100 lines
3.4 KiB
Diff
100 lines
3.4 KiB
Diff
Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c
|
|
===================================================================
|
|
--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c
|
|
+++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c
|
|
@@ -61,4 +61,44 @@ err:
|
|
return ret;
|
|
}
|
|
|
|
+int FIPS_selftest_tls(void)
|
|
+{
|
|
+ int ret = 0;
|
|
+ EVP_KDF_CTX *kctx;
|
|
+ unsigned char out[16];
|
|
+
|
|
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL)
|
|
+ goto err;
|
|
+
|
|
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0)
|
|
+ goto err;
|
|
+
|
|
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
|
|
+ "secret", (size_t)6) <= 0)
|
|
+ goto err;
|
|
+
|
|
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0)
|
|
+ goto err;
|
|
+
|
|
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0)
|
|
+ goto err;
|
|
+
|
|
+ {
|
|
+ const unsigned char expected[sizeof(out)] = {
|
|
+ 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
|
|
+ 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
|
|
+ };
|
|
+ if (memcmp(out, expected, sizeof(expected))) {
|
|
+ goto err;
|
|
+ }
|
|
+ }
|
|
+ ret = 1;
|
|
+
|
|
+err:
|
|
+ if (!ret)
|
|
+ FIPSerr(FIPS_F_FIPS_SELFTEST_TLS, FIPS_R_SELFTEST_FAILED);
|
|
+ EVP_KDF_CTX_free(kctx);
|
|
+ return ret;
|
|
+}
|
|
+
|
|
#endif
|
|
Index: openssl-1.1.1m/crypto/fips/fips_post.c
|
|
===================================================================
|
|
--- openssl-1.1.1m.orig/crypto/fips/fips_post.c
|
|
+++ openssl-1.1.1m/crypto/fips/fips_post.c
|
|
@@ -106,6 +106,9 @@ int FIPS_selftest(void)
|
|
rv = 0;
|
|
if (!FIPS_selftest_pbkdf2())
|
|
rv = 0;
|
|
+ if (!FIPS_selftest_tls())
|
|
+ rv = 0;
|
|
+
|
|
return rv;
|
|
}
|
|
|
|
Index: openssl-1.1.1m/include/crypto/fips_int.h
|
|
===================================================================
|
|
--- openssl-1.1.1m.orig/include/crypto/fips_int.h
|
|
+++ openssl-1.1.1m/include/crypto/fips_int.h
|
|
@@ -77,6 +77,7 @@ int FIPS_selftest_hmac(void);
|
|
int FIPS_selftest_drbg(void);
|
|
int FIPS_selftest_cmac(void);
|
|
int FIPS_selftest_pbkdf2(void);
|
|
+int FIPS_selftest_tls(void);
|
|
|
|
int fips_in_post(void);
|
|
|
|
Index: openssl-1.1.1m/include/openssl/fips.h
|
|
===================================================================
|
|
--- openssl-1.1.1m.orig/include/openssl/fips.h
|
|
+++ openssl-1.1.1m/include/openssl/fips.h
|
|
@@ -125,6 +125,7 @@ extern "C" {
|
|
# define FIPS_F_FIPS_SELFTEST_ECDSA 133
|
|
# define FIPS_F_FIPS_SELFTEST_HMAC 113
|
|
# define FIPS_F_FIPS_SELFTEST_PBKDF2 152
|
|
+# define FIPS_F_FIPS_SELFTEST_TLS 153
|
|
# define FIPS_F_FIPS_SELFTEST_SHA1 115
|
|
# define FIPS_F_FIPS_SELFTEST_SHA2 105
|
|
# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
|
|
Index: openssl-1.1.1m/crypto/fips/fips_err.h
|
|
===================================================================
|
|
--- openssl-1.1.1m.orig/crypto/fips/fips_err.h
|
|
+++ openssl-1.1.1m/crypto/fips/fips_err.h
|
|
@@ -112,6 +112,7 @@ static ERR_STRING_DATA FIPS_str_functs[]
|
|
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
|
|
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
|
|
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"},
|
|
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"},
|
|
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
|
|
{ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
|
|
{ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
|