+C<in^2 = a (mod p)>. The modulus I<p> must be a
|
||||
+prime, otherwise an error or an incorrect "result" will be returned.
|
||||
+The result is stored into I<in> which can be NULL. The result will be
|
||||
+newly allocated in that case.
|
||||
+
|
||||
BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
|
||||
(C<r=a^p>). This function is faster than repeated applications of
|
||||
BN_mul().
|
||||
@@ -108,7 +116,10 @@ the arguments.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
-For all functions, 1 is returned for success, 0 on error. The return
|
||||
+The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
|
||||
+not a prime), or NULL.
|
||||
+
|
||||
+For all remaining functions, 1 is returned for success, 0 on error. The return
|
||||
value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
|
||||
The error codes can be obtained by L<ERR_get_error(3)>.
|
||||
|
||||
diff --git a/test/bntest.c b/test/bntest.c
|
||||
index 390dd800733e..1cab660bcafb 100644
|
||||
--- a/test/bntest.c
|
||||
+++ b/test/bntest.c
|
||||
@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
|
||||
|| !TEST_ptr(ret2 = BN_new()))
|
||||
goto err;
|
||||
|
||||
+ if (BN_is_negative(mod_sqrt)) {
|
||||
+ /* A negative testcase */
|
||||
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
|
||||
+ goto err;
|
||||
+
|
||||
+ st = 1;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
/* There are two possible answers. */
|
||||
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
|
||||
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|
||||
|| !TEST_true(BN_sub(ret2, p, ret)))
|
||||
goto err;
|
||||
|
||||
diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
|
||||
index 5ea4d031f271..e28cc6bfb02e 100644
|
||||
--- a/test/recipes/10-test_bn_data/bnmod.txt
|
||||
+++ b/test/recipes/10-test_bn_data/bnmod.txt
|
||||
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
||||
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
|
||||
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
|
||||
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
||||
+
|
||||
+# Negative testcases for BN_mod_sqrt()
|
||||
+
|
||||
+# This one triggers an infinite loop with unfixed implementation
|
||||
+# It should just fail.
|
||||
+ModSqrt = -1
|
||||
+A = 20a7ee
|
||||
+P = 460201
|
||||
+
|
||||
+ModSqrt = -1
|
||||
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
|
||||
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
|
@ -0,0 +1,74 @@
|
|||
From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Tue, 26 Apr 2022 12:40:24 +0200
|
||||
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
|
||||
|
||||
Except on VMS where it is safe.
|
||||
|
||||
This fixes CVE-2022-1292.
|
||||
|
||||
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23]
|
||||
---
|
||||
tools/c_rehash.in | 29 +++++++++++++++++++++++++----
|
||||
1 file changed, 25 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
|
||||
index fa7c6c9fef91..83c1cc80e08a 100644
|
||||
--- a/tools/c_rehash.in
|
||||
+++ b/tools/c_rehash.in
|
||||
@@ -152,6 +152,23 @@ sub check_file {
|
||||
return ($is_cert, $is_crl);
|
||||
}
|
||||
|
||||
+sub compute_hash {
|
||||
+ my $fh;
|
||||
+ if ( $^O eq "VMS" ) {
|
||||
+ # VMS uses the open through shell
|
||||
+ # The file names are safe there and list form is unsupported
|
||||
+ if (!open($fh, "-|", join(' ', @_))) {
|
||||
+ print STDERR "Cannot compute hash on '$fname'\n";
|
||||
+ return;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!open($fh, "-|", @_)) {
|
||||
+ print STDERR "Cannot compute hash on '$fname'\n";
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+ return (<$fh>, <$fh>);
|
||||
+}
|
||||
|
||||
# Link a certificate to its subject name hash value, each hash is of
|
||||
# the form <hash>.<n> where n is an integer. If the hash value already exists
|
||||
@@ -161,10 +178,12 @@ sub check_file {
|
||||
|
||||
sub link_hash_cert {
|
||||
my $fname = $_[0];
|
||||
- $fname =~ s/\"/\\\"/g;
|
||||
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
|
||||
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
|
||||
+ "-fingerprint", "-noout",
|
||||
+ "-in", $fname);
|
||||
chomp $hash;
|
||||
chomp $fprint;
|
||||
+ return if !$hash;
|
||||
$fprint =~ s/^.*=//;
|
||||
$fprint =~ tr/://d;
|
||||
my $suffix = 0;
|
||||
@@ -202,10 +221,12 @@ sub link_hash_cert {
|
||||
|
||||
sub link_hash_crl {
|
||||
my $fname = $_[0];
|
||||
- $fname =~ s/'/'\\''/g;
|
||||
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
|
||||
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
|
||||
+ "-fingerprint", "-noout",
|
||||
+ "-in", $fname);
|
||||
chomp $hash;
|
||||
chomp $fprint;
|
||||
+ return if !$hash;
|
||||
$fprint =~ s/^.*=//;
|
||||
$fprint =~ tr/://d;
|
||||
my $suffix = 0;
|
|
@ -0,0 +1,255 @@
|
|||
From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Fiala <daniel@openssl.org>
|
||||
Date: Sun, 29 May 2022 20:11:24 +0200
|
||||
Subject: [PATCH] Fix file operations in c_rehash.
|
||||
|
||||
CVE-2022-2068
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
||||
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7]
|
||||
---
|
||||
tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
|
||||
1 file changed, 107 insertions(+), 109 deletions(-)
|
||||
|
||||
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
|
||||
index cfd18f5da110..9d2a6f6db73b 100644
|
||||
--- a/tools/c_rehash.in
|
||||
+++ b/tools/c_rehash.in
|
||||
@@ -104,52 +104,78 @@ foreach (@dirlist) {
|
||||
}
|
||||
exit($errorcount);
|
||||
|
||||
+sub copy_file {
|
||||
+ my ($src_fname, $dst_fname) = @_;
|
||||
+
|
||||
+ if (open(my $in, "<", $src_fname)) {
|
||||
+ if (open(my $out, ">", $dst_fname)) {
|
||||
+ print $out $_ while (<$in>);
|
||||
+ close $out;
|
||||
+ } else {
|
||||
+ warn "Cannot open $dst_fname for write, $!";
|
||||
+ }
|
||||
+ close $in;
|
||||
+ } else {
|
||||
+ warn "Cannot open $src_fname for read, $!";
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
sub hash_dir {
|
||||
- my %hashlist;
|
||||
- print "Doing $_[0]\n";
|
||||
- chdir $_[0];
|
||||
- opendir(DIR, ".");
|
||||
- my @flist = sort readdir(DIR);
|
||||
- closedir DIR;
|
||||
- if ( $removelinks ) {
|
||||
- # Delete any existing symbolic links
|
||||
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
|
||||
- if (-l $_) {
|
||||
- print "unlink $_" if $verbose;
|
||||
- unlink $_ || warn "Can't unlink $_, $!\n";
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
|
||||
- # Check to see if certificates and/or CRLs present.
|
||||
- my ($cert, $crl) = check_file($fname);
|
||||
- if (!$cert && !$crl) {
|
||||
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
|
||||
- next;
|
||||
- }
|
||||
- link_hash_cert($fname) if ($cert);
|
||||
- link_hash_crl($fname) if ($crl);
|
||||
- }
|
||||
+ my $dir = shift;
|
||||
+ my %hashlist;
|
||||
+
|
||||
+ print "Doing $dir\n";
|
||||
+
|
||||
+ if (!chdir $dir) {
|
||||
+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
|
||||
+ my @flist = sort readdir(DIR);
|
||||
+ closedir DIR;
|
||||
+ if ( $removelinks ) {
|
||||
+ # Delete any existing symbolic links
|
||||
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
|
||||
+ if (-l $_) {
|
||||
+ print "unlink $_\n" if $verbose;
|
||||
+ unlink $_ || warn "Can't unlink $_, $!\n";
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
|
||||
+ # Check to see if certificates and/or CRLs present.
|
||||
+ my ($cert, $crl) = check_file($fname);
|
||||
+ if (!$cert && !$crl) {
|
||||
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
|
||||
+ next;
|
||||
+ }
|
||||
+ link_hash_cert($fname) if ($cert);
|
||||
+ link_hash_crl($fname) if ($crl);
|
||||
+ }
|
||||
+
|
||||
+ chdir $pwd;
|
||||
}
|
||||
|
||||
sub check_file {
|
||||
- my ($is_cert, $is_crl) = (0,0);
|
||||
- my $fname = $_[0];
|
||||
- open IN, $fname;
|
||||
- while(<IN>) {
|
||||
- if (/^-----BEGIN (.*)-----/) {
|
||||
- my $hdr = $1;
|
||||
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
|
||||
- $is_cert = 1;
|
||||
- last if ($is_crl);
|
||||
- } elsif ($hdr eq "X509 CRL") {
|
||||
- $is_crl = 1;
|
||||
- last if ($is_cert);
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- close IN;
|
||||
- return ($is_cert, $is_crl);
|
||||
+ my ($is_cert, $is_crl) = (0,0);
|
||||
+ my $fname = $_[0];
|
||||
+
|
||||
+ open(my $in, "<", $fname);
|
||||
+ while(<$in>) {
|
||||
+ if (/^-----BEGIN (.*)-----/) {
|
||||
+ my $hdr = $1;
|
||||
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
|
||||
+ $is_cert = 1;
|
||||
+ last if ($is_crl);
|
||||
+ } elsif ($hdr eq "X509 CRL") {
|
||||
+ $is_crl = 1;
|
||||
+ last if ($is_cert);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ close $in;
|
||||
+ return ($is_cert, $is_crl);
|
||||
}
|
||||
|
||||
sub compute_hash {
|
||||
@@ -177,76 +203,48 @@ sub compute_hash {
|
||||
# certificate fingerprints
|
||||
|
||||
sub link_hash_cert {
|
||||
- my $fname = $_[0];
|
||||
- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
|
||||
- "-fingerprint", "-noout",
|
||||
- "-in", $fname);
|
||||
- chomp $hash;
|
||||
- chomp $fprint;
|
||||
- return if !$hash;
|
||||
- $fprint =~ s/^.*=//;
|
||||
- $fprint =~ tr/://d;
|
||||
- my $suffix = 0;
|
||||
- # Search for an unused hash filename
|
||||
- while(exists $hashlist{"$hash.$suffix"}) {
|
||||
- # Hash matches: if fingerprint matches its a duplicate cert
|
||||
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
|
||||
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
|
||||
- return;
|
||||
- }
|
||||
- $suffix++;
|
||||
- }
|
||||
- $hash .= ".$suffix";
|
||||
- if ($symlink_exists) {
|
||||
- print "link $fname -> $hash\n" if $verbose;
|
||||
- symlink $fname, $hash || warn "Can't symlink, $!";
|
||||
- } else {
|
||||
- print "copy $fname -> $hash\n" if $verbose;
|
||||
- if (open($in, "<", $fname)) {
|
||||
- if (open($out,">", $hash)) {
|
||||
- print $out $_ while (<$in>);
|
||||
- close $out;
|
||||
- } else {
|
||||
- warn "can't open $hash for write, $!";
|
||||
- }
|
||||
- close $in;
|
||||
- } else {
|
||||
- warn "can't open $fname for read, $!";
|
||||
- }
|
||||
- }
|
||||
- $hashlist{$hash} = $fprint;
|
||||
+ link_hash($_[0], 'cert');
|
||||
}
|
||||
|
||||
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
|
||||
|
||||
sub link_hash_crl {
|
||||
- my $fname = $_[0];
|
||||
- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
|
||||
- "-fingerprint", "-noout",
|
||||
- "-in", $fname);
|
||||
- chomp $hash;
|
||||
- chomp $fprint;
|
||||
- return if !$hash;
|
||||
- $fprint =~ s/^.*=//;
|
||||
- $fprint =~ tr/://d;
|
||||
- my $suffix = 0;
|
||||
- # Search for an unused hash filename
|
||||
- while(exists $hashlist{"$hash.r$suffix"}) {
|
||||
- # Hash matches: if fingerprint matches its a duplicate cert
|
||||
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
|
||||
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
|
||||
- return;
|
||||
- }
|
||||
- $suffix++;
|
||||
- }
|
||||
- $hash .= ".r$suffix";
|
||||
- if ($symlink_exists) {
|
||||
- print "link $fname -> $hash\n" if $verbose;
|
||||
- symlink $fname, $hash || warn "Can't symlink, $!";
|
||||
- } else {
|
||||
- print "cp $fname -> $hash\n" if $verbose;
|
||||
- system ("cp", $fname, $hash);
|
||||
- warn "Can't copy, $!" if ($? >> 8) != 0;
|
||||
- }
|
||||
- $hashlist{$hash} = $fprint;
|
||||
+ link_hash($_[0], 'crl');
|
||||
+}
|
||||
+
|
||||
+sub link_hash {
|
||||
+ my ($fname, $type) = @_;
|
||||
+ my $is_cert = $type eq 'cert';
|
||||
+
|
||||
+ my ($hash, $fprint) = compute_hash($openssl,
|
||||
+ $is_cert ? "x509" : "crl",
|
||||
+ $is_cert ? $x509hash : $crlhash,
|
||||
+ "-fingerprint", "-noout",
|
||||
+ "-in", $fname);
|
||||
+ chomp $hash;
|
||||
+ chomp $fprint;
|
||||
+ return if !$hash;
|
||||
+ $fprint =~ s/^.*=//;
|
||||
+ $fprint =~ tr/://d;
|
||||
+ my $suffix = 0;
|
||||
+ # Search for an unused hash filename
|
||||
+ my $crlmark = $is_cert ? "" : "r";
|
||||
+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
|
||||
+ # Hash matches: if fingerprint matches its a duplicate cert
|
||||
+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
|
||||
+ my $what = $is_cert ? 'certificate' : 'CRL';
|
||||
+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
|
||||
+ return;
|
||||
+ }
|
||||
+ $suffix++;
|
||||
+ }
|
||||
+ $hash .= ".$crlmark$suffix";
|
||||
+ if ($symlink_exists) {
|
||||
+ print "link $fname -> $hash\n" if $verbose;
|
||||
+ symlink $fname, $hash || warn "Can't symlink, $!";
|
||||
+ } else {
|
||||
+ print "copy $fname -> $hash\n" if $verbose;
|
||||
+ copy_file($fname, $hash);
|
||||
+ }
|
||||
+ $hashlist{$hash} = $fprint;
|
||||
}
|
|
@ -0,0 +1,152 @@
|
|||
From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Chernyakhovsky <achernya@google.com>
|
||||
Date: Thu, 16 Jun 2022 12:00:22 +1000
|
||||
Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
|
||||
that performs operations on 6 16-byte blocks concurrently (the
|
||||
"grandloop") and then proceeds to handle the "short" tail (which can
|
||||
be anywhere from 0 to 5 blocks) that remain.
|
||||
|
||||
As part of initialization, the assembly initializes $len to the true
|
||||
length, less 96 bytes and converts it to a pointer so that the $inp
|
||||
can be compared to it. Each iteration of "grandloop" checks to see if
|
||||
there's a full 96-byte chunk to process, and if so, continues. Once
|
||||
this has been exhausted, it falls through to "short", which handles
|
||||
the remaining zero to five blocks.
|
||||
|
||||
Unfortunately, the jump at the end of "grandloop" had a fencepost
|
||||
error, doing a `jb` ("jump below") rather than `jbe` (jump below or
|
||||
equal). This should be `jbe`, as $inp is pointing to the *end* of the
|
||||
chunk currently being handled. If $inp == $len, that means that
|
||||
there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
|
||||
then there's 5 or fewer 16-byte blocks left to be handled, and the
|
||||
fall-through is intended.
|
||||
|
||||
The net effect of `jb` instead of `jbe` is that the last 16-byte block
|
||||
of the last 96-byte chunk was completely omitted. The contents of
|
||||
`out` in this position were never written to. Additionally, since
|
||||
those bytes were never processed, the authentication tag generated is
|
||||
also incorrect.
|
||||
|
||||
The same fencepost error, and identical logic, exists in both
|
||||
aesni_ocb_encrypt and aesni_ocb_decrypt.
|
||||
|
||||
This addresses CVE-2022-2097.
|
||||
|
||||
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
|
||||
Co-authored-by: David Benjamin <davidben@google.com>
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431]
|
||||
---
|
||||
crypto/aes/asm/aesni-x86.pl | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
|
||||
index fe2b26542ab6..812758e02e04 100644
|
||||
--- a/crypto/aes/asm/aesni-x86.pl
|
||||
+++ b/crypto/aes/asm/aesni-x86.pl
|
||||
@@ -2027,7 +2027,7 @@ sub aesni_generate6
|
||||
&movdqu (&QWP(-16*2,$out,$inp),$inout4);
|
||||
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
|
||||
&cmp ($inp,$len); # done yet?
|
||||
- &jb (&label("grandloop"));
|
||||
+ &jbe (&label("grandloop"));
|
||||
|
||||
&set_label("short");
|
||||
&add ($len,16*6);
|
||||
@@ -2453,7 +2453,7 @@ sub aesni_generate6
|
||||
&pxor ($rndkey1,$inout5);
|
||||
&movdqu (&QWP(-16*1,$out,$inp),$inout5);
|
||||
&cmp ($inp,$len); # done yet?
|
||||
- &jb (&label("grandloop"));
|
||||
+ &jbe (&label("grandloop"));
|
||||
|
||||
&set_label("short");
|
||||
&add ($len,16*6);
|
||||
From 9131afdca30b6d1650af9ea6179569a80ab8cb06 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Chernyakhovsky <achernya@google.com>
|
||||
Date: Thu, 16 Jun 2022 12:02:37 +1000
|
||||
Subject: [PATCH] AES OCB test vectors
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
|
||||
|
||||
Co-authored-by: Alejandro Sedeño <asedeno@google.com>
|
||||
Co-authored-by: David Benjamin <davidben@google.com>
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06]
|
||||
---
|
||||
test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
|
||||
1 file changed, 50 insertions(+)
|
||||
|
||||
diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
|
||||
index 1c02ea1e9c2d..e12670d9a4b4 100644
|
||||
--- a/test/recipes/30-test_evp_data/evpciph.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evpciph.txt
|
||||
@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
|
||||
Operation = DECRYPT
|
||||
Result = CIPHERFINAL_ERROR
|
||||
|
||||
+#Test vectors generated to validate aesni_ocb_encrypt on x86
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = C14DFF7D62A13C4A3422456207453190
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = BE0228651ED4E48A11BDED68D953F3A0
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = 17BC6E10B16E5FDC52836E7D589518C7
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = E84AAC18666116990A3A37B3A5FC55BD
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
|
||||
+
|
||||
+Cipher = aes-128-ocb
|
||||
+Key = 000102030405060708090A0B0C0D0E0F
|
||||
+IV = 000000000001020304050607
|
||||
+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
|
||||
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
|
||||
+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
|
||||
+
|
||||
Title = AES XTS test vectors from IEEE Std 1619-2007
|
||||
|
||||
# Using the same key twice for encryption is always banned.
|
|
@ -0,0 +1,805 @@
|
|||
From 43d8f88511991533f53680a751e9326999a6a31f Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 20 Jan 2023 15:26:54 +0000
|
||||
Subject: [PATCH 1/6] Fix Timing Oracle in RSA decryption
|
||||
|
||||
A timing based side channel exists in the OpenSSL RSA Decryption
|
||||
implementation which could be sufficient to recover a plaintext across
|
||||
a network in a Bleichenbacher style attack. To achieve a successful
|
||||
decryption an attacker would have to be able to send a very large number
|
||||
of trial messages for decryption. The vulnerability affects all RSA
|
||||
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
|
||||
|
||||
Patch written by Dmitry Belyavsky and Hubert Kario
|
||||
|
||||
CVE-2022-4304
|
||||
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/bn/bn_blind.c | 14 -
|
||||
crypto/bn/bn_err.c | 2 +
|
||||
crypto/bn/bn_local.h | 14 +
|
||||
crypto/bn/build.info | 3 +-
|
||||
crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++++++++++++++++++++++++
|
||||
crypto/err/openssl.txt | 3 +-
|
||||
crypto/rsa/rsa_ossl.c | 17 +-
|
||||
include/crypto/bn.h | 5 +
|
||||
include/openssl/bnerr.h | 1 +
|
||||
9 files changed, 653 insertions(+), 20 deletions(-)
|
||||
create mode 100644 crypto/bn/rsa_sup_mul.c
|
||||
|
||||
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
|
||||
index 76fc7ebcff..6e9d239321 100644
|
||||
--- a/crypto/bn/bn_blind.c
|
||||
+++ b/crypto/bn/bn_blind.c
|
||||
@@ -13,20 +13,6 @@
|
||||
|
||||
#define BN_BLINDING_COUNTER 32
|
||||
|
||||
-struct bn_blinding_st {
|
||||
- BIGNUM *A;
|
||||
- BIGNUM *Ai;
|
||||
- BIGNUM *e;
|
||||
- BIGNUM *mod; /* just a reference */
|
||||
- CRYPTO_THREAD_ID tid;
|
||||
- int counter;
|
||||
- unsigned long flags;
|
||||
- BN_MONT_CTX *m_ctx;
|
||||
- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||
- CRYPTO_RWLOCK *lock;
|
||||
-};
|
||||
-
|
||||
BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
|
||||
{
|
||||
BN_BLINDING *ret = NULL;
|
||||
diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c
|
||||
index dd87c152cf..3dd8d9a568 100644
|
||||
--- a/crypto/bn/bn_err.c
|
||||
+++ b/crypto/bn/bn_err.c
|
||||
@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = {
|
||||
{ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"},
|
||||
{ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"},
|
||||
{ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"},
|
||||
+ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0),
|
||||
+ "ossl_bn_rsa_do_unblind"},
|
||||
{0, NULL}
|
||||
};
|
||||
|
||||
diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
|
||||
index 62a969b134..4d8cb64675 100644
|
||||
--- a/crypto/bn/bn_local.h
|
||||
+++ b/crypto/bn/bn_local.h
|
||||
@@ -283,6 +283,20 @@ struct bn_gencb_st {
|
||||
} cb;
|
||||
};
|
||||
|
||||
+struct bn_blinding_st {
|
||||
+ BIGNUM *A;
|
||||
+ BIGNUM *Ai;
|
||||
+ BIGNUM *e;
|
||||
+ BIGNUM *mod; /* just a reference */
|
||||
+ CRYPTO_THREAD_ID tid;
|
||||
+ int counter;
|
||||
+ unsigned long flags;
|
||||
+ BN_MONT_CTX *m_ctx;
|
||||
+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||
+ CRYPTO_RWLOCK *lock;
|
||||
+};
|
||||
+
|
||||
/*-
|
||||
* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
|
||||
*
|
||||
diff --git a/crypto/bn/build.info b/crypto/bn/build.info
|
||||
index b9ed5322fa..c9fe2fdada 100644
|
||||
--- a/crypto/bn/build.info
|
||||
+++ b/crypto/bn/build.info
|
||||
@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\
|
||||
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \
|
||||
{- $target{bn_asm_src} -} \
|
||||
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
|
||||
- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c
|
||||
+ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \
|
||||
+ rsa_sup_mul.c
|
||||
|
||||
INCLUDE[bn_exp.o]=..
|
||||
|
||||
diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
|
||||
new file mode 100644
|
||||
index 0000000000..acafefd5fe
|
||||
--- /dev/null
|
||||
+++ b/crypto/bn/rsa_sup_mul.c
|
||||
@@ -0,0 +1,614 @@
|
||||
+#include <openssl/e_os2.h>
|
||||
+#include <stddef.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <string.h>
|
||||
+#include <openssl/bn.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/rsaerr.h>
|
||||
+#include "internal/numbers.h"
|
||||
+#include "internal/constant_time.h"
|
||||
+#include "bn_local.h"
|
||||
+
|
||||
+# if BN_BYTES == 8
|
||||
+typedef uint64_t limb_t;
|
||||
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
|
||||
+/* nonstandard; implemented by gcc on 64-bit platforms */
|
||||
+typedef __uint128_t limb2_t;
|
||||
+# define HAVE_LIMB2_T
|
||||
+# endif
|
||||
+# define LIMB_BIT_SIZE 64
|
||||
+# define LIMB_BYTE_SIZE 8
|
||||
+# elif BN_BYTES == 4
|
||||
+typedef uint32_t limb_t;
|
||||
+typedef uint64_t limb2_t;
|
||||
+# define LIMB_BIT_SIZE 32
|
||||
+# define LIMB_BYTE_SIZE 4
|
||||
+# define HAVE_LIMB2_T
|
||||
+# else
|
||||
+# error "Not supported"
|
||||
+# endif
|
||||
+
|
||||
+/*
|
||||
+ * For multiplication we're using schoolbook multiplication,
|
||||
+ * so if we have two numbers, each with 6 "digits" (words)
|
||||
+ * the multiplication is calculated as follows:
|
||||
+ * A B C D E F
|
||||
+ * x I J K L M N
|
||||
+ * --------------
|
||||
+ * N*F
|
||||
+ * N*E
|
||||
+ * N*D
|
||||
+ * N*C
|
||||
+ * N*B
|
||||
+ * N*A
|
||||
+ * M*F
|
||||
+ * M*E
|
||||
+ * M*D
|
||||
+ * M*C
|
||||
+ * M*B
|
||||
+ * M*A
|
||||
+ * L*F
|
||||
+ * L*E
|
||||
+ * L*D
|
||||
+ * L*C
|
||||
+ * L*B
|
||||
+ * L*A
|
||||
+ * K*F
|
||||
+ * K*E
|
||||
+ * K*D
|
||||
+ * K*C
|
||||
+ * K*B
|
||||
+ * K*A
|
||||
+ * J*F
|
||||
+ * J*E
|
||||
+ * J*D
|
||||
+ * J*C
|
||||
+ * J*B
|
||||
+ * J*A
|
||||
+ * I*F
|
||||
+ * I*E
|
||||
+ * I*D
|
||||
+ * I*C
|
||||
+ * I*B
|
||||
+ * + I*A
|
||||
+ * ==========================
|
||||
+ * N*B N*D N*F
|
||||
+ * + N*A N*C N*E
|
||||
+ * + M*B M*D M*F
|
||||
+ * + M*A M*C M*E
|
||||
+ * + L*B L*D L*F
|
||||
+ * + L*A L*C L*E
|
||||
+ * + K*B K*D K*F
|
||||
+ * + K*A K*C K*E
|
||||
+ * + J*B J*D J*F
|
||||
+ * + J*A J*C J*E
|
||||
+ * + I*B I*D I*F
|
||||
+ * + I*A I*C I*E
|
||||
+ *
|
||||
+ * 1+1 1+3 1+5
|
||||
+ * 1+0 1+2 1+4
|
||||
+ * 0+1 0+3 0+5
|
||||
+ * 0+0 0+2 0+4
|
||||
+ *
|
||||
+ * 0 1 2 3 4 5 6
|
||||
+ * which requires n^2 multiplications and 2n full length additions
|
||||
+ * as we can keep every other result of limb multiplication in two separate
|
||||
+ * limbs
|
||||
+ */
|
||||
+
|
||||
+#if defined HAVE_LIMB2_T
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ limb2_t t;
|
||||
+ /*
|
||||
+ * this is idiomatic code to tell compiler to use the native mul
|
||||
+ * those three lines will actually compile to single instruction
|
||||
+ */
|
||||
+
|
||||
+ t = (limb2_t)a * b;
|
||||
+ *hi = t >> LIMB_BIT_SIZE;
|
||||
+ *lo = (limb_t)t;
|
||||
+}
|
||||
+#elif (BN_BYTES == 8) && (defined _MSC_VER)
|
||||
+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
|
||||
+#pragma intrinsic(_umul128)
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ *lo = _umul128(a, b, hi);
|
||||
+}
|
||||
+#else
|
||||
+/*
|
||||
+ * if the compiler doesn't have either a 128bit data type nor a "return
|
||||
+ * high 64 bits of multiplication"
|
||||
+ */
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ limb_t a_low = (limb_t)(uint32_t)a;
|
||||
+ limb_t a_hi = a >> 32;
|
||||
+ limb_t b_low = (limb_t)(uint32_t)b;
|
||||
+ limb_t b_hi = b >> 32;
|
||||
+
|
||||
+ limb_t p0 = a_low * b_low;
|
||||
+ limb_t p1 = a_low * b_hi;
|
||||
+ limb_t p2 = a_hi * b_low;
|
||||
+ limb_t p3 = a_hi * b_hi;
|
||||
+
|
||||
+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
|
||||
+
|
||||
+ *lo = p0 + (p1 << 32) + (p2 << 32);
|
||||
+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+/* add two limbs with carry in, return carry out */
|
||||
+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
|
||||
+{
|
||||
+ limb_t carry1, carry2, t;
|
||||
+ /*
|
||||
+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers
|
||||
+ * use add with carry on assembly level
|
||||
+ */
|
||||
+
|
||||
+ *ret = a + carry;
|
||||
+ if (*ret < a)
|
||||
+ carry1 = 1;
|
||||
+ else
|
||||
+ carry1 = 0;
|
||||
+
|
||||
+ t = *ret;
|
||||
+ *ret = t + b;
|
||||
+ if (*ret < t)
|
||||
+ carry2 = 1;
|
||||
+ else
|
||||
+ carry2 = 0;
|
||||
+
|
||||
+ return carry1 + carry2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * add two numbers of the same size, return overflow
|
||||
+ *
|
||||
+ * add a to b, place result in ret; all arrays need to be n limbs long
|
||||
+ * return overflow from addition (0 or 1)
|
||||
+ */
|
||||
+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ limb_t c = 0;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ for(i = n - 1; i > -1; i--)
|
||||
+ c = _add_limb(&ret[i], a[i], b[i], c);
|
||||
+
|
||||
+ return c;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * return number of limbs necessary for temporary values
|
||||
+ * when multiplying numbers n limbs large
|
||||
+ */
|
||||
+static ossl_inline size_t mul_limb_numb(size_t n)
|
||||
+{
|
||||
+ return 2 * n * 2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * multiply two numbers of the same size
|
||||
+ *
|
||||
+ * multiply a by b, place result in ret; a and b need to be n limbs long
|
||||
+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
|
||||
+ * long
|
||||
+ */
|
||||
+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t *r_odd, *r_even;
|
||||
+ size_t i, j, k;
|
||||
+
|
||||
+ r_odd = tmp;
|
||||
+ r_even = &tmp[2 * n];
|
||||
+
|
||||
+ memset(ret, 0, 2 * n * sizeof(limb_t));
|
||||
+
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+ for (k = 0; k < i + n + 1; k++) {
|
||||
+ r_even[k] = 0;
|
||||
+ r_odd[k] = 0;
|
||||
+ }
|
||||
+ for (j = 0; j < n; j++) {
|
||||
+ /*
|
||||
+ * place results from even and odd limbs in separate arrays so that
|
||||
+ * we don't have to calculate overflow every time we get individual
|
||||
+ * limb multiplication result
|
||||
+ */
|
||||
+ if (j % 2 == 0)
|
||||
+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
|
||||
+ else
|
||||
+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
|
||||
+ }
|
||||
+ /*
|
||||
+ * skip the least significant limbs when adding multiples of
|
||||
+ * more significant limbs (they're zero anyway)
|
||||
+ */
|
||||
+ add(ret, ret, r_even, n + i + 1);
|
||||
+ add(ret, ret, r_odd, n + i + 1);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* modifies the value in place by performing a right shift by one bit */
|
||||
+static ossl_inline void rshift1(limb_t *val, size_t n)
|
||||
+{
|
||||
+ limb_t shift_in = 0, shift_out = 0;
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+ shift_out = val[i] & 1;
|
||||
+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
|
||||
+ shift_in = shift_out;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* extend the LSB of flag to all bits of limb */
|
||||
+static ossl_inline limb_t mk_mask(limb_t flag)
|
||||
+{
|
||||
+ flag |= flag << 1;
|
||||
+ flag |= flag << 2;
|
||||
+ flag |= flag << 4;
|
||||
+ flag |= flag << 8;
|
||||
+ flag |= flag << 16;
|
||||
+#if (LIMB_BYTE_SIZE == 8)
|
||||
+ flag |= flag << 32;
|
||||
+#endif
|
||||
+ return flag;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * copy from either a or b to ret based on flag
|
||||
+ * when flag == 0, then copies from b
|
||||
+ * when flag == 1, then copies from a
|
||||
+ */
|
||||
+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ /*
|
||||
+ * would be more efficient with non volatile mask, but then gcc
|
||||
+ * generates code with jumps
|
||||
+ */
|
||||
+ volatile limb_t mask;
|
||||
+ size_t i;
|
||||
+
|
||||
+ mask = mk_mask(flag);
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+#if (LIMB_BYTE_SIZE == 8)
|
||||
+ ret[i] = constant_time_select_64(mask, a[i], b[i]);
|
||||
+#else
|
||||
+ ret[i] = constant_time_select_32(mask, a[i], b[i]);
|
||||
+#endif
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
|
||||
+{
|
||||
+ limb_t borrow1, borrow2, t;
|
||||
+ /*
|
||||
+ * while it doesn't look constant-time, this is idiomatic code
|
||||
+ * to tell compilers to use the carry bit from subtraction
|
||||
+ */
|
||||
+
|
||||
+ *ret = a - borrow;
|
||||
+ if (*ret > a)
|
||||
+ borrow1 = 1;
|
||||
+ else
|
||||
+ borrow1 = 0;
|
||||
+
|
||||
+ t = *ret;
|
||||
+ *ret = t - b;
|
||||
+ if (*ret > t)
|
||||
+ borrow2 = 1;
|
||||
+ else
|
||||
+ borrow2 = 0;
|
||||
+
|
||||
+ return borrow1 + borrow2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * place the result of a - b into ret, return the borrow bit.
|
||||
+ * All arrays need to be n limbs long
|
||||
+ */
|
||||
+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ limb_t borrow = 0;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ for (i = n - 1; i > -1; i--)
|
||||
+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
|
||||
+
|
||||
+ return borrow;
|
||||
+}
|
||||
+
|
||||
+/* return the number of limbs necessary to allocate for the mod() tmp operand */
|
||||
+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
|
||||
+{
|
||||
+ return (anum + modnum) * 3;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * calculate a % mod, place the result in ret
|
||||
+ * size of a is defined by anum, size of ret and mod is modnum,
|
||||
+ * size of tmp is returned by mod_limb_numb()
|
||||
+ */
|
||||
+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
||||
+ size_t modnum, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t *atmp, *modtmp, *rettmp;
|
||||
+ limb_t res;
|
||||
+ size_t i;
|
||||
+
|
||||
+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ atmp = tmp;
|
||||
+ modtmp = &tmp[anum + modnum];
|
||||
+ rettmp = &tmp[(anum + modnum) * 2];
|
||||
+
|
||||
+ for (i = modnum; i <modnum + anum; i++)
|
||||
+ atmp[i] = a[i-modnum];
|
||||
+
|
||||
+ for (i = 0; i < modnum; i++)
|
||||
+ modtmp[i] = mod[i];
|
||||
+
|
||||
+ for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
|
||||
+ rshift1(modtmp, anum + modnum);
|
||||
+ res = sub(rettmp, atmp, modtmp, anum+modnum);
|
||||
+ cselect(res, atmp, atmp, rettmp, anum+modnum);
|
||||
+ }
|
||||
+
|
||||
+ memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
|
||||
+}
|
||||
+
|
||||
+/* necessary size of tmp for a _mul_add_limb() call with provided anum */
|
||||
+static ossl_inline size_t _mul_add_limb_numb(size_t anum)
|
||||
+{
|
||||
+ return 2 * (anum + 1);
|
||||
+}
|
||||
+
|
||||
+/* multiply a by m, add to ret, return carry */
|
||||
+static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
|
||||
+ limb_t m, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t carry = 0;
|
||||
+ limb_t *r_odd, *r_even;
|
||||
+ size_t i;
|
||||
+
|
||||
+ memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
|
||||
+
|
||||
+ r_odd = tmp;
|
||||
+ r_even = &tmp[anum + 1];
|
||||
+
|
||||
+ for (i = 0; i < anum; i++) {
|
||||
+ /*
|
||||
+ * place the results from even and odd limbs in separate arrays
|
||||
+ * so that we have to worry about carry just once
|
||||
+ */
|
||||
+ if (i % 2 == 0)
|
||||
+ _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
|
||||
+ else
|
||||
+ _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
|
||||
+ }
|
||||
+ /* assert: add() carry here will be equal zero */
|
||||
+ add(r_even, r_even, r_odd, anum + 1);
|
||||
+ /*
|
||||
+ * while here it will not overflow as the max value from multiplication
|
||||
+ * is -2 while max overflow from addition is 1, so the max value of
|
||||
+ * carry is -1 (i.e. max int)
|
||||
+ */
|
||||
+ carry = add(ret, ret, &r_even[1], anum) + r_even[0];
|
||||
+
|
||||
+ return carry;
|
||||
+}
|
||||
+
|
||||
+static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
|
||||
+{
|
||||
+ return modnum * 2 + _mul_add_limb_numb(modnum);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * calculate a % mod, place result in ret
|
||||
+ * assumes that a is in Montgomery form with the R (Montgomery modulus) being
|
||||
+ * smallest power of two big enough to fit mod and that's also a power
|
||||
+ * of the count of number of bits in limb_t (B).
|
||||
+ * For calculation, we also need n', such that mod * n' == -1 mod B.
|
||||
+ * anum must be <= 2 * modnum
|
||||
+ * ret needs to be modnum words long
|
||||
+ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
|
||||
+ */
|
||||
+static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
||||
+ size_t modnum, limb_t ni0, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t carry, v;
|
||||
+ limb_t *res, *rp, *tmp2;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ res = tmp;
|
||||
+ /*
|
||||
+ * for intermediate result we need an integer twice as long as modulus
|
||||
+ * but keep the input in the least significant limbs
|
||||
+ */
|
||||
+ memset(res, 0, sizeof(limb_t) * (modnum * 2));
|
||||
+ memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
|
||||
+ rp = &res[modnum];
|
||||
+ tmp2 = &res[modnum * 2];
|
||||
+
|
||||
+ carry = 0;
|
||||
+
|
||||
+ /* add multiples of the modulus to the value until R divides it cleanly */
|
||||
+ for (i = modnum; i > 0; i--, rp--) {
|
||||
+ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2);
|
||||
+ v = v + carry + rp[-1];
|
||||
+ carry |= (v != rp[-1]);
|
||||
+ carry &= (v <= rp[-1]);
|
||||
+ rp[-1] = v;
|
||||
+ }
|
||||
+
|
||||
+ /* perform the final reduction by mod... */
|
||||
+ carry -= sub(ret, rp, mod, modnum);
|
||||
+
|
||||
+ /* ...conditionally */
|
||||
+ cselect(carry, ret, rp, ret, modnum);
|
||||
+}
|
||||
+
|
||||
+/* allocated buffer should be freed afterwards */
|
||||
+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
|
||||
+{
|
||||
+ int i;
|
||||
+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ limb_t *ptr = buf + (limbs - real_limbs);
|
||||
+
|
||||
+ for (i = 0; i < real_limbs; i++)
|
||||
+ ptr[i] = bn->d[real_limbs - i - 1];
|
||||
+}
|
||||
+
|
||||
+#if LIMB_BYTE_SIZE == 8
|
||||
+static ossl_inline uint64_t be64(uint64_t host)
|
||||
+{
|
||||
+ const union {
|
||||
+ long one;
|
||||
+ char little;
|
||||
+ } is_endian = { 1 };
|
||||
+
|
||||
+ if (is_endian.little) {
|
||||
+ uint64_t big = 0;
|
||||
+
|
||||
+ big |= (host & 0xff00000000000000) >> 56;
|
||||
+ big |= (host & 0x00ff000000000000) >> 40;
|
||||
+ big |= (host & 0x0000ff0000000000) >> 24;
|
||||
+ big |= (host & 0x000000ff00000000) >> 8;
|
||||
+ big |= (host & 0x00000000ff000000) << 8;
|
||||
+ big |= (host & 0x0000000000ff0000) << 24;
|
||||
+ big |= (host & 0x000000000000ff00) << 40;
|
||||
+ big |= (host & 0x00000000000000ff) << 56;
|
||||
+ return big;
|
||||
+ } else {
|
||||
+ return host;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+#else
|
||||
+/* Not all platforms have htobe32(). */
|
||||
+static ossl_inline uint32_t be32(uint32_t host)
|
||||
+{
|
||||
+ const union {
|
||||
+ long one;
|
||||
+ char little;
|
||||
+ } is_endian = { 1 };
|
||||
+
|
||||
+ if (is_endian.little) {
|
||||
+ uint32_t big = 0;
|
||||
+
|
||||
+ big |= (host & 0xff000000) >> 24;
|
||||
+ big |= (host & 0x00ff0000) >> 8;
|
||||
+ big |= (host & 0x0000ff00) << 8;
|
||||
+ big |= (host & 0x000000ff) << 24;
|
||||
+ return big;
|
||||
+ } else {
|
||||
+ return host;
|
||||
+ }
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+/*
|
||||
+ * We assume that intermediate, possible_arg2, blinding, and ctx are used
|
||||
+ * similar to BN_BLINDING_invert_ex() arguments.
|
||||
+ * to_mod is RSA modulus.
|
||||
+ * buf and num is the serialization buffer and its length.
|
||||
+ *
|
||||
+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished
|
||||
+ * we serialize the new structure instead of BIGNUMs taking endianness into account.
|
||||
+ */
|
||||
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
||||
+ const BN_BLINDING *blinding,
|
||||
+ const BIGNUM *possible_arg2,
|
||||
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
||||
+ unsigned char *buf, int num)
|
||||
+{
|
||||
+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
|
||||
+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
|
||||
+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
|
||||
+ size_t l_tmp_count = 0;
|
||||
+ int ret = 0;
|
||||
+ size_t i;
|
||||
+ unsigned char *tmp;
|
||||
+ const BIGNUM *arg1 = intermediate;
|
||||
+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
|
||||
+
|
||||
+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+
|
||||
+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
|
||||
+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
||||
+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
||||
+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
|
||||
+ goto err;
|
||||
+
|
||||
+ BN_to_limb(arg1, l_im, l_size);
|
||||
+ BN_to_limb(arg2, l_mul, l_size);
|
||||
+ BN_to_limb(to_mod, l_mod, l_mod_count);
|
||||
+
|
||||
+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ if (blinding->m_ctx != NULL) {
|
||||
+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
|
||||
+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
|
||||
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
||||
+ } else {
|
||||
+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
|
||||
+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
|
||||
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
||||
+ }
|
||||
+
|
||||
+ if ((l_ret == NULL) || (l_tmp == NULL))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (blinding->m_ctx != NULL) {
|
||||
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
||||
+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
|
||||
+ blinding->m_ctx->n0[0], l_tmp);
|
||||
+ } else {
|
||||
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
||||
+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
|
||||
+ }
|
||||
+
|
||||
+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
|
||||
+ if (num < BN_num_bytes(to_mod)) {
|
||||
+ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ memset(buf, 0, num);
|
||||
+ tmp = buf + num - BN_num_bytes(to_mod);
|
||||
+ for (i = 0; i < l_mod_count; i++) {
|
||||
+#if LIMB_BYTE_SIZE == 8
|
||||
+ l_buf = be64(l_ret[i]);
|
||||
+#else
|
||||
+ l_buf = be32(l_ret[i]);
|
||||
+#endif
|
||||
+ if (i == 0) {
|
||||
+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
|
||||
+
|
||||
+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
|
||||
+ tmp += delta;
|
||||
+ } else {
|
||||
+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
|
||||
+ tmp += LIMB_BYTE_SIZE;
|
||||
+ }
|
||||
+ }
|
||||
+ ret = num;
|
||||
+
|
||||
+ err:
|
||||
+ OPENSSL_free(l_im);
|
||||
+ OPENSSL_free(l_mul);
|
||||
+ OPENSSL_free(l_mod);
|
||||
+ OPENSSL_free(l_tmp);
|
||||
+ OPENSSL_free(l_ret);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index 9f91a4a811..ba3a46d5b9 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -1,4 +1,4 @@
|
||||
-# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@@ -232,6 +232,7 @@ BN_F_BN_RSHIFT:146:BN_rshift
|
||||
BN_F_BN_SET_WORDS:144:bn_set_words
|
||||
BN_F_BN_STACK_PUSH:148:BN_STACK_push
|
||||
BN_F_BN_USUB:115:BN_usub
|
||||
+BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind
|
||||
BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow
|
||||
BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean
|
||||
BUF_F_BUF_MEM_NEW:101:BUF_MEM_new
|
||||
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
|
||||
index b52a66f6a6..6c3c0cf78d 100644
|
||||
--- a/crypto/rsa/rsa_ossl.c
|
||||
+++ b/crypto/rsa/rsa_ossl.c
|
||||
@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
||||
BN_free(d);
|
||||
}
|
||||
|
||||
- if (blinding)
|
||||
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
||||
+ if (blinding) {
|
||||
+ /*
|
||||
+ * ossl_bn_rsa_do_unblind() combines blinding inversion and
|
||||
+ * 0-padded BN BE serialization
|
||||
+ */
|
||||
+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
|
||||
+ buf, num);
|
||||
+ if (j == 0)
|
||||
goto err;
|
||||
-
|
||||
- j = BN_bn2binpad(ret, buf, num);
|
||||
+ } else {
|
||||
+ j = BN_bn2binpad(ret, buf, num);
|
||||
+ if (j < 0)
|
||||
+ goto err;
|
||||
+ }
|
||||
|
||||
switch (padding) {
|
||||
case RSA_PKCS1_PADDING:
|
||||
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
|
||||
index 60afda1dad..b5f36fb25a 100644
|
||||
--- a/include/crypto/bn.h
|
||||
+++ b/include/crypto/bn.h
|
||||
@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
|
||||
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
|
||||
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
|
||||
const BIGNUM *d, BN_CTX *ctx);
|
||||
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
||||
+ const BN_BLINDING *blinding,
|
||||
+ const BIGNUM *possible_arg2,
|
||||
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
||||
+ unsigned char *buf, int num);
|
||||
|
||||
#endif
|
||||
diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h
|
||||
index 9f3c7cfaab..a0752cea52 100644
|
||||
--- a/include/openssl/bnerr.h
|
||||
+++ b/include/openssl/bnerr.h
|
||||
@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void);
|
||||
# define BN_F_BN_SET_WORDS 144
|
||||
# define BN_F_BN_STACK_PUSH 148
|
||||
# define BN_F_BN_USUB 115
|
||||
+# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151
|
||||
|
||||
/*
|
||||
* BN reason codes.
|
||||
--
|
||||
2.39.1
|
||||
|
|
@ -0,0 +1,103 @@
|
|||
From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Tue, 13 Dec 2022 14:54:55 +0000
|
||||
Subject: [PATCH 2/6] Avoid dangling ptrs in header and data params for
|
||||
PEM_read_bio_ex
|
||||
|
||||
In the event of a failure in PEM_read_bio_ex() we free the buffers we
|
||||
allocated for the header and data buffers. However we were not clearing
|
||||
the ptrs stored in *header and *data. Since, on success, the caller is
|
||||
responsible for freeing these ptrs this can potentially lead to a double
|
||||
free if the caller frees them even on failure.
|
||||
|
||||
Thanks to Dawei Wang for reporting this issue.
|
||||
|
||||
Based on a proposed patch by Kurt Roeckx.
|
||||
|
||||
CVE-2022-4450
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
---
|
||||
crypto/pem/pem_lib.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
|
||||
index d416d939ea..328c30cdbb 100644
|
||||
--- a/crypto/pem/pem_lib.c
|
||||
+++ b/crypto/pem/pem_lib.c
|
||||
@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
|
||||
*data = pem_malloc(len, flags);
|
||||
if (*header == NULL || *data == NULL) {
|
||||
pem_free(*header, flags, 0);
|
||||
+ *header = NULL;
|
||||
pem_free(*data, flags, 0);
|
||||
+ *data = NULL;
|
||||
goto end;
|
||||
}
|
||||
BIO_read(headerB, *header, headerlen);
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From 2bd611267868a008afa576846ba71566bd0d4d15 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Tue, 13 Dec 2022 15:02:26 +0000
|
||||
Subject: [PATCH 3/6] Add a test for CVE-2022-4450
|
||||
|
||||
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
|
||||
ptrs and therefore there should be no double free if we free the ptrs on
|
||||
error.
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
---
|
||||
test/pemtest.c | 30 ++++++++++++++++++++++++++++++
|
||||
1 file changed, 30 insertions(+)
|
||||
|
||||
diff --git a/test/pemtest.c b/test/pemtest.c
|
||||
index 3203d976be..edeb0a1205 100644
|
||||
--- a/test/pemtest.c
|
||||
+++ b/test/pemtest.c
|
||||
@@ -83,9 +83,39 @@ static int test_invalid(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static int test_empty_payload(void)
|
||||
+{
|
||||
+ BIO *b;
|
||||
+ static char *emptypay =
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "-\n" /* Base64 EOF character */
|
||||
+ "-----END CERTIFICATE-----";
|
||||
+ char *name = NULL, *header = NULL;
|
||||
+ unsigned char *data = NULL;
|
||||
+ long len;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ b = BIO_new_mem_buf(emptypay, strlen(emptypay));
|
||||
+ if (!TEST_ptr(b))
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Expected to fail because the payload is empty */
|
||||
+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+ err:
|
||||
+ OPENSSL_free(name);
|
||||
+ OPENSSL_free(header);
|
||||
+ OPENSSL_free(data);
|
||||
+ BIO_free(b);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
|
||||
ADD_TEST(test_invalid);
|
||||
+ ADD_TEST(test_empty_payload);
|
||||
return 1;
|
||||
}
|
||||
--
|
||||
2.39.1
|
||||
|
|
@ -0,0 +1,186 @@
|
|||
From c3829dd8825c654652201e16f8a0a0c46ee3f344 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Wed, 14 Dec 2022 16:18:14 +0000
|
||||
Subject: [PATCH 4/6] Fix a UAF resulting from a bug in BIO_new_NDEF
|
||||
|
||||
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
|
||||
be part of an invalid BIO chain. This causes a "use after free" when the
|
||||
BIO is eventually freed.
|
||||
|
||||
Based on an original patch by Viktor Dukhovni and an idea from Theo
|
||||
Buehler.
|
||||
|
||||
Thanks to Octavio Galland for reporting this issue.
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 32 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
|
||||
index 760e4846a4..f8d4b1b9aa 100644
|
||||
--- a/crypto/asn1/bio_ndef.c
|
||||
+++ b/crypto/asn1/bio_ndef.c
|
||||
@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
|
||||
static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
|
||||
void *parg);
|
||||
|
||||
+/*
|
||||
+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
|
||||
+ * On failure, NULL is returned and the input BIO is owned by the caller.
|
||||
+ *
|
||||
+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
|
||||
+ */
|
||||
BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
{
|
||||
NDEF_SUPPORT *ndef_aux = NULL;
|
||||
BIO *asn_bio = NULL;
|
||||
const ASN1_AUX *aux = it->funcs;
|
||||
ASN1_STREAM_ARG sarg;
|
||||
+ BIO *pop_bio = NULL;
|
||||
|
||||
if (!aux || !aux->asn1_cb) {
|
||||
ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
|
||||
@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
out = BIO_push(asn_bio, out);
|
||||
if (out == NULL)
|
||||
goto err;
|
||||
+ pop_bio = asn_bio;
|
||||
|
||||
- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
|
||||
- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
|
||||
+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
|
||||
+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
|
||||
+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
|
||||
+ goto err;
|
||||
|
||||
/*
|
||||
- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
|
||||
- * needs.
|
||||
+ * Now let the callback prepend any digest, cipher, etc., that the BIO's
|
||||
+ * ASN1 structure needs.
|
||||
*/
|
||||
|
||||
sarg.out = out;
|
||||
sarg.ndef_bio = NULL;
|
||||
sarg.boundary = NULL;
|
||||
|
||||
- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
|
||||
+ /*
|
||||
+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
|
||||
+ * middle of some partially built, but not returned BIO chain.
|
||||
+ */
|
||||
+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
|
||||
+ /*
|
||||
+ * ndef_aux is now owned by asn_bio so we must not free it in the err
|
||||
+ * clean up block
|
||||
+ */
|
||||
+ ndef_aux = NULL;
|
||||
goto err;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * We must not fail now because the callback has prepended additional
|
||||
+ * BIOs to the chain
|
||||
+ */
|
||||
|
||||
ndef_aux->val = val;
|
||||
ndef_aux->it = it;
|
||||
@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
ndef_aux->boundary = sarg.boundary;
|
||||
ndef_aux->out = out;
|
||||
|
||||
- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
|
||||
-
|
||||
return sarg.ndef_bio;
|
||||
|
||||
err:
|
||||
+ /* BIO_pop() is NULL safe */
|
||||
+ (void)BIO_pop(pop_bio);
|
||||
BIO_free(asn_bio);
|
||||
OPENSSL_free(ndef_aux);
|
||||
return NULL;
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From f040f2577891d2bdb7610566c172233844cf673a Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Wed, 14 Dec 2022 17:15:18 +0000
|
||||
Subject: [PATCH 5/6] Check CMS failure during BIO setup with -stream is
|
||||
handled correctly
|
||||
|
||||
Test for the issue fixed in the previous commit
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
test/recipes/80-test_cms.t | 15 +++++++++++++--
|
||||
test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
|
||||
2 files changed, 31 insertions(+), 2 deletions(-)
|
||||
create mode 100644 test/smime-certs/badrsa.pem
|
||||
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index 5dc6a3aebe..ec11bfc253 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -13,7 +13,7 @@ use warnings;
|
||||
use POSIX;
|
||||
use File::Spec::Functions qw/catfile/;
|
||||
use File::Compare qw/compare_text/;
|
||||
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
|
||||
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
setup("test_cms");
|
||||
@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt");
|
||||
my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
||||
= disabled qw/des dh dsa ec ec2m rc2 zlib/;
|
||||
|
||||
-plan tests => 6;
|
||||
+plan tests => 7;
|
||||
|
||||
my @smime_pkcs7_tests = (
|
||||
|
||||
@@ -584,3 +584,14 @@ sub check_availability {
|
||||
|
||||
return "";
|
||||
}
|
||||
+
|
||||
+# Check that we get the expected failure return code
|
||||
+with({ exit_checker => sub { return shift == 6; } },
|
||||
+ sub {
|
||||
+ ok(run(app(['openssl', 'cms', '-encrypt',
|
||||
+ '-in', srctop_file("test", "smcont.txt"),
|
||||
+ '-stream', '-recip',
|
||||
+ srctop_file("test/smime-certs", "badrsa.pem"),
|
||||
+ ])),
|
||||
+ "Check failure during BIO setup with -stream is handled correctly");
|
||||
+ });
|
||||
diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
|
||||
new file mode 100644
|
||||
index 0000000000..f824fc2267
|
||||
--- /dev/null
|
||||
+++ b/test/smime-certs/badrsa.pem
|
||||
@@ -0,0 +1,18 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
|
||||
+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
|
||||
+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
|
||||
+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
|
||||
+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
|
||||
+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
|
||||
+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
|
||||
+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
|
||||
+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
|
||||
+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
|
||||
+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
|
||||
+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
|
||||
+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
|
||||
+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
|
||||
+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
|
||||
+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
|
||||
+-----END CERTIFICATE-----
|
||||
--
|
||||
2.39.1
|
||||
|
|
@ -0,0 +1,63 @@
|
|||
From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Landau <hlandau@openssl.org>
|
||||
Date: Tue, 17 Jan 2023 17:45:42 +0000
|
||||
Subject: [PATCH 6/6] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
|
||||
(1.1.1)
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
CHANGES | 18 +++++++++++++++++-
|
||||
crypto/x509v3/v3_genn.c | 2 +-
|
||||
include/openssl/x509v3.h | 2 +-
|
||||
test/v3nametest.c | 8 ++++++++
|
||||
4 files changed, 27 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
|
||||
index 87a5eff47c..e54ddc55c9 100644
|
||||
--- a/crypto/x509v3/v3_genn.c
|
||||
+++ b/crypto/x509v3/v3_genn.c
|
||||
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
|
||||
return -1;
|
||||
switch (a->type) {
|
||||
case GEN_X400:
|
||||
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
|
||||
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
|
||||
break;
|
||||
|
||||
case GEN_EDIPARTY:
|
||||
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
|
||||
index 90fa3592ce..e61c0f29d4 100644
|
||||
--- a/include/openssl/x509v3.h
|
||||
+++ b/include/openssl/x509v3.h
|
||||
@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
|
||||
OTHERNAME *otherName; /* otherName */
|
||||
ASN1_IA5STRING *rfc822Name;
|
||||
ASN1_IA5STRING *dNSName;
|
||||
- ASN1_TYPE *x400Address;
|
||||
+ ASN1_STRING *x400Address;
|
||||
X509_NAME *directoryName;
|
||||
EDIPARTYNAME *ediPartyName;
|
||||
ASN1_IA5STRING *uniformResourceIdentifier;
|
||||
diff --git a/test/v3nametest.c b/test/v3nametest.c
|
||||
index d1852190b8..37819da8fd 100644
|
||||
--- a/test/v3nametest.c
|
||||
+++ b/test/v3nametest.c
|
||||
@@ -646,6 +646,14 @@ static struct gennamedata {
|
||||
0xb7, 0x09, 0x02, 0x02
|
||||
},
|
||||
15
|
||||
+ }, {
|
||||
+ /*
|
||||
+ * Regression test for CVE-2023-0286.
|
||||
+ */
|
||||
+ {
|
||||
+ 0xa3, 0x00
|
||||
+ },
|
||||
+ 2
|
||||
}
|
||||
};
|
||||
|
||||
--
|
||||
2.39.1
|
||||
|
|
@ -0,0 +1,127 @@
|
|||
From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Thu, 6 Jul 2023 16:36:35 +0100
|
||||
Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
|
||||
|
||||
The DH_check() function checks numerous aspects of the key or parameters
|
||||
that have been supplied. Some of those checks use the supplied modulus
|
||||
value even if it is excessively large.
|
||||
|
||||
There is already a maximum DH modulus size (10,000 bits) over which
|
||||
OpenSSL will not generate or derive keys. DH_check() will however still
|
||||
perform various tests for validity on such a large modulus. We introduce a
|
||||
new maximum (32,768) over which DH_check() will just fail.
|
||||
|
||||
An application that calls DH_check() and supplies a key or parameters
|
||||
obtained from an untrusted source could be vulnerable to a Denial of
|
||||
Service attack.
|
||||
|
||||
The function DH_check() is itself called by a number of other OpenSSL
|
||||
functions. An application calling any of those other functions may
|
||||
similarly be affected. The other functions affected by this are
|
||||
DH_check_ex() and EVP_PKEY_param_check().
|
||||
|
||||
CVE-2023-3446
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
|
||||
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/21452)
|
||||
|
||||
Upstream-Status: Backport [8780a896543a654e757db1b9396383f9d8095528]
|
||||
---
|
||||
crypto/dh/dh_check.c | 6 ++++++
|
||||
crypto/dh/dh_err.c | 3 ++-
|
||||
crypto/err/openssl.txt | 3 ++-
|
||||
include/openssl/dh.h | 3 +++
|
||||
include/openssl/dherr.h | 3 ++-
|
||||
5 files changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index 4ac169e75c..e5f9dd5030 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret)
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *t1 = NULL, *t2 = NULL;
|
||||
|
||||
+ /* Don't do any checks at all with an excessively large modulus */
|
||||
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
||||
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (!DH_check_params(dh, ret))
|
||||
return 0;
|
||||
|
||||
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
|
||||
index 7285587b4a..92800d3fcc 100644
|
||||
--- a/crypto/dh/dh_err.c
|
||||
+++ b/crypto/dh/dh_err.c
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
|
||||
{ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
|
||||
{ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
|
||||
"dh_builtin_genparams"},
|
||||
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
|
||||
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
|
||||
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
|
||||
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index 9f91a4a811..c0a3cd720b 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -402,6 +402,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
|
||||
DH_F_COMPUTE_KEY:102:compute_key
|
||||
DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
|
||||
DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
|
||||
+DH_F_DH_CHECK:126:DH_check
|
||||
DH_F_DH_CHECK_EX:121:DH_check_ex
|
||||
DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
|
||||
DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
|
||||
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
|
||||
index 3527540cdd..892e31559d 100644
|
||||
--- a/include/openssl/dh.h
|
||||
+++ b/include/openssl/dh.h
|
||||
@@ -29,6 +29,9 @@ extern "C" {
|
||||
# ifndef OPENSSL_DH_MAX_MODULUS_BITS
|
||||
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
|
||||
# endif
|
||||
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
|
||||
+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
|
||||
+# endif
|
||||
|
||||
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
|
||||
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
|
||||
|
||||
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
|
||||
index 916b3bed0b..528c819856 100644
|
||||
--- a/include/openssl/dherr.h
|
||||
+++ b/include/openssl/dherr.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
|
||||
# define DH_F_COMPUTE_KEY 102
|
||||
# define DH_F_DHPARAMS_PRINT_FP 101
|
||||
# define DH_F_DH_BUILTIN_GENPARAMS 106
|
||||
+# define DH_F_DH_CHECK 126
|
||||
# define DH_F_DH_CHECK_EX 121
|
||||
# define DH_F_DH_CHECK_PARAMS_EX 122
|
||||
# define DH_F_DH_CHECK_PUB_KEY_EX 123
|
||||
--
|
||||
2.41.0
|
||||
|
|
@ -0,0 +1,60 @@
|
|||
From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Fri, 21 Jul 2023 11:39:41 +0200
|
||||
Subject: [PATCH] DH_check(): Do not try checking q properties if it is
|
||||
obviously invalid
|
||||
|
||||
If |q| >= |p| then the q value is obviously wrong as q
|
||||
is supposed to be a prime divisor of p-1.
|
||||
|
||||
We check if p is overly large so this added test implies that
|
||||
q is not large either when performing subsequent tests using that
|
||||
q value.
|
||||
|
||||
Otherwise if it is too large these additional checks of the q value
|
||||
such as the primality test can then trigger DoS by doing overly long
|
||||
computations.
|
||||
|
||||
Fixes CVE-2023-3817
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/21551)
|
||||
|
||||
Upstream-Status: Backport [91ddeba0f2269b017dc06c46c993a788974b1aa5]
|
||||
---
|
||||
crypto/dh/dh_check.c | 11 +++++++++--
|
||||
1 file changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index 2001d2e7cb..9ae96991eb 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -105,7 +105,7 @@ int DH_check_ex(const DH *dh)
|
||||
/* Note: according to documentation - this only checks the params */
|
||||
int DH_check(const DH *dh, int *ret)
|
||||
{
|
||||
- int ok = 0, r;
|
||||
+ int ok = 0, r, q_good = 0;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *t1 = NULL, *t2 = NULL;
|
||||
|
||||
@@ -130,7 +130,14 @@ int DH_check(const DH *dh, int *ret)
|
||||
if (t2 == NULL)
|
||||
goto err;
|
||||
|
||||
- if (dh->q) {
|
||||
+ if (dh->q != NULL) {
|
||||
+ if (BN_ucmp(dh->p, dh->q) > 0)
|
||||
+ q_good = 1;
|
||||
+ else
|
||||
+ *ret |= DH_CHECK_INVALID_Q_VALUE;
|
||||
+ }
|
||||
+
|
||||
+ if (q_good) {
|
||||
if (BN_cmp(dh->g, BN_value_one()) <= 0)
|
||||
*ret |= DH_NOT_SUITABLE_GENERATOR;
|
||||
else if (BN_cmp(dh->g, dh->p) >= 0)
|
||||
--
|
||||
2.41.0
|
||||
|
|
@ -0,0 +1,154 @@
|
|||
From 0814467cc1b6a2839877277d3efa69cdd4582dd7 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Levitte <levitte@openssl.org>
|
||||
Date: Fri, 20 Oct 2023 09:18:19 +0200
|
||||
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
|
||||
|
||||
We already check for an excessively large P in DH_generate_key(), but not in
|
||||
DH_check_pub_key(), and none of them check for an excessively large Q.
|
||||
|
||||
This change adds all the missing excessive size checks of P and Q.
|
||||
|
||||
It's to be noted that behaviours surrounding excessively sized P and Q
|
||||
differ. DH_check() raises an error on the excessively sized P, but only
|
||||
sets a flag for the excessively sized Q. This behaviour is mimicked in
|
||||
DH_check_pub_key().
|
||||
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/22518)
|
||||
|
||||
(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
|
||||
Backported-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/dh/dh_check.c | 17 +++++++++++++++++
|
||||
crypto/dh/dh_err.c | 1 +
|
||||
crypto/dh/dh_key.c | 10 ++++++++++
|
||||
crypto/err/openssl.txt | 1 +
|
||||
include/openssl/dh.h | 6 ++++--
|
||||
include/openssl/dherr.h | 1 +
|
||||
6 files changed, 34 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index ae1b03bc92..424a3bb4cd 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -198,10 +198,27 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
|
||||
BN_CTX *ctx = NULL;
|
||||
|
||||
*ret = 0;
|
||||
+
|
||||
ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
BN_CTX_start(ctx);
|
||||
+
|
||||
+ /* Don't do any checks at all with an excessively large modulus */
|
||||
+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
||||
+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
|
||||
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
|
||||
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
|
||||
+ /* This may look strange here, but returning 1 after setting ret is
|
||||
+ * correct. See also the behavior of the pub_key^q == 1 mod p check
|
||||
+ * further down, which behaves in the same way. */
|
||||
+ ok = 1;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
tmp = BN_CTX_get(ctx);
|
||||
if (tmp == NULL || !BN_set_word(tmp, 1))
|
||||
goto err;
|
||||
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
|
||||
index 92800d3fcc..b3b1e7a706 100644
|
||||
--- a/crypto/dh/dh_err.c
|
||||
+++ b/crypto/dh/dh_err.c
|
||||
@@ -87,6 +87,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
|
||||
"parameter encoding error"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
|
||||
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
|
||||
"unable to check generator"},
|
||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
||||
index 117f2fa883..9f5e6f6d4c 100644
|
||||
--- a/crypto/dh/dh_key.c
|
||||
+++ b/crypto/dh/dh_key.c
|
||||
@@ -140,6 +140,11 @@ static int generate_key(DH *dh)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
+ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
@@ -250,6 +255,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||
DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
|
||||
goto err;
|
||||
}
|
||||
+
|
||||
+ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
+ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_mode()
|
||||
&& (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index c0a3cd720b..5e0ff47516 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -2151,6 +2151,7 @@DH_R_NO_PARAMETERS_SET:107:no parameters set
|
||||
DH_R_NO_PRIVATE_VALUE:100:no private value
|
||||
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
|
||||
DH_R_PEER_KEY_ERROR:111:peer key error
|
||||
+DH_R_Q_TOO_LARGE:130:q too large
|
||||
DH_R_SHARED_INFO_ERROR:113:shared info error
|
||||
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
|
||||
DSA_R_BAD_Q_VALUE:102:bad q value
|
||||
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
|
||||
index 6c6ff3636a..b7df43b44f 100644
|
||||
--- a/include/openssl/dh.h
|
||||
+++ b/include/openssl/dh.h
|
||||
@@ -72,14 +72,16 @@ DECLARE_ASN1_ITEM(DHparams)
|
||||
/* #define DH_GENERATOR_3 3 */
|
||||
# define DH_GENERATOR_5 5
|
||||
|
||||
-/* DH_check error codes */
|
||||
+/* DH_check error codes, some of them shared with DH_check_pub_key */
|
||||
# define DH_CHECK_P_NOT_PRIME 0x01
|
||||
# define DH_CHECK_P_NOT_SAFE_PRIME 0x02
|
||||
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
|
||||
# define DH_NOT_SUITABLE_GENERATOR 0x08
|
||||
# define DH_CHECK_Q_NOT_PRIME 0x10
|
||||
-# define DH_CHECK_INVALID_Q_VALUE 0x20
|
||||
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
|
||||
# define DH_CHECK_INVALID_J_VALUE 0x40
|
||||
+/* DH_MODULUS_TOO_SMALL is 0x80 upstream */
|
||||
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
|
||||
|
||||
/* DH_check_pub_key error codes */
|
||||
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
|
||||
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
|
||||
index 528c819856..d66c35aa8e 100644
|
||||
--- a/include/openssl/dherr.h
|
||||
+++ b/include/openssl/dherr.h
|
||||
@@ -87,6 +87,7 @@ int ERR_load_DH_strings(void);
|
||||
# define DH_R_NON_FIPS_METHOD 202
|
||||
# define DH_R_PARAMETER_ENCODING_ERROR 105
|
||||
# define DH_R_PEER_KEY_ERROR 111
|
||||
+# define DH_R_Q_TOO_LARGE 130
|
||||
# define DH_R_SHARED_INFO_ERROR 113
|
||||
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
diff -up openssl-1.1.1k/apps/s_socket.c.addr-ipv6 openssl-1.1.1k/apps/s_socket.c
|
||||
--- openssl-1.1.1k/apps/s_socket.c.addr-ipv6 2021-07-16 15:14:08.491986682 +0200
|
||||
+++ openssl-1.1.1k/apps/s_socket.c 2021-07-16 15:23:21.271329197 +0200
|
||||
@@ -214,6 +214,8 @@ int do_server(int *accept_sock, const ch
|
||||
const BIO_ADDRINFO *next;
|
||||
int sock_family, sock_type, sock_protocol, sock_port;
|
||||
const BIO_ADDR *sock_address;
|
||||
+ int sock_family_fallback = AF_UNSPEC;
|
||||
+ const BIO_ADDR *sock_address_fallback = NULL;
|
||||
int sock_options = BIO_SOCK_REUSEADDR;
|
||||
int ret = 0;
|
||||
|
||||
@@ -244,6 +246,10 @@ int do_server(int *accept_sock, const ch
|
||||
&& BIO_ADDRINFO_protocol(next) == sock_protocol) {
|
||||
if (sock_family == AF_INET
|
||||
&& BIO_ADDRINFO_family(next) == AF_INET6) {
|
||||
+ /* In case AF_INET6 is returned but not supported by the
|
||||
+ * kernel, retry with the first detected address family */
|
||||
+ sock_family_fallback = sock_family;
|
||||
+ sock_address_fallback = sock_address;
|
||||
sock_family = AF_INET6;
|
||||
sock_address = BIO_ADDRINFO_address(next);
|
||||
} else if (sock_family == AF_INET6
|
||||
@@ -253,6 +259,10 @@ int do_server(int *accept_sock, const ch
|
||||
}
|
||||
|
||||
asock = BIO_socket(sock_family, sock_type, sock_protocol, 0);
|
||||
+ if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) {
|
||||
+ asock = BIO_socket(sock_family_fallback, sock_type, sock_protocol, 0);
|
||||
+ sock_address = sock_address_fallback;
|
||||
+ }
|
||||
if (asock == INVALID_SOCKET
|
||||
|| !BIO_listen(asock, sock_address, sock_options)) {
|
||||
BIO_ADDRINFO_free(res);
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
||||
--- openssl-1.1.1c/apps/speed.c.curves 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/apps/speed.c 2019-05-29 15:36:53.332224470 +0200
|
||||
diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
|
||||
--- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200
|
||||
+++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100
|
||||
@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
|
||||
#endif /* OPENSSL_NO_RSA */
|
||||
|
||||
|
@ -92,7 +92,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
|||
{"ecdhx25519", R_EC_X25519},
|
||||
{"ecdhx448", R_EC_X448}
|
||||
};
|
||||
@@ -1504,31 +1444,10 @@ int speed_main(int argc, char **argv)
|
||||
@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
|
||||
unsigned int bits;
|
||||
} test_curves[] = {
|
||||
/* Prime Curves */
|
||||
|
@ -124,7 +124,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
|||
/* Other and ECDH only ones */
|
||||
{"X25519", NID_X25519, 253},
|
||||
{"X448", NID_X448, 448}
|
||||
@@ -2028,9 +1947,9 @@ int speed_main(int argc, char **argv)
|
||||
@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
|
||||
# endif
|
||||
|
||||
# ifndef OPENSSL_NO_EC
|
||||
|
@ -137,7 +137,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
|||
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
|
||||
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
|
||||
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
|
||||
@@ -2042,7 +1961,7 @@ int speed_main(int argc, char **argv)
|
||||
@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -146,7 +146,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
|||
ecdsa_c[R_EC_K163][0] = count / 1000;
|
||||
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
|
||||
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
||||
@@ -2073,8 +1992,8 @@ int speed_main(int argc, char **argv)
|
||||
@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
# endif
|
||||
|
||||
|
@ -157,7 +157,7 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
|||
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
||||
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
|
||||
ecdh_doit[i] = 0;
|
||||
@@ -2084,7 +2003,7 @@ int speed_main(int argc, char **argv)
|
||||
@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -166,9 +166,9 @@ diff -up openssl-1.1.1c/apps/speed.c.curves openssl-1.1.1c/apps/speed.c
|
|||
ecdh_c[R_EC_K163][0] = count / 1000;
|
||||
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
||||
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
||||
diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp_smpl.c
|
||||
--- openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/crypto/ec/ecp_smpl.c 2019-05-29 15:30:09.071349520 +0200
|
||||
diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
|
||||
--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200
|
||||
+++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100
|
||||
@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
|
||||
return 0;
|
||||
}
|
||||
|
@ -181,9 +181,9 @@ diff -up openssl-1.1.1c/crypto/ec/ecp_smpl.c.curves openssl-1.1.1c/crypto/ec/ecp
|
|||
if (ctx == NULL) {
|
||||
ctx = new_ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
|
||||
--- openssl-1.1.1c/test/ecdsatest.h.curves 2019-05-29 15:30:09.010350595 +0200
|
||||
+++ openssl-1.1.1c/test/ecdsatest.h 2019-05-29 15:41:24.586444294 +0200
|
||||
diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
|
||||
--- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100
|
||||
+++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100
|
||||
@@ -32,23 +32,6 @@ typedef struct {
|
||||
} ecdsa_cavs_kat_t;
|
||||
|
||||
|
@ -208,3 +208,59 @@ diff -up openssl-1.1.1c/test/ecdsatest.h.curves openssl-1.1.1c/test/ecdsatest.h
|
|||
/* prime KATs from NIST CAVP */
|
||||
{NID_secp224r1, NID_sha224,
|
||||
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
|
||||
--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100
|
||||
+++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100
|
||||
@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
|
||||
if disabled("ec");
|
||||
|
||||
my @prime_curves = qw(
|
||||
- secp112r1
|
||||
- secp112r2
|
||||
- secp128r1
|
||||
- secp128r2
|
||||
- secp160k1
|
||||
- secp160r1
|
||||
- secp160r2
|
||||
- secp192k1
|
||||
- secp224k1
|
||||
secp224r1
|
||||
secp256k1
|
||||
secp384r1
|
||||
secp521r1
|
||||
- prime192v1
|
||||
- prime192v2
|
||||
- prime192v3
|
||||
- prime239v1
|
||||
- prime239v2
|
||||
- prime239v3
|
||||
prime256v1
|
||||
- wap-wsg-idm-ecid-wtls6
|
||||
- wap-wsg-idm-ecid-wtls7
|
||||
- wap-wsg-idm-ecid-wtls8
|
||||
- wap-wsg-idm-ecid-wtls9
|
||||
- wap-wsg-idm-ecid-wtls12
|
||||
- brainpoolP160r1
|
||||
- brainpoolP160t1
|
||||
- brainpoolP192r1
|
||||
- brainpoolP192t1
|
||||
- brainpoolP224r1
|
||||
- brainpoolP224t1
|
||||
- brainpoolP256r1
|
||||
- brainpoolP256t1
|
||||
- brainpoolP320r1
|
||||
- brainpoolP320t1
|
||||
- brainpoolP384r1
|
||||
- brainpoolP384t1
|
||||
- brainpoolP512r1
|
||||
- brainpoolP512t1
|
||||
);
|
||||
|
||||
my @binary_curves = qw(
|
||||
@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
|
||||
if !disabled("sm2");
|
||||
|
||||
my @curve_aliases = qw(
|
||||
- P-192
|
||||
P-224
|
||||
P-256
|
||||
P-384
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
|
||||
--- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build 2020-05-18 12:55:53.299548432 +0200
|
||||
+++ openssl-1.1.1g/crypto/evp/pkey_kdf.c 2020-05-18 12:55:53.340548788 +0200
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/kdf.h>
|
||||
+#include "internal/numbers.h"
|
||||
#include "crypto/evp.h"
|
||||
|
||||
static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
|
||||
diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
|
||||
--- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build 2020-05-18 12:55:53.340548788 +0200
|
||||
+++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:57:18.648288904 +0200
|
||||
@@ -13,6 +13,7 @@
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/kdf.h>
|
||||
#include <openssl/evp.h>
|
||||
+#include "internal/numbers.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include "crypto/evp.h"
|
||||
#include "kdf_local.h"
|
||||
diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
|
||||
--- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build 2020-05-18 12:56:05.646655554 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/rand_unix.c 2020-05-18 12:58:51.088090896 +0200
|
||||
@@ -20,7 +20,7 @@
|
||||
#include "crypto/fips.h"
|
||||
#include <stdio.h>
|
||||
#include "internal/dso.h"
|
||||
-#ifdef __linux
|
||||
+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
|
||||
# include <sys/syscall.h>
|
||||
# include <sys/random.h>
|
||||
# ifdef DEVRANDOM_WAIT
|
||||
diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
|
||||
--- openssl-1.1.1g/include/crypto/fips.h.edk2-build 2020-05-18 12:55:53.296548406 +0200
|
||||
+++ openssl-1.1.1g/include/crypto/fips.h 2020-05-18 12:55:53.340548788 +0200
|
||||
@@ -50,10 +50,6 @@
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
-#ifndef OPENSSL_FIPS
|
||||
-# error FIPS is disabled.
|
||||
-#endif
|
||||
-
|
||||
#ifdef OPENSSL_FIPS
|
||||
|
||||
int FIPS_module_mode_set(int onoff);
|
||||
@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
|
||||
|
||||
void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
|
||||
|
||||
+#else
|
||||
+
|
||||
+# define fips_in_post() 0
|
||||
+
|
||||
#endif
|
|
@ -1,7 +1,7 @@
|
|||
diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err/openssl.txt
|
||||
--- openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/err/openssl.txt 2019-02-28 13:05:05.651521474 +0100
|
||||
@@ -743,6 +743,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
|
||||
diff -up openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf openssl-1.1.1j/crypto/err/openssl.txt
|
||||
--- openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/err/openssl.txt 2021-03-03 14:10:13.729466935 +0100
|
||||
@@ -748,6 +748,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
|
||||
EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate
|
||||
EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex
|
||||
EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate
|
||||
|
@ -11,7 +11,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
|
|||
EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex
|
||||
EVP_F_EVP_MD_SIZE:162:EVP_MD_size
|
||||
EVP_F_EVP_OPENINIT:102:EVP_OpenInit
|
||||
@@ -805,11 +808,30 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
|
||||
@@ -810,12 +813,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
|
||||
EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen
|
||||
EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
|
||||
EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
|
||||
|
@ -19,6 +19,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
|
|||
EVP_F_PKEY_SET_TYPE:158:pkey_set_type
|
||||
EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth
|
||||
EVP_F_RC5_CTRL:125:rc5_ctrl
|
||||
EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key
|
||||
EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
|
||||
+EVP_F_SCRYPT_ALG:228:scrypt_alg
|
||||
EVP_F_UPDATE:173:update
|
||||
|
@ -42,7 +43,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
|
|||
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
|
||||
KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
|
||||
KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init
|
||||
@@ -821,6 +843,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
|
||||
@@ -827,6 +849,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
|
||||
KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str
|
||||
KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
|
||||
KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
|
||||
|
@ -50,15 +51,15 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
|
|||
KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
|
||||
OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
|
||||
OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
|
||||
@@ -2264,6 +2287,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on
|
||||
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
|
||||
@@ -2284,6 +2307,7 @@ EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_K
|
||||
operation not supported for this keytype
|
||||
EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
|
||||
EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow
|
||||
+EVP_R_PARAMETER_TOO_LARGE:187:parameter too large
|
||||
EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
|
||||
EVP_R_PBKDF2_ERROR:181:pbkdf2 error
|
||||
EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
|
||||
@@ -2299,6 +2323,7 @@ KDF_R_MISSING_SEED:106:missing seed
|
||||
@@ -2320,6 +2344,7 @@ KDF_R_MISSING_SEED:106:missing seed
|
||||
KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
|
||||
KDF_R_VALUE_ERROR:108:value error
|
||||
KDF_R_VALUE_MISSING:102:value missing
|
||||
|
@ -66,9 +67,9 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err
|
|||
OBJ_R_OID_EXISTS:102:oid exists
|
||||
OBJ_R_UNKNOWN_NID:101:unknown nid
|
||||
OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
|
||||
diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/build.info
|
||||
--- openssl-1.1.1b/crypto/evp/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/evp/build.info 2019-02-28 13:05:05.651521474 +0100
|
||||
diff -up openssl-1.1.1j/crypto/evp/build.info.evp-kdf openssl-1.1.1j/crypto/evp/build.info
|
||||
--- openssl-1.1.1j/crypto/evp/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/evp/build.info 2021-03-03 14:08:02.490294839 +0100
|
||||
@@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\
|
||||
p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
|
||||
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
|
||||
|
@ -79,44 +80,37 @@ diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/
|
|||
e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
|
||||
e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
|
||||
e_chacha20_poly1305.c cmeth_lib.c
|
||||
diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c
|
||||
--- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c 2019-02-28 13:05:05.651521474 +0100
|
||||
@@ -14,8 +14,8 @@
|
||||
diff -up openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c
|
||||
--- openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c 2021-03-03 14:08:02.490294839 +0100
|
||||
@@ -14,9 +14,9 @@
|
||||
|
||||
# include <openssl/evp.h>
|
||||
# include <openssl/objects.h>
|
||||
-# include "evp_locl.h"
|
||||
# include "internal/evp_int.h"
|
||||
+# include "evp_locl.h"
|
||||
# include "internal/chacha.h"
|
||||
-# include "evp_local.h"
|
||||
# include "crypto/evp.h"
|
||||
# include "crypto/chacha.h"
|
||||
+# include "evp_local.h"
|
||||
|
||||
typedef struct {
|
||||
diff -up openssl-1.1.1b/crypto/evp/encode.c.evp-kdf openssl-1.1.1b/crypto/evp/encode.c
|
||||
--- openssl-1.1.1b/crypto/evp/encode.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/evp/encode.c 2019-02-28 13:05:05.651521474 +0100
|
||||
union {
|
||||
diff -up openssl-1.1.1j/crypto/evp/encode.c.evp-kdf openssl-1.1.1j/crypto/evp/encode.c
|
||||
--- openssl-1.1.1j/crypto/evp/encode.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/evp/encode.c 2021-03-03 14:08:02.491294847 +0100
|
||||
@@ -11,8 +11,8 @@
|
||||
#include <limits.h>
|
||||
#include "internal/cryptlib.h"
|
||||
#include <openssl/evp.h>
|
||||
-#include "evp_locl.h"
|
||||
#include "internal/evp_int.h"
|
||||
+#include "evp_locl.h"
|
||||
-#include "evp_local.h"
|
||||
#include "crypto/evp.h"
|
||||
+#include "evp_local.h"
|
||||
|
||||
static unsigned char conv_ascii2bin(unsigned char a,
|
||||
const unsigned char *table);
|
||||
diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_err.c
|
||||
--- openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf 2019-02-28 13:05:05.617522103 +0100
|
||||
+++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-02-28 13:05:05.651521474 +0100
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -56,6 +56,9 @@ static const ERR_STRING_DATA EVP_str_fun
|
||||
diff -up openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_err.c
|
||||
--- openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf 2021-03-03 14:08:02.469294651 +0100
|
||||
+++ openssl-1.1.1j/crypto/evp/evp_err.c 2021-03-03 14:12:08.272351600 +0100
|
||||
@@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
|
||||
"EVP_EncryptFinal_ex"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"},
|
||||
|
@ -126,7 +120,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e
|
|||
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), "EVP_MD_CTX_copy_ex"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"},
|
||||
@@ -147,10 +150,12 @@ static const ERR_STRING_DATA EVP_str_fun
|
||||
@@ -151,12 +154,14 @@ static const ERR_STRING_DATA EVP_str_fun
|
||||
"PKCS5_v2_PBKDF2_keyivgen"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0),
|
||||
"PKCS5_v2_scrypt_keyivgen"},
|
||||
|
@ -134,23 +128,25 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e
|
|||
{ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0),
|
||||
"r_32_12_16_init_key"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},
|
||||
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},
|
||||
{0, NULL}
|
||||
};
|
||||
@@ -233,6 +238,8 @@ static const ERR_STRING_DATA EVP_str_rea
|
||||
"operation not supported for this keytype"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
|
||||
@@ -243,6 +248,8 @@ static const ERR_STRING_DATA EVP_str_rea
|
||||
"operaton not initialized"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),
|
||||
"output would overflow"},
|
||||
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
|
||||
+ "parameter too large"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
|
||||
"partially overlapping buffers"},
|
||||
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},
|
||||
diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/evp_locl.h
|
||||
--- openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf 2019-02-28 13:05:05.253528831 +0100
|
||||
+++ openssl-1.1.1b/crypto/evp/evp_locl.h 2019-02-28 13:05:05.652521456 +0100
|
||||
diff -up openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf openssl-1.1.1j/crypto/evp/evp_local.h
|
||||
--- openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf 2021-03-03 14:08:02.362293695 +0100
|
||||
+++ openssl-1.1.1j/crypto/evp/evp_local.h 2021-03-03 14:08:02.491294847 +0100
|
||||
@@ -41,6 +41,11 @@ struct evp_cipher_ctx_st {
|
||||
unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
|
||||
} /* EVP_CIPHER_CTX */ ;
|
||||
|
@ -163,20 +159,20 @@ diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/
|
|||
int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
|
||||
int passlen, ASN1_TYPE *param,
|
||||
const EVP_CIPHER *c, const EVP_MD *md,
|
||||
diff -up openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_pbe.c
|
||||
--- openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/evp/evp_pbe.c 2019-02-28 13:05:05.652521456 +0100
|
||||
diff -up openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_pbe.c
|
||||
--- openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/evp/evp_pbe.c 2021-03-03 14:08:02.491294847 +0100
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pkcs12.h>
|
||||
#include <openssl/x509.h>
|
||||
+#include "internal/evp_int.h"
|
||||
#include "evp_locl.h"
|
||||
+#include "crypto/evp.h"
|
||||
#include "evp_local.h"
|
||||
|
||||
/* Password based encryption (PBE) functions */
|
||||
diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/kdf_lib.c
|
||||
--- openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf 2019-02-28 13:05:05.652521456 +0100
|
||||
+++ openssl-1.1.1b/crypto/evp/kdf_lib.c 2019-02-28 13:05:05.652521456 +0100
|
||||
diff -up openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1j/crypto/evp/kdf_lib.c
|
||||
--- openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf 2021-03-03 14:08:02.491294847 +0100
|
||||
+++ openssl-1.1.1j/crypto/evp/kdf_lib.c 2021-03-03 14:08:02.491294847 +0100
|
||||
@@ -0,0 +1,165 @@
|
||||
+/*
|
||||
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -195,10 +191,10 @@ diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/k
|
|||
+#include <openssl/evp.h>
|
||||
+#include <openssl/x509v3.h>
|
||||
+#include <openssl/kdf.h>
|
||||
+#include "internal/asn1_int.h"
|
||||
+#include "internal/evp_int.h"
|
||||
+#include "crypto/asn1.h"
|
||||
+#include "crypto/evp.h"
|
||||
+#include "internal/numbers.h"
|
||||
+#include "evp_locl.h"
|
||||
+#include "evp_local.h"
|
||||
+
|
||||
+typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
|
||||
+
|
||||
|
@ -343,9 +339,9 @@ diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/k
|
|||
+ return ctx->kmeth->derive(ctx->impl, key, keylen);
|
||||
+}
|
||||
+
|
||||
diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/p5_crpt2.c
|
||||
--- openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/evp/p5_crpt2.c 2019-02-28 13:05:05.652521456 +0100
|
||||
diff -up openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1j/crypto/evp/p5_crpt2.c
|
||||
--- openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/evp/p5_crpt2.c 2021-03-03 14:08:02.491294847 +0100
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -360,13 +356,13 @@ diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/
|
|||
-# include <openssl/x509.h>
|
||||
-# include <openssl/evp.h>
|
||||
-# include <openssl/hmac.h>
|
||||
-# include "evp_locl.h"
|
||||
-# include "evp_local.h"
|
||||
+#include <openssl/x509.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#include <openssl/kdf.h>
|
||||
+#include <openssl/hmac.h>
|
||||
+#include "internal/evp_int.h"
|
||||
+#include "evp_locl.h"
|
||||
+#include "crypto/evp.h"
|
||||
+#include "evp_local.h"
|
||||
|
||||
/* set this to print out info about the keygen algorithm */
|
||||
/* #define OPENSSL_DEBUG_PKCS5V2 */
|
||||
|
@ -494,9 +490,9 @@ diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/
|
|||
}
|
||||
|
||||
int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
|
||||
diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/evp/pbe_scrypt.c
|
||||
--- openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/evp/pbe_scrypt.c 2019-02-28 13:33:18.446264056 +0100
|
||||
diff -up openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1j/crypto/evp/pbe_scrypt.c
|
||||
--- openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/evp/pbe_scrypt.c 2021-03-03 14:08:02.491294847 +0100
|
||||
@@ -7,135 +7,12 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
@ -682,9 +678,11 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
|
|||
- */
|
||||
- if (Blen > INT_MAX) {
|
||||
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
+ if (r > UINT32_MAX || p > UINT32_MAX) {
|
||||
+ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
|
||||
- * This is combined size V, X and T (section 4)
|
||||
|
@ -692,21 +690,18 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
|
|||
- i = UINT64_MAX / (32 * sizeof(uint32_t));
|
||||
- if (N + 2 > i / r) {
|
||||
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
|
||||
+ if (r > UINT32_MAX || p > UINT32_MAX) {
|
||||
+ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);
|
||||
return 0;
|
||||
}
|
||||
- Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
|
||||
|
||||
- /* check total allocated size fits in uint64_t */
|
||||
- if (Blen > UINT64_MAX - Vlen) {
|
||||
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
|
||||
- return 0;
|
||||
+ /* Maintain existing behaviour. */
|
||||
+ if (pass == NULL) {
|
||||
+ pass = empty;
|
||||
+ passlen = 0;
|
||||
+ }
|
||||
}
|
||||
- Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
|
||||
-
|
||||
- /* check total allocated size fits in uint64_t */
|
||||
- if (Blen > UINT64_MAX - Vlen) {
|
||||
- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
|
||||
- return 0;
|
||||
+ if (salt == NULL) {
|
||||
+ salt = (const unsigned char *)empty;
|
||||
+ saltlen = 0;
|
||||
|
@ -768,9 +763,9 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev
|
|||
}
|
||||
+
|
||||
#endif
|
||||
diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/pkey_kdf.c
|
||||
--- openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf 2019-02-28 13:05:05.653521437 +0100
|
||||
+++ openssl-1.1.1b/crypto/evp/pkey_kdf.c 2019-02-28 13:05:05.653521437 +0100
|
||||
diff -up openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1j/crypto/evp/pkey_kdf.c
|
||||
--- openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf 2021-03-03 14:08:02.491294847 +0100
|
||||
+++ openssl-1.1.1j/crypto/evp/pkey_kdf.c 2021-03-03 14:08:02.491294847 +0100
|
||||
@@ -0,0 +1,255 @@
|
||||
+/*
|
||||
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -786,7 +781,7 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/
|
|||
+#include <openssl/evp.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/kdf.h>
|
||||
+#include "internal/evp_int.h"
|
||||
+#include "crypto/evp.h"
|
||||
+
|
||||
+static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
|
||||
+{
|
||||
|
@ -1027,45 +1022,17 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/
|
|||
+ pkey_kdf_ctrl_str
|
||||
+};
|
||||
+
|
||||
diff -up openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf openssl-1.1.1b/crypto/include/internal/evp_int.h
|
||||
--- openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf 2019-02-28 13:05:05.304527888 +0100
|
||||
+++ openssl-1.1.1b/crypto/include/internal/evp_int.h 2019-02-28 13:05:05.653521437 +0100
|
||||
@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
|
||||
extern const EVP_PKEY_METHOD poly1305_pkey_meth;
|
||||
extern const EVP_PKEY_METHOD siphash_pkey_meth;
|
||||
|
||||
+/* struct evp_kdf_impl_st is defined by the implementation */
|
||||
+typedef struct evp_kdf_impl_st EVP_KDF_IMPL;
|
||||
+typedef struct {
|
||||
+ int type;
|
||||
+ EVP_KDF_IMPL *(*new) (void);
|
||||
+ void (*free) (EVP_KDF_IMPL *impl);
|
||||
+ void (*reset) (EVP_KDF_IMPL *impl);
|
||||
+ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args);
|
||||
+ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value);
|
||||
+ size_t (*size) (EVP_KDF_IMPL *impl);
|
||||
+ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen);
|
||||
+} EVP_KDF_METHOD;
|
||||
+
|
||||
+extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
|
||||
+extern const EVP_KDF_METHOD scrypt_kdf_meth;
|
||||
+extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
|
||||
+extern const EVP_KDF_METHOD hkdf_kdf_meth;
|
||||
+
|
||||
struct evp_md_st {
|
||||
int type;
|
||||
int pkey_type;
|
||||
diff -up openssl-1.1.1b/crypto/kdf/build.info.evp-kdf openssl-1.1.1b/crypto/kdf/build.info
|
||||
--- openssl-1.1.1b/crypto/kdf/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/kdf/build.info 2019-02-28 13:05:05.653521437 +0100
|
||||
diff -up openssl-1.1.1j/crypto/kdf/build.info.evp-kdf openssl-1.1.1j/crypto/kdf/build.info
|
||||
--- openssl-1.1.1j/crypto/kdf/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/kdf/build.info 2021-03-03 14:08:02.491294847 +0100
|
||||
@@ -1,3 +1,3 @@
|
||||
LIBS=../../libcrypto
|
||||
SOURCE[../../libcrypto]=\
|
||||
- tls1_prf.c kdf_err.c hkdf.c scrypt.c
|
||||
+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c
|
||||
diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf.c
|
||||
--- openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/kdf/hkdf.c 2019-02-28 13:05:05.653521437 +0100
|
||||
diff -up openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1j/crypto/kdf/hkdf.c
|
||||
--- openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/kdf/hkdf.c 2021-03-03 14:08:02.492294856 +0100
|
||||
@@ -8,32 +8,33 @@
|
||||
*/
|
||||
|
||||
|
@ -1073,11 +1040,10 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
|
|||
+#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <openssl/hmac.h>
|
||||
-#include <openssl/kdf.h>
|
||||
#include <openssl/kdf.h>
|
||||
#include <openssl/evp.h>
|
||||
+#include <openssl/kdf.h>
|
||||
#include "internal/cryptlib.h"
|
||||
#include "internal/evp_int.h"
|
||||
#include "crypto/evp.h"
|
||||
+#include "kdf_local.h"
|
||||
|
||||
#define HKDF_MAXBUF 1024
|
||||
|
@ -1198,18 +1164,18 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
|
|||
return 1;
|
||||
|
||||
- if (p1 < 0)
|
||||
- return 0;
|
||||
-
|
||||
- if (kctx->salt != NULL)
|
||||
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
|
||||
-
|
||||
- kctx->salt = OPENSSL_memdup(p2, p1);
|
||||
- if (kctx->salt == NULL)
|
||||
+ OPENSSL_free(impl->salt);
|
||||
+ impl->salt = OPENSSL_memdup(p, len);
|
||||
+ if (impl->salt == NULL)
|
||||
return 0;
|
||||
|
||||
- if (kctx->salt != NULL)
|
||||
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
|
||||
-
|
||||
- kctx->salt = OPENSSL_memdup(p2, p1);
|
||||
- if (kctx->salt == NULL)
|
||||
- return 0;
|
||||
-
|
||||
- kctx->salt_len = p1;
|
||||
+ impl->salt_len = len;
|
||||
return 1;
|
||||
|
@ -1327,14 +1293,14 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
|
|||
+static size_t kdf_hkdf_size(EVP_KDF_IMPL *impl)
|
||||
{
|
||||
- HKDF_PKEY_CTX *kctx = ctx->data;
|
||||
-
|
||||
+ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)
|
||||
+ return SIZE_MAX;
|
||||
|
||||
- OPENSSL_clear_free(kctx->key, kctx->key_len);
|
||||
- OPENSSL_clear_free(kctx->salt, kctx->salt_len);
|
||||
- OPENSSL_cleanse(kctx->info, kctx->info_len);
|
||||
- memset(kctx, 0, sizeof(*kctx));
|
||||
+ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)
|
||||
+ return SIZE_MAX;
|
||||
|
||||
-
|
||||
- return 1;
|
||||
+ if (impl->md == NULL) {
|
||||
+ KDFerr(KDF_F_KDF_HKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST);
|
||||
|
@ -1532,9 +1498,9 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf
|
|||
|
||||
err:
|
||||
OPENSSL_cleanse(prev, sizeof(prev));
|
||||
diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_err.c
|
||||
--- openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/kdf/kdf_err.c 2019-02-28 13:05:05.654521419 +0100
|
||||
diff -up openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_err.c
|
||||
--- openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/kdf/kdf_err.c 2021-03-03 14:08:02.492294856 +0100
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
|
@ -1590,9 +1556,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/k
|
|||
{0, NULL}
|
||||
};
|
||||
|
||||
diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_local.h
|
||||
--- openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf 2019-02-28 13:05:05.654521419 +0100
|
||||
+++ openssl-1.1.1b/crypto/kdf/kdf_local.h 2019-02-28 13:05:05.654521419 +0100
|
||||
diff -up openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_local.h
|
||||
--- openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf 2021-03-03 14:08:02.492294856 +0100
|
||||
+++ openssl-1.1.1j/crypto/kdf/kdf_local.h 2021-03-03 14:08:02.492294856 +0100
|
||||
@@ -0,0 +1,22 @@
|
||||
+/*
|
||||
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -1616,9 +1582,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf
|
|||
+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
|
||||
+ int cmd, const char *md_name);
|
||||
+
|
||||
diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_util.c
|
||||
--- openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100
|
||||
+++ openssl-1.1.1b/crypto/kdf/kdf_util.c 2019-02-28 13:05:05.654521419 +0100
|
||||
diff -up openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_util.c
|
||||
--- openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf 2021-03-03 14:08:02.492294856 +0100
|
||||
+++ openssl-1.1.1j/crypto/kdf/kdf_util.c 2021-03-03 14:08:02.492294856 +0100
|
||||
@@ -0,0 +1,73 @@
|
||||
+/*
|
||||
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -1635,7 +1601,7 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/
|
|||
+#include <openssl/kdf.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#include "internal/cryptlib.h"
|
||||
+#include "internal/evp_int.h"
|
||||
+#include "crypto/evp.h"
|
||||
+#include "internal/numbers.h"
|
||||
+#include "kdf_local.h"
|
||||
+
|
||||
|
@ -1693,9 +1659,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/
|
|||
+ return call_ctrl(ctrl, impl, cmd, md);
|
||||
+}
|
||||
+
|
||||
diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pbkdf2.c
|
||||
--- openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100
|
||||
+++ openssl-1.1.1b/crypto/kdf/pbkdf2.c 2019-02-28 13:05:05.654521419 +0100
|
||||
diff -up openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1j/crypto/kdf/pbkdf2.c
|
||||
--- openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf 2021-03-03 14:08:02.492294856 +0100
|
||||
+++ openssl-1.1.1j/crypto/kdf/pbkdf2.c 2021-03-03 14:08:02.492294856 +0100
|
||||
@@ -0,0 +1,264 @@
|
||||
+/*
|
||||
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -1713,7 +1679,7 @@ diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pb
|
|||
+#include <openssl/evp.h>
|
||||
+#include <openssl/kdf.h>
|
||||
+#include "internal/cryptlib.h"
|
||||
+#include "internal/evp_int.h"
|
||||
+#include "crypto/evp.h"
|
||||
+#include "kdf_local.h"
|
||||
+
|
||||
+static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl);
|
||||
|
@ -1961,22 +1927,21 @@ diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pb
|
|||
+ HMAC_CTX_free(hctx_tpl);
|
||||
+ return ret;
|
||||
+}
|
||||
diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/scrypt.c
|
||||
--- openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/kdf/scrypt.c 2019-02-28 13:05:05.655521400 +0100
|
||||
@@ -8,25 +8,34 @@
|
||||
diff -up openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1j/crypto/kdf/scrypt.c
|
||||
--- openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/kdf/scrypt.c 2021-03-03 14:08:02.492294856 +0100
|
||||
@@ -8,25 +8,35 @@
|
||||
*/
|
||||
|
||||
#include <stdlib.h>
|
||||
+#include <stdarg.h>
|
||||
#include <string.h>
|
||||
-#include <openssl/hmac.h>
|
||||
-#include <openssl/kdf.h>
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/kdf.h>
|
||||
#include <openssl/evp.h>
|
||||
-#include "internal/cryptlib.h"
|
||||
+#include <openssl/kdf.h>
|
||||
+#include <openssl/err.h>
|
||||
#include "internal/evp_int.h"
|
||||
#include "crypto/evp.h"
|
||||
+#include "internal/numbers.h"
|
||||
+#include "kdf_local.h"
|
||||
|
||||
|
@ -2005,7 +1970,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
|
|||
|
||||
/* Custom uint64_t parser since we do not have strtoull */
|
||||
static int atou64(const char *nptr, uint64_t *result)
|
||||
@@ -53,51 +62,53 @@ static int atou64(const char *nptr, uint
|
||||
@@ -53,51 +63,53 @@ static int atou64(const char *nptr, uint
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -2090,7 +2055,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
|
|||
|
||||
if (new_buflen > 0) {
|
||||
*buffer = OPENSSL_memdup(new_buffer, new_buflen);
|
||||
@@ -105,7 +116,7 @@ static int pkey_scrypt_set_membuf(unsign
|
||||
@@ -105,7 +117,7 @@ static int pkey_scrypt_set_membuf(unsign
|
||||
*buffer = OPENSSL_malloc(1);
|
||||
}
|
||||
if (*buffer == NULL) {
|
||||
|
@ -2099,7 +2064,7 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
|
|||
return 0;
|
||||
}
|
||||
|
||||
@@ -118,149 +129,378 @@ static int is_power_of_two(uint64_t valu
|
||||
@@ -118,149 +130,378 @@ static int is_power_of_two(uint64_t valu
|
||||
return (value != 0) && ((value & (value - 1)) == 0);
|
||||
}
|
||||
|
||||
|
@ -2552,9 +2517,9 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc
|
|||
+}
|
||||
|
||||
#endif
|
||||
diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/tls1_prf.c
|
||||
--- openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/kdf/tls1_prf.c 2019-02-28 13:05:05.655521400 +0100
|
||||
diff -up openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1j/crypto/kdf/tls1_prf.c
|
||||
--- openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/crypto/kdf/tls1_prf.c 2021-03-03 14:08:02.492294856 +0100
|
||||
@@ -8,11 +8,15 @@
|
||||
*/
|
||||
|
||||
|
@ -2562,10 +2527,9 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/
|
|||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
#include "internal/cryptlib.h"
|
||||
-#include <openssl/kdf.h>
|
||||
#include <openssl/kdf.h>
|
||||
#include <openssl/evp.h>
|
||||
+#include <openssl/kdf.h>
|
||||
#include "internal/evp_int.h"
|
||||
#include "crypto/evp.h"
|
||||
+#include "kdf_local.h"
|
||||
|
||||
+static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl);
|
||||
|
@ -2665,15 +2629,15 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/
|
|||
- kctx->seclen = p1;
|
||||
+
|
||||
+ impl->seclen = len;
|
||||
+ return 1;
|
||||
+
|
||||
+ case EVP_KDF_CTRL_RESET_TLS_SEED:
|
||||
+ OPENSSL_cleanse(impl->seed, impl->seedlen);
|
||||
+ impl->seedlen = 0;
|
||||
return 1;
|
||||
|
||||
- case EVP_PKEY_CTRL_TLS_SEED:
|
||||
- if (p1 == 0 || p2 == NULL)
|
||||
+ case EVP_KDF_CTRL_RESET_TLS_SEED:
|
||||
+ OPENSSL_cleanse(impl->seed, impl->seedlen);
|
||||
+ impl->seedlen = 0;
|
||||
+ return 1;
|
||||
+
|
||||
+ case EVP_KDF_CTRL_ADD_TLS_SEED:
|
||||
+ p = va_arg(args, const unsigned char *);
|
||||
+ len = va_arg(args, size_t);
|
||||
|
@ -2838,9 +2802,9 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/
|
|||
OPENSSL_clear_free(tmp, olen);
|
||||
return 0;
|
||||
}
|
||||
diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod
|
||||
--- openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
|
||||
+++ openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod 2019-02-28 13:05:05.655521400 +0100
|
||||
diff -up openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod
|
||||
--- openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2021-03-03 14:08:02.492294856 +0100
|
||||
+++ openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod 2021-03-03 14:08:02.492294856 +0100
|
||||
@@ -0,0 +1,217 @@
|
||||
+=pod
|
||||
+
|
||||
|
@ -3059,9 +3023,9 @@ diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3
|
|||
+L<https://www.openssl.org/source/license.html>.
|
||||
+
|
||||
+=cut
|
||||
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod
|
||||
--- openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
|
||||
+++ openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod 2019-02-28 13:05:05.656521382 +0100
|
||||
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod
|
||||
--- openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100
|
||||
+++ openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod 2021-03-03 14:08:02.493294865 +0100
|
||||
@@ -0,0 +1,180 @@
|
||||
+=pod
|
||||
+
|
||||
|
@ -3243,9 +3207,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man
|
|||
+L<https://www.openssl.org/source/license.html>.
|
||||
+
|
||||
+=cut
|
||||
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod
|
||||
--- openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
|
||||
+++ openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod 2019-02-28 13:05:05.656521382 +0100
|
||||
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod
|
||||
--- openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100
|
||||
+++ openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod 2021-03-03 14:08:02.493294865 +0100
|
||||
@@ -0,0 +1,78 @@
|
||||
+=pod
|
||||
+
|
||||
|
@ -3325,9 +3289,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/m
|
|||
+L<https://www.openssl.org/source/license.html>.
|
||||
+
|
||||
+=cut
|
||||
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod
|
||||
--- openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
|
||||
+++ openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod 2019-02-28 13:05:05.656521382 +0100
|
||||
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod
|
||||
--- openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100
|
||||
+++ openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod 2021-03-03 14:08:02.493294865 +0100
|
||||
@@ -0,0 +1,149 @@
|
||||
+=pod
|
||||
+
|
||||
|
@ -3478,9 +3442,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/m
|
|||
+L<https://www.openssl.org/source/license.html>.
|
||||
+
|
||||
+=cut
|
||||
diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod
|
||||
--- openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100
|
||||
+++ openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod 2019-02-28 13:05:05.656521382 +0100
|
||||
diff -up openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod
|
||||
--- openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100
|
||||
+++ openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod 2021-03-03 14:08:02.493294865 +0100
|
||||
@@ -0,0 +1,142 @@
|
||||
+=pod
|
||||
+
|
||||
|
@ -3624,18 +3588,38 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc
|
|||
+L<https://www.openssl.org/source/license.html>.
|
||||
+
|
||||
+=cut
|
||||
diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/openssl/evperr.h
|
||||
--- openssl-1.1.1b/include/openssl/evperr.h.evp-kdf 2019-02-28 13:05:05.633521807 +0100
|
||||
+++ openssl-1.1.1b/include/openssl/evperr.h 2019-02-28 13:05:05.657521363 +0100
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -51,6 +51,9 @@ int ERR_load_EVP_strings(void);
|
||||
diff -up openssl-1.1.1j/include/crypto/evp.h.evp-kdf openssl-1.1.1j/include/crypto/evp.h
|
||||
--- openssl-1.1.1j/include/crypto/evp.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/include/crypto/evp.h 2021-03-03 14:08:02.493294865 +0100
|
||||
@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
|
||||
extern const EVP_PKEY_METHOD poly1305_pkey_meth;
|
||||
extern const EVP_PKEY_METHOD siphash_pkey_meth;
|
||||
|
||||
+/* struct evp_kdf_impl_st is defined by the implementation */
|
||||
+typedef struct evp_kdf_impl_st EVP_KDF_IMPL;
|
||||
+typedef struct {
|
||||
+ int type;
|
||||
+ EVP_KDF_IMPL *(*new) (void);
|
||||
+ void (*free) (EVP_KDF_IMPL *impl);
|
||||
+ void (*reset) (EVP_KDF_IMPL *impl);
|
||||
+ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args);
|
||||
+ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value);
|
||||
+ size_t (*size) (EVP_KDF_IMPL *impl);
|
||||
+ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen);
|
||||
+} EVP_KDF_METHOD;
|
||||
+
|
||||
+extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
|
||||
+extern const EVP_KDF_METHOD scrypt_kdf_meth;
|
||||
+extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
|
||||
+extern const EVP_KDF_METHOD hkdf_kdf_meth;
|
||||
+
|
||||
struct evp_md_st {
|
||||
int type;
|
||||
int pkey_type;
|
||||
diff -up openssl-1.1.1j/include/openssl/evperr.h.evp-kdf openssl-1.1.1j/include/openssl/evperr.h
|
||||
--- openssl-1.1.1j/include/openssl/evperr.h.evp-kdf 2021-03-03 14:08:02.477294722 +0100
|
||||
+++ openssl-1.1.1j/include/openssl/evperr.h 2021-03-03 14:13:37.587003722 +0100
|
||||
@@ -56,6 +56,9 @@ int ERR_load_EVP_strings(void);
|
||||
# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
|
||||
# define EVP_F_EVP_ENCRYPTFINAL_EX 127
|
||||
# define EVP_F_EVP_ENCRYPTUPDATE 167
|
||||
|
@ -3645,7 +3629,7 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/
|
|||
# define EVP_F_EVP_MD_CTX_COPY_EX 110
|
||||
# define EVP_F_EVP_MD_SIZE 162
|
||||
# define EVP_F_EVP_OPENINIT 102
|
||||
@@ -113,10 +116,12 @@ int ERR_load_EVP_strings(void);
|
||||
@@ -118,11 +121,13 @@ int ERR_load_EVP_strings(void);
|
||||
# define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118
|
||||
# define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164
|
||||
# define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180
|
||||
|
@ -3653,31 +3637,24 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/
|
|||
# define EVP_F_PKEY_SET_TYPE 158
|
||||
# define EVP_F_RC2_MAGIC_TO_METH 109
|
||||
# define EVP_F_RC5_CTRL 125
|
||||
# define EVP_F_R_32_12_16_INIT_KEY 242
|
||||
# define EVP_F_S390X_AES_GCM_CTRL 201
|
||||
+# define EVP_F_SCRYPT_ALG 228
|
||||
# define EVP_F_UPDATE 173
|
||||
|
||||
/*
|
||||
@@ -171,6 +176,7 @@ int ERR_load_EVP_strings(void);
|
||||
@@ -179,6 +184,7 @@ int ERR_load_EVP_strings(void);
|
||||
# define EVP_R_ONLY_ONESHOT_SUPPORTED 177
|
||||
# define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
|
||||
# define EVP_R_OPERATON_NOT_INITIALIZED 151
|
||||
+# define EVP_R_PARAMETER_TOO_LARGE 187
|
||||
# define EVP_R_OUTPUT_WOULD_OVERFLOW 184
|
||||
# define EVP_R_PARTIALLY_OVERLAPPING 162
|
||||
# define EVP_R_PBKDF2_ERROR 181
|
||||
# define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179
|
||||
diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/openssl/kdferr.h
|
||||
--- openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/include/openssl/kdferr.h 2019-02-28 13:05:05.657521363 +0100
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -19,6 +19,23 @@ int ERR_load_KDF_strings(void);
|
||||
diff -up openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf openssl-1.1.1j/include/openssl/kdferr.h
|
||||
--- openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/include/openssl/kdferr.h 2021-03-03 14:08:02.493294865 +0100
|
||||
@@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void);
|
||||
/*
|
||||
* KDF function codes.
|
||||
*/
|
||||
|
@ -3701,7 +3678,7 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/
|
|||
# define KDF_F_PKEY_HKDF_CTRL_STR 103
|
||||
# define KDF_F_PKEY_HKDF_DERIVE 102
|
||||
# define KDF_F_PKEY_HKDF_INIT 108
|
||||
@@ -30,6 +47,7 @@ int ERR_load_KDF_strings(void);
|
||||
@@ -34,6 +51,7 @@ int ERR_load_KDF_strings(void);
|
||||
# define KDF_F_PKEY_TLS1_PRF_CTRL_STR 100
|
||||
# define KDF_F_PKEY_TLS1_PRF_DERIVE 101
|
||||
# define KDF_F_PKEY_TLS1_PRF_INIT 110
|
||||
|
@ -3709,16 +3686,16 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/
|
|||
# define KDF_F_TLS1_PRF_ALG 111
|
||||
|
||||
/*
|
||||
@@ -47,5 +65,6 @@ int ERR_load_KDF_strings(void);
|
||||
@@ -51,5 +69,6 @@ int ERR_load_KDF_strings(void);
|
||||
# define KDF_R_UNKNOWN_PARAMETER_TYPE 103
|
||||
# define KDF_R_VALUE_ERROR 108
|
||||
# define KDF_R_VALUE_MISSING 102
|
||||
+# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112
|
||||
|
||||
#endif
|
||||
diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/openssl/kdf.h
|
||||
--- openssl-1.1.1b/include/openssl/kdf.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/include/openssl/kdf.h 2019-02-28 13:05:05.657521363 +0100
|
||||
diff -up openssl-1.1.1j/include/openssl/kdf.h.evp-kdf openssl-1.1.1j/include/openssl/kdf.h
|
||||
--- openssl-1.1.1j/include/openssl/kdf.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/include/openssl/kdf.h 2021-03-03 14:08:02.493294865 +0100
|
||||
@@ -10,10 +10,50 @@
|
||||
#ifndef HEADER_KDF_H
|
||||
# define HEADER_KDF_H
|
||||
|
@ -3797,9 +3774,9 @@ diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/ope
|
|||
}
|
||||
# endif
|
||||
#endif
|
||||
diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/include/openssl/ossl_typ.h
|
||||
--- openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/include/openssl/ossl_typ.h 2019-02-28 13:05:05.657521363 +0100
|
||||
diff -up openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1j/include/openssl/ossl_typ.h
|
||||
--- openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/include/openssl/ossl_typ.h 2021-03-03 14:08:02.493294865 +0100
|
||||
@@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E
|
||||
typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
|
||||
typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
|
||||
|
@ -3809,10 +3786,10 @@ diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/includ
|
|||
typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX;
|
||||
|
||||
typedef struct hmac_ctx_st HMAC_CTX;
|
||||
diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info
|
||||
--- openssl-1.1.1b/test/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/test/build.info 2019-02-28 13:05:05.657521363 +0100
|
||||
@@ -43,7 +43,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
|
||||
diff -up openssl-1.1.1j/test/build.info.evp-kdf openssl-1.1.1j/test/build.info
|
||||
--- openssl-1.1.1j/test/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/test/build.info 2021-03-03 14:08:02.493294865 +0100
|
||||
@@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
|
||||
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
|
||||
bio_callback_test bio_memleak_test \
|
||||
bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
|
||||
|
@ -3822,7 +3799,7 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info
|
|||
asn1_encode_test asn1_decode_test asn1_string_table_test \
|
||||
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
|
||||
recordlentest drbgtest sslbuffertest \
|
||||
@@ -335,6 +336,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
|
||||
@@ -336,6 +337,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
|
||||
INCLUDE[pkey_meth_kdf_test]=../include
|
||||
DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a
|
||||
|
||||
|
@ -3833,9 +3810,9 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info
|
|||
SOURCE[x509_time_test]=x509_time_test.c
|
||||
INCLUDE[x509_time_test]=../include
|
||||
DEPEND[x509_time_test]=../libcrypto libtestutil.a
|
||||
diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_test.c
|
||||
--- openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf 2019-02-28 13:05:05.658521345 +0100
|
||||
+++ openssl-1.1.1b/test/evp_kdf_test.c 2019-02-28 13:05:05.658521345 +0100
|
||||
diff -up openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf openssl-1.1.1j/test/evp_kdf_test.c
|
||||
--- openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf 2021-03-03 14:08:02.494294874 +0100
|
||||
+++ openssl-1.1.1j/test/evp_kdf_test.c 2021-03-03 14:08:02.494294874 +0100
|
||||
@@ -0,0 +1,237 @@
|
||||
+/*
|
||||
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -4074,10 +4051,10 @@ diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_
|
|||
+#endif
|
||||
+ return 1;
|
||||
+}
|
||||
diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
|
||||
--- openssl-1.1.1b/test/evp_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/test/evp_test.c 2019-02-28 13:05:05.658521345 +0100
|
||||
@@ -1672,13 +1672,14 @@ static const EVP_TEST_METHOD encode_test
|
||||
diff -up openssl-1.1.1j/test/evp_test.c.evp-kdf openssl-1.1.1j/test/evp_test.c
|
||||
--- openssl-1.1.1j/test/evp_test.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/test/evp_test.c 2021-03-03 14:08:02.494294874 +0100
|
||||
@@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test
|
||||
encode_test_run,
|
||||
};
|
||||
|
||||
|
@ -4093,7 +4070,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
|
|||
/* Expected output */
|
||||
unsigned char *output;
|
||||
size_t output_len;
|
||||
@@ -1705,16 +1706,11 @@ static int kdf_test_init(EVP_TEST *t, co
|
||||
@@ -1738,16 +1739,11 @@ static int kdf_test_init(EVP_TEST *t, co
|
||||
|
||||
if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))
|
||||
return 0;
|
||||
|
@ -4111,7 +4088,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
|
|||
t->data = kdata;
|
||||
return 1;
|
||||
}
|
||||
@@ -1723,7 +1719,42 @@ static void kdf_test_cleanup(EVP_TEST *t
|
||||
@@ -1756,7 +1752,42 @@ static void kdf_test_cleanup(EVP_TEST *t
|
||||
{
|
||||
KDF_DATA *kdata = t->data;
|
||||
OPENSSL_free(kdata->output);
|
||||
|
@ -4155,7 +4132,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
|
|||
}
|
||||
|
||||
static int kdf_test_parse(EVP_TEST *t,
|
||||
@@ -1734,7 +1765,7 @@ static int kdf_test_parse(EVP_TEST *t,
|
||||
@@ -1767,7 +1798,7 @@ static int kdf_test_parse(EVP_TEST *t,
|
||||
if (strcmp(keyword, "Output") == 0)
|
||||
return parse_bin(value, &kdata->output, &kdata->output_len);
|
||||
if (strncmp(keyword, "Ctrl", 4) == 0)
|
||||
|
@ -4164,7 +4141,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
|
|||
return 0;
|
||||
}
|
||||
|
||||
@@ -1748,7 +1779,7 @@ static int kdf_test_run(EVP_TEST *t)
|
||||
@@ -1781,7 +1812,7 @@ static int kdf_test_run(EVP_TEST *t)
|
||||
t->err = "INTERNAL_ERROR";
|
||||
goto err;
|
||||
}
|
||||
|
@ -4173,7 +4150,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
|
|||
t->err = "KDF_DERIVE_ERROR";
|
||||
goto err;
|
||||
}
|
||||
@@ -1774,6 +1805,106 @@ static const EVP_TEST_METHOD kdf_test_me
|
||||
@@ -1807,6 +1838,106 @@ static const EVP_TEST_METHOD kdf_test_me
|
||||
|
||||
|
||||
/**
|
||||
|
@ -4280,7 +4257,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
|
|||
*** KEYPAIR TESTS
|
||||
**/
|
||||
|
||||
@@ -2277,6 +2408,7 @@ static const EVP_TEST_METHOD *evp_test_l
|
||||
@@ -2310,6 +2441,7 @@ static const EVP_TEST_METHOD *evp_test_l
|
||||
&digestverify_test_method,
|
||||
&encode_test_method,
|
||||
&kdf_test_method,
|
||||
|
@ -4288,9 +4265,9 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c
|
|||
&keypair_test_method,
|
||||
&keygen_test_method,
|
||||
&mac_test_method,
|
||||
diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pkey_meth_kdf_test.c
|
||||
--- openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/test/pkey_meth_kdf_test.c 2019-02-28 13:05:05.658521345 +0100
|
||||
diff -up openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1j/test/pkey_meth_kdf_test.c
|
||||
--- openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/test/pkey_meth_kdf_test.c 2021-03-03 14:08:02.494294874 +0100
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -4494,9 +4471,9 @@ diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pk
|
|||
}
|
||||
#endif
|
||||
|
||||
diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt
|
||||
--- openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt 2019-02-28 13:05:05.659521326 +0100
|
||||
diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt
|
||||
--- openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt 2021-03-03 14:08:02.494294874 +0100
|
||||
@@ -1,5 +1,5 @@
|
||||
#
|
||||
-# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -4895,9 +4872,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl
|
|||
+Ctrl.digest = digest:sha512
|
||||
+Output = 00ef42cdbfc98d29db20976608e455567fdddf14
|
||||
+
|
||||
diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt
|
||||
--- openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2019-02-28 13:05:05.659521326 +0100
|
||||
+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt 2019-02-28 13:05:05.659521326 +0100
|
||||
diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt
|
||||
--- openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2021-03-03 14:08:02.494294874 +0100
|
||||
+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt 2021-03-03 14:08:02.494294874 +0100
|
||||
@@ -0,0 +1,305 @@
|
||||
+#
|
||||
+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -5204,9 +5181,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf op
|
|||
+Ctrl.p = p:1
|
||||
+Result = INTERNAL_ERROR
|
||||
+
|
||||
diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_kdf.t
|
||||
--- openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf 2019-02-28 13:05:05.659521326 +0100
|
||||
+++ openssl-1.1.1b/test/recipes/30-test_evp_kdf.t 2019-02-28 13:05:05.659521326 +0100
|
||||
diff -up openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_kdf.t
|
||||
--- openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf 2021-03-03 14:08:02.494294874 +0100
|
||||
+++ openssl-1.1.1j/test/recipes/30-test_evp_kdf.t 2021-03-03 14:08:02.494294874 +0100
|
||||
@@ -0,0 +1,13 @@
|
||||
+#! /usr/bin/env perl
|
||||
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -5221,9 +5198,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/te
|
|||
+use OpenSSL::Test::Simple;
|
||||
+
|
||||
+simple_test("test_evp_kdf", "evp_kdf_test");
|
||||
diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/recipes/30-test_evp.t
|
||||
--- openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf 2019-05-29 16:55:38.236960543 +0200
|
||||
+++ openssl-1.1.1c/test/recipes/30-test_evp.t 2019-05-29 16:57:46.348718012 +0200
|
||||
diff -up openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp.t
|
||||
--- openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/test/recipes/30-test_evp.t 2021-03-03 14:08:02.495294883 +0100
|
||||
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/
|
||||
setup("test_evp");
|
||||
|
||||
|
@ -5233,11 +5210,10 @@ diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/r
|
|||
"evpcase.txt", "evpccmcavs.txt" );
|
||||
|
||||
plan tests => scalar(@files);
|
||||
|
||||
diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto.num
|
||||
--- openssl-1.1.1b/util/libcrypto.num.evp-kdf 2019-02-28 13:05:05.636521752 +0100
|
||||
+++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 13:05:05.660521308 +0100
|
||||
@@ -4614,3 +4614,11 @@ FIPS_drbg_get_strength
|
||||
diff -up openssl-1.1.1j/util/libcrypto.num.evp-kdf openssl-1.1.1j/util/libcrypto.num
|
||||
--- openssl-1.1.1j/util/libcrypto.num.evp-kdf 2021-03-03 14:08:02.481294758 +0100
|
||||
+++ openssl-1.1.1j/util/libcrypto.num 2021-03-03 14:08:02.495294883 +0100
|
||||
@@ -4626,3 +4626,11 @@ FIPS_drbg_get_strength
|
||||
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
|
||||
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
|
||||
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
|
||||
|
@ -5249,9 +5225,9 @@ diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto
|
|||
+EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
|
||||
+EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
|
||||
+EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
|
||||
diff -up openssl-1.1.1b/util/private.num.evp-kdf openssl-1.1.1b/util/private.num
|
||||
--- openssl-1.1.1b/util/private.num.evp-kdf 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/util/private.num 2019-02-28 13:05:05.660521308 +0100
|
||||
diff -up openssl-1.1.1j/util/private.num.evp-kdf openssl-1.1.1j/util/private.num
|
||||
--- openssl-1.1.1j/util/private.num.evp-kdf 2021-02-16 16:24:01.000000000 +0100
|
||||
+++ openssl-1.1.1j/util/private.num 2021-03-03 14:08:02.495294883 +0100
|
||||
@@ -21,6 +21,7 @@ CRYPTO_EX_dup
|
||||
CRYPTO_EX_free datatype
|
||||
CRYPTO_EX_new datatype
|
||||
|
|
|
@ -1,33 +1,17 @@
|
|||
diff -up openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test openssl-1.1.1b/crypto/include/internal/rand_int.h
|
||||
--- openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test 2019-05-07 08:56:33.242179136 +0200
|
||||
+++ openssl-1.1.1b/crypto/include/internal/rand_int.h 2019-05-07 09:54:14.920204875 +0200
|
||||
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
|
||||
|
||||
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
|
||||
|
||||
+/* CRNG test entropy filter callbacks. */
|
||||
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
|
||||
+ unsigned char **pout,
|
||||
+ int entropy, size_t min_len, size_t max_len,
|
||||
+ int prediction_resistance);
|
||||
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
|
||||
+ unsigned char *out, size_t outlen);
|
||||
+
|
||||
/*
|
||||
* RAND_POOL functions
|
||||
*/
|
||||
diff -up openssl-1.1.1b/crypto/rand/build.info.crng-test openssl-1.1.1b/crypto/rand/build.info
|
||||
--- openssl-1.1.1b/crypto/rand/build.info.crng-test 2019-05-07 09:54:14.921204857 +0200
|
||||
+++ openssl-1.1.1b/crypto/rand/build.info 2019-05-07 09:55:22.730014705 +0200
|
||||
@@ -1,4 +1,4 @@
|
||||
diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
|
||||
--- openssl-1.1.1g/crypto/rand/build.info.crng-test 2020-04-23 13:30:45.863389837 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:31:55.847069892 +0200
|
||||
@@ -1,6 +1,6 @@
|
||||
LIBS=../../libcrypto
|
||||
SOURCE[../../libcrypto]=\
|
||||
- randfile.c rand_lib.c rand_err.c rand_egd.c \
|
||||
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
|
||||
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
|
||||
diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/rand/drbg_lib.c
|
||||
--- openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/rand/drbg_lib.c 2019-05-07 10:04:51.753157224 +0200
|
||||
|
||||
INCLUDE[drbg_ctr.o]=../modes
|
||||
diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
|
||||
--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test 2020-04-23 13:30:45.818390686 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
|
||||
|
||||
|
||||
|
@ -51,9 +35,9 @@ diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/r
|
|||
#ifndef RAND_DRBG_GET_RANDOM_NONCE
|
||||
drbg->get_nonce = rand_drbg_get_nonce;
|
||||
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
|
||||
diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/crypto/rand/rand_crng_test.c
|
||||
--- openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test 2019-05-07 09:54:14.925204787 +0200
|
||||
+++ openssl-1.1.1b/crypto/rand/rand_crng_test.c 2019-05-07 09:54:14.932204664 +0200
|
||||
diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
|
||||
--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test 2020-04-23 13:30:45.864389819 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -0,0 +1,118 @@
|
||||
+/*
|
||||
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -71,9 +55,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
|
|||
+
|
||||
+#include <string.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#include "internal/rand_int.h"
|
||||
+#include "crypto/rand.h"
|
||||
+#include "internal/thread_once.h"
|
||||
+#include "rand_lcl.h"
|
||||
+#include "rand_local.h"
|
||||
+
|
||||
+static RAND_POOL *crngt_pool;
|
||||
+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
|
||||
|
@ -110,7 +94,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
|
|||
+{
|
||||
+ unsigned char buf[CRNGT_BUFSIZ];
|
||||
+
|
||||
+ if ((crngt_pool = rand_pool_new(0, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
|
||||
+ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
|
||||
+ return 0;
|
||||
+ if (crngt_get_entropy(buf, crngt_prev, NULL)) {
|
||||
+ OPENSSL_cleanse(buf, sizeof(buf));
|
||||
|
@ -147,7 +131,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
|
|||
+ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
|
||||
+ return 0;
|
||||
+
|
||||
+ if ((pool = rand_pool_new(entropy, min_len, max_len)) == NULL)
|
||||
+ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
|
||||
|
@ -173,9 +157,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr
|
|||
+{
|
||||
+ OPENSSL_secure_clear_free(out, outlen);
|
||||
+}
|
||||
diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/rand/rand_lcl.h
|
||||
--- openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test 2019-05-07 08:56:33.330177674 +0200
|
||||
+++ openssl-1.1.1b/crypto/rand/rand_lcl.h 2019-05-07 09:54:14.933204647 +0200
|
||||
diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
|
||||
--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test 2020-04-23 13:30:45.470397250 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -33,7 +33,15 @@
|
||||
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
|
||||
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
|
||||
|
@ -193,17 +177,16 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r
|
|||
|
||||
/*
|
||||
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
||||
@@ -44,7 +52,8 @@
|
||||
@@ -44,6 +52,8 @@
|
||||
*/
|
||||
# define DRBG_MAX_LENGTH INT32_MAX
|
||||
|
||||
-
|
||||
+/* The default nonce */
|
||||
+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
|
||||
|
||||
/*
|
||||
* Maximum allocation size for RANDOM_POOL buffers
|
||||
@@ -290,4 +299,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
|
||||
@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
|
||||
/* initializes the AES-CTR DRBG implementation */
|
||||
int drbg_ctr_init(RAND_DRBG *drbg);
|
||||
|
||||
|
@ -226,10 +209,28 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r
|
|||
+int rand_crngt_single_init(void);
|
||||
+
|
||||
#endif
|
||||
diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
|
||||
--- openssl-1.1.1b/test/drbgtest.c.crng-test 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/test/drbgtest.c 2019-05-07 10:06:24.706551561 +0200
|
||||
@@ -143,6 +143,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
|
||||
diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
|
||||
--- openssl-1.1.1g/include/crypto/rand.h.crng-test 2020-04-23 13:30:45.824390573 +0200
|
||||
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:30:45.864389819 +0200
|
||||
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
|
||||
|
||||
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
|
||||
|
||||
+/* CRNG test entropy filter callbacks. */
|
||||
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
|
||||
+ unsigned char **pout,
|
||||
+ int entropy, size_t min_len, size_t max_len,
|
||||
+ int prediction_resistance);
|
||||
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
|
||||
+ unsigned char *out, size_t outlen);
|
||||
+
|
||||
/*
|
||||
* RAND_POOL functions
|
||||
*/
|
||||
diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
|
||||
--- openssl-1.1.1g/test/drbgtest.c.crng-test 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/test/drbgtest.c 2020-04-23 13:30:45.865389800 +0200
|
||||
@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
|
||||
return t->noncelen;
|
||||
}
|
||||
|
||||
|
@ -261,7 +262,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
|
|||
static int uninstantiate(RAND_DRBG *drbg)
|
||||
{
|
||||
int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
|
||||
@@ -168,7 +193,8 @@ static int single_kat(DRBG_SELFTEST_DATA
|
||||
@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
|
||||
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
|
||||
return 0;
|
||||
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
||||
|
@ -271,7 +272,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
|
|||
failures++;
|
||||
goto err;
|
||||
}
|
||||
@@ -286,7 +312,8 @@ static int error_check(DRBG_SELFTEST_DAT
|
||||
@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
|
||||
unsigned int reseed_counter_tmp;
|
||||
int ret = 0;
|
||||
|
||||
|
@ -281,7 +282,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
|
|||
goto err;
|
||||
|
||||
/*
|
||||
@@ -699,6 +726,10 @@ static int test_rand_drbg_reseed(void)
|
||||
@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
|
||||
|| !TEST_ptr_eq(private->parent, master))
|
||||
return 0;
|
||||
|
||||
|
@ -292,7 +293,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
|
|||
/* uninstantiate the three global DRBGs */
|
||||
RAND_DRBG_uninstantiate(private);
|
||||
RAND_DRBG_uninstantiate(public);
|
||||
@@ -919,7 +950,8 @@ static int test_rand_seed(void)
|
||||
@@ -964,7 +995,8 @@ static int test_rand_seed(void)
|
||||
size_t rand_buflen;
|
||||
size_t required_seed_buflen = 0;
|
||||
|
||||
|
@ -302,7 +303,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
|
|||
return 0;
|
||||
|
||||
#ifdef OPENSSL_RAND_SEED_NONE
|
||||
@@ -968,6 +1000,95 @@ static int test_rand_add(void)
|
||||
@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -398,7 +399,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c
|
|||
int setup_tests(void)
|
||||
{
|
||||
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
|
||||
@@ -980,5 +1101,6 @@ int setup_tests(void)
|
||||
@@ -1025,5 +1146,6 @@ int setup_tests(void)
|
||||
#if defined(OPENSSL_THREADS)
|
||||
ADD_TEST(test_multi_thread);
|
||||
#endif
|
||||
|
|
|
@ -0,0 +1,200 @@
|
|||
diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
|
||||
--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200
|
||||
+++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200
|
||||
@@ -13,6 +13,7 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
+#include <openssl/crypto.h>
|
||||
#include "internal/nelem.h"
|
||||
|
||||
typedef struct {
|
||||
@@ -237,6 +238,7 @@ static const struct {
|
||||
|
||||
typedef struct _ec_list_element_st {
|
||||
int nid;
|
||||
+ int fips_allowed;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_METHOD *(*meth) (void);
|
||||
const char *comment;
|
||||
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
|
||||
/* prime field curves */
|
||||
/* secg curves */
|
||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
#else
|
||||
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
||||
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
#endif
|
||||
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
||||
+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
|
||||
"SECG curve over a 256 bit prime field"},
|
||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||
- {NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||
+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp384_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 384 bit prime field"},
|
||||
- {NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||
+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp521_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
|
||||
# endif
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
/* X9.62 curves */
|
||||
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||
+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
|
||||
#if defined(ECP_NISTZ256_ASM)
|
||||
EC_GFp_nistz256_method,
|
||||
# elif defined(S390X_EC_ASM)
|
||||
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||
|
||||
for (i = 0; i < curve_list_length; i++)
|
||||
if (curve_list[i].nid == nid) {
|
||||
+ if (!curve_list[i].fips_allowed && FIPS_mode()) {
|
||||
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
|
||||
+ return NULL;
|
||||
+ }
|
||||
ret = ec_group_new_from_data(curve_list[i]);
|
||||
break;
|
||||
}
|
||||
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
||||
|
||||
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||
{
|
||||
- size_t i, min;
|
||||
+ size_t i, j, num;
|
||||
+ int fips_mode = FIPS_mode();
|
||||
|
||||
- if (r == NULL || nitems == 0)
|
||||
- return curve_list_length;
|
||||
+ num = curve_list_length;
|
||||
+ if (fips_mode)
|
||||
+ for (i = 0; i < curve_list_length; i++) {
|
||||
+ if (!curve_list[i].fips_allowed)
|
||||
+ --num;
|
||||
+ }
|
||||
|
||||
- min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||
+ if (r == NULL || nitems == 0) {
|
||||
+ return num;
|
||||
+ }
|
||||
|
||||
- for (i = 0; i < min; i++) {
|
||||
- r[i].nid = curve_list[i].nid;
|
||||
- r[i].comment = curve_list[i].comment;
|
||||
+ for (i = 0, j = 0; i < curve_list_length; i++) {
|
||||
+ if (j >= nitems)
|
||||
+ break;
|
||||
+ if (!fips_mode || curve_list[i].fips_allowed) {
|
||||
+ r[j].nid = curve_list[i].nid;
|
||||
+ r[j].comment = curve_list[i].comment;
|
||||
+ ++j;
|
||||
+ }
|
||||
}
|
||||
|
||||
- return curve_list_length;
|
||||
+ return num;
|
||||
}
|
||||
|
||||
/* Functions to translate between common NIST curve names and NIDs */
|
||||
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
|
||||
--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200
|
||||
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200
|
||||
@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
|
||||
#endif
|
||||
};
|
||||
|
||||
+static const uint16_t tls12_fips_sigalgs[] = {
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||
+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
|
||||
+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
|
||||
+#endif
|
||||
+
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha512,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha512,
|
||||
+
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha256,
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha384,
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha512,
|
||||
+
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ TLSEXT_SIGALG_ecdsa_sha224,
|
||||
+#endif
|
||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha224,
|
||||
+#ifndef OPENSSL_NO_DSA
|
||||
+ TLSEXT_SIGALG_dsa_sha224,
|
||||
+ TLSEXT_SIGALG_dsa_sha256,
|
||||
+ TLSEXT_SIGALG_dsa_sha384,
|
||||
+ TLSEXT_SIGALG_dsa_sha512,
|
||||
+#endif
|
||||
+};
|
||||
+
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static const uint16_t suiteb_sigalgs[] = {
|
||||
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
||||
@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
|
||||
}
|
||||
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
|
||||
return NULL;
|
||||
+ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
|
||||
+ return NULL;
|
||||
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
|
||||
const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
|
||||
|
||||
@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
|
||||
} else if (s->cert->conf_sigalgs) {
|
||||
*psigs = s->cert->conf_sigalgs;
|
||||
return s->cert->conf_sigalgslen;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ *psigs = tls12_fips_sigalgs;
|
||||
+ return OSSL_NELEM(tls12_fips_sigalgs);
|
||||
} else {
|
||||
*psigs = tls12_sigalgs;
|
||||
return OSSL_NELEM(tls12_sigalgs);
|
||||
@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
|
||||
if (s->cert->conf_sigalgs) {
|
||||
sigs = s->cert->conf_sigalgs;
|
||||
siglen = s->cert->conf_sigalgslen;
|
||||
+ } else if (FIPS_mode()) {
|
||||
+ sigs = tls12_fips_sigalgs;
|
||||
+ siglen = OSSL_NELEM(tls12_fips_sigalgs);
|
||||
} else {
|
||||
sigs = tls12_sigalgs;
|
||||
siglen = OSSL_NELEM(tls12_sigalgs);
|
||||
@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
|
||||
if (lu->sig == NID_id_GostR3410_2012_256
|
||||
|| lu->sig == NID_id_GostR3410_2012_512
|
||||
|| lu->sig == NID_id_GostR3410_2001) {
|
||||
+ if (FIPS_mode())
|
||||
+ return 0;
|
||||
/* We never allow GOST sig algs on the server with TLSv1.3 */
|
||||
if (s->server && SSL_IS_TLS13(s))
|
||||
return 0;
|
||||
@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
|
||||
const uint16_t *sent_sigs;
|
||||
size_t sent_sigslen;
|
||||
|
||||
+ if (fatalerrs && FIPS_mode()) {
|
||||
+ /* There are no suitable legacy algorithms in FIPS mode */
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
||||
+ SSL_F_TLS_CHOOSE_SIGALG,
|
||||
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
|
||||
+ return 0;
|
||||
+ }
|
||||
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
|
||||
if (!fatalerrs)
|
||||
return 1;
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,587 @@
|
|||
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest 2020-04-23 13:33:12.500624151 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-04-23 13:33:12.618621925 +0200
|
||||
@@ -67,12 +67,18 @@
|
||||
|
||||
# include <openssl/fips.h>
|
||||
# include "crypto/fips.h"
|
||||
+# include "crypto/rand.h"
|
||||
# include "fips_locl.h"
|
||||
|
||||
/* Run all selftests */
|
||||
int FIPS_selftest(void)
|
||||
{
|
||||
int rv = 1;
|
||||
+ if (!rand_drbg_selftest()) {
|
||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_TEST_FAILURE);
|
||||
+ ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
|
||||
+ rv = 0;
|
||||
+ }
|
||||
if (!FIPS_selftest_drbg())
|
||||
rv = 0;
|
||||
if (!FIPS_selftest_sha1())
|
||||
diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info
|
||||
--- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:34:10.857523497 +0200
|
||||
@@ -1,6 +1,6 @@
|
||||
LIBS=../../libcrypto
|
||||
SOURCE[../../libcrypto]=\
|
||||
randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
|
||||
- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
|
||||
+ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
|
||||
|
||||
INCLUDE[drbg_ctr.o]=../modes
|
||||
diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c
|
||||
--- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
|
||||
+++ openssl-1.1.1g/crypto/rand/drbg_selftest.c 2020-04-23 13:33:12.619621907 +0200
|
||||
@@ -0,0 +1,537 @@
|
||||
+/*
|
||||
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ *
|
||||
+ * Licensed under the OpenSSL license (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include <stddef.h>
|
||||
+#include "internal/nelem.h"
|
||||
+#include <openssl/crypto.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/rand_drbg.h>
|
||||
+#include <openssl/obj_mac.h>
|
||||
+#include "internal/thread_once.h"
|
||||
+#include "crypto/rand.h"
|
||||
+
|
||||
+typedef struct test_ctx_st {
|
||||
+ const unsigned char *entropy;
|
||||
+ size_t entropylen;
|
||||
+ int entropycnt;
|
||||
+ const unsigned char *nonce;
|
||||
+ size_t noncelen;
|
||||
+ int noncecnt;
|
||||
+} TEST_CTX;
|
||||
+
|
||||
+static int app_data_index = -1;
|
||||
+static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT;
|
||||
+DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init)
|
||||
+{
|
||||
+ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+enum drbg_kat_type {
|
||||
+ NO_RESEED,
|
||||
+ PR_FALSE,
|
||||
+ PR_TRUE
|
||||
+};
|
||||
+
|
||||
+enum drbg_df {
|
||||
+ USE_DF,
|
||||
+ NO_DF,
|
||||
+ NA
|
||||
+};
|
||||
+
|
||||
+struct drbg_kat_no_reseed {
|
||||
+ size_t count;
|
||||
+ const unsigned char *entropyin;
|
||||
+ const unsigned char *nonce;
|
||||
+ const unsigned char *persstr;
|
||||
+ const unsigned char *addin1;
|
||||
+ const unsigned char *addin2;
|
||||
+ const unsigned char *retbytes;
|
||||
+};
|
||||
+
|
||||
+struct drbg_kat_pr_false {
|
||||
+ size_t count;
|
||||
+ const unsigned char *entropyin;
|
||||
+ const unsigned char *nonce;
|
||||
+ const unsigned char *persstr;
|
||||
+ const unsigned char *entropyinreseed;
|
||||
+ const unsigned char *addinreseed;
|
||||
+ const unsigned char *addin1;
|
||||
+ const unsigned char *addin2;
|
||||
+ const unsigned char *retbytes;
|
||||
+};
|
||||
+
|
||||
+struct drbg_kat_pr_true {
|
||||
+ size_t count;
|
||||
+ const unsigned char *entropyin;
|
||||
+ const unsigned char *nonce;
|
||||
+ const unsigned char *persstr;
|
||||
+ const unsigned char *entropyinpr1;
|
||||
+ const unsigned char *addin1;
|
||||
+ const unsigned char *entropyinpr2;
|
||||
+ const unsigned char *addin2;
|
||||
+ const unsigned char *retbytes;
|
||||
+};
|
||||
+
|
||||
+struct drbg_kat {
|
||||
+ enum drbg_kat_type type;
|
||||
+ enum drbg_df df;
|
||||
+ int nid;
|
||||
+
|
||||
+ size_t entropyinlen;
|
||||
+ size_t noncelen;
|
||||
+ size_t persstrlen;
|
||||
+ size_t addinlen;
|
||||
+ size_t retbyteslen;
|
||||
+
|
||||
+ const void *t;
|
||||
+};
|
||||
+
|
||||
+/*
|
||||
+ * Excerpt from test/drbg_cavs_data.c
|
||||
+ * DRBG test vectors from:
|
||||
+ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
|
||||
+ */
|
||||
+
|
||||
+static const unsigned char kat1308_entropyin[] = {
|
||||
+ 0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c,
|
||||
+ 0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7,
|
||||
+ 0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97,
|
||||
+ 0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52,
|
||||
+};
|
||||
+static const unsigned char kat1308_nonce[] = {0};
|
||||
+static const unsigned char kat1308_persstr[] = {
|
||||
+ 0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2,
|
||||
+ 0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39,
|
||||
+ 0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45,
|
||||
+ 0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3,
|
||||
+};
|
||||
+static const unsigned char kat1308_addin0[] = {
|
||||
+ 0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e,
|
||||
+ 0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a,
|
||||
+ 0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a,
|
||||
+ 0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c,
|
||||
+};
|
||||
+static const unsigned char kat1308_addin1[] = {
|
||||
+ 0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19,
|
||||
+ 0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a,
|
||||
+ 0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e,
|
||||
+ 0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4,
|
||||
+};
|
||||
+static const unsigned char kat1308_retbits[] = {
|
||||
+ 0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2,
|
||||
+ 0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92,
|
||||
+ 0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f,
|
||||
+ 0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63,
|
||||
+ 0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53,
|
||||
+ 0x26, 0x32, 0xd0, 0xb8,
|
||||
+};
|
||||
+static const struct drbg_kat_no_reseed kat1308_t = {
|
||||
+ 2, kat1308_entropyin, kat1308_nonce, kat1308_persstr,
|
||||
+ kat1308_addin0, kat1308_addin1, kat1308_retbits
|
||||
+};
|
||||
+static const struct drbg_kat kat1308 = {
|
||||
+ NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t
|
||||
+};
|
||||
+
|
||||
+static const unsigned char kat1465_entropyin[] = {
|
||||
+ 0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64,
|
||||
+ 0x87, 0xbe, 0xaa, 0xc0,
|
||||
+};
|
||||
+static const unsigned char kat1465_nonce[] = {
|
||||
+ 0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85,
|
||||
+};
|
||||
+static const unsigned char kat1465_persstr[] = {0};
|
||||
+static const unsigned char kat1465_entropyinreseed[] = {
|
||||
+ 0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5,
|
||||
+ 0x1f, 0x4b, 0x7b, 0x51,
|
||||
+};
|
||||
+static const unsigned char kat1465_addinreseed[] = {
|
||||
+ 0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12,
|
||||
+ 0x61, 0x9f, 0x26, 0x5f,
|
||||
+};
|
||||
+static const unsigned char kat1465_addin0[] = {
|
||||
+ 0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6,
|
||||
+ 0x10, 0x5a, 0x73, 0x9c,
|
||||
+};
|
||||
+static const unsigned char kat1465_addin1[] = {
|
||||
+ 0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18,
|
||||
+ 0x47, 0x99, 0x1f, 0xeb,
|
||||
+};
|
||||
+static const unsigned char kat1465_retbits[] = {
|
||||
+ 0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d,
|
||||
+ 0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb,
|
||||
+ 0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52,
|
||||
+ 0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e,
|
||||
+ 0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41,
|
||||
+ 0x58, 0xdb, 0x27, 0xba,
|
||||
+};
|
||||
+static const struct drbg_kat_pr_false kat1465_t = {
|
||||
+ 9, kat1465_entropyin, kat1465_nonce, kat1465_persstr,
|
||||
+ kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0,
|
||||
+ kat1465_addin1, kat1465_retbits
|
||||
+};
|
||||
+static const struct drbg_kat kat1465 = {
|
||||
+ PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t
|
||||
+};
|
||||
+
|
||||
+static const unsigned char kat3146_entropyin[] = {
|
||||
+ 0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3,
|
||||
+ 0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4,
|
||||
+};
|
||||
+static const unsigned char kat3146_nonce[] = {
|
||||
+ 0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3,
|
||||
+ 0x50, 0x86, 0xca, 0xca,
|
||||
+};
|
||||
+static const unsigned char kat3146_persstr[] = {0};
|
||||
+static const unsigned char kat3146_entropyinpr1[] = {
|
||||
+ 0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda,
|
||||
+ 0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15,
|
||||
+};
|
||||
+static const unsigned char kat3146_addinpr1[] = {
|
||||
+ 0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1,
|
||||
+ 0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90,
|
||||
+ 0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99,
|
||||
+};
|
||||
+static const unsigned char kat3146_entropyinpr2[] = {
|
||||
+ 0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7,
|
||||
+ 0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34,
|
||||
+};
|
||||
+static const unsigned char kat3146_addinpr2[] = {
|
||||
+ 0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c,
|
||||
+ 0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3,
|
||||
+ 0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6,
|
||||
+};
|
||||
+static const unsigned char kat3146_retbits[] = {
|
||||
+ 0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f,
|
||||
+ 0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28,
|
||||
+ 0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76,
|
||||
+ 0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87,
|
||||
+ 0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45,
|
||||
+ 0xd4, 0x30, 0x73, 0xbb,
|
||||
+};
|
||||
+static const struct drbg_kat_pr_true kat3146_t = {
|
||||
+ 10, kat3146_entropyin, kat3146_nonce, kat3146_persstr,
|
||||
+ kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2,
|
||||
+ kat3146_addinpr2, kat3146_retbits
|
||||
+};
|
||||
+static const struct drbg_kat kat3146 = {
|
||||
+ PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t
|
||||
+};
|
||||
+
|
||||
+static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 };
|
||||
+
|
||||
+static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test);
|
||||
+
|
||||
+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
|
||||
+ int entropy, size_t min_len, size_t max_len,
|
||||
+ int prediction_resistance)
|
||||
+{
|
||||
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
|
||||
+
|
||||
+ t->entropycnt++;
|
||||
+ *pout = (unsigned char *)t->entropy;
|
||||
+ return t->entropylen;
|
||||
+}
|
||||
+
|
||||
+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
|
||||
+ int entropy, size_t min_len, size_t max_len)
|
||||
+{
|
||||
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
|
||||
+
|
||||
+ t->noncecnt++;
|
||||
+ *pout = (unsigned char *)t->nonce;
|
||||
+ return t->noncelen;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Do a single NO_RESEED KAT:
|
||||
+ *
|
||||
+ * Instantiate
|
||||
+ * Generate Random Bits (pr=false)
|
||||
+ * Generate Random Bits (pr=false)
|
||||
+ * Uninstantiate
|
||||
+ *
|
||||
+ * Return 0 on failure.
|
||||
+ */
|
||||
+static int single_kat_no_reseed(const struct drbg_kat *td)
|
||||
+{
|
||||
+ struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t;
|
||||
+ RAND_DRBG *drbg = NULL;
|
||||
+ unsigned char *buff = NULL;
|
||||
+ unsigned int flags = 0;
|
||||
+ int failures = 0;
|
||||
+ TEST_CTX t;
|
||||
+
|
||||
+ if (td->df != USE_DF)
|
||||
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
||||
+
|
||||
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
||||
+ kat_nonce, NULL)) {
|
||||
+ failures++;
|
||||
+ goto err;
|
||||
+ }
|
||||
+ memset(&t, 0, sizeof(t));
|
||||
+ t.entropy = data->entropyin;
|
||||
+ t.entropylen = td->entropyinlen;
|
||||
+ t.nonce = data->nonce;
|
||||
+ t.noncelen = td->noncelen;
|
||||
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
||||
+
|
||||
+ buff = OPENSSL_malloc(td->retbyteslen);
|
||||
+ if (buff == NULL) {
|
||||
+ failures++;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)
|
||||
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
||||
+ data->addin1, td->addinlen)
|
||||
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
||||
+ data->addin2, td->addinlen)
|
||||
+ || memcmp(data->retbytes, buff,
|
||||
+ td->retbyteslen) != 0)
|
||||
+ failures++;
|
||||
+
|
||||
+err:
|
||||
+ OPENSSL_free(buff);
|
||||
+ RAND_DRBG_uninstantiate(drbg);
|
||||
+ RAND_DRBG_free(drbg);
|
||||
+ return failures == 0;
|
||||
+}
|
||||
+
|
||||
+/*-
|
||||
+ * Do a single PR_FALSE KAT:
|
||||
+ *
|
||||
+ * Instantiate
|
||||
+ * Reseed
|
||||
+ * Generate Random Bits (pr=false)
|
||||
+ * Generate Random Bits (pr=false)
|
||||
+ * Uninstantiate
|
||||
+ *
|
||||
+ * Return 0 on failure.
|
||||
+ */
|
||||
+static int single_kat_pr_false(const struct drbg_kat *td)
|
||||
+{
|
||||
+ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
|
||||
+ RAND_DRBG *drbg = NULL;
|
||||
+ unsigned char *buff = NULL;
|
||||
+ unsigned int flags = 0;
|
||||
+ int failures = 0;
|
||||
+ TEST_CTX t;
|
||||
+
|
||||
+ if (td->df != USE_DF)
|
||||
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
||||
+
|
||||
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
||||
+ kat_nonce, NULL)) {
|
||||
+ failures++;
|
||||
+ goto err;
|
||||
+ }
|
||||
+ memset(&t, 0, sizeof(t));
|
||||
+ t.entropy = data->entropyin;
|
||||
+ t.entropylen = td->entropyinlen;
|
||||
+ t.nonce = data->nonce;
|
||||
+ t.noncelen = td->noncelen;
|
||||
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
||||
+
|
||||
+ buff = OPENSSL_malloc(td->retbyteslen);
|
||||
+ if (buff == NULL) {
|
||||
+ failures++;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
|
||||
+ failures++;
|
||||
+
|
||||
+ t.entropy = data->entropyinreseed;
|
||||
+ t.entropylen = td->entropyinlen;
|
||||
+
|
||||
+ if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0)
|
||||
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
||||
+ data->addin1, td->addinlen)
|
||||
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
||||
+ data->addin2, td->addinlen)
|
||||
+ || memcmp(data->retbytes, buff,
|
||||
+ td->retbyteslen) != 0)
|
||||
+ failures++;
|
||||
+
|
||||
+err:
|
||||
+ OPENSSL_free(buff);
|
||||
+ RAND_DRBG_uninstantiate(drbg);
|
||||
+ RAND_DRBG_free(drbg);
|
||||
+ return failures == 0;
|
||||
+}
|
||||
+
|
||||
+/*-
|
||||
+ * Do a single PR_TRUE KAT:
|
||||
+ *
|
||||
+ * Instantiate
|
||||
+ * Generate Random Bits (pr=true)
|
||||
+ * Generate Random Bits (pr=true)
|
||||
+ * Uninstantiate
|
||||
+ *
|
||||
+ * Return 0 on failure.
|
||||
+ */
|
||||
+static int single_kat_pr_true(const struct drbg_kat *td)
|
||||
+{
|
||||
+ struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t;
|
||||
+ RAND_DRBG *drbg = NULL;
|
||||
+ unsigned char *buff = NULL;
|
||||
+ unsigned int flags = 0;
|
||||
+ int failures = 0;
|
||||
+ TEST_CTX t;
|
||||
+
|
||||
+ if (td->df != USE_DF)
|
||||
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
||||
+
|
||||
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
||||
+ kat_nonce, NULL)) {
|
||||
+ failures++;
|
||||
+ goto err;
|
||||
+ }
|
||||
+ memset(&t, 0, sizeof(t));
|
||||
+ t.nonce = data->nonce;
|
||||
+ t.noncelen = td->noncelen;
|
||||
+ t.entropy = data->entropyin;
|
||||
+ t.entropylen = td->entropyinlen;
|
||||
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
||||
+
|
||||
+ buff = OPENSSL_malloc(td->retbyteslen);
|
||||
+ if (buff == NULL) {
|
||||
+ failures++;
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
|
||||
+ failures++;
|
||||
+
|
||||
+ t.entropy = data->entropyinpr1;
|
||||
+ t.entropylen = td->entropyinlen;
|
||||
+
|
||||
+ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
|
||||
+ data->addin1, td->addinlen))
|
||||
+ failures++;
|
||||
+
|
||||
+ t.entropy = data->entropyinpr2;
|
||||
+ t.entropylen = td->entropyinlen;
|
||||
+
|
||||
+ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
|
||||
+ data->addin2, td->addinlen)
|
||||
+ || memcmp(data->retbytes, buff,
|
||||
+ td->retbyteslen) != 0)
|
||||
+ failures++;
|
||||
+
|
||||
+err:
|
||||
+ OPENSSL_free(buff);
|
||||
+ RAND_DRBG_uninstantiate(drbg);
|
||||
+ RAND_DRBG_free(drbg);
|
||||
+ return failures == 0;
|
||||
+}
|
||||
+
|
||||
+static int test_kats(int i)
|
||||
+{
|
||||
+ const struct drbg_kat *td = drbg_test[i];
|
||||
+ int rv = 0;
|
||||
+
|
||||
+ switch (td->type) {
|
||||
+ case NO_RESEED:
|
||||
+ if (!single_kat_no_reseed(td))
|
||||
+ goto err;
|
||||
+ break;
|
||||
+ case PR_FALSE:
|
||||
+ if (!single_kat_pr_false(td))
|
||||
+ goto err;
|
||||
+ break;
|
||||
+ case PR_TRUE:
|
||||
+ if (!single_kat_pr_true(td))
|
||||
+ goto err;
|
||||
+ break;
|
||||
+ default: /* cant happen */
|
||||
+ goto err;
|
||||
+ }
|
||||
+ rv = 1;
|
||||
+err:
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+/*-
|
||||
+ * Do one expected-error test:
|
||||
+ *
|
||||
+ * Instantiate with no entropy supplied
|
||||
+ *
|
||||
+ * Return 0 on failure.
|
||||
+ */
|
||||
+static int test_drbg_sanity(const struct drbg_kat *td)
|
||||
+{
|
||||
+ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
|
||||
+ RAND_DRBG *drbg = NULL;
|
||||
+ unsigned int flags = 0;
|
||||
+ int failures = 0;
|
||||
+ TEST_CTX t;
|
||||
+
|
||||
+ if (td->df != USE_DF)
|
||||
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
||||
+
|
||||
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
||||
+ kat_nonce, NULL)) {
|
||||
+ failures++;
|
||||
+ goto err;
|
||||
+ }
|
||||
+ memset(&t, 0, sizeof(t));
|
||||
+ t.entropy = data->entropyin;
|
||||
+ t.entropylen = 0; /* No entropy */
|
||||
+ t.nonce = data->nonce;
|
||||
+ t.noncelen = td->noncelen;
|
||||
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
||||
+
|
||||
+ ERR_set_mark();
|
||||
+ /* This must fail. */
|
||||
+ if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
|
||||
+ failures++;
|
||||
+ RAND_DRBG_uninstantiate(drbg);
|
||||
+ ERR_pop_to_mark();
|
||||
+
|
||||
+err:
|
||||
+ RAND_DRBG_free(drbg);
|
||||
+ return failures == 0;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+int rand_drbg_selftest(void)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init))
|
||||
+ return 0;
|
||||
+
|
||||
+ for (i = 0; i < drbg_test_nelem; i++) {
|
||||
+ if (test_kats(i) <= 0)
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (test_drbg_sanity(&kat1465) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h
|
||||
--- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest 2020-04-23 13:33:12.587622510 +0200
|
||||
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:33:12.619621907 +0200
|
||||
@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
|
||||
*/
|
||||
void rand_pool_keep_random_devices_open(int keep);
|
||||
|
||||
+/*
|
||||
+ * Perform the DRBG KAT selftests
|
||||
+ */
|
||||
+int rand_drbg_selftest(void);
|
||||
+
|
||||
#endif
|
|
@ -1,11 +1,11 @@
|
|||
diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/fips/fips.c
|
||||
--- openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand 2019-05-29 15:53:56.328216002 +0200
|
||||
+++ openssl-1.1.1c/crypto/fips/fips.c 2019-05-29 15:53:56.359215457 +0200
|
||||
diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/fips/fips.c
|
||||
--- openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand 2020-12-09 10:26:41.634106328 +0100
|
||||
+++ openssl-1.1.1i/crypto/fips/fips.c 2020-12-09 10:26:41.652106475 +0100
|
||||
@@ -68,6 +68,7 @@
|
||||
|
||||
# include <openssl/fips.h>
|
||||
# include "internal/thread_once.h"
|
||||
+# include "internal/rand_int.h"
|
||||
+# include "crypto/rand.h"
|
||||
|
||||
# ifndef PATH_MAX
|
||||
# define PATH_MAX 1024
|
||||
|
@ -46,41 +46,52 @@ diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/
|
|||
+
|
||||
fips_set_mode(onoff);
|
||||
+ /* force RNG reseed with entropy from getrandom() on next call */
|
||||
+ rand_fork();
|
||||
+ rand_force_reseed();
|
||||
+
|
||||
ret = 1;
|
||||
goto end;
|
||||
}
|
||||
diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1c/crypto/include/internal/fips_int.h
|
||||
--- openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand 2019-05-29 15:53:56.337215844 +0200
|
||||
+++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-05-29 15:53:56.359215457 +0200
|
||||
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
|
||||
int FIPS_selftest_drbg(void);
|
||||
int FIPS_selftest_cmac(void);
|
||||
diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/crypto/rand/drbg_lib.c
|
||||
--- openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
|
||||
+++ openssl-1.1.1i/crypto/rand/drbg_lib.c 2020-12-09 10:26:41.652106475 +0100
|
||||
@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
|
||||
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
|
||||
}
|
||||
|
||||
+int fips_in_post(void);
|
||||
+void rand_force_reseed(void)
|
||||
+{
|
||||
+ RAND_DRBG *drbg;
|
||||
+
|
||||
int fips_pkey_signature_test(EVP_PKEY *pkey,
|
||||
const unsigned char *tbs, int tbslen,
|
||||
const unsigned char *kat,
|
||||
diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/crypto/rand/rand_unix.c
|
||||
--- openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-05-29 16:54:16.471391802 +0200
|
||||
@@ -16,10 +16,12 @@
|
||||
#include <openssl/rand.h>
|
||||
#include "rand_lcl.h"
|
||||
#include "internal/rand_int.h"
|
||||
+#include "internal/fips_int.h"
|
||||
+ drbg = RAND_DRBG_get0_master();
|
||||
+ drbg->fork_id = 0;
|
||||
+
|
||||
+ drbg = RAND_DRBG_get0_private();
|
||||
+ drbg->fork_id = 0;
|
||||
+
|
||||
+ drbg = RAND_DRBG_get0_public();
|
||||
+ drbg->fork_id = 0;
|
||||
+}
|
||||
+
|
||||
/* Implements the default OpenSSL RAND_add() method */
|
||||
static int drbg_add(const void *buf, int num, double randomness)
|
||||
{
|
||||
diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/crypto/rand/rand_unix.c
|
||||
--- openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
|
||||
+++ openssl-1.1.1i/crypto/rand/rand_unix.c 2020-12-09 10:36:59.531221903 +0100
|
||||
@@ -17,10 +17,12 @@
|
||||
#include <openssl/crypto.h>
|
||||
#include "rand_local.h"
|
||||
#include "crypto/rand.h"
|
||||
+#include "crypto/fips.h"
|
||||
#include <stdio.h>
|
||||
#include "internal/dso.h"
|
||||
#if defined(__linux)
|
||||
-# include <asm/unistd.h>
|
||||
+# include <sys/syscall.h>
|
||||
#ifdef __linux
|
||||
# include <sys/syscall.h>
|
||||
+# include <sys/random.h>
|
||||
#endif
|
||||
#if defined(__FreeBSD__)
|
||||
# include <sys/types.h>
|
||||
@@ -279,7 +281,7 @@ static ssize_t sysctl_random(char *buf,
|
||||
# ifdef DEVRANDOM_WAIT
|
||||
# include <sys/shm.h>
|
||||
# include <sys/utsname.h>
|
||||
@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf,
|
||||
* syscall_random(): Try to get random data using a system call
|
||||
* returns the number of bytes returned in buf, or < 0 on error.
|
||||
*/
|
||||
|
@ -89,15 +100,15 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
|
|||
{
|
||||
/*
|
||||
* Note: 'buflen' equals the size of the buffer which is used by the
|
||||
@@ -301,6 +303,7 @@ static ssize_t syscall_random(void *buf,
|
||||
* - Linux since 3.17 with glibc 2.25
|
||||
* - FreeBSD since 12.0 (1200061)
|
||||
@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf,
|
||||
* Note: Sometimes getentropy() can be provided but not implemented
|
||||
* internally. So we need to check errno for ENOSYS
|
||||
*/
|
||||
+# if 0
|
||||
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
|
||||
extern int getentropy(void *buffer, size_t length) __attribute__((weak));
|
||||
|
||||
@@ -322,10 +325,10 @@ static ssize_t syscall_random(void *buf,
|
||||
@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf,
|
||||
if (p_getentropy.p != NULL)
|
||||
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
|
||||
# endif
|
||||
|
@ -111,19 +122,17 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
|
|||
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
|
||||
return sysctl_random(buf, buflen);
|
||||
# else
|
||||
@@ -475,8 +478,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||
size_t bytes_needed;
|
||||
size_t entropy_available = 0;
|
||||
unsigned char *buffer;
|
||||
-
|
||||
@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||
size_t entropy_available;
|
||||
|
||||
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
|
||||
+ int in_post;
|
||||
+
|
||||
+ for (in_post = fips_in_post(); in_post >= 0; --in_post) {
|
||||
{
|
||||
ssize_t bytes;
|
||||
/* Maximum allowed number of consecutive unsuccessful attempts */
|
||||
@@ -485,7 +490,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||
size_t bytes_needed;
|
||||
unsigned char *buffer;
|
||||
@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
||||
while (bytes_needed != 0 && attempts-- > 0) {
|
||||
buffer = rand_pool_add_begin(pool, bytes_needed);
|
||||
|
@ -132,7 +141,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
|
|||
if (bytes > 0) {
|
||||
rand_pool_add_end(pool, bytes, 8 * bytes);
|
||||
bytes_needed -= bytes;
|
||||
@@ -540,8 +545,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||
@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||
int attempts = 3;
|
||||
const int fd = get_random_device(i);
|
||||
|
||||
|
@ -144,8 +153,8 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
|
|||
|
||||
while (bytes_needed != 0 && attempts-- > 0) {
|
||||
buffer = rand_pool_add_begin(pool, bytes_needed);
|
||||
@@ -601,7 +608,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||
}
|
||||
@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||
return entropy_available;
|
||||
}
|
||||
# endif
|
||||
-
|
||||
|
@ -155,3 +164,26 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr
|
|||
return rand_pool_entropy_available(pool);
|
||||
# endif
|
||||
}
|
||||
diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/include/crypto/fips.h
|
||||
--- openssl-1.1.1i/include/crypto/fips.h.fips-post-rand 2020-12-09 10:26:41.639106369 +0100
|
||||
+++ openssl-1.1.1i/include/crypto/fips.h 2020-12-09 10:26:41.657106516 +0100
|
||||
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
|
||||
int FIPS_selftest_drbg(void);
|
||||
int FIPS_selftest_cmac(void);
|
||||
|
||||
+int fips_in_post(void);
|
||||
+
|
||||
int fips_pkey_signature_test(EVP_PKEY *pkey,
|
||||
const unsigned char *tbs, int tbslen,
|
||||
const unsigned char *kat,
|
||||
diff -up openssl-1.1.1i/include/crypto/rand.h.fips-post-rand openssl-1.1.1i/include/crypto/rand.h
|
||||
--- openssl-1.1.1i/include/crypto/rand.h.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
|
||||
+++ openssl-1.1.1i/include/crypto/rand.h 2020-12-09 10:26:41.657106516 +0100
|
||||
@@ -24,6 +24,7 @@
|
||||
typedef struct rand_pool_st RAND_POOL;
|
||||
|
||||
void rand_cleanup_int(void);
|
||||
+void rand_force_reseed(void);
|
||||
void rand_drbg_cleanup_int(void);
|
||||
void drbg_delete_thread_state(void);
|
||||
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -1,14 +0,0 @@
|
|||
Do not return failure when setting version bound on fixed protocol
|
||||
version method.
|
||||
diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
|
||||
--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
|
||||
@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
|
||||
* methods are not subject to controls that disable individual protocol
|
||||
* versions.
|
||||
*/
|
||||
- return 0;
|
||||
+ return 1;
|
||||
|
||||
case TLS_ANY_VERSION:
|
||||
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
|
|
@ -0,0 +1,500 @@
|
|||
diff -up openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl
|
||||
--- openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl 2020-03-19 17:07:02.626522694 +0100
|
||||
@@ -275,6 +275,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
${PREFIX}_encrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
movups ($inp),$inout0 # load input
|
||||
mov 240($key),$rounds # key->rounds
|
||||
___
|
||||
@@ -293,6 +294,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
${PREFIX}_decrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
movups ($inp),$inout0 # load input
|
||||
mov 240($key),$rounds # key->rounds
|
||||
___
|
||||
@@ -613,6 +615,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
aesni_ecb_encrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0x58(%rsp),%rsp
|
||||
@@ -985,6 +988,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
aesni_ccm64_encrypt_blocks:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0x58(%rsp),%rsp
|
||||
@@ -1077,6 +1081,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
aesni_ccm64_decrypt_blocks:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0x58(%rsp),%rsp
|
||||
@@ -1203,6 +1208,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
aesni_ctr32_encrypt_blocks:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
cmp \$1,$len
|
||||
jne .Lctr32_bulk
|
||||
|
||||
@@ -1775,6 +1781,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
aesni_xts_encrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
lea (%rsp),%r11 # frame pointer
|
||||
.cfi_def_cfa_register %r11
|
||||
push %rbp
|
||||
@@ -2258,6 +2265,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
aesni_xts_decrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
lea (%rsp),%r11 # frame pointer
|
||||
.cfi_def_cfa_register %r11
|
||||
push %rbp
|
||||
@@ -2783,6 +2791,7 @@ $code.=<<___;
|
||||
.align 32
|
||||
aesni_ocb_encrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
lea (%rsp),%rax
|
||||
push %rbx
|
||||
.cfi_push %rbx
|
||||
@@ -3249,6 +3258,7 @@ __ocb_encrypt1:
|
||||
.align 32
|
||||
aesni_ocb_decrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
lea (%rsp),%rax
|
||||
push %rbx
|
||||
.cfi_push %rbx
|
||||
@@ -3737,6 +3747,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
${PREFIX}_cbc_encrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
test $len,$len # check length
|
||||
jz .Lcbc_ret
|
||||
|
||||
diff -up openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl
|
||||
--- openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl 2020-03-19 17:00:15.974621757 +0100
|
||||
@@ -696,6 +696,7 @@ _vpaes_schedule_mangle:
|
||||
.align 16
|
||||
${PREFIX}_set_encrypt_key:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0xb8(%rsp),%rsp
|
||||
@@ -746,6 +747,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
${PREFIX}_set_decrypt_key:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0xb8(%rsp),%rsp
|
||||
@@ -801,6 +803,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
${PREFIX}_encrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0xb8(%rsp),%rsp
|
||||
@@ -846,6 +849,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
${PREFIX}_decrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0xb8(%rsp),%rsp
|
||||
@@ -897,6 +901,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
${PREFIX}_cbc_encrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
xchg $key,$len
|
||||
___
|
||||
($len,$key)=($key,$len);
|
||||
diff -up openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.c
|
||||
--- openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/async/arch/async_posix.c 2020-03-19 17:00:15.974621757 +0100
|
||||
@@ -34,7 +34,9 @@ void async_local_cleanup(void)
|
||||
|
||||
int async_fibre_makecontext(async_fibre *fibre)
|
||||
{
|
||||
+#ifndef USE_SWAPCONTEXT
|
||||
fibre->env_init = 0;
|
||||
+#endif
|
||||
if (getcontext(&fibre->fibre) == 0) {
|
||||
fibre->fibre.uc_stack.ss_sp = OPENSSL_malloc(STACKSIZE);
|
||||
if (fibre->fibre.uc_stack.ss_sp != NULL) {
|
||||
diff -up openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.h
|
||||
--- openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet 2020-03-19 17:00:15.435631166 +0100
|
||||
+++ openssl-1.1.1e/crypto/async/arch/async_posix.h 2020-03-19 17:00:15.975621739 +0100
|
||||
@@ -25,17 +25,33 @@
|
||||
# define ASYNC_POSIX
|
||||
# define ASYNC_ARCH
|
||||
|
||||
+# ifdef __CET__
|
||||
+/*
|
||||
+ * When Intel CET is enabled, makecontext will create a different
|
||||
+ * shadow stack for each context. async_fibre_swapcontext cannot
|
||||
+ * use _longjmp. It must call swapcontext to swap shadow stack as
|
||||
+ * well as normal stack.
|
||||
+ */
|
||||
+# define USE_SWAPCONTEXT
|
||||
+# endif
|
||||
# include <ucontext.h>
|
||||
-# include <setjmp.h>
|
||||
+# ifndef USE_SWAPCONTEXT
|
||||
+# include <setjmp.h>
|
||||
+# endif
|
||||
|
||||
typedef struct async_fibre_st {
|
||||
ucontext_t fibre;
|
||||
+# ifndef USE_SWAPCONTEXT
|
||||
jmp_buf env;
|
||||
int env_init;
|
||||
+# endif
|
||||
} async_fibre;
|
||||
|
||||
static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r)
|
||||
{
|
||||
+# ifdef USE_SWAPCONTEXT
|
||||
+ swapcontext(&o->fibre, &n->fibre);
|
||||
+# else
|
||||
o->env_init = 1;
|
||||
|
||||
if (!r || !_setjmp(o->env)) {
|
||||
@@ -44,6 +60,7 @@ static ossl_inline int async_fibre_swapc
|
||||
else
|
||||
setcontext(&n->fibre);
|
||||
}
|
||||
+# endif
|
||||
|
||||
return 1;
|
||||
}
|
||||
diff -up openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl
|
||||
--- openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl 2020-03-19 17:00:15.975621739 +0100
|
||||
@@ -685,6 +685,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
Camellia_cbc_encrypt:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
cmp \$0,%rdx
|
||||
je .Lcbc_abort
|
||||
push %rbx
|
||||
diff -up openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl
|
||||
--- openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl 2020-03-19 17:00:15.975621739 +0100
|
||||
@@ -239,6 +239,7 @@ $code=<<___;
|
||||
.align 16
|
||||
gcm_gmult_4bit:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
push %rbx
|
||||
.cfi_push %rbx
|
||||
push %rbp # %rbp and others are pushed exclusively in
|
||||
@@ -286,6 +287,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
gcm_ghash_4bit:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
push %rbx
|
||||
.cfi_push %rbx
|
||||
push %rbp
|
||||
@@ -612,6 +614,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
gcm_gmult_clmul:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
.L_gmult_clmul:
|
||||
movdqu ($Xip),$Xi
|
||||
movdqa .Lbswap_mask(%rip),$T3
|
||||
@@ -663,6 +666,7 @@ $code.=<<___;
|
||||
.align 32
|
||||
gcm_ghash_clmul:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
.L_ghash_clmul:
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
@@ -1166,6 +1170,7 @@ $code.=<<___;
|
||||
.align 32
|
||||
gcm_gmult_avx:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
jmp .L_gmult_clmul
|
||||
.cfi_endproc
|
||||
.size gcm_gmult_avx,.-gcm_gmult_avx
|
||||
@@ -1177,6 +1182,7 @@ $code.=<<___;
|
||||
.align 32
|
||||
gcm_ghash_avx:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
___
|
||||
if ($avx) {
|
||||
my ($Xip,$Htbl,$inp,$len)=@_4args;
|
||||
diff -up openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet openssl-1.1.1e/crypto/perlasm/cbc.pl
|
||||
--- openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/perlasm/cbc.pl 2020-03-19 17:00:15.976621722 +0100
|
||||
@@ -165,21 +165,28 @@ sub cbc
|
||||
&jmp_ptr($count);
|
||||
|
||||
&set_label("ej7");
|
||||
+ &endbranch()
|
||||
&movb(&HB("edx"), &BP(6,$in,"",0));
|
||||
&shl("edx",8);
|
||||
&set_label("ej6");
|
||||
+ &endbranch()
|
||||
&movb(&HB("edx"), &BP(5,$in,"",0));
|
||||
&set_label("ej5");
|
||||
+ &endbranch()
|
||||
&movb(&LB("edx"), &BP(4,$in,"",0));
|
||||
&set_label("ej4");
|
||||
+ &endbranch()
|
||||
&mov("ecx", &DWP(0,$in,"",0));
|
||||
&jmp(&label("ejend"));
|
||||
&set_label("ej3");
|
||||
+ &endbranch()
|
||||
&movb(&HB("ecx"), &BP(2,$in,"",0));
|
||||
&shl("ecx",8);
|
||||
&set_label("ej2");
|
||||
+ &endbranch()
|
||||
&movb(&HB("ecx"), &BP(1,$in,"",0));
|
||||
&set_label("ej1");
|
||||
+ &endbranch()
|
||||
&movb(&LB("ecx"), &BP(0,$in,"",0));
|
||||
&set_label("ejend");
|
||||
|
||||
diff -up openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl
|
||||
--- openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl 2020-03-19 17:00:15.984621582 +0100
|
||||
@@ -101,6 +101,33 @@ elsif (!$gas)
|
||||
$decor="\$L\$";
|
||||
}
|
||||
|
||||
+my $cet_property;
|
||||
+if ($flavour =~ /elf/) {
|
||||
+ # Always generate .note.gnu.property section for ELF outputs to
|
||||
+ # mark Intel CET support since all input files must be marked
|
||||
+ # with Intel CET support in order for linker to mark output with
|
||||
+ # Intel CET support.
|
||||
+ my $p2align=3; $p2align=2 if ($flavour eq "elf32");
|
||||
+ $cet_property = <<_____;
|
||||
+ .section ".note.gnu.property", "a"
|
||||
+ .p2align $p2align
|
||||
+ .long 1f - 0f
|
||||
+ .long 4f - 1f
|
||||
+ .long 5
|
||||
+0:
|
||||
+ .asciz "GNU"
|
||||
+1:
|
||||
+ .p2align $p2align
|
||||
+ .long 0xc0000002
|
||||
+ .long 3f - 2f
|
||||
+2:
|
||||
+ .long 3
|
||||
+3:
|
||||
+ .p2align $p2align
|
||||
+4:
|
||||
+_____
|
||||
+}
|
||||
+
|
||||
my $current_segment;
|
||||
my $current_function;
|
||||
my %globals;
|
||||
@@ -1213,6 +1240,7 @@ while(defined(my $line=<>)) {
|
||||
print $line,"\n";
|
||||
}
|
||||
|
||||
+print "$cet_property" if ($cet_property);
|
||||
print "\n$current_segment\tENDS\n" if ($current_segment && $masm);
|
||||
print "END\n" if ($masm);
|
||||
|
||||
diff -up openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86gas.pl
|
||||
--- openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/perlasm/x86gas.pl 2020-03-19 17:00:15.985621565 +0100
|
||||
@@ -124,6 +124,7 @@ sub ::function_begin_B
|
||||
push(@out,".align\t$align\n");
|
||||
push(@out,"$func:\n");
|
||||
push(@out,"$begin:\n") if ($global);
|
||||
+ &::endbranch();
|
||||
$::stack=4;
|
||||
}
|
||||
|
||||
@@ -172,6 +173,26 @@ sub ::file_end
|
||||
else { push (@out,"$tmp\n"); }
|
||||
}
|
||||
push(@out,$initseg) if ($initseg);
|
||||
+ if ($::elf) {
|
||||
+ push(@out,"
|
||||
+ .section \".note.gnu.property\", \"a\"
|
||||
+ .p2align 2
|
||||
+ .long 1f - 0f
|
||||
+ .long 4f - 1f
|
||||
+ .long 5
|
||||
+0:
|
||||
+ .asciz \"GNU\"
|
||||
+1:
|
||||
+ .p2align 2
|
||||
+ .long 0xc0000002
|
||||
+ .long 3f - 2f
|
||||
+2:
|
||||
+ .long 3
|
||||
+3:
|
||||
+ .p2align 2
|
||||
+4:
|
||||
+");
|
||||
+ }
|
||||
}
|
||||
|
||||
sub ::data_byte { push(@out,".byte\t".join(',',@_)."\n"); }
|
||||
diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl
|
||||
--- openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet 2020-03-19 17:00:38.185234015 +0100
|
||||
+++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl 2020-03-19 17:05:46.575850341 +0100
|
||||
@@ -2806,6 +2806,7 @@ $code.=<<___;
|
||||
.align 32
|
||||
poly1305_blocks_vpmadd52:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
shr \$4,$len
|
||||
jz .Lno_data_vpmadd52 # too short
|
||||
|
||||
@@ -3739,6 +3740,7 @@ $code.=<<___;
|
||||
.align 32
|
||||
poly1305_emit_base2_44:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
mov 0($ctx),%r8 # load hash value
|
||||
mov 8($ctx),%r9
|
||||
mov 16($ctx),%r10
|
||||
diff -up openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl
|
||||
--- openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet 2020-03-19 17:00:38.190233928 +0100
|
||||
+++ openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl 2020-03-19 17:05:02.598618064 +0100
|
||||
@@ -140,6 +140,7 @@ $code=<<___;
|
||||
.align 16
|
||||
RC4:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
or $len,$len
|
||||
jne .Lentry
|
||||
ret
|
||||
@@ -455,6 +456,7 @@ $code.=<<___;
|
||||
.align 16
|
||||
RC4_set_key:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
lea 8($dat),$dat
|
||||
lea ($inp,$len),$inp
|
||||
neg $len
|
||||
@@ -529,6 +531,7 @@ RC4_set_key:
|
||||
.align 16
|
||||
RC4_options:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
lea .Lopts(%rip),%rax
|
||||
mov OPENSSL_ia32cap_P(%rip),%edx
|
||||
bt \$20,%edx
|
||||
diff -up openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet openssl-1.1.1e/crypto/x86_64cpuid.pl
|
||||
--- openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/x86_64cpuid.pl 2020-03-19 17:03:58.172742775 +0100
|
||||
@@ -40,6 +40,7 @@ print<<___;
|
||||
.align 16
|
||||
OPENSSL_atomic_add:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
movl ($arg1),%eax
|
||||
.Lspin: leaq ($arg2,%rax),%r8
|
||||
.byte 0xf0 # lock
|
||||
@@ -56,6 +57,7 @@ OPENSSL_atomic_add:
|
||||
.align 16
|
||||
OPENSSL_rdtsc:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
rdtsc
|
||||
shl \$32,%rdx
|
||||
or %rdx,%rax
|
||||
@@ -68,6 +70,7 @@ OPENSSL_rdtsc:
|
||||
.align 16
|
||||
OPENSSL_ia32_cpuid:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
mov %rbx,%r8 # save %rbx
|
||||
.cfi_register %rbx,%r8
|
||||
|
||||
@@ -237,6 +240,7 @@ OPENSSL_ia32_cpuid:
|
||||
.align 16
|
||||
OPENSSL_cleanse:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
xor %rax,%rax
|
||||
cmp \$15,$arg2
|
||||
jae .Lot
|
||||
@@ -274,6 +278,7 @@ OPENSSL_cleanse:
|
||||
.align 16
|
||||
CRYPTO_memcmp:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
xor %rax,%rax
|
||||
xor %r10,%r10
|
||||
cmp \$0,$arg3
|
||||
@@ -312,6 +317,7 @@ print<<___ if (!$win64);
|
||||
.align 16
|
||||
OPENSSL_wipe_cpu:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
pxor %xmm0,%xmm0
|
||||
pxor %xmm1,%xmm1
|
||||
pxor %xmm2,%xmm2
|
||||
@@ -346,6 +352,8 @@ print<<___ if ($win64);
|
||||
.type OPENSSL_wipe_cpu,\@abi-omnipotent
|
||||
.align 16
|
||||
OPENSSL_wipe_cpu:
|
||||
+.cfi_startproc
|
||||
+ endbranch
|
||||
pxor %xmm0,%xmm0
|
||||
pxor %xmm1,%xmm1
|
||||
pxor %xmm2,%xmm2
|
||||
@@ -376,6 +384,7 @@ print<<___;
|
||||
.align 16
|
||||
OPENSSL_instrument_bus:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
mov $arg1,$out # tribute to Win64
|
||||
mov $arg2,$cnt
|
||||
mov $arg2,$max
|
||||
@@ -410,6 +419,7 @@ OPENSSL_instrument_bus:
|
||||
.align 16
|
||||
OPENSSL_instrument_bus2:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
mov $arg1,$out # tribute to Win64
|
||||
mov $arg2,$cnt
|
||||
mov $arg3,$max
|
||||
@@ -465,6 +475,7 @@ print<<___;
|
||||
.align 16
|
||||
OPENSSL_ia32_${rdop}_bytes:
|
||||
.cfi_startproc
|
||||
+ endbranch
|
||||
xor %rax, %rax # return value
|
||||
cmp \$0,$arg2
|
||||
je .Ldone_${rdop}_bytes
|
|
@ -0,0 +1,456 @@
|
|||
diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info
|
||||
--- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest 2020-06-03 16:08:36.274849058 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/build.info 2020-06-03 16:11:05.609079372 +0200
|
||||
@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
|
||||
fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
|
||||
fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
|
||||
fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
|
||||
- fips_dh_selftest.c fips_ers.c
|
||||
+ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c
|
||||
|
||||
PROGRAMS_NO_INST=\
|
||||
fips_standalone_hmac
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_err.h.kdf-selftest openssl-1.1.1g/crypto/fips/fips_err.h
|
||||
--- openssl-1.1.1g/crypto/fips/fips_err.h.kdf-selftest 2020-07-14 15:27:51.681785958 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_err.h 2020-10-22 14:07:13.645614388 +0200
|
||||
@@ -108,9 +108,16 @@ static ERR_STRING_DATA FIPS_str_functs[]
|
||||
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"},
|
||||
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},
|
||||
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
|
||||
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HKDF), "FIPS_selftest_hkdf"},
|
||||
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
|
||||
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_KBKDF), "FIPS_selftest_kbkdf"},
|
||||
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_KRB5KDF), "FIPS_selftest_krb5kdf"},
|
||||
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"},
|
||||
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
|
||||
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
|
||||
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSHKDF), "FIPS_selftest_sshkdf"},
|
||||
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSKDF), "FIPS_selftest_sskdf"},
|
||||
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS1_PRF), "FIPS_selftest_tls1_prf"},
|
||||
{ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
|
||||
{ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"},
|
||||
{ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"},
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest 2020-10-22 16:25:33.211248158 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c 2020-10-22 16:56:54.652267521 +0200
|
||||
@@ -0,0 +1,377 @@
|
||||
+/*
|
||||
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
|
||||
+ *
|
||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/fips.h>
|
||||
+#include "crypto/fips.h"
|
||||
+
|
||||
+#include <openssl/evp.h>
|
||||
+#include <openssl/kdf.h>
|
||||
+
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+static int FIPS_selftest_tls1_prf(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_KDF_CTX *kctx;
|
||||
+ unsigned char out[16];
|
||||
+
|
||||
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
|
||||
+ "secret", (size_t)6) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ {
|
||||
+ const unsigned char expected[sizeof(out)] = {
|
||||
+ 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
|
||||
+ 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
|
||||
+ };
|
||||
+ if (memcmp(out, expected, sizeof(expected))) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+ ret = 1;
|
||||
+
|
||||
+err:
|
||||
+ if (!ret)
|
||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST_TLS1_PRF, FIPS_R_SELFTEST_FAILED);
|
||||
+ EVP_KDF_CTX_free(kctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int FIPS_selftest_hkdf(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_KDF_CTX *kctx;
|
||||
+ unsigned char out[10];
|
||||
+
|
||||
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO,
|
||||
+ "label", (size_t)5) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ {
|
||||
+ const unsigned char expected[sizeof(out)] = {
|
||||
+ 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
|
||||
+ };
|
||||
+ if (memcmp(out, expected, sizeof(expected))) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+ ret = 1;
|
||||
+err:
|
||||
+ if (!ret)
|
||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST_HKDF, FIPS_R_SELFTEST_FAILED);
|
||||
+ EVP_KDF_CTX_free(kctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int FIPS_selftest_sshkdf(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_KDF_CTX *kctx;
|
||||
+ unsigned char out[32];
|
||||
+ const unsigned char input_key[] = {
|
||||
+ 0x00, 0x00, 0x00, 0x80, 0x0f, 0xaa, 0x17, 0x2b,
|
||||
+ 0x8c, 0x28, 0x7e, 0x37, 0x2b, 0xb2, 0x36, 0xad,
|
||||
+ 0x34, 0xc7, 0x33, 0x69, 0x5c, 0x13, 0xd7, 0x7f,
|
||||
+ 0x88, 0x2a, 0xdc, 0x0f, 0x47, 0xe5, 0xa7, 0xf6,
|
||||
+ 0xa3, 0xde, 0x07, 0xef, 0xb1, 0x01, 0x20, 0x7a,
|
||||
+ 0xa5, 0xd6, 0x65, 0xb6, 0x19, 0x82, 0x6f, 0x75,
|
||||
+ 0x65, 0x91, 0xf6, 0x53, 0x10, 0xbb, 0xd2, 0xc9,
|
||||
+ 0x2c, 0x93, 0x84, 0xe6, 0xc6, 0xa6, 0x7b, 0x42,
|
||||
+ 0xde, 0xc3, 0x82, 0xfd, 0xb2, 0x4c, 0x59, 0x1d,
|
||||
+ 0x79, 0xff, 0x5e, 0x47, 0x73, 0x7b, 0x0f, 0x5b,
|
||||
+ 0x84, 0x79, 0x69, 0x4c, 0x3a, 0xdc, 0x19, 0x40,
|
||||
+ 0x17, 0x04, 0x91, 0x2b, 0xbf, 0xec, 0x27, 0x04,
|
||||
+ 0xd4, 0xd5, 0xbe, 0xbb, 0xfc, 0x1a, 0x7f, 0xc7,
|
||||
+ 0x96, 0xe2, 0x77, 0x63, 0x4e, 0x40, 0x85, 0x18,
|
||||
+ 0x51, 0xa1, 0x87, 0xec, 0x2d, 0x37, 0xed, 0x3f,
|
||||
+ 0x35, 0x1c, 0x45, 0x96, 0xa5, 0xa0, 0x89, 0x29,
|
||||
+ 0x16, 0xb4, 0xc5, 0x5f
|
||||
+ };
|
||||
+ const unsigned char xcghash[] = {
|
||||
+ 0xa3, 0x47, 0xf5, 0xf1, 0xe1, 0x91, 0xc3, 0x5f,
|
||||
+ 0x21, 0x2c, 0x93, 0x24, 0xd5, 0x86, 0x7e, 0xfd,
|
||||
+ 0xf8, 0x30, 0x26, 0xbe, 0x62, 0xc2, 0xb1, 0x6a,
|
||||
+ 0xe0, 0x06, 0xed, 0xb3, 0x37, 0x8d, 0x40, 0x06
|
||||
+ };
|
||||
+ const unsigned char session_id[] = {
|
||||
+ 0x90, 0xbe, 0xfc, 0xef, 0x3f, 0xf8, 0xf9, 0x20,
|
||||
+ 0x67, 0x4a, 0x9f, 0xab, 0x94, 0x19, 0x8c, 0xf3,
|
||||
+ 0xfd, 0x9d, 0xca, 0x24, 0xa2, 0x1d, 0x3c, 0x9d,
|
||||
+ 0xba, 0x39, 0x4d, 0xaa, 0xfb, 0xc6, 0x21, 0xed
|
||||
+ };
|
||||
+
|
||||
+
|
||||
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF)) == NULL) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key,
|
||||
+ sizeof(input_key)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash,
|
||||
+ sizeof(xcghash)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, session_id,
|
||||
+ sizeof(session_id)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, (int)'F') <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ {
|
||||
+ const unsigned char expected[sizeof(out)] = {
|
||||
+ 0x14, 0x7a, 0x77, 0x14, 0x45, 0x12, 0x3f, 0x84,
|
||||
+ 0x6d, 0x8a, 0xe5, 0x14, 0xd7, 0xff, 0x9b, 0x3c,
|
||||
+ 0x93, 0xb2, 0xbc, 0xeb, 0x7c, 0x7c, 0x95, 0x00,
|
||||
+ 0x94, 0x21, 0x61, 0xb8, 0xe2, 0xd0, 0x11, 0x0f
|
||||
+ };
|
||||
+ if (memcmp(out, expected, sizeof(expected))) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+ ret = 1;
|
||||
+
|
||||
+err:
|
||||
+ if (!ret)
|
||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SSHKDF, FIPS_R_SELFTEST_FAILED);
|
||||
+ EVP_KDF_CTX_free(kctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int FIPS_selftest_pbkdf2(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_KDF_CTX *kctx;
|
||||
+ unsigned char out[32];
|
||||
+
|
||||
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ {
|
||||
+ const unsigned char expected[sizeof(out)] = {
|
||||
+ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
|
||||
+ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
|
||||
+ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
|
||||
+ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
|
||||
+ };
|
||||
+ if (memcmp(out, expected, sizeof(expected))) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+ ret = 1;
|
||||
+
|
||||
+err:
|
||||
+ if (!ret)
|
||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED);
|
||||
+ EVP_KDF_CTX_free(kctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
|
||||
+ * 5) appendix A. */
|
||||
+static int FIPS_selftest_kbkdf(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_KDF_CTX *kctx;
|
||||
+ char *label = "prf", *prf_input = "test";
|
||||
+ const unsigned char input_key[] = {
|
||||
+ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
|
||||
+ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
|
||||
+ };
|
||||
+ const unsigned char output[] = {
|
||||
+ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
|
||||
+ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
|
||||
+ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
|
||||
+ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
|
||||
+ };
|
||||
+ unsigned char result[sizeof(output)] = { 0 };
|
||||
+
|
||||
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0
|
||||
+ && memcmp(result, output, sizeof(output)) == 0;
|
||||
+err:
|
||||
+ if (!ret)
|
||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED);
|
||||
+ EVP_KDF_CTX_free(kctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int FIPS_selftest_krb5kdf(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_KDF_CTX *kctx;
|
||||
+ unsigned char out[16];
|
||||
+ const unsigned char key[] = {
|
||||
+ 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
|
||||
+ 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
|
||||
+ };
|
||||
+ const unsigned char constant[] = {
|
||||
+ 0x00, 0x00, 0x00, 0x02, 0x99
|
||||
+ };
|
||||
+ const unsigned char expected[sizeof(out)] = {
|
||||
+ 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
|
||||
+ 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
|
||||
+ };
|
||||
+
|
||||
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF)) == NULL) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc()) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, sizeof(constant)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ ret =
|
||||
+ EVP_KDF_derive(kctx, out, sizeof(out)) > 0
|
||||
+ && memcmp(out, expected, sizeof(expected)) == 0;
|
||||
+
|
||||
+err:
|
||||
+ if (!ret)
|
||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST_KRB5KDF, FIPS_R_SELFTEST_FAILED);
|
||||
+ EVP_KDF_CTX_free(kctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int FIPS_selftest_sskdf(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_KDF_CTX *kctx;
|
||||
+ const unsigned char z[] = {
|
||||
+ 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
|
||||
+ 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
|
||||
+ 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
|
||||
+ 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
|
||||
+ };
|
||||
+ const unsigned char other[] = {
|
||||
+ 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
|
||||
+ 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
|
||||
+ 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
|
||||
+ 0xe0,0xec,0x3f,0x8d,0xbe
|
||||
+ };
|
||||
+ const unsigned char expected[] = {
|
||||
+ 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
|
||||
+ };
|
||||
+ unsigned char out[14];
|
||||
+
|
||||
+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS);
|
||||
+
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
|
||||
+ sizeof(other)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (memcmp(out, expected, sizeof(expected)))
|
||||
+ goto err;
|
||||
+ ret = 1;
|
||||
+
|
||||
+err:
|
||||
+ if (!ret)
|
||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SSKDF, FIPS_R_SELFTEST_FAILED);
|
||||
+ EVP_KDF_CTX_free(kctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int FIPS_selftest_kdf(void)
|
||||
+{
|
||||
+ return FIPS_selftest_tls1_prf()
|
||||
+ && FIPS_selftest_hkdf()
|
||||
+ && FIPS_selftest_sshkdf()
|
||||
+ && FIPS_selftest_pbkdf2()
|
||||
+ && FIPS_selftest_kbkdf()
|
||||
+ && FIPS_selftest_krb5kdf()
|
||||
+ && FIPS_selftest_sskdf();
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest 2020-06-03 16:08:36.332849536 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-03 16:08:36.338849585 +0200
|
||||
@@ -111,6 +111,8 @@ int FIPS_selftest(void)
|
||||
rv = 0;
|
||||
if (!FIPS_selftest_ecdh())
|
||||
rv = 0;
|
||||
+ if (!FIPS_selftest_kdf())
|
||||
+ rv = 0;
|
||||
return rv;
|
||||
}
|
||||
|
||||
diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h
|
||||
--- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest 2020-06-03 16:08:36.330849519 +0200
|
||||
+++ openssl-1.1.1g/include/crypto/fips.h 2020-06-03 16:08:36.338849585 +0200
|
||||
@@ -72,6 +72,7 @@ void FIPS_drbg_stick(int onoff);
|
||||
int FIPS_selftest_hmac(void);
|
||||
int FIPS_selftest_drbg(void);
|
||||
int FIPS_selftest_cmac(void);
|
||||
+int FIPS_selftest_kdf(void);
|
||||
|
||||
int fips_in_post(void);
|
||||
|
||||
diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h
|
||||
--- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest 2020-07-14 15:27:51.685785988 +0200
|
||||
+++ openssl-1.1.1g/include/openssl/fips.h 2020-10-22 14:03:28.868575785 +0200
|
||||
@@ -122,9 +122,16 @@ extern "C" {
|
||||
# define FIPS_F_FIPS_SELFTEST_DES 111
|
||||
# define FIPS_F_FIPS_SELFTEST_DSA 112
|
||||
# define FIPS_F_FIPS_SELFTEST_ECDSA 133
|
||||
+# define FIPS_F_FIPS_SELFTEST_HKDF 153
|
||||
# define FIPS_F_FIPS_SELFTEST_HMAC 113
|
||||
+# define FIPS_F_FIPS_SELFTEST_KBKDF 151
|
||||
+# define FIPS_F_FIPS_SELFTEST_KRB5KDF 154
|
||||
+# define FIPS_F_FIPS_SELFTEST_PBKDF2 152
|
||||
# define FIPS_F_FIPS_SELFTEST_SHA1 115
|
||||
# define FIPS_F_FIPS_SELFTEST_SHA2 105
|
||||
+# define FIPS_F_FIPS_SELFTEST_SSHKDF 155
|
||||
+# define FIPS_F_FIPS_SELFTEST_SSKDF 156
|
||||
+# define FIPS_F_FIPS_SELFTEST_TLS1_PRF 157
|
||||
# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
|
||||
# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148
|
||||
# define FIPS_F_RSA_BUILTIN_KEYGEN 116
|
File diff suppressed because it is too large
Load Diff
|
@ -1,17 +1,16 @@
|
|||
diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in
|
||||
--- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in 2019-05-07 11:52:35.885597934 +0200
|
||||
@@ -141,22 +141,23 @@ our @tests = (
|
||||
diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in
|
||||
--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-09-10 15:13:07.000000000 +0200
|
||||
+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in 2019-09-13 15:11:07.358687169 +0200
|
||||
@@ -147,22 +147,22 @@ our @tests = (
|
||||
{
|
||||
name => "ECDSA with brainpool",
|
||||
server => {
|
||||
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
|
||||
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
|
||||
- "Groups" => "brainpoolP256r1",
|
||||
+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
|
||||
+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
|
||||
+ "Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
+ "PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
+# "Groups" => "brainpoolP256r1",
|
||||
+ "CipherString" => "aNULL",
|
||||
},
|
||||
client => {
|
||||
#We don't restrict this to TLSv1.2, although use of brainpool
|
||||
|
@ -32,17 +31,16 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens
|
|||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
@@ -787,18 +788,19 @@ my @tests_tls_1_3 = (
|
||||
@@ -853,18 +853,18 @@ my @tests_tls_1_3 = (
|
||||
{
|
||||
name => "TLS 1.3 ECDSA with brainpool",
|
||||
server => {
|
||||
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
|
||||
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
|
||||
- "Groups" => "brainpoolP256r1",
|
||||
+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
|
||||
+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
|
||||
+ "Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
+ "PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
+# "Groups" => "brainpoolP256r1",
|
||||
+ "CipherString" => "aNULL",
|
||||
},
|
||||
client => {
|
||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
||||
|
@ -57,20 +55,19 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens
|
|||
},
|
||||
},
|
||||
);
|
||||
diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf
|
||||
--- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf 2019-05-07 12:15:12.762907496 +0200
|
||||
@@ -233,23 +233,18 @@ server = 5-ECDSA with brainpool-server
|
||||
diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf
|
||||
--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-09-10 15:13:07.000000000 +0200
|
||||
+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf 2019-09-13 15:12:27.380288469 +0200
|
||||
@@ -238,23 +238,18 @@ server = 5-ECDSA with brainpool-server
|
||||
client = 5-ECDSA with brainpool-client
|
||||
|
||||
[5-ECDSA with brainpool-server]
|
||||
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
|
||||
-CipherString = DEFAULT
|
||||
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
||||
CipherString = DEFAULT
|
||||
-Groups = brainpoolP256r1
|
||||
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
|
||||
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
+CipherString = aNULL
|
||||
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
|
||||
|
||||
[5-ECDSA with brainpool-client]
|
||||
CipherString = aECDSA
|
||||
|
@ -87,28 +84,27 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-
|
|||
|
||||
|
||||
# ===========================================================
|
||||
@@ -1577,14 +1572,12 @@ server = 47-TLS 1.3 ECDSA with brainpool
|
||||
client = 47-TLS 1.3 ECDSA with brainpool-client
|
||||
@@ -1713,14 +1708,12 @@ server = 52-TLS 1.3 ECDSA with brainpool
|
||||
client = 52-TLS 1.3 ECDSA with brainpool-client
|
||||
|
||||
[47-TLS 1.3 ECDSA with brainpool-server]
|
||||
[52-TLS 1.3 ECDSA with brainpool-server]
|
||||
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
|
||||
-CipherString = DEFAULT
|
||||
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
||||
CipherString = DEFAULT
|
||||
-Groups = brainpoolP256r1
|
||||
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
|
||||
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
+CipherString = aNULL
|
||||
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
|
||||
|
||||
[47-TLS 1.3 ECDSA with brainpool-client]
|
||||
[52-TLS 1.3 ECDSA with brainpool-client]
|
||||
CipherString = DEFAULT
|
||||
-Groups = brainpoolP256r1
|
||||
MaxProtocol = TLSv1.3
|
||||
MinProtocol = TLSv1.3
|
||||
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
|
||||
@@ -1592,7 +1585,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
|
||||
@@ -1728,7 +1721,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
|
||||
VerifyMode = Peer
|
||||
|
||||
[test-47]
|
||||
[test-52]
|
||||
-ExpectedResult = ServerFail
|
||||
+ExpectedResult = Success
|
||||
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1f/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html 2020-04-07 16:45:21.904083989 +0200
|
||||
+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:45:56.218461895 +0200
|
||||
@@ -544,7 +544,7 @@ install_sw: install_dev install_engines
|
||||
|
||||
uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
|
||||
|
||||
-install_docs: install_man_docs install_html_docs
|
||||
+install_docs: install_man_docs
|
||||
|
||||
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
||||
$(RM) -r "$(DESTDIR)$(DOCDIR)"
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,319 @@
|
|||
diff -up openssl-1.1.1k/crypto/asn1/t_spki.c.read-buff openssl-1.1.1k/crypto/asn1/t_spki.c
|
||||
--- openssl-1.1.1k/crypto/asn1/t_spki.c.read-buff 2021-11-11 15:38:39.678509348 +0100
|
||||
+++ openssl-1.1.1k/crypto/asn1/t_spki.c 2021-11-11 15:40:59.647922530 +0100
|
||||
@@ -38,7 +38,7 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCA
|
||||
}
|
||||
chal = spki->spkac->challenge;
|
||||
if (chal->length)
|
||||
- BIO_printf(out, " Challenge String: %s\n", chal->data);
|
||||
+ BIO_printf(out, " Challenge String: %.*s\n", chal->length, chal->data);
|
||||
i = OBJ_obj2nid(spki->sig_algor.algorithm);
|
||||
BIO_printf(out, " Signature Algorithm: %s",
|
||||
(i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
|
||||
diff -up openssl-1.1.1k/crypto/ec/ec_asn1.c.read-buff openssl-1.1.1k/crypto/ec/ec_asn1.c
|
||||
--- openssl-1.1.1k/crypto/ec/ec_asn1.c.read-buff 2021-11-11 15:36:43.782339219 +0100
|
||||
+++ openssl-1.1.1k/crypto/ec/ec_asn1.c 2021-11-11 15:37:43.064937758 +0100
|
||||
@@ -761,7 +761,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters
|
||||
ret->seed_len = params->curve->seed->length;
|
||||
}
|
||||
|
||||
- if (!params->order || !params->base || !params->base->data) {
|
||||
+ if (params->order == NULL
|
||||
+ || params->base == NULL
|
||||
+ || params->base->data == NULL
|
||||
+ || params->base->length == 0) {
|
||||
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
|
||||
goto err;
|
||||
}
|
||||
diff -up openssl-1.1.1k/crypto/x509/t_x509.c.read-buff openssl-1.1.1k/crypto/x509/t_x509.c
|
||||
--- openssl-1.1.1k/crypto/x509/t_x509.c.read-buff 2021-11-12 12:54:15.665091764 +0100
|
||||
+++ openssl-1.1.1k/crypto/x509/t_x509.c 2021-11-12 12:56:10.897782587 +0100
|
||||
@@ -365,9 +365,9 @@ int X509_aux_print(BIO *out, X509 *x, in
|
||||
BIO_puts(out, "\n");
|
||||
} else
|
||||
BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
|
||||
- alias = X509_alias_get0(x, NULL);
|
||||
+ alias = X509_alias_get0(x, &i);
|
||||
if (alias)
|
||||
- BIO_printf(out, "%*sAlias: %s\n", indent, "", alias);
|
||||
+ BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias);
|
||||
keyid = X509_keyid_get0(x, &keyidlen);
|
||||
if (keyid) {
|
||||
BIO_printf(out, "%*sKey Id: ", indent, "");
|
||||
diff -up openssl-1.1.1k/crypto/x509v3/v3_cpols.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_cpols.c
|
||||
--- openssl-1.1.1k/crypto/x509v3/v3_cpols.c.read-buff 2021-11-12 12:40:51.415811428 +0100
|
||||
+++ openssl-1.1.1k/crypto/x509v3/v3_cpols.c 2021-11-12 12:50:06.062808372 +0100
|
||||
@@ -422,7 +422,8 @@ static void print_qualifiers(BIO *out, S
|
||||
qualinfo = sk_POLICYQUALINFO_value(quals, i);
|
||||
switch (OBJ_obj2nid(qualinfo->pqualid)) {
|
||||
case NID_id_qt_cps:
|
||||
- BIO_printf(out, "%*sCPS: %s\n", indent, "",
|
||||
+ BIO_printf(out, "%*sCPS: %.*s\n", indent, "",
|
||||
+ qualinfo->d.cpsuri->length,
|
||||
qualinfo->d.cpsuri->data);
|
||||
break;
|
||||
|
||||
@@ -447,7 +448,8 @@ static void print_notice(BIO *out, USERN
|
||||
if (notice->noticeref) {
|
||||
NOTICEREF *ref;
|
||||
ref = notice->noticeref;
|
||||
- BIO_printf(out, "%*sOrganization: %s\n", indent, "",
|
||||
+ BIO_printf(out, "%*sOrganization: %.*s\n", indent, "",
|
||||
+ ref->organization->length,
|
||||
ref->organization->data);
|
||||
BIO_printf(out, "%*sNumber%s: ", indent, "",
|
||||
sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
|
||||
@@ -470,7 +472,8 @@ static void print_notice(BIO *out, USERN
|
||||
BIO_puts(out, "\n");
|
||||
}
|
||||
if (notice->exptext)
|
||||
- BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
|
||||
+ BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
|
||||
+ notice->exptext->length,
|
||||
notice->exptext->data);
|
||||
}
|
||||
|
||||
diff -up openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_ncons.c
|
||||
--- openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff 2021-11-11 15:56:12.675140779 +0100
|
||||
+++ openssl-1.1.1k/crypto/x509v3/v3_ncons.c 2021-11-12 12:38:24.781856836 +0100
|
||||
@@ -63,8 +63,30 @@ ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
|
||||
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
|
||||
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
|
||||
|
||||
+#define IA5_OFFSET_LEN(ia5base, offset) \
|
||||
+ ((ia5base)->length - ((unsigned char *)(offset) - (ia5base)->data))
|
||||
+
|
||||
+/* Like memchr but for ASN1_IA5STRING. Additionally you can specify the
|
||||
+ * starting point to search from
|
||||
+ */
|
||||
+# define ia5memchr(str, start, c) memchr(start, c, IA5_OFFSET_LEN(str, start))
|
||||
+
|
||||
+/* Like memrrchr but for ASN1_IA5STRING */
|
||||
+static char *ia5memrchr(ASN1_IA5STRING *str, int c)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = str->length; i > 0 && str->data[i - 1] != c; i--);
|
||||
+
|
||||
+ if (i == 0)
|
||||
+ return NULL;
|
||||
+
|
||||
+ return (char *)&str->data[i - 1];
|
||||
+}
|
||||
+
|
||||
/*
|
||||
- * We cannot use strncasecmp here because that applies locale specific rules.
|
||||
+ * We cannot use strncasecmp here because that applies locale specific rules. It
|
||||
+ * also doesn't work with ASN1_STRINGs that may have embedded NUL characters.
|
||||
* For example in Turkish 'I' is not the uppercase character for 'i'. We need to
|
||||
* do a simple ASCII case comparison ignoring the locale (that is why we use
|
||||
* numeric constants below).
|
||||
@@ -89,20 +111,12 @@ static int ia5ncasecmp(const char *s1, c
|
||||
|
||||
/* c1 > c2 */
|
||||
return 1;
|
||||
- } else if (*s1 == 0) {
|
||||
- /* If we get here we know that *s2 == 0 too */
|
||||
- return 0;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int ia5casecmp(const char *s1, const char *s2)
|
||||
-{
|
||||
- return ia5ncasecmp(s1, s2, SIZE_MAX);
|
||||
-}
|
||||
-
|
||||
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
|
||||
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
|
||||
{
|
||||
@@ -337,7 +351,7 @@ static int cn2dnsid(ASN1_STRING *cn, uns
|
||||
--utf8_length;
|
||||
|
||||
/* Reject *embedded* NULs */
|
||||
- if ((size_t)utf8_length != strlen((char *)utf8_value)) {
|
||||
+ if (memchr(utf8_value, 0, utf8_length) != NULL) {
|
||||
OPENSSL_free(utf8_value);
|
||||
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
||||
}
|
||||
@@ -537,7 +551,7 @@ static int nc_dns(ASN1_IA5STRING *dns, A
|
||||
char *baseptr = (char *)base->data;
|
||||
char *dnsptr = (char *)dns->data;
|
||||
/* Empty matches everything */
|
||||
- if (!*baseptr)
|
||||
+ if (base->length == 0)
|
||||
return X509_V_OK;
|
||||
/*
|
||||
* Otherwise can add zero or more components on the left so compare RHS
|
||||
@@ -549,7 +563,7 @@ static int nc_dns(ASN1_IA5STRING *dns, A
|
||||
return X509_V_ERR_PERMITTED_VIOLATION;
|
||||
}
|
||||
|
||||
- if (ia5casecmp(baseptr, dnsptr))
|
||||
+ if (ia5ncasecmp(baseptr, dnsptr, base->length))
|
||||
return X509_V_ERR_PERMITTED_VIOLATION;
|
||||
|
||||
return X509_V_OK;
|
||||
@@ -560,16 +574,17 @@ static int nc_email(ASN1_IA5STRING *eml,
|
||||
{
|
||||
const char *baseptr = (char *)base->data;
|
||||
const char *emlptr = (char *)eml->data;
|
||||
+ const char *baseat = ia5memrchr(base, '@');
|
||||
+ const char *emlat = ia5memrchr(eml, '@');
|
||||
+ size_t basehostlen, emlhostlen;
|
||||
|
||||
- const char *baseat = strchr(baseptr, '@');
|
||||
- const char *emlat = strchr(emlptr, '@');
|
||||
if (!emlat)
|
||||
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
||||
/* Special case: initial '.' is RHS match */
|
||||
- if (!baseat && (*baseptr == '.')) {
|
||||
+ if (!baseat && base->length > 0 && (*baseptr == '.')) {
|
||||
if (eml->length > base->length) {
|
||||
emlptr += eml->length - base->length;
|
||||
- if (ia5casecmp(baseptr, emlptr) == 0)
|
||||
+ if (ia5ncasecmp(baseptr, emlptr, base->length) == 0)
|
||||
return X509_V_OK;
|
||||
}
|
||||
return X509_V_ERR_PERMITTED_VIOLATION;
|
||||
@@ -589,8 +604,10 @@ static int nc_email(ASN1_IA5STRING *eml,
|
||||
baseptr = baseat + 1;
|
||||
}
|
||||
emlptr = emlat + 1;
|
||||
+ basehostlen = IA5_OFFSET_LEN(base, baseptr);
|
||||
+ emlhostlen = IA5_OFFSET_LEN(eml, emlptr);
|
||||
/* Just have hostname left to match: case insensitive */
|
||||
- if (ia5casecmp(baseptr, emlptr))
|
||||
+ if (basehostlen != emlhostlen || ia5ncasecmp(baseptr, emlptr, emlhostlen))
|
||||
return X509_V_ERR_PERMITTED_VIOLATION;
|
||||
|
||||
return X509_V_OK;
|
||||
@@ -601,10 +618,14 @@ static int nc_uri(ASN1_IA5STRING *uri, A
|
||||
{
|
||||
const char *baseptr = (char *)base->data;
|
||||
const char *hostptr = (char *)uri->data;
|
||||
- const char *p = strchr(hostptr, ':');
|
||||
+ const char *p = ia5memchr(uri, (char *)uri->data, ':');
|
||||
int hostlen;
|
||||
+
|
||||
/* Check for foo:// and skip past it */
|
||||
- if (!p || (p[1] != '/') || (p[2] != '/'))
|
||||
+ if (p == NULL
|
||||
+ || IA5_OFFSET_LEN(uri, p) < 3
|
||||
+ || p[1] != '/'
|
||||
+ || p[2] != '/')
|
||||
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
||||
hostptr = p + 3;
|
||||
|
||||
@@ -612,13 +633,13 @@ static int nc_uri(ASN1_IA5STRING *uri, A
|
||||
|
||||
/* Look for a port indicator as end of hostname first */
|
||||
|
||||
- p = strchr(hostptr, ':');
|
||||
+ p = ia5memchr(uri, hostptr, ':');
|
||||
/* Otherwise look for trailing slash */
|
||||
- if (!p)
|
||||
- p = strchr(hostptr, '/');
|
||||
+ if (p == NULL)
|
||||
+ p = ia5memchr(uri, hostptr, '/');
|
||||
|
||||
- if (!p)
|
||||
- hostlen = strlen(hostptr);
|
||||
+ if (p == NULL)
|
||||
+ hostlen = IA5_OFFSET_LEN(uri, hostptr);
|
||||
else
|
||||
hostlen = p - hostptr;
|
||||
|
||||
@@ -626,7 +647,7 @@ static int nc_uri(ASN1_IA5STRING *uri, A
|
||||
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
|
||||
|
||||
/* Special case: initial '.' is RHS match */
|
||||
- if (*baseptr == '.') {
|
||||
+ if (base->length > 0 && *baseptr == '.') {
|
||||
if (hostlen > base->length) {
|
||||
p = hostptr + hostlen - base->length;
|
||||
if (ia5ncasecmp(p, baseptr, base->length) == 0)
|
||||
diff -up openssl-1.1.1k/crypto/x509v3/v3_pci.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_pci.c
|
||||
--- openssl-1.1.1k/crypto/x509v3/v3_pci.c.read-buff 2021-11-12 12:39:06.649337807 +0100
|
||||
+++ openssl-1.1.1k/crypto/x509v3/v3_pci.c 2021-11-12 12:40:07.955201861 +0100
|
||||
@@ -77,7 +77,8 @@ static int i2r_pci(X509V3_EXT_METHOD *me
|
||||
i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
|
||||
BIO_puts(out, "\n");
|
||||
if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
|
||||
- BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
|
||||
+ BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "",
|
||||
+ pci->proxyPolicy->policy->length,
|
||||
pci->proxyPolicy->policy->data);
|
||||
return 1;
|
||||
}
|
||||
diff -up openssl-1.1.1k/crypto/x509v3/v3_utl.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_utl.c
|
||||
--- openssl-1.1.1k/crypto/x509v3/v3_utl.c.read-buff 2021-11-11 15:46:16.797124581 +0100
|
||||
+++ openssl-1.1.1k/crypto/x509v3/v3_utl.c 2021-11-11 15:50:36.696748621 +0100
|
||||
@@ -502,18 +502,26 @@ static int append_ia5(STACK_OF(OPENSSL_S
|
||||
/* First some sanity checks */
|
||||
if (email->type != V_ASN1_IA5STRING)
|
||||
return 1;
|
||||
- if (!email->data || !email->length)
|
||||
+ if (email->data == NULL || email->length == 0)
|
||||
+ return 1;
|
||||
+ if (memchr(email->data, 0, email->length) != NULL)
|
||||
return 1;
|
||||
if (*sk == NULL)
|
||||
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
|
||||
if (*sk == NULL)
|
||||
return 0;
|
||||
+
|
||||
+ emtmp = OPENSSL_strndup((char *)email->data, email->length);
|
||||
+ if (emtmp == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
/* Don't add duplicates */
|
||||
- if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
|
||||
+ if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
|
||||
+ OPENSSL_free(emtmp);
|
||||
return 1;
|
||||
- emtmp = OPENSSL_strdup((char *)email->data);
|
||||
- if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
|
||||
- OPENSSL_free(emtmp); /* free on push failure */
|
||||
+ }
|
||||
+ if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
|
||||
+ OPENSSL_free(emtmp); /* free on push failure */
|
||||
X509_email_free(*sk);
|
||||
*sk = NULL;
|
||||
return 0;
|
||||
diff -up openssl-1.1.1k/test/x509_time_test.c.read-buff openssl-1.1.1k/test/x509_time_test.c
|
||||
--- openssl-1.1.1k/test/x509_time_test.c.read-buff 2021-11-11 15:53:59.112792286 +0100
|
||||
+++ openssl-1.1.1k/test/x509_time_test.c 2021-11-11 15:55:18.148590259 +0100
|
||||
@@ -330,10 +330,12 @@ static int test_x509_time(int idx)
|
||||
|
||||
/* if t is not NULL but expected_string is NULL, it is an 'OK' case too */
|
||||
if (t != NULL && x509_format_tests[idx].expected_string) {
|
||||
- if (!TEST_str_eq((const char *)t->data,
|
||||
- x509_format_tests[idx].expected_string)) {
|
||||
- TEST_info("test_x509_time(%d) failed: expected_string %s, got %s\n",
|
||||
- idx, x509_format_tests[idx].expected_string, t->data);
|
||||
+ if (!TEST_mem_eq((const char *)t->data, t->length,
|
||||
+ x509_format_tests[idx].expected_string,
|
||||
+ strlen(x509_format_tests[idx].expected_string))) {
|
||||
+ TEST_info("test_x509_time(%d) failed: expected_string %s, got %.*s\n",
|
||||
+ idx, x509_format_tests[idx].expected_string, t->length,
|
||||
+ t->data);
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
diff -up openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff openssl-1.1.1k/crypto/x509v3/v3_ncons.c
|
||||
--- openssl-1.1.1k/crypto/x509v3/v3_ncons.c.read-buff 2021-11-12 18:19:14.742820536 +0100
|
||||
+++ openssl-1.1.1k/crypto/x509v3/v3_ncons.c 2021-11-12 18:20:09.663327518 +0100
|
||||
@@ -553,6 +553,10 @@ static int nc_dns(ASN1_IA5STRING *dns, A
|
||||
/* Empty matches everything */
|
||||
if (base->length == 0)
|
||||
return X509_V_OK;
|
||||
+
|
||||
+ if (dns->length < base->length)
|
||||
+ return X509_V_ERR_PERMITTED_VIOLATION;
|
||||
+
|
||||
/*
|
||||
* Otherwise can add zero or more components on the left so compare RHS
|
||||
* and if dns is longer and expect '.' as preceding character.
|
|
@ -1,16 +0,0 @@
|
|||
diff -up openssl-1.1.1b/crypto/conf/conf_lib.c.regression openssl-1.1.1b/crypto/conf/conf_lib.c
|
||||
--- openssl-1.1.1b/crypto/conf/conf_lib.c.regression 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/conf/conf_lib.c 2019-05-10 14:28:57.718049429 +0200
|
||||
@@ -356,8 +356,10 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(
|
||||
{
|
||||
OPENSSL_INIT_SETTINGS *ret = malloc(sizeof(*ret));
|
||||
|
||||
- if (ret != NULL)
|
||||
- memset(ret, 0, sizeof(*ret));
|
||||
+ if (ret == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ memset(ret, 0, sizeof(*ret));
|
||||
ret->flags = DEFAULT_CONF_MFLAGS;
|
||||
|
||||
return ret;
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,170 @@
|
|||
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx,
|
||||
int FIPS_drbg_reseed(DRBG_CTX *dctx,
|
||||
const unsigned char *adin, size_t adinlen)
|
||||
{
|
||||
+ int len = (int)adinlen;
|
||||
+
|
||||
+ if (len < 0 || (size_t)len != adinlen) {
|
||||
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ RAND_seed(adin, len);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+int FIPS_drbg_reseed_internal(DRBG_CTX *dctx,
|
||||
+ const unsigned char *adin, size_t adinlen)
|
||||
+{
|
||||
return drbg_reseed(dctx, adin, adinlen, 1);
|
||||
}
|
||||
|
||||
@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u
|
||||
int prediction_resistance,
|
||||
const unsigned char *adin, size_t adinlen)
|
||||
{
|
||||
+ int len = (int)outlen;
|
||||
+
|
||||
+ if (len < 0 || (size_t)len != outlen) {
|
||||
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return RAND_bytes(out, len);
|
||||
+}
|
||||
+
|
||||
+int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
|
||||
+ int prediction_resistance,
|
||||
+ const unsigned char *adin, size_t adinlen)
|
||||
+{
|
||||
int r = 0;
|
||||
|
||||
if (FIPS_selftest_failed()) {
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -57,6 +57,8 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/fips.h>
|
||||
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
|
||||
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
|
||||
#include <openssl/fips_rand.h>
|
||||
#include "fips_rand_lcl.h"
|
||||
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg 2020-06-22 13:32:47.612852927 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -55,6 +55,8 @@
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/fips.h>
|
||||
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
|
||||
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
|
||||
#include <openssl/fips_rand.h>
|
||||
#include "fips_rand_lcl.h"
|
||||
#include "fips_locl.h"
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -79,8 +79,6 @@ int FIPS_selftest(void)
|
||||
ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
|
||||
rv = 0;
|
||||
}
|
||||
- if (!FIPS_selftest_drbg())
|
||||
- rv = 0;
|
||||
if (!FIPS_selftest_sha1())
|
||||
rv = 0;
|
||||
if (!FIPS_selftest_sha2())
|
||||
diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c
|
||||
--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.613852927 +0200
|
||||
+++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c 2020-06-22 13:36:28.722817967 +0200
|
||||
@@ -120,6 +120,7 @@ void FIPS_rand_reset(void)
|
||||
|
||||
int FIPS_rand_seed(const void *buf, int num)
|
||||
{
|
||||
+#if 0
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode()) {
|
||||
FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
|
||||
return 0;
|
||||
@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int
|
||||
if (fips_rand_meth && fips_rand_meth->seed)
|
||||
fips_rand_meth->seed(buf, num);
|
||||
return 1;
|
||||
+#else
|
||||
+ RAND_seed(buf, num);
|
||||
+ return 1;
|
||||
+#endif
|
||||
}
|
||||
|
||||
int FIPS_rand_bytes(unsigned char *buf, int num)
|
||||
{
|
||||
+#if 0
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode()) {
|
||||
FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
|
||||
return 0;
|
||||
@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf,
|
||||
if (fips_rand_meth && fips_rand_meth->bytes)
|
||||
return fips_rand_meth->bytes(buf, num);
|
||||
return 0;
|
||||
+#else
|
||||
+ return RAND_bytes(buf, num);
|
||||
+#endif
|
||||
}
|
||||
|
||||
int FIPS_rand_status(void)
|
||||
{
|
||||
+#if 0
|
||||
if (!fips_approved_rand_meth && FIPS_module_mode()) {
|
||||
FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
|
||||
return 0;
|
||||
@@ -149,6 +159,9 @@ int FIPS_rand_status(void)
|
||||
if (fips_rand_meth && fips_rand_meth->status)
|
||||
return fips_rand_meth->status();
|
||||
return 0;
|
||||
+#else
|
||||
+ return RAND_status();
|
||||
+#endif
|
||||
}
|
||||
|
||||
/* Return instantiated strength of PRNG. For DRBG this is an internal
|
||||
diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h
|
||||
--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
|
||||
+++ openssl-1.1.1g/include/openssl/fips.h 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -64,6 +64,11 @@ extern "C" {
|
||||
|
||||
int FIPS_selftest(void);
|
||||
int FIPS_selftest_failed(void);
|
||||
+
|
||||
+ /*
|
||||
+ * This function is deprecated as it performs selftest of the old FIPS drbg
|
||||
+ * implementation that is not validated.
|
||||
+ */
|
||||
int FIPS_selftest_drbg_all(void);
|
||||
|
||||
int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
|
||||
diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h
|
||||
--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg 2020-06-22 13:32:47.617852926 +0200
|
||||
+++ openssl-1.1.1g/include/openssl/fips_rand.h 2020-06-22 13:32:47.675852917 +0200
|
||||
@@ -60,6 +60,20 @@
|
||||
# ifdef __cplusplus
|
||||
extern "C" {
|
||||
# endif
|
||||
+
|
||||
+/*
|
||||
+ * IMPORTANT NOTE:
|
||||
+ * All functions in this header file are deprecated and should not be used
|
||||
+ * as they use the old FIPS_drbg implementation that is not FIPS validated
|
||||
+ * anymore.
|
||||
+ * To provide backwards compatibility for applications that need FIPS compliant
|
||||
+ * RNG number generation and use FIPS_drbg_generate, this function was
|
||||
+ * re-wired to call the FIPS validated DRBG instance instead through
|
||||
+ * the RAND_bytes() call.
|
||||
+ *
|
||||
+ * All these functions will be removed in future.
|
||||
+ */
|
||||
+
|
||||
typedef struct drbg_ctx_st DRBG_CTX;
|
||||
/* DRBG external flags */
|
||||
/* Flag for CTR mode only: use derivation function ctr_df */
|
|
@ -0,0 +1,497 @@
|
|||
diff -up openssl-1.1.1k/test/evp_extra_test.c.s390x-test-aes openssl-1.1.1k/test/evp_extra_test.c
|
||||
--- openssl-1.1.1k/test/evp_extra_test.c.s390x-test-aes 2021-07-16 17:33:04.663181698 +0200
|
||||
+++ openssl-1.1.1k/test/evp_extra_test.c 2021-07-16 17:49:27.780439742 +0200
|
||||
@@ -320,6 +320,97 @@ static const unsigned char pExampleECPar
|
||||
};
|
||||
#endif
|
||||
|
||||
+static const unsigned char kCFBDefaultKey[] = {
|
||||
+ 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 0xAB, 0xF7, 0x15, 0x88,
|
||||
+ 0x09, 0xCF, 0x4F, 0x3C
|
||||
+};
|
||||
+
|
||||
+static const unsigned char kGCMDefaultKey[32] = { 0 };
|
||||
+
|
||||
+static const unsigned char kGCMResetKey[] = {
|
||||
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 0x6d, 0x6a, 0x8f, 0x94,
|
||||
+ 0x67, 0x30, 0x83, 0x08, 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
|
||||
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
|
||||
+};
|
||||
+
|
||||
+static const unsigned char iCFBIV[] = {
|
||||
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
|
||||
+ 0x0C, 0x0D, 0x0E, 0x0F
|
||||
+};
|
||||
+
|
||||
+static const unsigned char iGCMDefaultIV[12] = { 0 };
|
||||
+
|
||||
+static const unsigned char iGCMResetIV1[] = {
|
||||
+ 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad
|
||||
+};
|
||||
+
|
||||
+static const unsigned char iGCMResetIV2[] = {
|
||||
+ 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
|
||||
+};
|
||||
+
|
||||
+static const unsigned char cfbPlaintext[] = {
|
||||
+ 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11,
|
||||
+ 0x73, 0x93, 0x17, 0x2A
|
||||
+};
|
||||
+
|
||||
+static const unsigned char gcmDefaultPlaintext[16] = { 0 };
|
||||
+
|
||||
+static const unsigned char gcmResetPlaintext[] = {
|
||||
+ 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5,
|
||||
+ 0xaf, 0xf5, 0x26, 0x9a, 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
|
||||
+ 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 0x1c, 0x3c, 0x0c, 0x95,
|
||||
+ 0x95, 0x68, 0x09, 0x53, 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
|
||||
+ 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 0xba, 0x63, 0x7b, 0x39
|
||||
+};
|
||||
+
|
||||
+static const unsigned char cfbCiphertext[] = {
|
||||
+ 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49, 0xF8,
|
||||
+ 0xE8, 0x3C, 0xFB, 0x4A
|
||||
+};
|
||||
+
|
||||
+static const unsigned char gcmDefaultCiphertext[] = {
|
||||
+ 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e, 0x07, 0x4e, 0xc5, 0xd3,
|
||||
+ 0xba, 0xf3, 0x9d, 0x18
|
||||
+};
|
||||
+
|
||||
+static const unsigned char gcmResetCiphertext1[] = {
|
||||
+ 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32, 0xae, 0x47, 0xc1, 0x3b,
|
||||
+ 0xf1, 0x98, 0x44, 0xcb, 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
|
||||
+ 0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0, 0xfe, 0xb5, 0x82, 0xd3,
|
||||
+ 0x39, 0x34, 0xa4, 0xf0, 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
|
||||
+ 0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99, 0xf4, 0x7c, 0x9b, 0x1f
|
||||
+};
|
||||
+
|
||||
+static const unsigned char gcmResetCiphertext2[] = {
|
||||
+ 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07, 0xf4, 0x7f, 0x37, 0xa3,
|
||||
+ 0x2a, 0x84, 0x42, 0x7d, 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
|
||||
+ 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa, 0x8c, 0xb0, 0x8e, 0x48,
|
||||
+ 0x59, 0x0d, 0xbb, 0x3d, 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
|
||||
+ 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a, 0xbc, 0xc9, 0xf6, 0x62
|
||||
+};
|
||||
+
|
||||
+static const unsigned char gcmAAD[] = {
|
||||
+ 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfe, 0xed, 0xfa, 0xce,
|
||||
+ 0xde, 0xad, 0xbe, 0xef, 0xab, 0xad, 0xda, 0xd2
|
||||
+};
|
||||
+
|
||||
+static const unsigned char gcmDefaultTag[] = {
|
||||
+ 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0, 0x26, 0x5b, 0x98, 0xb5,
|
||||
+ 0xd4, 0x8a, 0xb9, 0x19
|
||||
+};
|
||||
+
|
||||
+static const unsigned char gcmResetTag1[] = {
|
||||
+ 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4, 0x5e, 0x45, 0x49, 0x13,
|
||||
+ 0xfe, 0x2e, 0xa8, 0xf2
|
||||
+};
|
||||
+
|
||||
+static const unsigned char gcmResetTag2[] = {
|
||||
+ 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68, 0xcd, 0xdf, 0x88, 0x53,
|
||||
+ 0xbb, 0x2d, 0x55, 0x1b
|
||||
+};
|
||||
+
|
||||
+
|
||||
+
|
||||
typedef struct APK_DATA_st {
|
||||
const unsigned char *kder;
|
||||
size_t size;
|
||||
@@ -330,6 +421,385 @@ typedef struct APK_DATA_st {
|
||||
int type; /* 0 for private, 1 for public, 2 for params */
|
||||
} APK_DATA;
|
||||
|
||||
+typedef struct {
|
||||
+ const char *cipher;
|
||||
+ const unsigned char *key;
|
||||
+ const unsigned char *iv;
|
||||
+ const unsigned char *input;
|
||||
+ const unsigned char *expected;
|
||||
+ const unsigned char *tag;
|
||||
+ size_t ivlen; /* 0 if we do not need to set a specific IV len */
|
||||
+ size_t inlen;
|
||||
+ size_t expectedlen;
|
||||
+ size_t taglen;
|
||||
+ int keyfirst;
|
||||
+ int initenc;
|
||||
+ int finalenc;
|
||||
+} EVP_INIT_TEST_st;
|
||||
+
|
||||
+static const EVP_INIT_TEST_st evp_init_tests[] = {
|
||||
+ {
|
||||
+ "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbPlaintext,
|
||||
+ cfbCiphertext, NULL, 0, sizeof(cfbPlaintext), sizeof(cfbCiphertext),
|
||||
+ 0, 1, 0, 1
|
||||
+ },
|
||||
+ {
|
||||
+ "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultPlaintext,
|
||||
+ gcmDefaultCiphertext, gcmDefaultTag, sizeof(iGCMDefaultIV),
|
||||
+ sizeof(gcmDefaultPlaintext), sizeof(gcmDefaultCiphertext),
|
||||
+ sizeof(gcmDefaultTag), 1, 0, 1
|
||||
+ },
|
||||
+ {
|
||||
+ "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbPlaintext,
|
||||
+ cfbCiphertext, NULL, 0, sizeof(cfbPlaintext), sizeof(cfbCiphertext),
|
||||
+ 0, 0, 0, 1
|
||||
+ },
|
||||
+ {
|
||||
+ "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultPlaintext,
|
||||
+ gcmDefaultCiphertext, gcmDefaultTag, sizeof(iGCMDefaultIV),
|
||||
+ sizeof(gcmDefaultPlaintext), sizeof(gcmDefaultCiphertext),
|
||||
+ sizeof(gcmDefaultTag), 0, 0, 1
|
||||
+ },
|
||||
+ {
|
||||
+ "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbCiphertext,
|
||||
+ cfbPlaintext, NULL, 0, sizeof(cfbCiphertext), sizeof(cfbPlaintext),
|
||||
+ 0, 1, 1, 0
|
||||
+ },
|
||||
+ {
|
||||
+ "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultCiphertext,
|
||||
+ gcmDefaultPlaintext, gcmDefaultTag, sizeof(iGCMDefaultIV),
|
||||
+ sizeof(gcmDefaultCiphertext), sizeof(gcmDefaultPlaintext),
|
||||
+ sizeof(gcmDefaultTag), 1, 1, 0
|
||||
+ },
|
||||
+ {
|
||||
+ "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbCiphertext,
|
||||
+ cfbPlaintext, NULL, 0, sizeof(cfbCiphertext), sizeof(cfbPlaintext),
|
||||
+ 0, 0, 1, 0
|
||||
+ },
|
||||
+ {
|
||||
+ "aes-256-gcm", kGCMDefaultKey, iGCMDefaultIV, gcmDefaultCiphertext,
|
||||
+ gcmDefaultPlaintext, gcmDefaultTag, sizeof(iGCMDefaultIV),
|
||||
+ sizeof(gcmDefaultCiphertext), sizeof(gcmDefaultPlaintext),
|
||||
+ sizeof(gcmDefaultTag), 0, 1, 0
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+static int evp_init_seq_set_iv(EVP_CIPHER_CTX *ctx, const EVP_INIT_TEST_st *t)
|
||||
+{
|
||||
+ int res = 0;
|
||||
+
|
||||
+ if (t->ivlen != 0) {
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen, NULL)))
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, t->iv, -1)))
|
||||
+ goto err;
|
||||
+ res = 1;
|
||||
+ err:
|
||||
+ return res;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Test step-wise cipher initialization via EVP_CipherInit_ex where the
|
||||
+ * arguments are given one at a time and a final adjustment to the enc
|
||||
+ * parameter sets the correct operation.
|
||||
+ */
|
||||
+static int test_evp_init_seq(int idx)
|
||||
+{
|
||||
+ int outlen1, outlen2;
|
||||
+ int testresult = 0;
|
||||
+ unsigned char outbuf[1024];
|
||||
+ unsigned char tag[16];
|
||||
+ const EVP_INIT_TEST_st *t = &evp_init_tests[idx];
|
||||
+ EVP_CIPHER_CTX *ctx = NULL;
|
||||
+ const EVP_CIPHER *type = NULL;
|
||||
+ size_t taglen = sizeof(tag);
|
||||
+ char *errmsg = NULL;
|
||||
+
|
||||
+ ctx = EVP_CIPHER_CTX_new();
|
||||
+ if (ctx == NULL) {
|
||||
+ errmsg = "CTX_ALLOC";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_ptr(type = EVP_get_cipherbyname(t->cipher))) {
|
||||
+ errmsg = "GET_CIPHERBYNAME";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, NULL, NULL, t->initenc))) {
|
||||
+ errmsg = "EMPTY_ENC_INIT";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_set_padding(ctx, 0))) {
|
||||
+ errmsg = "PADDING";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (t->keyfirst && !TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, t->key, NULL, -1))) {
|
||||
+ errmsg = "KEY_INIT (before iv)";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!evp_init_seq_set_iv(ctx, t)) {
|
||||
+ errmsg = "IV_INIT";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (t->keyfirst == 0 && !TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, t->key, NULL, -1))) {
|
||||
+ errmsg = "KEY_INIT (after iv)";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, t->finalenc))) {
|
||||
+ errmsg = "FINAL_ENC_INIT";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
|
||||
+ errmsg = "CIPHER_UPDATE";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (t->finalenc == 0 && t->tag != NULL) {
|
||||
+ /* Set expected tag */
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
|
||||
+ t->taglen, (void *)t->tag))) {
|
||||
+ errmsg = "SET_TAG";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
|
||||
+ errmsg = "CIPHER_FINAL";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
|
||||
+ errmsg = "WRONG_RESULT";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (t->finalenc != 0 && t->tag != NULL) {
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag))) {
|
||||
+ errmsg = "GET_TAG";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_mem_eq(t->tag, t->taglen, tag, taglen)) {
|
||||
+ errmsg = "TAG_ERROR";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+ testresult = 1;
|
||||
+ err:
|
||||
+ if (errmsg != NULL)
|
||||
+ TEST_info("evp_init_test %d: %s", idx, errmsg);
|
||||
+ EVP_CIPHER_CTX_free(ctx);
|
||||
+ return testresult;
|
||||
+}
|
||||
+
|
||||
+typedef struct {
|
||||
+ const unsigned char *input;
|
||||
+ const unsigned char *expected;
|
||||
+ size_t inlen;
|
||||
+ size_t expectedlen;
|
||||
+ int enc;
|
||||
+} EVP_RESET_TEST_st;
|
||||
+
|
||||
+static const EVP_RESET_TEST_st evp_reset_tests[] = {
|
||||
+ {
|
||||
+ cfbPlaintext, cfbCiphertext,
|
||||
+ sizeof(cfbPlaintext), sizeof(cfbCiphertext), 1
|
||||
+ },
|
||||
+ {
|
||||
+ cfbCiphertext, cfbPlaintext,
|
||||
+ sizeof(cfbCiphertext), sizeof(cfbPlaintext), 0
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+/*
|
||||
+ * Test a reset of a cipher via EVP_CipherInit_ex after the cipher has already
|
||||
+ * been used.
|
||||
+ */
|
||||
+static int test_evp_reset(int idx)
|
||||
+{
|
||||
+ const EVP_RESET_TEST_st *t = &evp_reset_tests[idx];
|
||||
+ int outlen1, outlen2;
|
||||
+ int testresult = 0;
|
||||
+ unsigned char outbuf[1024];
|
||||
+ EVP_CIPHER_CTX *ctx = NULL;
|
||||
+ const EVP_CIPHER *type = NULL;
|
||||
+ char *errmsg = NULL;
|
||||
+
|
||||
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) {
|
||||
+ errmsg = "CTX_ALLOC";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_ptr(type = EVP_get_cipherbyname("aes-128-cfb"))) {
|
||||
+ errmsg = "GET_CIPHERBYNAME";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, kCFBDefaultKey, iCFBIV, t->enc))) {
|
||||
+ errmsg = "CIPHER_INIT";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_set_padding(ctx, 0))) {
|
||||
+ errmsg = "PADDING";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
|
||||
+ errmsg = "CIPHER_UPDATE";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
|
||||
+ errmsg = "CIPHER_FINAL";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
|
||||
+ errmsg = "WRONG_RESULT";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, -1))) {
|
||||
+ errmsg = "CIPHER_REINIT";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, t->input, t->inlen))) {
|
||||
+ errmsg = "CIPHER_UPDATE (reinit)";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
|
||||
+ errmsg = "CIPHER_FINAL (reinit)";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_mem_eq(t->expected, t->expectedlen, outbuf, outlen1 + outlen2)) {
|
||||
+ errmsg = "WRONG_RESULT (reinit)";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ testresult = 1;
|
||||
+ err:
|
||||
+ if (errmsg != NULL)
|
||||
+ TEST_info("test_evp_reset %d: %s", idx, errmsg);
|
||||
+ EVP_CIPHER_CTX_free(ctx);
|
||||
+ return testresult;
|
||||
+}
|
||||
+
|
||||
+typedef struct {
|
||||
+ const unsigned char *iv1;
|
||||
+ const unsigned char *iv2;
|
||||
+ const unsigned char *expected1;
|
||||
+ const unsigned char *expected2;
|
||||
+ const unsigned char *tag1;
|
||||
+ const unsigned char *tag2;
|
||||
+ size_t ivlen1;
|
||||
+ size_t ivlen2;
|
||||
+ size_t expectedlen1;
|
||||
+ size_t expectedlen2;
|
||||
+} TEST_GCM_IV_REINIT_st;
|
||||
+
|
||||
+static const TEST_GCM_IV_REINIT_st gcm_reinit_tests[] = {
|
||||
+ {
|
||||
+ iGCMResetIV1, iGCMResetIV2, gcmResetCiphertext1, gcmResetCiphertext2,
|
||||
+ gcmResetTag1, gcmResetTag2, sizeof(iGCMResetIV1), sizeof(iGCMResetIV2),
|
||||
+ sizeof(gcmResetCiphertext1), sizeof(gcmResetCiphertext2)
|
||||
+ },
|
||||
+ {
|
||||
+ iGCMResetIV2, iGCMResetIV1, gcmResetCiphertext2, gcmResetCiphertext1,
|
||||
+ gcmResetTag2, gcmResetTag1, sizeof(iGCMResetIV2), sizeof(iGCMResetIV1),
|
||||
+ sizeof(gcmResetCiphertext2), sizeof(gcmResetCiphertext1)
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+static int test_gcm_reinit(int idx)
|
||||
+{
|
||||
+ int outlen1, outlen2, outlen3;
|
||||
+ int testresult = 0;
|
||||
+ unsigned char outbuf[1024];
|
||||
+ unsigned char tag[16];
|
||||
+ const TEST_GCM_IV_REINIT_st *t = &gcm_reinit_tests[idx];
|
||||
+ EVP_CIPHER_CTX *ctx = NULL;
|
||||
+ const EVP_CIPHER *type = NULL;
|
||||
+ size_t taglen = sizeof(tag);
|
||||
+ char *errmsg = NULL;
|
||||
+
|
||||
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())) {
|
||||
+ errmsg = "CTX_ALLOC";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_ptr(type = EVP_get_cipherbyname("aes-256-gcm"))) {
|
||||
+ errmsg = "GET_CIPHERBYNAME";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherInit_ex(ctx, type, NULL, NULL, NULL, 1))) {
|
||||
+ errmsg = "ENC_INIT";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen1, NULL))) {
|
||||
+ errmsg = "SET_IVLEN1";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, kGCMResetKey, t->iv1, 1))) {
|
||||
+ errmsg = "SET_IV1";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherUpdate(ctx, NULL, &outlen3, gcmAAD, sizeof(gcmAAD)))) {
|
||||
+ errmsg = "AAD1";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ EVP_CIPHER_CTX_set_padding(ctx, 0);
|
||||
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, gcmResetPlaintext,
|
||||
+ sizeof(gcmResetPlaintext)))) {
|
||||
+ errmsg = "CIPHER_UPDATE1";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
|
||||
+ errmsg = "CIPHER_FINAL1";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_mem_eq(t->expected1, t->expectedlen1, outbuf, outlen1 + outlen2)) {
|
||||
+ errmsg = "WRONG_RESULT1";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag))) {
|
||||
+ errmsg = "GET_TAG1";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_mem_eq(t->tag1, taglen, tag, taglen)) {
|
||||
+ errmsg = "TAG_ERROR1";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ /* Now reinit */
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, t->ivlen2, NULL))) {
|
||||
+ errmsg = "SET_IVLEN2";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherInit_ex(ctx, NULL, NULL, NULL, t->iv2, -1))) {
|
||||
+ errmsg = "SET_IV2";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherUpdate(ctx, NULL, &outlen3, gcmAAD, sizeof(gcmAAD)))) {
|
||||
+ errmsg = "AAD2";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen1, gcmResetPlaintext,
|
||||
+ sizeof(gcmResetPlaintext)))) {
|
||||
+ errmsg = "CIPHER_UPDATE2";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CipherFinal_ex(ctx, outbuf + outlen1, &outlen2))) {
|
||||
+ errmsg = "CIPHER_FINAL2";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_mem_eq(t->expected2, t->expectedlen2, outbuf, outlen1 + outlen2)) {
|
||||
+ errmsg = "WRONG_RESULT2";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag))) {
|
||||
+ errmsg = "GET_TAG2";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (!TEST_mem_eq(t->tag2, taglen, tag, taglen)) {
|
||||
+ errmsg = "TAG_ERROR2";
|
||||
+ goto err;
|
||||
+ }
|
||||
+ testresult = 1;
|
||||
+ err:
|
||||
+ if (errmsg != NULL)
|
||||
+ TEST_info("evp_init_test %d: %s", idx, errmsg);
|
||||
+ EVP_CIPHER_CTX_free(ctx);
|
||||
+ return testresult;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+
|
||||
static APK_DATA keydata[] = {
|
||||
{kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), EVP_PKEY_RSA},
|
||||
{kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8), EVP_PKEY_RSA},
|
||||
@@ -1208,6 +1678,8 @@ int setup_tests(void)
|
||||
#ifndef OPENSSL_NO_DH
|
||||
ADD_TEST(test_EVP_PKEY_set1_DH);
|
||||
#endif
|
||||
-
|
||||
+ ADD_ALL_TESTS(test_evp_init_seq, OSSL_NELEM(evp_init_tests));
|
||||
+ ADD_ALL_TESTS(test_evp_reset, OSSL_NELEM(evp_reset_tests));
|
||||
+ ADD_ALL_TESTS(test_gcm_reinit, OSSL_NELEM(gcm_reinit_tests));
|
||||
return 1;
|
||||
}
|
|
@ -0,0 +1,381 @@
|
|||
diff -up openssl-1.1.1k/crypto/evp/e_aes.c.s390x-aes openssl-1.1.1k/crypto/evp/e_aes.c
|
||||
--- openssl-1.1.1k/crypto/evp/e_aes.c.s390x-aes 2021-07-16 11:03:14.362127435 +0200
|
||||
+++ openssl-1.1.1k/crypto/evp/e_aes.c 2021-07-16 15:00:42.531477251 +0200
|
||||
@@ -1168,9 +1168,9 @@ typedef struct {
|
||||
static int s390x_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
const unsigned char *iv, int enc);
|
||||
|
||||
-# define S390X_aes_128_cbc_CAPABLE 1 /* checked by callee */
|
||||
-# define S390X_aes_192_cbc_CAPABLE 1
|
||||
-# define S390X_aes_256_cbc_CAPABLE 1
|
||||
+# define S390X_aes_128_cbc_CAPABLE 0 /* checked by callee */
|
||||
+# define S390X_aes_192_cbc_CAPABLE 0
|
||||
+# define S390X_aes_256_cbc_CAPABLE 0
|
||||
# define S390X_AES_CBC_CTX EVP_AES_KEY
|
||||
|
||||
# define s390x_aes_cbc_init_key aes_init_key
|
||||
@@ -1190,11 +1190,10 @@ static int s390x_aes_ecb_init_key(EVP_CI
|
||||
S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
|
||||
const int keylen = EVP_CIPHER_CTX_key_length(ctx);
|
||||
|
||||
- cctx->fc = S390X_AES_FC(keylen);
|
||||
- if (!enc)
|
||||
- cctx->fc |= S390X_DECRYPT;
|
||||
+ cctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT);
|
||||
|
||||
- memcpy(cctx->km.param.k, key, keylen);
|
||||
+ if (key != NULL)
|
||||
+ memcpy(cctx->km.param.k, key, keylen);
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -1222,14 +1221,17 @@ static int s390x_aes_ofb_init_key(EVP_CI
|
||||
const unsigned char *ivec, int enc)
|
||||
{
|
||||
S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
|
||||
- const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
|
||||
+ const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx);
|
||||
const int keylen = EVP_CIPHER_CTX_key_length(ctx);
|
||||
const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
|
||||
|
||||
- memcpy(cctx->kmo.param.cv, iv, ivlen);
|
||||
- memcpy(cctx->kmo.param.k, key, keylen);
|
||||
cctx->fc = S390X_AES_FC(keylen);
|
||||
+
|
||||
+ if (key != NULL)
|
||||
+ memcpy(cctx->kmo.param.k, key, keylen);
|
||||
+
|
||||
cctx->res = 0;
|
||||
+ memcpy(cctx->kmo.param.cv, oiv, ivlen);
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -1287,18 +1289,18 @@ static int s390x_aes_cfb_init_key(EVP_CI
|
||||
const unsigned char *ivec, int enc)
|
||||
{
|
||||
S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
|
||||
- const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
|
||||
+ const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx);
|
||||
const int keylen = EVP_CIPHER_CTX_key_length(ctx);
|
||||
const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
|
||||
|
||||
- cctx->fc = S390X_AES_FC(keylen);
|
||||
- cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */
|
||||
- if (!enc)
|
||||
- cctx->fc |= S390X_DECRYPT;
|
||||
+ cctx->fc = S390X_AES_FC(keylen)| (enc ? 0 : S390X_DECRYPT)
|
||||
+ | (16 << 24); /* 16 bytes cipher feedback */
|
||||
+
|
||||
+ if (key != NULL)
|
||||
+ memcpy(cctx->kmf.param.k, key, keylen);
|
||||
|
||||
cctx->res = 0;
|
||||
- memcpy(cctx->kmf.param.cv, iv, ivlen);
|
||||
- memcpy(cctx->kmf.param.k, key, keylen);
|
||||
+ memcpy(cctx->kmf.param.cv, oiv, ivlen);
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -1360,17 +1362,18 @@ static int s390x_aes_cfb8_init_key(EVP_C
|
||||
const unsigned char *ivec, int enc)
|
||||
{
|
||||
S390X_AES_CFB_CTX *cctx = EVP_C_DATA(S390X_AES_CFB_CTX, ctx);
|
||||
- const unsigned char *iv = EVP_CIPHER_CTX_original_iv(ctx);
|
||||
+ const unsigned char *oiv = EVP_CIPHER_CTX_original_iv(ctx);
|
||||
const int keylen = EVP_CIPHER_CTX_key_length(ctx);
|
||||
const int ivlen = EVP_CIPHER_CTX_iv_length(ctx);
|
||||
|
||||
- cctx->fc = S390X_AES_FC(keylen);
|
||||
- cctx->fc |= 1 << 24; /* 1 byte cipher feedback */
|
||||
- if (!enc)
|
||||
- cctx->fc |= S390X_DECRYPT;
|
||||
+ cctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT)
|
||||
+ | (1 << 24); /* 1 byte cipher feedback flag */
|
||||
+
|
||||
+ if (key != NULL)
|
||||
+ memcpy(cctx->kmf.param.k, key, keylen);
|
||||
|
||||
- memcpy(cctx->kmf.param.cv, iv, ivlen);
|
||||
- memcpy(cctx->kmf.param.k, key, keylen);
|
||||
+ cctx->res = 0;
|
||||
+ memcpy(cctx->kmf.param.cv, oiv, ivlen);
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -1393,9 +1396,9 @@ static int s390x_aes_cfb8_cipher(EVP_CIP
|
||||
static int s390x_aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
const unsigned char *in, size_t len);
|
||||
|
||||
-# define S390X_aes_128_ctr_CAPABLE 1 /* checked by callee */
|
||||
-# define S390X_aes_192_ctr_CAPABLE 1
|
||||
-# define S390X_aes_256_ctr_CAPABLE 1
|
||||
+# define S390X_aes_128_ctr_CAPABLE 0 /* checked by callee */
|
||||
+# define S390X_aes_192_ctr_CAPABLE 0
|
||||
+# define S390X_aes_256_ctr_CAPABLE 0
|
||||
# define S390X_AES_CTR_CTX EVP_AES_KEY
|
||||
|
||||
# define s390x_aes_ctr_init_key aes_init_key
|
||||
@@ -1563,8 +1566,7 @@ static int s390x_aes_gcm(S390X_AES_GCM_C
|
||||
/*-
|
||||
* Initialize context structure. Code is big-endian.
|
||||
*/
|
||||
-static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx,
|
||||
- const unsigned char *iv)
|
||||
+static void s390x_aes_gcm_setiv(S390X_AES_GCM_CTX *ctx)
|
||||
{
|
||||
ctx->kma.param.t.g[0] = 0;
|
||||
ctx->kma.param.t.g[1] = 0;
|
||||
@@ -1575,12 +1577,11 @@ static void s390x_aes_gcm_setiv(S390X_AE
|
||||
ctx->kreslen = 0;
|
||||
|
||||
if (ctx->ivlen == 12) {
|
||||
- memcpy(&ctx->kma.param.j0, iv, ctx->ivlen);
|
||||
+ memcpy(&ctx->kma.param.j0, ctx->iv, ctx->ivlen);
|
||||
ctx->kma.param.j0.w[3] = 1;
|
||||
ctx->kma.param.cv.w = 1;
|
||||
} else {
|
||||
/* ctx->iv has the right size and is already padded. */
|
||||
- memcpy(ctx->iv, iv, ctx->ivlen);
|
||||
s390x_kma(ctx->iv, S390X_gcm_ivpadlen(ctx->ivlen), NULL, 0, NULL,
|
||||
ctx->fc, &ctx->kma.param);
|
||||
ctx->fc |= S390X_KMA_HS;
|
||||
@@ -1694,7 +1695,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER
|
||||
if (gctx->iv_gen == 0 || gctx->key_set == 0)
|
||||
return 0;
|
||||
|
||||
- s390x_aes_gcm_setiv(gctx, gctx->iv);
|
||||
+ s390x_aes_gcm_setiv(gctx);
|
||||
|
||||
if (arg <= 0 || arg > gctx->ivlen)
|
||||
arg = gctx->ivlen;
|
||||
@@ -1714,7 +1715,7 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER
|
||||
return 0;
|
||||
|
||||
memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
|
||||
- s390x_aes_gcm_setiv(gctx, gctx->iv);
|
||||
+ s390x_aes_gcm_setiv(gctx);
|
||||
gctx->iv_set = 1;
|
||||
return 1;
|
||||
|
||||
@@ -1770,43 +1771,35 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER
|
||||
}
|
||||
|
||||
/*-
|
||||
- * Set key and/or iv. Returns 1 on success. Otherwise 0 is returned.
|
||||
+ * Set key or iv or enc/dec. Returns 1 on success. Otherwise 0 is returned.
|
||||
*/
|
||||
static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx,
|
||||
const unsigned char *key,
|
||||
const unsigned char *iv, int enc)
|
||||
{
|
||||
S390X_AES_GCM_CTX *gctx = EVP_C_DATA(S390X_AES_GCM_CTX, ctx);
|
||||
- int keylen;
|
||||
+ const int keylen = EVP_CIPHER_CTX_key_length(ctx);
|
||||
|
||||
- if (iv == NULL && key == NULL)
|
||||
- return 1;
|
||||
+ gctx->fc = S390X_AES_FC(keylen) | (enc ? 0 : S390X_DECRYPT);
|
||||
|
||||
if (key != NULL) {
|
||||
- keylen = EVP_CIPHER_CTX_key_length(ctx);
|
||||
+ gctx->fc &= ~S390X_KMA_HS;
|
||||
memcpy(&gctx->kma.param.k, key, keylen);
|
||||
-
|
||||
- gctx->fc = S390X_AES_FC(keylen);
|
||||
- if (!enc)
|
||||
- gctx->fc |= S390X_DECRYPT;
|
||||
-
|
||||
- if (iv == NULL && gctx->iv_set)
|
||||
- iv = gctx->iv;
|
||||
-
|
||||
- if (iv != NULL) {
|
||||
- s390x_aes_gcm_setiv(gctx, iv);
|
||||
- gctx->iv_set = 1;
|
||||
- }
|
||||
gctx->key_set = 1;
|
||||
- } else {
|
||||
- if (gctx->key_set)
|
||||
- s390x_aes_gcm_setiv(gctx, iv);
|
||||
- else
|
||||
- memcpy(gctx->iv, iv, gctx->ivlen);
|
||||
-
|
||||
- gctx->iv_set = 1;
|
||||
+ }
|
||||
+ if (iv != NULL) {
|
||||
+ memcpy(gctx->iv, iv, gctx->ivlen);
|
||||
gctx->iv_gen = 0;
|
||||
+ gctx->iv_set = 1;
|
||||
}
|
||||
+
|
||||
+ if (gctx->key_set && gctx->iv_set)
|
||||
+ s390x_aes_gcm_setiv(gctx);
|
||||
+
|
||||
+ gctx->fc &= ~(S390X_KMA_LPC | S390X_KMA_LAAD);
|
||||
+ gctx->areslen = 0;
|
||||
+ gctx->mreslen = 0;
|
||||
+ gctx->kreslen = 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -1895,7 +1888,6 @@ static int s390x_aes_gcm_cipher(EVP_CIPH
|
||||
/* recall that we already did en-/decrypt gctx->mres
|
||||
* and returned it to caller... */
|
||||
OPENSSL_cleanse(tmp, gctx->mreslen);
|
||||
- gctx->iv_set = 0;
|
||||
|
||||
enc = EVP_CIPHER_CTX_encrypting(ctx);
|
||||
if (enc) {
|
||||
@@ -1929,8 +1921,8 @@ static int s390x_aes_gcm_cleanup(EVP_CIP
|
||||
}
|
||||
|
||||
# define S390X_AES_XTS_CTX EVP_AES_XTS_CTX
|
||||
-# define S390X_aes_128_xts_CAPABLE 1 /* checked by callee */
|
||||
-# define S390X_aes_256_xts_CAPABLE 1
|
||||
+# define S390X_aes_128_xts_CAPABLE 0 /* checked by callee */
|
||||
+# define S390X_aes_256_xts_CAPABLE 0
|
||||
|
||||
# define s390x_aes_xts_init_key aes_xts_init_key
|
||||
static int s390x_aes_xts_init_key(EVP_CIPHER_CTX *ctx,
|
||||
@@ -2134,9 +2126,10 @@ static int s390x_aes_ccm_tls_cipher(EVP_
|
||||
const unsigned char *in, size_t len)
|
||||
{
|
||||
S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
|
||||
- unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
|
||||
+ const unsigned char *ivec = EVP_CIPHER_CTX_iv(ctx);
|
||||
unsigned char *buf = EVP_CIPHER_CTX_buf_noconst(ctx);
|
||||
const int enc = EVP_CIPHER_CTX_encrypting(ctx);
|
||||
+ unsigned char iv[EVP_MAX_IV_LENGTH];
|
||||
|
||||
if (out != in
|
||||
|| len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->aes.ccm.m))
|
||||
@@ -2152,8 +2145,9 @@ static int s390x_aes_ccm_tls_cipher(EVP_
|
||||
* Get explicit iv (sequence number). We already have fixed iv
|
||||
* (server/client_write_iv) here.
|
||||
*/
|
||||
- memcpy(ivec + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
|
||||
- s390x_aes_ccm_setiv(cctx, ivec, len);
|
||||
+ memcpy(iv, ivec, sizeof(iv));
|
||||
+ memcpy(iv + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
|
||||
+ s390x_aes_ccm_setiv(cctx, iv, len);
|
||||
|
||||
/* Process aad (sequence number|type|version|length) */
|
||||
s390x_aes_ccm_aad(cctx, buf, cctx->aes.ccm.tls_aad_len);
|
||||
@@ -2180,42 +2174,34 @@ static int s390x_aes_ccm_tls_cipher(EVP_
|
||||
}
|
||||
|
||||
/*-
|
||||
- * Set key and flag field and/or iv. Returns 1 if successful. Otherwise 0 is
|
||||
- * returned.
|
||||
+ * Set key or iv or enc/dec. Returns 1 if successful.
|
||||
+ * Otherwise 0 is returned.
|
||||
*/
|
||||
static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx,
|
||||
const unsigned char *key,
|
||||
const unsigned char *iv, int enc)
|
||||
{
|
||||
S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
|
||||
- unsigned char *ivec;
|
||||
- int keylen;
|
||||
+ const int keylen = EVP_CIPHER_CTX_key_length(ctx);
|
||||
+ unsigned char *ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
|
||||
|
||||
- if (iv == NULL && key == NULL)
|
||||
- return 1;
|
||||
+ cctx->aes.ccm.fc = S390X_AES_FC(keylen);
|
||||
|
||||
if (key != NULL) {
|
||||
- keylen = EVP_CIPHER_CTX_key_length(ctx);
|
||||
- cctx->aes.ccm.fc = S390X_AES_FC(keylen);
|
||||
memcpy(cctx->aes.ccm.kmac_param.k, key, keylen);
|
||||
-
|
||||
- /* Store encoded m and l. */
|
||||
- cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
|
||||
- | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
|
||||
- memset(cctx->aes.ccm.nonce.b + 1, 0,
|
||||
- sizeof(cctx->aes.ccm.nonce.b));
|
||||
- cctx->aes.ccm.blocks = 0;
|
||||
-
|
||||
cctx->aes.ccm.key_set = 1;
|
||||
}
|
||||
-
|
||||
if (iv != NULL) {
|
||||
- ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
|
||||
memcpy(ivec, iv, 15 - cctx->aes.ccm.l);
|
||||
-
|
||||
cctx->aes.ccm.iv_set = 1;
|
||||
}
|
||||
+ /* Store encoded m and l. */
|
||||
+ cctx->aes.ccm.nonce.b[0] = ((cctx->aes.ccm.l - 1) & 0x7)
|
||||
+ | (((cctx->aes.ccm.m - 2) >> 1) & 0x7) << 3;
|
||||
+ memset(cctx->aes.ccm.nonce.b + 1, 0, sizeof(cctx->aes.ccm.nonce.b) - 1);
|
||||
|
||||
+ cctx->aes.ccm.blocks = 0;
|
||||
+ cctx->aes.ccm.len_set = 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -2230,8 +2216,9 @@ static int s390x_aes_ccm_cipher(EVP_CIPH
|
||||
{
|
||||
S390X_AES_CCM_CTX *cctx = EVP_C_DATA(S390X_AES_CCM_CTX, ctx);
|
||||
const int enc = EVP_CIPHER_CTX_encrypting(ctx);
|
||||
+ const unsigned char *ivec = EVP_CIPHER_CTX_iv(ctx);
|
||||
+ unsigned char *buf;
|
||||
int rv;
|
||||
- unsigned char *buf, *ivec;
|
||||
|
||||
if (!cctx->aes.ccm.key_set)
|
||||
return -1;
|
||||
@@ -2253,7 +2240,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPH
|
||||
if (out == NULL) {
|
||||
/* Update(): Pass message length. */
|
||||
if (in == NULL) {
|
||||
- ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
|
||||
s390x_aes_ccm_setiv(cctx, ivec, len);
|
||||
|
||||
cctx->aes.ccm.len_set = 1;
|
||||
@@ -2279,7 +2265,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPH
|
||||
* In case message length was not previously set explicitly via
|
||||
* Update(), set it now.
|
||||
*/
|
||||
- ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
|
||||
s390x_aes_ccm_setiv(cctx, ivec, len);
|
||||
|
||||
cctx->aes.ccm.len_set = 1;
|
||||
@@ -2304,9 +2289,6 @@ static int s390x_aes_ccm_cipher(EVP_CIPH
|
||||
if (rv == -1)
|
||||
OPENSSL_cleanse(out, len);
|
||||
|
||||
- cctx->aes.ccm.iv_set = 0;
|
||||
- cctx->aes.ccm.tag_set = 0;
|
||||
- cctx->aes.ccm.len_set = 0;
|
||||
return rv;
|
||||
}
|
||||
}
|
||||
@@ -2414,9 +2396,6 @@ static int s390x_aes_ccm_ctrl(EVP_CIPHER
|
||||
return 0;
|
||||
|
||||
memcpy(ptr, cctx->aes.ccm.kmac_param.icv.b, cctx->aes.ccm.m);
|
||||
- cctx->aes.ccm.tag_set = 0;
|
||||
- cctx->aes.ccm.iv_set = 0;
|
||||
- cctx->aes.ccm.len_set = 0;
|
||||
return 1;
|
||||
|
||||
case EVP_CTRL_COPY:
|
||||
@@ -2453,7 +2432,7 @@ static const EVP_CIPHER s390x_aes_##keyl
|
||||
nid##_##keylen##_##nmode,blocksize, \
|
||||
keylen / 8, \
|
||||
ivlen, \
|
||||
- flags | EVP_CIPH_##MODE##_MODE, \
|
||||
+ flags | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_##MODE##_MODE, \
|
||||
s390x_aes_##mode##_init_key, \
|
||||
s390x_aes_##mode##_cipher, \
|
||||
NULL, \
|
||||
@@ -2490,7 +2469,7 @@ static const EVP_CIPHER s390x_aes_##keyl
|
||||
blocksize, \
|
||||
(EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * keylen / 8, \
|
||||
ivlen, \
|
||||
- flags | EVP_CIPH_##MODE##_MODE, \
|
||||
+ flags | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_##MODE##_MODE, \
|
||||
s390x_aes_##mode##_init_key, \
|
||||
s390x_aes_##mode##_cipher, \
|
||||
s390x_aes_##mode##_cleanup, \
|
File diff suppressed because it is too large
Load Diff
|
@ -1,13 +1,6 @@
|
|||
diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl
|
||||
--- openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl 2019-05-06 10:54:00.035367605 +0200
|
||||
@@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
-# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
diff -up openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl
|
||||
--- openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl.s390x-update 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl 2020-03-19 16:45:05.483440129 +0100
|
||||
@@ -20,41 +20,53 @@
|
||||
#
|
||||
# 3 times faster than compiler-generated code.
|
||||
|
@ -472,7 +465,7 @@ diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1
|
|||
+ vsldb (@b[$_],@b[$_],@b[$_],$odd?12:4) for (0..5);
|
||||
+ vsldb (@d[$_],@d[$_],@d[$_],$odd?4:12) for (0..5);
|
||||
}
|
||||
-close STDOUT;
|
||||
-close STDOUT or die "error closing STDOUT: $!";
|
||||
+
|
||||
+PERLASM_BEGIN($output);
|
||||
+
|
||||
|
@ -1290,9 +1283,9 @@ diff -up openssl-1.1.1b/crypto/chacha/asm/chacha-s390x.pl.s390x-update openssl-1
|
|||
+ALIGN (4);
|
||||
+
|
||||
+PERLASM_END();
|
||||
diff -up openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1b/crypto/perlasm/s390x.pm
|
||||
--- openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update 2019-05-06 10:54:00.037367571 +0200
|
||||
+++ openssl-1.1.1b/crypto/perlasm/s390x.pm 2019-05-06 10:54:00.038367554 +0200
|
||||
diff -up openssl-1.1.1e/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1e/crypto/perlasm/s390x.pm
|
||||
--- openssl-1.1.1e/crypto/perlasm/s390x.pm.s390x-update 2020-03-19 16:20:22.039227394 +0100
|
||||
+++ openssl-1.1.1e/crypto/perlasm/s390x.pm 2020-03-19 16:20:22.039227394 +0100
|
||||
@@ -0,0 +1,3060 @@
|
||||
+#!/usr/bin/env perl
|
||||
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
@ -4354,9 +4347,9 @@ diff -up openssl-1.1.1b/crypto/perlasm/s390x.pm.s390x-update openssl-1.1.1b/cryp
|
|||
+}
|
||||
+
|
||||
+1;
|
||||
diff -up openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl
|
||||
--- openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update 2019-02-26 15:15:30.000000000 +0100
|
||||
+++ openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl 2019-05-06 10:54:00.036367588 +0200
|
||||
diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl
|
||||
--- openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update 2020-03-19 16:20:22.041227359 +0100
|
||||
+++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-s390x.pl 2020-03-19 16:23:22.364098257 +0100
|
||||
@@ -24,204 +24,961 @@
|
||||
#
|
||||
# On side note, z13 enables vector base 2^26 implementation...
|
||||
|
@ -5494,11 +5487,11 @@ diff -up openssl-1.1.1b/crypto/poly1305/asm/poly1305-s390x.pl.s390x-update opens
|
|||
+STRING ("\"Poly1305 for s390x, CRYPTOGAMS by <appro\@openssl.org>\"");
|
||||
|
||||
-print $code;
|
||||
-close STDOUT;
|
||||
-close STDOUT or die "error closing STDOUT: $!";
|
||||
+PERLASM_END();
|
||||
diff -up openssl-1.1.1b/crypto/poly1305/build.info.s390x-update openssl-1.1.1b/crypto/poly1305/build.info
|
||||
--- openssl-1.1.1b/crypto/poly1305/build.info.s390x-update 2019-05-06 10:54:00.036367588 +0200
|
||||
+++ openssl-1.1.1b/crypto/poly1305/build.info 2019-05-06 10:56:14.964105164 +0200
|
||||
diff -up openssl-1.1.1e/crypto/poly1305/build.info.s390x-update openssl-1.1.1e/crypto/poly1305/build.info
|
||||
--- openssl-1.1.1e/crypto/poly1305/build.info.s390x-update 2020-03-17 15:31:17.000000000 +0100
|
||||
+++ openssl-1.1.1e/crypto/poly1305/build.info 2020-03-19 16:20:22.042227342 +0100
|
||||
@@ -18,6 +18,7 @@ INCLUDE[poly1305-armv8.o]=..
|
||||
GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME)
|
||||
INCLUDE[poly1305-mips.o]=..
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
|
||||
--- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
|
||||
+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-10-01 14:34:43.083145020 +0200
|
||||
@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
|
||||
diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
|
||||
--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2020-06-05 17:16:54.835536823 +0200
|
||||
@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
|
||||
}
|
||||
|
||||
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
|
||||
|
@ -9,20 +9,23 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509
|
|||
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
|
||||
|
||||
/*
|
||||
@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT
|
||||
@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
|
||||
|
||||
if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
|
||||
return 0;
|
||||
-
|
||||
- return secbits >= minbits_table[level - 1];
|
||||
+ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */
|
||||
+ if (FIPS_mode())
|
||||
+ /*
|
||||
+ * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
|
||||
+ * disable SHA1 flag is not set.
|
||||
+ */
|
||||
+ if ((ctx->param->flags & 0x40000000) || FIPS_mode())
|
||||
+ return secbits >= minbits_table[level - 1];
|
||||
+ return secbits >= minbits_digest_table[level - 1];
|
||||
}
|
||||
diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
|
||||
--- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
|
||||
+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-10-01 14:34:43.083145020 +0200
|
||||
diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
|
||||
--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod 2020-06-04 15:48:01.608178833 +0200
|
||||
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
|
||||
|
||||
=item B<Level 2>
|
||||
|
@ -36,23 +39,115 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-
|
|||
In addition to the level 1 exclusions any cipher suite using RC4 is also
|
||||
prohibited. SSL version 3 is also not allowed. Compression is disabled.
|
||||
|
||||
diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
|
||||
--- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
|
||||
+++ openssl-1.1.1/ssl/ssl_cert.c 2018-10-12 15:29:12.673799305 +0200
|
||||
@@ -983,6 +983,9 @@ static int ssl_security_default_callback
|
||||
diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
|
||||
--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/ssl/ssl_cert.c 2020-06-05 17:10:11.842198401 +0200
|
||||
@@ -27,6 +27,7 @@
|
||||
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
|
||||
int op, int bits, int nid, void *other,
|
||||
void *ex);
|
||||
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
|
||||
|
||||
static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
|
||||
static volatile int ssl_x509_store_ctx_idx = -1;
|
||||
@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
|
||||
X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
|
||||
|
||||
/* Set suite B flags if needed */
|
||||
- X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
|
||||
+ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
|
||||
if (!X509_STORE_CTX_set_ex_data
|
||||
(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
|
||||
goto end;
|
||||
@@ -953,12 +954,33 @@ static int ssl_security_default_callback
|
||||
return 0;
|
||||
break;
|
||||
default:
|
||||
+ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
|
||||
+ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode())
|
||||
+ if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
|
||||
+ break;
|
||||
if (bits < minbits)
|
||||
return 0;
|
||||
}
|
||||
diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
|
||||
--- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200
|
||||
+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-10-01 14:34:43.084145044 +0200
|
||||
@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
|
||||
+{
|
||||
+ unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
|
||||
+ const CERT *c;
|
||||
+
|
||||
+ if (FIPS_mode())
|
||||
+ return ret;
|
||||
+
|
||||
+ if (ctx != NULL) {
|
||||
+ c = ctx->cert;
|
||||
+ } else {
|
||||
+ c = s->cert;
|
||||
+ }
|
||||
+ if (tls1_cert_sigalgs_have_sha1(c))
|
||||
+ return 0;
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
|
||||
{
|
||||
return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
|
||||
diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
|
||||
--- openssl-1.1.1g/ssl/ssl_local.h.seclevel 2020-06-04 15:48:01.602178783 +0200
|
||||
+++ openssl-1.1.1g/ssl/ssl_local.h 2020-06-05 17:02:22.666313410 +0200
|
||||
@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
|
||||
__owur int tls1_process_sigalgs(SSL *s);
|
||||
__owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
|
||||
__owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
|
||||
+int tls1_cert_sigalgs_have_sha1(const CERT *c);
|
||||
__owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
|
||||
# ifndef OPENSSL_NO_EC
|
||||
__owur int tls_check_sigalg_curve(const SSL *s, int curve);
|
||||
diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
|
||||
--- openssl-1.1.1g/ssl/t1_lib.c.seclevel 2020-06-04 15:48:01.654179221 +0200
|
||||
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-05 17:02:40.268459157 +0200
|
||||
@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
|
||||
+{
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < sigalgslen; i++, sigalgs++) {
|
||||
+ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
|
||||
+
|
||||
+ if (lu == NULL)
|
||||
+ continue;
|
||||
+ if (lu->hash == NID_sha1)
|
||||
+ return 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+int tls1_cert_sigalgs_have_sha1(const CERT *c)
|
||||
+{
|
||||
+ if (c->client_sigalgs != NULL) {
|
||||
+ if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
|
||||
+ return 1;
|
||||
+ }
|
||||
+ if (c->conf_sigalgs != NULL) {
|
||||
+ if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
|
||||
+ return 1;
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
|
||||
{
|
||||
int sig_nid, use_pc_sigalgs = 0;
|
||||
diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
|
||||
--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel 2020-04-21 14:22:39.000000000 +0200
|
||||
+++ openssl-1.1.1g/test/recipes/25-test_verify.t 2020-06-04 15:48:01.608178833 +0200
|
||||
@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
|
||||
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
|
||||
"CA with PSS signature using SHA256");
|
||||
|
||||
|
|
|
@ -0,0 +1,108 @@
|
|||
diff -up openssl-1.1.1k/ssl/statem/statem_lib.c.servername-cb openssl-1.1.1k/ssl/statem/statem_lib.c
|
||||
--- openssl-1.1.1k/ssl/statem/statem_lib.c.servername-cb 2021-07-16 16:03:04.200024170 +0200
|
||||
+++ openssl-1.1.1k/ssl/statem/statem_lib.c 2021-07-16 16:08:04.076630415 +0200
|
||||
@@ -1504,8 +1504,8 @@ static int ssl_method_error(const SSL *s
|
||||
|
||||
/*
|
||||
* Only called by servers. Returns 1 if the server has a TLSv1.3 capable
|
||||
- * certificate type, or has PSK or a certificate callback configured, or has
|
||||
- * a servername callback configured. Otherwise returns 0.
|
||||
+ * certificate type, or has PSK or a certificate callback configured. Otherwise
|
||||
+ * returns 0.
|
||||
*/
|
||||
static int is_tls13_capable(const SSL *s)
|
||||
{
|
||||
@@ -1515,17 +1515,6 @@ static int is_tls13_capable(const SSL *s
|
||||
EC_KEY *eckey;
|
||||
#endif
|
||||
|
||||
- if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
|
||||
- return 0;
|
||||
-
|
||||
- /*
|
||||
- * A servername callback can change the available certs, so if a servername
|
||||
- * cb is set then we just assume TLSv1.3 will be ok
|
||||
- */
|
||||
- if (s->ctx->ext.servername_cb != NULL
|
||||
- || s->session_ctx->ext.servername_cb != NULL)
|
||||
- return 1;
|
||||
-
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
if (s->psk_server_callback != NULL)
|
||||
return 1;
|
||||
diff -up openssl-1.1.1k/test/sslapitest.c.servername-cb openssl-1.1.1k/test/sslapitest.c
|
||||
--- openssl-1.1.1k/test/sslapitest.c.servername-cb 2021-07-16 16:08:20.094823046 +0200
|
||||
+++ openssl-1.1.1k/test/sslapitest.c 2021-07-16 16:09:25.708612095 +0200
|
||||
@@ -6658,62 +6658,6 @@ static int test_ssl_dup(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
-#ifndef OPENSSL_NO_TLS1_3
|
||||
-/*
|
||||
- * Test that setting an SNI callback works with TLSv1.3. Specifically we check
|
||||
- * that it works even without a certificate configured for the original
|
||||
- * SSL_CTX
|
||||
- */
|
||||
-static int test_sni_tls13(void)
|
||||
-{
|
||||
- SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
|
||||
- SSL *clientssl = NULL, *serverssl = NULL;
|
||||
- int testresult = 0;
|
||||
-
|
||||
- /* Reset callback counter */
|
||||
- snicb = 0;
|
||||
-
|
||||
- /* Create an initial SSL_CTX with no certificate configured */
|
||||
- sctx = SSL_CTX_new(TLS_server_method());
|
||||
- if (!TEST_ptr(sctx))
|
||||
- goto end;
|
||||
- /* Require TLSv1.3 as a minimum */
|
||||
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
|
||||
- TLS1_3_VERSION, 0, &sctx2, &cctx, cert,
|
||||
- privkey)))
|
||||
- goto end;
|
||||
-
|
||||
- /* Set up SNI */
|
||||
- if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
|
||||
- || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
|
||||
- goto end;
|
||||
-
|
||||
- /*
|
||||
- * Connection should still succeed because the final SSL_CTX has the right
|
||||
- * certificates configured.
|
||||
- */
|
||||
- if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
|
||||
- &clientssl, NULL, NULL))
|
||||
- || !TEST_true(create_ssl_connection(serverssl, clientssl,
|
||||
- SSL_ERROR_NONE)))
|
||||
- goto end;
|
||||
-
|
||||
- /* We should have had the SNI callback called exactly once */
|
||||
- if (!TEST_int_eq(snicb, 1))
|
||||
- goto end;
|
||||
-
|
||||
- testresult = 1;
|
||||
-
|
||||
-end:
|
||||
- SSL_free(serverssl);
|
||||
- SSL_free(clientssl);
|
||||
- SSL_CTX_free(sctx2);
|
||||
- SSL_CTX_free(sctx);
|
||||
- SSL_CTX_free(cctx);
|
||||
- return testresult;
|
||||
-}
|
||||
-#endif
|
||||
-
|
||||
int setup_tests(void)
|
||||
{
|
||||
if (!TEST_ptr(certsdir = test_get_argument(0))
|
||||
@@ -6837,9 +6781,6 @@ int setup_tests(void)
|
||||
#ifndef OPENSSL_NO_TLS1_2
|
||||
ADD_TEST(test_ssl_dup);
|
||||
#endif
|
||||
-#ifndef OPENSSL_NO_TLS1_3
|
||||
- ADD_TEST(test_sni_tls13);
|
||||
-#endif
|
||||
return 1;
|
||||
}
|
||||
|
|
@ -51,10 +51,10 @@ index 05f5cec3a9..811fe727f6 100644
|
|||
};
|
||||
|
||||
DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
|
||||
diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h
|
||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
||||
index a109e561b3..8c313c65ac 100644
|
||||
--- a/crypto/include/internal/evp_int.h
|
||||
+++ b/crypto/include/internal/evp_int.h
|
||||
--- a/include/crypto/evp.h
|
||||
+++ b/include/crypto/evp.h
|
||||
@@ -129,6 +129,7 @@ extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
|
||||
extern const EVP_KDF_METHOD scrypt_kdf_meth;
|
||||
extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
|
||||
|
@ -119,7 +119,7 @@ index 0000000000..24f37cbed4
|
|||
+#include <openssl/evp.h>
|
||||
+#include <openssl/kdf.h>
|
||||
+#include "internal/cryptlib.h"
|
||||
+#include "internal/evp_int.h"
|
||||
+#include "crypto/evp.h"
|
||||
+#include "kdf_local.h"
|
||||
+
|
||||
+/* See RFC 4253, Section 7.2 */
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
diff -up openssl-1.1.1g/ssl/ssl_local.h.tls13-curves openssl-1.1.1g/ssl/ssl_local.h
|
||||
--- openssl-1.1.1g/ssl/ssl_local.h.tls13-curves 2021-04-26 17:11:17.851072025 +0200
|
||||
+++ openssl-1.1.1g/ssl/ssl_local.h 2021-04-26 17:12:11.551756124 +0200
|
||||
@@ -1517,6 +1517,7 @@ typedef struct tls_group_info_st {
|
||||
# define TLS_CURVE_CHAR2 0x1
|
||||
# define TLS_CURVE_CUSTOM 0x2
|
||||
# define TLS_CURVE_FIPS 0x80
|
||||
+# define TLS_CURVE_TLS1_3 0x100
|
||||
|
||||
typedef struct cert_pkey_st CERT_PKEY;
|
||||
|
||||
diff -up openssl-1.1.1g/ssl/t1_lib.c.tls13-curves openssl-1.1.1g/ssl/t1_lib.c
|
||||
--- openssl-1.1.1g/ssl/t1_lib.c.tls13-curves 2021-04-26 17:11:30.237999157 +0200
|
||||
+++ openssl-1.1.1g/ssl/t1_lib.c 2021-04-26 17:13:51.161170191 +0200
|
||||
@@ -161,14 +161,14 @@ static const TLS_GROUP_INFO nid_list[] =
|
||||
{NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
|
||||
{NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */
|
||||
{NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
|
||||
- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */
|
||||
- {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */
|
||||
- {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */
|
||||
+ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp256r1 (23) */
|
||||
+ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp384r1 (24) */
|
||||
+ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS | TLS_CURVE_TLS1_3}, /* secp521r1 (25) */
|
||||
{NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
|
||||
{NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
|
||||
{NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
|
||||
- {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM}, /* X25519 (29) */
|
||||
- {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM}, /* X448 (30) */
|
||||
+ {EVP_PKEY_X25519, 128, TLS_CURVE_CUSTOM | TLS_CURVE_TLS1_3}, /* X25519 (29) */
|
||||
+ {EVP_PKEY_X448, 224, TLS_CURVE_CUSTOM | TLS_CURVE_TLS1_3}, /* X448 (30) */
|
||||
};
|
||||
|
||||
static const unsigned char ecformats_default[] = {
|
||||
@@ -260,6 +260,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
|
||||
# endif
|
||||
if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))
|
||||
return 0;
|
||||
+ if (s->version >= TLS1_3_VERSION && !(cinfo->flags & TLS_CURVE_TLS1_3))
|
||||
+ return 0;
|
||||
ctmp[0] = curve >> 8;
|
||||
ctmp[1] = curve & 0xff;
|
||||
return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
|
|
@ -1,8 +1,17 @@
|
|||
diff --git a/apps/ts.c b/apps/ts.c
|
||||
index 63c5210183..4ef8a72eef 100644
|
||||
--- a/apps/ts.c
|
||||
+++ b/apps/ts.c
|
||||
@@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
|
||||
diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf
|
||||
--- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default 2020-11-06 11:07:28.850100899 +0100
|
||||
+++ openssl-1.1.1h/apps/openssl.cnf 2020-11-06 11:11:28.042913791 +0100
|
||||
@@ -364,5 +348,5 @@ tsa_name = yes # Must the TSA name be i
|
||||
# (optional, default: no)
|
||||
ess_cert_id_chain = no # Must the ESS cert id chain be included?
|
||||
# (optional, default: no)
|
||||
-ess_cert_id_alg = sha1 # algorithm to compute certificate
|
||||
+ess_cert_id_alg = sha256 # algorithm to compute certificate
|
||||
# identifier (optional, default: sha1)
|
||||
diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
|
||||
--- openssl-1.1.1h/apps/ts.c.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
|
||||
+++ openssl-1.1.1h/apps/ts.c 2020-11-06 11:07:28.883101220 +0100
|
||||
@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
|
||||
ASN1_OBJECT *policy_obj = NULL;
|
||||
ASN1_INTEGER *nonce_asn1 = NULL;
|
||||
|
||||
|
@ -11,11 +20,22 @@ index 63c5210183..4ef8a72eef 100644
|
|||
goto err;
|
||||
if ((ts_req = TS_REQ_new()) == NULL)
|
||||
goto err;
|
||||
diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
|
||||
index 078905a845..83b8fe4350 100644
|
||||
--- a/doc/man1/ts.pod
|
||||
+++ b/doc/man1/ts.pod
|
||||
@@ -517,7 +517,7 @@ included. Default is no. (Optional)
|
||||
diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c
|
||||
--- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default 2020-11-06 12:03:51.226372867 +0100
|
||||
+++ openssl-1.1.1h/crypto/ts/ts_conf.c 2020-11-06 12:04:01.713488990 +0100
|
||||
@@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF
|
||||
const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
|
||||
|
||||
if (md == NULL)
|
||||
- md = "sha1";
|
||||
+ md = "sha256";
|
||||
|
||||
cert_md = EVP_get_digestbyname(md);
|
||||
if (cert_md == NULL) {
|
||||
diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
|
||||
--- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
|
||||
+++ openssl-1.1.1h/doc/man1/ts.pod 2020-11-06 11:07:28.883101220 +0100
|
||||
@@ -518,7 +518,7 @@ included. Default is no. (Optional)
|
||||
=item B<ess_cert_id_alg>
|
||||
|
||||
This option specifies the hash function to be used to calculate the TSA's
|
||||
|
@ -24,21 +44,21 @@ index 078905a845..83b8fe4350 100644
|
|||
|
||||
=back
|
||||
|
||||
@@ -529,7 +529,7 @@ openssl/apps/openssl.cnf will do.
|
||||
@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
|
||||
|
||||
=head2 Time Stamp Request
|
||||
|
||||
-To create a time stamp request for design1.txt with SHA-1
|
||||
+To create a time stamp request for design1.txt with SHA-256
|
||||
-To create a timestamp request for design1.txt with SHA-1
|
||||
+To create a timestamp request for design1.txt with SHA-256
|
||||
without nonce and policy and no certificate is required in the response:
|
||||
|
||||
openssl ts -query -data design1.txt -no_nonce \
|
||||
@@ -545,12 +545,12 @@ To print the content of the previous request in human readable format:
|
||||
@@ -546,12 +546,12 @@ To print the content of the previous req
|
||||
|
||||
openssl ts -query -in design1.tsq -text
|
||||
|
||||
-To create a time stamp request which includes the MD-5 digest
|
||||
+To create a time stamp request which includes the SHA-512 digest
|
||||
-To create a timestamp request which includes the MD-5 digest
|
||||
+To create a timestamp request which includes the SHA-512 digest
|
||||
of design2.txt, requests the signer certificate and nonce,
|
||||
specifies a policy id (assuming the tsa_policy1 name is defined in the
|
||||
OID section of the config file):
|
||||
|
|
|
@ -1,446 +0,0 @@
|
|||
diff -up openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync openssl-1.1.1c/crypto/dsa/dsa_ameth.c
|
||||
--- openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/crypto/dsa/dsa_ameth.c 2019-05-29 17:10:39.768187283 +0200
|
||||
@@ -503,7 +503,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey,
|
||||
|
||||
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
|
||||
*(int *)arg2 = NID_sha256;
|
||||
- return 2;
|
||||
+ return 1;
|
||||
|
||||
default:
|
||||
return -2;
|
||||
diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
|
||||
--- openssl-1.1.1c/crypto/err/err.c.sync 2019-05-28 15:12:21.000000000 +0200
|
||||
+++ openssl-1.1.1c/crypto/err/err.c 2019-05-29 17:07:13.345793792 +0200
|
||||
@@ -184,8 +184,8 @@ static ERR_STRING_DATA *int_err_get_item
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
-/* A measurement on Linux 2018-11-21 showed about 3.5kib */
|
||||
-# define SPACE_SYS_STR_REASONS 4 * 1024
|
||||
+/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
|
||||
+# define SPACE_SYS_STR_REASONS 8 * 1024
|
||||
# define NUM_SYS_STR_REASONS 127
|
||||
|
||||
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
|
||||
@@ -219,21 +219,23 @@ static void build_SYS_str_reasons(void)
|
||||
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
|
||||
|
||||
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
|
||||
- if (str->string == NULL) {
|
||||
+ /*
|
||||
+ * If we have used up all the space in strerror_pool,
|
||||
+ * there's no point in calling openssl_strerror_r()
|
||||
+ */
|
||||
+ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
|
||||
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
|
||||
size_t l = strlen(cur);
|
||||
|
||||
str->string = cur;
|
||||
cnt += l;
|
||||
- if (cnt > sizeof(strerror_pool))
|
||||
- cnt = sizeof(strerror_pool);
|
||||
cur += l;
|
||||
|
||||
/*
|
||||
* VMS has an unusual quirk of adding spaces at the end of
|
||||
- * some (most? all?) messages. Lets trim them off.
|
||||
+ * some (most? all?) messages. Lets trim them off.
|
||||
*/
|
||||
- while (ossl_isspace(cur[-1])) {
|
||||
+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
|
||||
cur--;
|
||||
cnt--;
|
||||
}
|
||||
diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.sync openssl-1.1.1c/crypto/rand/rand_lib.c
|
||||
--- openssl-1.1.1c/crypto/rand/rand_lib.c.sync 2019-05-29 17:20:17.175099183 +0200
|
||||
+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-05-30 11:51:20.784850208 +0200
|
||||
@@ -239,8 +239,9 @@ size_t rand_drbg_get_nonce(RAND_DRBG *dr
|
||||
struct {
|
||||
void * instance;
|
||||
int count;
|
||||
- } data = { NULL, 0 };
|
||||
+ } data;
|
||||
|
||||
+ memset(&data, 0, sizeof(data));
|
||||
pool = rand_pool_new(0, min_len, max_len);
|
||||
if (pool == NULL)
|
||||
return 0;
|
||||
From 6c2f347c78a530407b5310497080810094427920 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Wed, 17 Apr 2019 11:09:05 +0100
|
||||
Subject: [PATCH 1/2] Defer sending a KeyUpdate until after pending writes are
|
||||
complete
|
||||
|
||||
If we receive a KeyUpdate message (update requested) from the peer while
|
||||
we are in the middle of a write, we should defer sending the responding
|
||||
KeyUpdate message until after the current write is complete. We do this
|
||||
by waiting to send the KeyUpdate until the next time we write and there is
|
||||
no pending write data.
|
||||
|
||||
This does imply a subtle change in behaviour. Firstly the responding
|
||||
KeyUpdate message won't be sent straight away as it is now. Secondly if
|
||||
the peer sends multiple KeyUpdates without us doing any writing then we
|
||||
will only send one response, as opposed to previously where we sent a
|
||||
response for each KeyUpdate received.
|
||||
|
||||
Fixes #8677
|
||||
|
||||
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
|
||||
(Merged from https://github.com/openssl/openssl/pull/8773)
|
||||
|
||||
(cherry picked from commit feb9e31c40c49de6384dd0413685e9b5a15adc99)
|
||||
---
|
||||
ssl/record/rec_layer_s3.c | 7 +++++++
|
||||
ssl/statem/statem_clnt.c | 6 ------
|
||||
ssl/statem/statem_lib.c | 7 ++-----
|
||||
ssl/statem/statem_srvr.c | 6 ------
|
||||
4 files changed, 9 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
|
||||
index b2f97ef905..b65137c332 100644
|
||||
--- a/ssl/record/rec_layer_s3.c
|
||||
+++ b/ssl/record/rec_layer_s3.c
|
||||
@@ -373,6 +373,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
|
||||
|
||||
s->rlayer.wnum = 0;
|
||||
|
||||
+ /*
|
||||
+ * If we are supposed to be sending a KeyUpdate then go into init unless we
|
||||
+ * have writes pending - in which case we should finish doing that first.
|
||||
+ */
|
||||
+ if (wb->left == 0 && s->key_update != SSL_KEY_UPDATE_NONE)
|
||||
+ ossl_statem_set_in_init(s, 1);
|
||||
+
|
||||
/*
|
||||
* When writing early data on the server side we could be "in_init" in
|
||||
* between receiving the EoED and the CF - but we don't want to handle those
|
||||
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
|
||||
index 87800cd835..6410414fb6 100644
|
||||
--- a/ssl/statem/statem_clnt.c
|
||||
+++ b/ssl/statem/statem_clnt.c
|
||||
@@ -473,12 +473,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
|
||||
return WRITE_TRAN_CONTINUE;
|
||||
|
||||
case TLS_ST_CR_KEY_UPDATE:
|
||||
- if (s->key_update != SSL_KEY_UPDATE_NONE) {
|
||||
- st->hand_state = TLS_ST_CW_KEY_UPDATE;
|
||||
- return WRITE_TRAN_CONTINUE;
|
||||
- }
|
||||
- /* Fall through */
|
||||
-
|
||||
case TLS_ST_CW_KEY_UPDATE:
|
||||
case TLS_ST_CR_SESSION_TICKET:
|
||||
case TLS_ST_CW_FINISHED:
|
||||
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
|
||||
index c0482b0a90..2960dafa52 100644
|
||||
--- a/ssl/statem/statem_lib.c
|
||||
+++ b/ssl/statem/statem_lib.c
|
||||
@@ -645,12 +645,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
|
||||
/*
|
||||
* If we get a request for us to update our sending keys too then, we need
|
||||
* to additionally send a KeyUpdate message. However that message should
|
||||
- * not also request an update (otherwise we get into an infinite loop). We
|
||||
- * ignore a request for us to update our sending keys too if we already
|
||||
- * sent close_notify.
|
||||
+ * not also request an update (otherwise we get into an infinite loop).
|
||||
*/
|
||||
- if (updatetype == SSL_KEY_UPDATE_REQUESTED
|
||||
- && (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
|
||||
+ if (updatetype == SSL_KEY_UPDATE_REQUESTED)
|
||||
s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
|
||||
|
||||
if (!tls13_update_key(s, 0)) {
|
||||
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
|
||||
index d454326a99..04a23320fc 100644
|
||||
--- a/ssl/statem/statem_srvr.c
|
||||
+++ b/ssl/statem/statem_srvr.c
|
||||
@@ -502,12 +502,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
|
||||
return WRITE_TRAN_CONTINUE;
|
||||
|
||||
case TLS_ST_SR_KEY_UPDATE:
|
||||
- if (s->key_update != SSL_KEY_UPDATE_NONE) {
|
||||
- st->hand_state = TLS_ST_SW_KEY_UPDATE;
|
||||
- return WRITE_TRAN_CONTINUE;
|
||||
- }
|
||||
- /* Fall through */
|
||||
-
|
||||
case TLS_ST_SW_KEY_UPDATE:
|
||||
st->hand_state = TLS_ST_OK;
|
||||
return WRITE_TRAN_CONTINUE;
|
||||
--
|
||||
2.20.1
|
||||
|
||||
From c8feb1039ccc4cd11e6db084df1446bf863bee1e Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Wed, 17 Apr 2019 10:30:53 +0100
|
||||
Subject: [PATCH 2/2] Write a test for receiving a KeyUpdate (update requested)
|
||||
while writing
|
||||
|
||||
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
|
||||
(Merged from https://github.com/openssl/openssl/pull/8773)
|
||||
|
||||
(cherry picked from commit a77b4dba237d001073d2d1c5d55c674a196c949f)
|
||||
---
|
||||
test/sslapitest.c | 92 +++++++++++++++++++++++++++++++++++++++++++++
|
||||
test/ssltestlib.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++
|
||||
test/ssltestlib.h | 3 ++
|
||||
3 files changed, 191 insertions(+)
|
||||
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index 2261fe4a7a..577342644d 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -4290,6 +4290,11 @@ static int test_key_update(void)
|
||||
|| !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
|
||||
strlen(mess)))
|
||||
goto end;
|
||||
+
|
||||
+ if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
|
||||
+ || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
|
||||
+ strlen(mess)))
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
testresult = 1;
|
||||
@@ -4302,6 +4307,91 @@ static int test_key_update(void)
|
||||
|
||||
return testresult;
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * Test we can handle a KeyUpdate (update requested) message while write data
|
||||
+ * is pending.
|
||||
+ * Test 0: Client sends KeyUpdate while Server is writing
|
||||
+ * Test 1: Server sends KeyUpdate while Client is writing
|
||||
+ */
|
||||
+static int test_key_update_in_write(int tst)
|
||||
+{
|
||||
+ SSL_CTX *cctx = NULL, *sctx = NULL;
|
||||
+ SSL *clientssl = NULL, *serverssl = NULL;
|
||||
+ int testresult = 0;
|
||||
+ char buf[20];
|
||||
+ static char *mess = "A test message";
|
||||
+ BIO *bretry = BIO_new(bio_s_always_retry());
|
||||
+ BIO *tmp = NULL;
|
||||
+ SSL *peerupdate = NULL, *peerwrite = NULL;
|
||||
+
|
||||
+ if (!TEST_ptr(bretry)
|
||||
+ || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
|
||||
+ TLS_client_method(),
|
||||
+ TLS1_3_VERSION,
|
||||
+ 0,
|
||||
+ &sctx, &cctx, cert, privkey))
|
||||
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
|
||||
+ NULL, NULL))
|
||||
+ || !TEST_true(create_ssl_connection(serverssl, clientssl,
|
||||
+ SSL_ERROR_NONE)))
|
||||
+ goto end;
|
||||
+
|
||||
+ peerupdate = tst == 0 ? clientssl : serverssl;
|
||||
+ peerwrite = tst == 0 ? serverssl : clientssl;
|
||||
+
|
||||
+ if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
|
||||
+ || !TEST_true(SSL_do_handshake(peerupdate)))
|
||||
+ goto end;
|
||||
+
|
||||
+ /* Swap the writing endpoint's write BIO to force a retry */
|
||||
+ tmp = SSL_get_wbio(peerwrite);
|
||||
+ if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
|
||||
+ tmp = NULL;
|
||||
+ goto end;
|
||||
+ }
|
||||
+ SSL_set0_wbio(peerwrite, bretry);
|
||||
+ bretry = NULL;
|
||||
+
|
||||
+ /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
|
||||
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
|
||||
+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
|
||||
+ goto end;
|
||||
+
|
||||
+ /* Reinstate the original writing endpoint's write BIO */
|
||||
+ SSL_set0_wbio(peerwrite, tmp);
|
||||
+ tmp = NULL;
|
||||
+
|
||||
+ /* Now read some data - we will read the key update */
|
||||
+ if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
|
||||
+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
|
||||
+ goto end;
|
||||
+
|
||||
+ /*
|
||||
+ * Complete the write we started previously and read it from the other
|
||||
+ * endpoint
|
||||
+ */
|
||||
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
|
||||
+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
|
||||
+ goto end;
|
||||
+
|
||||
+ /* Write more data to ensure we send the KeyUpdate message back */
|
||||
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
|
||||
+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
|
||||
+ goto end;
|
||||
+
|
||||
+ testresult = 1;
|
||||
+
|
||||
+ end:
|
||||
+ SSL_free(serverssl);
|
||||
+ SSL_free(clientssl);
|
||||
+ SSL_CTX_free(sctx);
|
||||
+ SSL_CTX_free(cctx);
|
||||
+ BIO_free(bretry);
|
||||
+ BIO_free(tmp);
|
||||
+
|
||||
+ return testresult;
|
||||
+}
|
||||
#endif /* OPENSSL_NO_TLS1_3 */
|
||||
|
||||
static int test_ssl_clear(int idx)
|
||||
@@ -5982,6 +6072,7 @@ int setup_tests(void)
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
ADD_ALL_TESTS(test_export_key_mat_early, 3);
|
||||
ADD_TEST(test_key_update);
|
||||
+ ADD_ALL_TESTS(test_key_update_in_write, 2);
|
||||
#endif
|
||||
ADD_ALL_TESTS(test_ssl_clear, 2);
|
||||
ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
|
||||
@@ -6002,4 +6093,5 @@ int setup_tests(void)
|
||||
void cleanup_tests(void)
|
||||
{
|
||||
bio_s_mempacket_test_free();
|
||||
+ bio_s_always_retry_free();
|
||||
}
|
||||
diff --git a/test/ssltestlib.c b/test/ssltestlib.c
|
||||
index 05139be750..e1038620ac 100644
|
||||
--- a/test/ssltestlib.c
|
||||
+++ b/test/ssltestlib.c
|
||||
@@ -62,9 +62,11 @@ static int tls_dump_puts(BIO *bp, const char *str);
|
||||
/* Choose a sufficiently large type likely to be unused for this custom BIO */
|
||||
#define BIO_TYPE_TLS_DUMP_FILTER (0x80 | BIO_TYPE_FILTER)
|
||||
#define BIO_TYPE_MEMPACKET_TEST 0x81
|
||||
+#define BIO_TYPE_ALWAYS_RETRY 0x82
|
||||
|
||||
static BIO_METHOD *method_tls_dump = NULL;
|
||||
static BIO_METHOD *meth_mem = NULL;
|
||||
+static BIO_METHOD *meth_always_retry = NULL;
|
||||
|
||||
/* Note: Not thread safe! */
|
||||
const BIO_METHOD *bio_f_tls_dump_filter(void)
|
||||
@@ -612,6 +614,100 @@ static int mempacket_test_puts(BIO *bio, const char *str)
|
||||
return mempacket_test_write(bio, str, strlen(str));
|
||||
}
|
||||
|
||||
+static int always_retry_new(BIO *bi);
|
||||
+static int always_retry_free(BIO *a);
|
||||
+static int always_retry_read(BIO *b, char *out, int outl);
|
||||
+static int always_retry_write(BIO *b, const char *in, int inl);
|
||||
+static long always_retry_ctrl(BIO *b, int cmd, long num, void *ptr);
|
||||
+static int always_retry_gets(BIO *bp, char *buf, int size);
|
||||
+static int always_retry_puts(BIO *bp, const char *str);
|
||||
+
|
||||
+const BIO_METHOD *bio_s_always_retry(void)
|
||||
+{
|
||||
+ if (meth_always_retry == NULL) {
|
||||
+ if (!TEST_ptr(meth_always_retry = BIO_meth_new(BIO_TYPE_ALWAYS_RETRY,
|
||||
+ "Always Retry"))
|
||||
+ || !TEST_true(BIO_meth_set_write(meth_always_retry,
|
||||
+ always_retry_write))
|
||||
+ || !TEST_true(BIO_meth_set_read(meth_always_retry,
|
||||
+ always_retry_read))
|
||||
+ || !TEST_true(BIO_meth_set_puts(meth_always_retry,
|
||||
+ always_retry_puts))
|
||||
+ || !TEST_true(BIO_meth_set_gets(meth_always_retry,
|
||||
+ always_retry_gets))
|
||||
+ || !TEST_true(BIO_meth_set_ctrl(meth_always_retry,
|
||||
+ always_retry_ctrl))
|
||||
+ || !TEST_true(BIO_meth_set_create(meth_always_retry,
|
||||
+ always_retry_new))
|
||||
+ || !TEST_true(BIO_meth_set_destroy(meth_always_retry,
|
||||
+ always_retry_free)))
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ return meth_always_retry;
|
||||
+}
|
||||
+
|
||||
+void bio_s_always_retry_free(void)
|
||||
+{
|
||||
+ BIO_meth_free(meth_always_retry);
|
||||
+}
|
||||
+
|
||||
+static int always_retry_new(BIO *bio)
|
||||
+{
|
||||
+ BIO_set_init(bio, 1);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int always_retry_free(BIO *bio)
|
||||
+{
|
||||
+ BIO_set_data(bio, NULL);
|
||||
+ BIO_set_init(bio, 0);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int always_retry_read(BIO *bio, char *out, int outl)
|
||||
+{
|
||||
+ BIO_set_retry_read(bio);
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
+static int always_retry_write(BIO *bio, const char *in, int inl)
|
||||
+{
|
||||
+ BIO_set_retry_write(bio);
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
+static long always_retry_ctrl(BIO *bio, int cmd, long num, void *ptr)
|
||||
+{
|
||||
+ long ret = 1;
|
||||
+
|
||||
+ switch (cmd) {
|
||||
+ case BIO_CTRL_FLUSH:
|
||||
+ BIO_set_retry_write(bio);
|
||||
+ /* fall through */
|
||||
+ case BIO_CTRL_EOF:
|
||||
+ case BIO_CTRL_RESET:
|
||||
+ case BIO_CTRL_DUP:
|
||||
+ case BIO_CTRL_PUSH:
|
||||
+ case BIO_CTRL_POP:
|
||||
+ default:
|
||||
+ ret = 0;
|
||||
+ break;
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int always_retry_gets(BIO *bio, char *buf, int size)
|
||||
+{
|
||||
+ BIO_set_retry_read(bio);
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
+static int always_retry_puts(BIO *bio, const char *str)
|
||||
+{
|
||||
+ BIO_set_retry_write(bio);
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
|
||||
int min_proto_version, int max_proto_version,
|
||||
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
|
||||
diff --git a/test/ssltestlib.h b/test/ssltestlib.h
|
||||
index fa19e7d80d..56e323f5bc 100644
|
||||
--- a/test/ssltestlib.h
|
||||
+++ b/test/ssltestlib.h
|
||||
@@ -30,6 +30,9 @@ void bio_f_tls_dump_filter_free(void);
|
||||
const BIO_METHOD *bio_s_mempacket_test(void);
|
||||
void bio_s_mempacket_test_free(void);
|
||||
|
||||
+const BIO_METHOD *bio_s_always_retry(void);
|
||||
+void bio_s_always_retry_free(void);
|
||||
+
|
||||
/* Packet types - value 0 is reserved */
|
||||
#define INJECT_PACKET 1
|
||||
#define INJECT_PACKET_IGNORE_REC_SEQ 2
|
||||
--
|
||||
2.20.1
|
||||
|
|
@ -1,12 +1,12 @@
|
|||
diff -up openssl-1.1.1c/include/openssl/opensslv.h.version-override openssl-1.1.1c/include/openssl/opensslv.h
|
||||
--- openssl-1.1.1c/include/openssl/opensslv.h.version-override 2019-05-29 15:52:30.014734859 +0200
|
||||
+++ openssl-1.1.1c/include/openssl/opensslv.h 2019-05-29 15:53:23.093800831 +0200
|
||||
diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.1i/include/openssl/opensslv.h
|
||||
--- openssl-1.1.1i/include/openssl/opensslv.h.version-override 2020-12-09 10:25:12.042374409 +0100
|
||||
+++ openssl-1.1.1i/include/openssl/opensslv.h 2020-12-09 10:26:00.362769170 +0100
|
||||
@@ -40,7 +40,7 @@ extern "C" {
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
# define OPENSSL_VERSION_NUMBER 0x1010103fL
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c 28 May 2019"
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c FIPS 28 May 2019"
|
||||
# define OPENSSL_VERSION_NUMBER 0x101010bfL
|
||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k 25 Mar 2021"
|
||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1k FIPS 25 Mar 2021"
|
||||
|
||||
/*-
|
||||
* The macros below are to be used for shared library (.so, .dll, ...)
|
||||
|
|
|
@ -21,8 +21,8 @@
|
|||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.1c
|
||||
Release: 1%{?dist}
|
||||
Version: 1.1.1k
|
||||
Release: 12%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
|
@ -40,10 +40,9 @@ Source13: ectest.c
|
|||
# Build changes
|
||||
Patch1: openssl-1.1.1-build.patch
|
||||
Patch2: openssl-1.1.1-defaults.patch
|
||||
Patch3: openssl-1.1.0-no-html.patch
|
||||
Patch3: openssl-1.1.1-no-html.patch
|
||||
Patch4: openssl-1.1.1-man-rename.patch
|
||||
# Bug fixes
|
||||
Patch21: openssl-1.1.0-issuer-hash.patch
|
||||
|
||||
# Functionality changes
|
||||
Patch31: openssl-1.1.1-conf-paths.patch
|
||||
Patch32: openssl-1.1.1-version-add-engines.patch
|
||||
|
@ -54,7 +53,6 @@ Patch38: openssl-1.1.1-no-weak-verify.patch
|
|||
Patch40: openssl-1.1.1-sslv3-keep-abi.patch
|
||||
Patch41: openssl-1.1.1-system-cipherlist.patch
|
||||
Patch42: openssl-1.1.1-fips.patch
|
||||
Patch43: openssl-1.1.1-ignore-bound.patch
|
||||
Patch44: openssl-1.1.1-version-override.patch
|
||||
Patch45: openssl-1.1.1-weak-ciphers.patch
|
||||
Patch46: openssl-1.1.1-seclevel.patch
|
||||
|
@ -62,14 +60,47 @@ Patch47: openssl-1.1.1-ts-sha256-default.patch
|
|||
Patch48: openssl-1.1.1-fips-post-rand.patch
|
||||
Patch49: openssl-1.1.1-evp-kdf.patch
|
||||
Patch50: openssl-1.1.1-ssh-kdf.patch
|
||||
Patch51: openssl-1.1.1-intel-cet.patch
|
||||
Patch60: openssl-1.1.1-krb5-kdf.patch
|
||||
Patch61: openssl-1.1.1-edk2-build.patch
|
||||
Patch62: openssl-1.1.1-fips-curves.patch
|
||||
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
|
||||
Patch66: openssl-1.1.1-fips-dh.patch
|
||||
Patch67: openssl-1.1.1-kdf-selftest.patch
|
||||
Patch69: openssl-1.1.1-alpn-cb.patch
|
||||
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
|
||||
Patch76: openssl-1.1.1-cleanup-peer-point-reneg.patch
|
||||
Patch77: openssl-1.1.1-s390x-aes.patch
|
||||
Patch78: openssl-1.1.1-detected-addr-ipv6.patch
|
||||
Patch79: openssl-1.1.1-servername-cb.patch
|
||||
Patch80: openssl-1.1.1-s390x-aes-tests.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch51: openssl-1.1.1-upstream-sync.patch
|
||||
Patch52: openssl-1.1.1-s390x-update.patch
|
||||
Patch53: openssl-1.1.1-fips-crng-test.patch
|
||||
Patch54: openssl-1.1.1-regression-fixes.patch
|
||||
Patch55: openssl-1.1.1-arm-update.patch
|
||||
Patch56: openssl-1.1.1-s390x-ecc.patch
|
||||
Patch74: openssl-1.1.1-addrconfig.patch
|
||||
Patch75: openssl-1.1.1-tls13-curves.patch
|
||||
Patch81: openssl-1.1.1-read-buff.patch
|
||||
Patch82: openssl-1.1.1-cve-2022-0778.patch
|
||||
Patch83: openssl-1.1.1-replace-expired-certs.patch
|
||||
Patch84: openssl-1.1.1-cve-2022-1292.patch
|
||||
Patch85: openssl-1.1.1-cve-2022-2068.patch
|
||||
Patch86: openssl-1.1.1-cve-2022-2097.patch
|
||||
#OpenSSL 1.1.1t CVEs
|
||||
Patch101: openssl-1.1.1-cve-2022-4304-RSA-oracle.patch
|
||||
Patch102: openssl-1.1.1-cve-2022-4450-PEM-bio.patch
|
||||
Patch103: openssl-1.1.1-cve-2023-0215-BIO-UAF.patch
|
||||
Patch104: openssl-1.1.1-cve-2023-0286-X400.patch
|
||||
# OpenSSL 1.1.1v CVEs
|
||||
Patch105: openssl-1.1.1-cve-2023-3446.patch
|
||||
Patch106: openssl-1.1.1-cve-2023-3817.patch
|
||||
Patch107: openssl-1.1.1-cve-2023-5678.patch
|
||||
# Backport from OpenSSL 3.2/RHEL 9
|
||||
# Proper fix for CVE-2020-25659
|
||||
Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
License: OpenSSL and ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
BuildRequires: gcc
|
||||
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
|
||||
|
@ -80,6 +111,7 @@ BuildRequires: /usr/sbin/sysctl
|
|||
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
|
||||
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
|
||||
BuildRequires: perl(Time::HiRes)
|
||||
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
|
||||
Requires: coreutils
|
||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
|
@ -91,7 +123,6 @@ protocols.
|
|||
|
||||
%package libs
|
||||
Summary: A general purpose cryptography library with TLS implementation
|
||||
Group: System Environment/Libraries
|
||||
Requires: ca-certificates >= 2008-5
|
||||
Requires: crypto-policies >= 20180730
|
||||
Recommends: openssl-pkcs11%{?_isa}
|
||||
|
@ -107,7 +138,6 @@ support cryptographic algorithms and protocols.
|
|||
|
||||
%package devel
|
||||
Summary: Files for development of applications which will use OpenSSL
|
||||
Group: Development/Libraries
|
||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: krb5-devel%{?_isa}, zlib-devel%{?_isa}
|
||||
Requires: pkgconfig
|
||||
|
@ -119,7 +149,6 @@ support various cryptographic algorithms and protocols.
|
|||
|
||||
%package static
|
||||
Summary: Libraries for static linking of applications which will use OpenSSL
|
||||
Group: Development/Libraries
|
||||
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description static
|
||||
|
@ -130,7 +159,6 @@ protocols.
|
|||
|
||||
%package perl
|
||||
Summary: Perl scripts provided with OpenSSL
|
||||
Group: Applications/Internet
|
||||
Requires: perl-interpreter
|
||||
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
|
@ -154,8 +182,6 @@ cp %{SOURCE13} test/
|
|||
%patch3 -p1 -b .no-html %{?_rawbuild}
|
||||
%patch4 -p1 -b .man-rename
|
||||
|
||||
%patch21 -p1 -b .issuer-hash
|
||||
|
||||
%patch31 -p1 -b .conf-paths
|
||||
%patch32 -p1 -b .version-add-engines
|
||||
%patch33 -p1 -b .dgst
|
||||
|
@ -165,7 +191,6 @@ cp %{SOURCE13} test/
|
|||
%patch40 -p1 -b .sslv3-abi
|
||||
%patch41 -p1 -b .system-cipherlist
|
||||
%patch42 -p1 -b .fips
|
||||
%patch43 -p1 -b .ignore-bound
|
||||
%patch44 -p1 -b .version-override
|
||||
%patch45 -p1 -b .weak-ciphers
|
||||
%patch46 -p1 -b .seclevel
|
||||
|
@ -173,11 +198,40 @@ cp %{SOURCE13} test/
|
|||
%patch48 -p1 -b .fips-post-rand
|
||||
%patch49 -p1 -b .evp-kdf
|
||||
%patch50 -p1 -b .ssh-kdf
|
||||
%patch51 -p1 -b .upstream-sync
|
||||
%patch51 -p1 -b .intel-cet
|
||||
%patch52 -p1 -b .s390x-update
|
||||
%patch53 -p1 -b .crng-test
|
||||
%patch54 -p1 -b .regression
|
||||
|
||||
%patch55 -p1 -b .arm-update
|
||||
%patch56 -p1 -b .s390x-ecc
|
||||
%patch60 -p1 -b .krb5-kdf
|
||||
%patch61 -p1 -b .edk2-build
|
||||
%patch62 -p1 -b .fips-curves
|
||||
%patch65 -p1 -b .drbg-selftest
|
||||
%patch66 -p1 -b .fips-dh
|
||||
%patch67 -p1 -b .kdf-selftest
|
||||
%patch69 -p1 -b .alpn-cb
|
||||
%patch70 -p1 -b .rewire-fips-drbg
|
||||
%patch74 -p1 -b .addrconfig
|
||||
%patch75 -p1 -b .tls13-curves
|
||||
%patch76 -p1 -b .cleanup-reneg
|
||||
%patch77 -p1 -b .s390x-aes
|
||||
%patch78 -p1 -b .addr-ipv6
|
||||
%patch79 -p1 -b .servername-cb
|
||||
%patch80 -p1 -b .s390x-test-aes
|
||||
%patch81 -p1 -b .read-buff
|
||||
%patch82 -p1 -b .cve-2022-0778
|
||||
%patch83 -p1 -b .replace-expired-certs
|
||||
%patch84 -p1 -b .cve-2022-1292
|
||||
%patch85 -p1 -b .cve-2022-2068
|
||||
%patch86 -p1 -b .cve-2022-2097
|
||||
%patch101 -p1 -b .cve-2022-4304
|
||||
%patch102 -p1 -b .cve-2022-4450
|
||||
%patch103 -p1 -b .cve-2023-0215
|
||||
%patch104 -p1 -b .cve-2023-0286
|
||||
%patch105 -p1 -b .cve-2023-3446
|
||||
%patch106 -p1 -b .cve-2023-3817
|
||||
%patch107 -p1 -b .cve-2023-5678
|
||||
%patch108 -p1 -b .pkcs15imprejection
|
||||
|
||||
%build
|
||||
# Figure out which flags we want to use.
|
||||
|
@ -461,6 +515,165 @@ export LD_LIBRARY_PATH
|
|||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
|
||||
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
|
||||
(a proper fix for CVE-2020-25659)
|
||||
Resolves: RHEL-17696
|
||||
|
||||
* Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
|
||||
- Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
|
||||
excessively long X9.42 DH keys or parameters may be very slow
|
||||
Resolves: RHEL-16538
|
||||
|
||||
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
|
||||
- Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
|
||||
Resolves: RHEL-14245
|
||||
- Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
|
||||
Resolves: RHEL-14239
|
||||
|
||||
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
|
||||
- Fixed Timing Oracle in RSA Decryption
|
||||
Resolves: CVE-2022-4304
|
||||
- Fixed Double free after calling PEM_read_bio_ex
|
||||
Resolves: CVE-2022-4450
|
||||
- Fixed Use-after-free following BIO_new_NDEF
|
||||
Resolves: CVE-2023-0215
|
||||
- Fixed X.400 address type confusion in X.509 GeneralName
|
||||
Resolves: CVE-2023-0286
|
||||
|
||||
* Thu Jul 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
|
||||
- Fix no-ec build
|
||||
Resolves: rhbz#2071020
|
||||
|
||||
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
|
||||
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
|
||||
Resolves: CVE-2022-2097
|
||||
- Update expired certificates used in the testsuite
|
||||
Resolves: rhbz#2092462
|
||||
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection
|
||||
Resolves: rhbz#2090372
|
||||
- Fix CVE-2022-2068: the c_rehash script allows command injection
|
||||
Resolves: rhbz#2098279
|
||||
|
||||
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
|
||||
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
|
||||
- Resolves: rhbz#2067146
|
||||
|
||||
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
|
||||
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
|
||||
- Resolves: rhbz#2005402
|
||||
|
||||
* Fri Jul 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-4
|
||||
- Fixes bugs in s390x AES code.
|
||||
- Uses the first detected address family if IPv6 is not available
|
||||
- Reverts the changes in https://github.com/openssl/openssl/pull/13305
|
||||
as it introduces a regression if server has a DSA key pair, the handshake fails
|
||||
when the protocol is not explicitly set to TLS 1.2. However, if the patch is reverted,
|
||||
it has an effect on the "ssl_reject_handshake" feature in nginx. Although, this feature
|
||||
will continue to work, TLS 1.3 protocol becomes unavailable/disabled. This is already
|
||||
known - https://trac.nginx.org/nginx/ticket/2071#comment:1
|
||||
As per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938, nginx
|
||||
could early callback instead of servername callback.
|
||||
- Resolves: rhbz#1978214
|
||||
- Related: rhbz#1934534
|
||||
|
||||
* Thu Jun 24 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-3
|
||||
- Cleansup the peer point formats on renegotiation
|
||||
- Resolves rhbz#1965362
|
||||
|
||||
* Wed Jun 23 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-2
|
||||
- Fixes FIPS_selftest to work in FIPS mode. Resolves: rhbz#1940085
|
||||
- Using safe primes for FIPS DH self-test
|
||||
|
||||
* Mon May 24 2021 Sahana Prasad <sahana@redhat.com> 1.1.1k-1
|
||||
- Update to version 1.1.1k
|
||||
|
||||
* Mon Apr 26 2021 Daiki Ueno <dueno@redhat.com> 1.1.1g-16
|
||||
- Use AI_ADDRCONFIG only when explicit host name is given
|
||||
- Allow only curves defined in RFC 8446 in TLS 1.3
|
||||
|
||||
* Fri Apr 16 2021 Dmitry Belyavski <dbelyavs@redhat.com> 1.1.1g-15
|
||||
- Remove 2-key 3DES test from FIPS_selftest
|
||||
|
||||
* Mon Mar 29 2021 Sahana Prasad <sahana@redhat.com> 1.1.1g-14
|
||||
- Fix CVE-2021-3450 openssl: CA certificate check bypass with
|
||||
X509_V_FLAG_X509_STRICT
|
||||
- Fix CVE-2021-3449 NULL pointer deref in signature_algorithms processing
|
||||
|
||||
* Fri Dec 4 2020 Sahana Prasad <sahana@redhat.com> 1.1.1g-13
|
||||
- Fix CVE-2020-1971 ediparty null pointer dereference
|
||||
|
||||
* Fri Oct 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-12
|
||||
- Implemented new FIPS requirements in regards to KDF and DH selftests
|
||||
- Disallow certificates with explicit EC parameters
|
||||
|
||||
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-11
|
||||
- Further changes for SP 800-56A rev3 requirements
|
||||
|
||||
* Tue Jun 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-9
|
||||
- Rewire FIPS_drbg API to use the RAND_DRBG
|
||||
- Use the well known DH groups in TLS even for 2048 and 1024 bit parameters
|
||||
|
||||
* Mon Jun 8 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-7
|
||||
- Disallow dropping Extended Master Secret extension
|
||||
on renegotiation
|
||||
- Return alert from s_server if ALPN protocol does not match
|
||||
- SHA1 is allowed in @SECLEVEL=2 only if allowed by
|
||||
TLS SigAlgs configuration
|
||||
|
||||
* Wed Jun 3 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-6
|
||||
- Add FIPS selftest for PBKDF2 and KBKDF
|
||||
|
||||
* Wed May 27 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-5
|
||||
- Allow only well known DH groups in the FIPS mode
|
||||
|
||||
* Mon May 18 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1
|
||||
- update to the 1.1.1g release
|
||||
- FIPS module installed state definition is modified
|
||||
|
||||
* Thu Mar 5 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-15
|
||||
- add selftest of the RAND_DRBG implementation
|
||||
|
||||
* Wed Feb 19 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-14
|
||||
- fix incorrect error return value from FIPS_selftest_dsa
|
||||
- S390x: properly restore SIGILL signal handler
|
||||
|
||||
* Wed Dec 4 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-12
|
||||
- additional fix for the edk2 build
|
||||
|
||||
* Tue Nov 26 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-9
|
||||
- disallow use of SHA-1 signatures in TLS in FIPS mode
|
||||
|
||||
* Mon Nov 25 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-8
|
||||
- fix CVE-2019-1547 - side-channel weak encryption vulnerability
|
||||
- fix CVE-2019-1563 - padding oracle in CMS API
|
||||
- fix CVE-2019-1549 - ensure fork safety of the DRBG
|
||||
- fix handling of non-FIPS allowed EC curves in FIPS mode
|
||||
- fix TLS compliance issues
|
||||
|
||||
* Thu Nov 21 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-7
|
||||
- backported ARM performance fixes from master
|
||||
|
||||
* Wed Nov 20 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-6
|
||||
- backport of S390x ECC CPACF enhancements from master
|
||||
- FIPS mode: properly disable 1024 bit DSA key generation
|
||||
- FIPS mode: skip ED25519 and ED448 algorithms in openssl speed
|
||||
- FIPS mode: allow AES-CCM ciphersuites
|
||||
|
||||
* Tue Nov 19 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-5
|
||||
- make the code suitable for edk2 build
|
||||
|
||||
* Thu Nov 14 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-4
|
||||
- backport of SSKDF from master
|
||||
|
||||
* Wed Nov 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-3
|
||||
- backport of KBKDF and KRB5KDF from master
|
||||
|
||||
* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-2
|
||||
- do not try to use EC groups disallowed in FIPS mode
|
||||
in TLS
|
||||
- fix Valgrind regression with constant-time code
|
||||
|
||||
* Mon Jun 3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-1
|
||||
- update to the 1.1.1c release
|
||||
|
||||
|
|
Loading…
Reference in New Issue