Sync from SUSE:SLFO:Main openssl-3 revision f1e5b5790b36d62448b0f56f23f02c6b
This commit is contained in:
commit
fd7429582b
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
## Default LFS
|
||||
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||
*.png filter=lfs diff=lfs merge=lfs -text
|
||||
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
12
baselibs.conf
Normal file
12
baselibs.conf
Normal file
@ -0,0 +1,12 @@
|
||||
libopenssl3
|
||||
obsoletes "libopenssl1_1_0-<targettype>"
|
||||
provides "libopenssl3-hmac-<targettype> = <version>-%release"
|
||||
obsoletes "libopenssl3-hmac-<targettype> < <version>-%release"
|
||||
libopenssl-3-devel
|
||||
provides "libopenssl-devel-<targettype> = <version>"
|
||||
conflicts "otherproviders(libopenssl-devel-<targettype>)"
|
||||
conflicts "libopenssl-1_1-devel-<targettype>"
|
||||
requires -"openssl-3-<targettype>"
|
||||
requires "libopenssl3-<targettype> = <version>"
|
||||
libopenssl-3-fips-provider
|
||||
requires "libopenssl3-<targettype> >= <version>"
|
35
openssl-3-use-include-directive.patch
Normal file
35
openssl-3-use-include-directive.patch
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
apps/openssl.cnf | 13 +++++++++++++
|
||||
1 file changed, 13 insertions(+)
|
||||
|
||||
Index: openssl-3.1.4/apps/openssl.cnf
|
||||
===================================================================
|
||||
--- openssl-3.1.4.orig/apps/openssl.cnf
|
||||
+++ openssl-3.1.4/apps/openssl.cnf
|
||||
@@ -19,6 +19,7 @@ openssl_conf = openssl_init
|
||||
# Comment out the next line to ignore configuration errors
|
||||
config_diagnostics = 1
|
||||
|
||||
+[ oid_section ]
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
# oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
@@ -47,6 +48,18 @@ providers = provider_sect
|
||||
# Load default TLS policy configuration
|
||||
ssl_conf = ssl_module
|
||||
|
||||
+engines = engine_section
|
||||
+
|
||||
+[ engine_section ]
|
||||
+
|
||||
+# This include will look through the directory that will contain the
|
||||
+# engine declarations for any engines provided by other packages.
|
||||
+.include /etc/ssl/engines3.d
|
||||
+
|
||||
+# This include will look through the directory that will contain the
|
||||
+# definitions of the engines declared in the engine section.
|
||||
+.include /etc/ssl/engdef3.d
|
||||
+
|
||||
# Uncomment the sections that start with ## below to enable the legacy provider.
|
||||
# Loading the legacy provider enables support for the following algorithms:
|
||||
# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
BIN
openssl-3.1.4.tar.gz
(Stored with Git LFS)
Normal file
BIN
openssl-3.1.4.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
openssl-3.1.4.tar.gz.asc
Normal file
16
openssl-3.1.4.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU3yaoACgkQ2JTizos9
|
||||
efXt8BAAqcF9RBzduklMCXSfG4Rzs2KcWmR1+BB0izxG3KwPr+r54qBbSRCCImHA
|
||||
U22An//xsDsQZ0K4rrkkkumpJCxLV/4F3TlEBdoCS4wzDXz/LfONzTuZ8Z3QP/Si
|
||||
ElHTKdqPo2tp6LrDIUSGa9BmK1AsxkhOoC/uJlGpLP0mLJGI3PGo5ordyERAjL/C
|
||||
hTumE16ErrXY3kHVPAeD6tJlxtV3M9UxsZAOK6LVfnhXLzz8hWMu2H5ZigXZWCDx
|
||||
NG6ylV4xxfqO9eLxT2wUrJzg24w0VZzmbD+ZeZ24v9aAxGsbl3ZHLgMKkDehNNuP
|
||||
0ADh3aGq9FkIg5n53UQu0pbOc6aBPgWwVuaNfxOheG2GqBCoca42ikW20QZyJAec
|
||||
h3uLQ76vnWOjUIjeRCjpw0+OCUaWr0wx5WzzfdgYc813VwN6FaC9ZmB46oaLfIeD
|
||||
MBAyuUxdTif/7SXmGgUIQDIf4Vxr2H7I0NyyDxD+y+C2gwn+zVvuVcBBc2cNq4QN
|
||||
UINxZvm75CwaCsys+MDjSneDhpcSlAPqTJqM3DvKf/r3+27buz+sFw463fTHnv0F
|
||||
FpyBPgvvusY4Z4h/jqLcfkl2MBOxlo+lpZJdPpQoEvGz751GsKmmtb0YgZ7BjrYs
|
||||
5vFvo0EJ066J9bWLbp6VZd825B9P2Uy7u3sUz+E5nuavT4eHv7o=
|
||||
=EH33
|
||||
-----END PGP SIGNATURE-----
|
1505
openssl-3.changes
Normal file
1505
openssl-3.changes
Normal file
File diff suppressed because it is too large
Load Diff
387
openssl-3.spec
Normal file
387
openssl-3.spec
Normal file
@ -0,0 +1,387 @@
|
||||
#
|
||||
# spec file for package openssl-3
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
%define ssletcdir %{_sysconfdir}/ssl
|
||||
%define sover 3
|
||||
%define _rname openssl
|
||||
%define man_suffix 3ssl
|
||||
%global sslengcnf %{ssletcdir}/engines%{sover}.d
|
||||
%global sslengdef %{ssletcdir}/engdef%{sover}.d
|
||||
Name: openssl-3
|
||||
# Don't forget to update the version in the "openssl" meta-package!
|
||||
Version: 3.1.4
|
||||
Release: 0
|
||||
Summary: Secure Sockets and Transport Layer Security
|
||||
License: Apache-2.0
|
||||
URL: https://www.openssl.org/
|
||||
Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
|
||||
# to get mtime of file:
|
||||
Source1: %{name}.changes
|
||||
Source2: baselibs.conf
|
||||
Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
|
||||
# https://www.openssl.org/about/
|
||||
# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
|
||||
Source4: %{_rname}.keyring
|
||||
Source5: showciphers.c
|
||||
Source6: openssl-Disable-default-provider-for-test-suite.patch
|
||||
# PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages
|
||||
Patch1: openssl-no-html-docs.patch
|
||||
Patch2: openssl-truststore.patch
|
||||
Patch3: openssl-pkgconfig.patch
|
||||
Patch4: openssl-DEFAULT_SUSE_cipher.patch
|
||||
Patch5: openssl-ppc64-config.patch
|
||||
Patch6: openssl-no-date.patch
|
||||
# Add crypto-policies support
|
||||
Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||
Patch8: openssl-crypto-policies-support.patch
|
||||
# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW
|
||||
Patch9: openssl-Add_support_for_Windows_CA_certificate_store.patch
|
||||
# PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support
|
||||
Patch10: openssl-Add-FIPS_mode-compatibility-macro.patch
|
||||
Patch11: openssl-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
# PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514
|
||||
# POWER10 performance enhancements for cryptography
|
||||
Patch12: openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
|
||||
Patch13: openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
|
||||
Patch14: openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
|
||||
Patch15: openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
|
||||
Patch16: openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
|
||||
Patch17: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
|
||||
# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
|
||||
# checking excessively long X9.42 DH keys or parameters may be very slow
|
||||
Patch18: openssl-CVE-2023-5678.patch
|
||||
# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/22971
|
||||
Patch19: openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
|
||||
# PATCH-FIX-UPSTREAM: bsc#1218690 CVE-2023-6129 - POLY1305 MAC implementation corrupts vector registers on PowerPC
|
||||
Patch20: openssl-CVE-2023-6129.patch
|
||||
# PATCH-FIX-FEDORA Load FIPS the provider and set FIPS properties implicitly
|
||||
Patch21: openssl-Force-FIPS.patch
|
||||
# PATCH-FIX-FEDORA Disable the fipsinstall command-line utility
|
||||
Patch22: openssl-disable-fipsinstall.patch
|
||||
# PATCH-FIX-FEDORA Instructions to load legacy provider in openssl.cnf
|
||||
Patch23: openssl-load-legacy-provider.patch
|
||||
# PATCH-FIX-FEDORA Embed the FIPS hmac
|
||||
Patch24: openssl-FIPS-embed-hmac.patch
|
||||
# PATCH-FIX-UPSTREAM: bsc#1218810 CVE-2023-6237: Excessive time spent checking invalid RSA public keys
|
||||
Patch25: openssl-CVE-2023-6237.patch
|
||||
# PATCH-FIX-SUSE bsc#1194187, bsc#1207472, bsc#1218933 - Add engines section in openssl.cnf
|
||||
Patch26: openssl-3-use-include-directive.patch
|
||||
# PATCH-FIX-UPSTREAM: bsc#1219243 CVE-2024-0727: denial of service via null dereference
|
||||
Patch27: openssl-CVE-2024-0727.patch
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: pkgconfig(zlib)
|
||||
Requires: libopenssl3 = %{version}-%{release}
|
||||
Requires: openssl
|
||||
Provides: ssl
|
||||
# Needed for clean upgrade path, boo#1070003
|
||||
Obsoletes: openssl-1_0_0
|
||||
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
||||
Obsoletes: openssl-1_1_0
|
||||
%{?suse_build_hwcaps_libs}
|
||||
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
||||
Requires: crypto-policies
|
||||
%endif
|
||||
|
||||
%description
|
||||
OpenSSL is a software library to be used in applications that need to
|
||||
secure communications over computer networks against eavesdropping or
|
||||
need to ascertain the identity of the party at the other end.
|
||||
OpenSSL contains an implementation of the SSL and TLS protocols.
|
||||
|
||||
%package -n libopenssl3
|
||||
Summary: Secure Sockets and Transport Layer Security
|
||||
Recommends: ca-certificates-mozilla
|
||||
Conflicts: %{name} < %{version}-%{release}
|
||||
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
||||
Obsoletes: libopenssl1_1_0
|
||||
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
|
||||
Requires: crypto-policies
|
||||
%endif
|
||||
# Merge back the hmac files bsc#1185116
|
||||
Provides: libopenssl3-hmac = %{version}-%{release}
|
||||
Obsoletes: libopenssl3-hmac < %{version}-%{release}
|
||||
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
||||
Obsoletes: libopenssl1_1_0-hmac
|
||||
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
|
||||
Obsoletes: libopenssl-1_0_0-hmac
|
||||
|
||||
%description -n libopenssl3
|
||||
OpenSSL is a software library to be used in applications that need to
|
||||
secure communications over computer networks against eavesdropping or
|
||||
need to ascertain the identity of the party at the other end.
|
||||
OpenSSL contains an implementation of the SSL and TLS protocols.
|
||||
|
||||
%package -n libopenssl-3-devel
|
||||
Summary: Development files for OpenSSL
|
||||
Requires: libopenssl3 = %{version}
|
||||
Requires: pkgconfig(zlib)
|
||||
Recommends: %{name} = %{version}
|
||||
Provides: ssl-devel
|
||||
Conflicts: ssl-devel
|
||||
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
||||
Obsoletes: libopenssl-1_1_0-devel
|
||||
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
|
||||
Obsoletes: libopenssl-1_0_0-devel
|
||||
|
||||
%description -n libopenssl-3-devel
|
||||
This subpackage contains header files for developing applications
|
||||
that want to make use of the OpenSSL C API.
|
||||
|
||||
%package -n libopenssl-3-fips-provider
|
||||
Summary: OpenSSL FIPS provider
|
||||
Requires: libopenssl3 >= %{version}
|
||||
BuildRequires: fipscheck
|
||||
|
||||
%description -n libopenssl-3-fips-provider
|
||||
This package contains the OpenSSL FIPS provider.
|
||||
|
||||
%package doc
|
||||
Summary: Manpages and additional documentation for openssl
|
||||
Conflicts: libopenssl-3-devel < %{version}-%{release}
|
||||
Conflicts: openssl-doc
|
||||
Provides: openssl-doc = %{version}
|
||||
Obsoletes: openssl-doc < %{version}
|
||||
BuildArch: noarch
|
||||
|
||||
%description doc
|
||||
This package contains optional documentation provided in addition to
|
||||
this package's base documentation.
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n %{_rname}-%{version}
|
||||
|
||||
%build
|
||||
%ifarch armv5el armv5tel
|
||||
export MACHINE=armv5el
|
||||
%endif
|
||||
%ifarch armv6l armv6hl
|
||||
export MACHINE=armv6l
|
||||
%endif
|
||||
|
||||
./Configure \
|
||||
no-mdc2 no-ec2m no-sm2 no-sm4 \
|
||||
enable-rfc3779 enable-camellia enable-seed \
|
||||
%ifarch x86_64 aarch64 ppc64le
|
||||
enable-ec_nistp_64_gcc_128 \
|
||||
%endif
|
||||
enable-fips \
|
||||
enable-ktls \
|
||||
zlib \
|
||||
--prefix=%{_prefix} \
|
||||
--libdir=%{_lib} \
|
||||
--openssldir=%{ssletcdir} \
|
||||
%{optflags} \
|
||||
-Wa,--noexecstack \
|
||||
-Wl,-z,relro,-z,now \
|
||||
-fno-common \
|
||||
-DTERMIO \
|
||||
-DPURIFY \
|
||||
-D_GNU_SOURCE \
|
||||
-DOPENSSL_NO_BUF_FREELISTS \
|
||||
$(getconf LFS_CFLAGS) \
|
||||
-Wall \
|
||||
--with-rand-seed=getrandom \
|
||||
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config
|
||||
|
||||
# Show build configuration
|
||||
perl configdata.pm --dump
|
||||
|
||||
# Do not run this in a production package the FIPS symbols must be patched-in
|
||||
# util/mkdef.pl crypto update
|
||||
|
||||
%make_build depend
|
||||
%make_build all
|
||||
|
||||
%check
|
||||
# Relax the crypto-policies requirements for the regression tests
|
||||
# Revert patch8 before running tests
|
||||
patch -p1 -R < %{PATCH8}
|
||||
# Revert openssl-3-use-include-directive.patch because these directories
|
||||
# exists only in buildroot but not in build system and some tests are failing
|
||||
# because of it.
|
||||
patch -p1 -R < %{PATCH26}
|
||||
# Disable the default provider for the test suite.
|
||||
patch -p1 < %{SOURCE6}
|
||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
||||
export MALLOC_CHECK_=3
|
||||
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
|
||||
# export HARNESS_VERBOSE=yes
|
||||
# Embed HMAC into fips provider for test run
|
||||
OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
|
||||
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
|
||||
mv providers/fips.so.mac providers/fips.so
|
||||
|
||||
# Run the tests in non FIPS mode
|
||||
LD_LIBRARY_PATH="$PWD" make test -j16
|
||||
|
||||
# Run the tests also in FIPS mode
|
||||
OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH="$PWD" make test -j16 || :
|
||||
# OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH="$PWD" make TESTS='-test_evp_fetch_prov -test_tsa' test -j16 || :
|
||||
|
||||
# Add generation of HMAC checksum of the final stripped library
|
||||
# We manually copy standard definition of __spec_install_post
|
||||
# and add hmac calculation/embedding to fips.so
|
||||
%define __spec_install_post \
|
||||
%{?__debug_package:%{__debug_install_post}} \
|
||||
%{__arch_install_post} \
|
||||
%{__os_install_post} \
|
||||
OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
||||
objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
|
||||
mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
|
||||
rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
||||
%{nil}
|
||||
|
||||
# show ciphers
|
||||
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
|
||||
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
|
||||
|
||||
%install
|
||||
%make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix}
|
||||
|
||||
rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover}
|
||||
for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do
|
||||
chmod 755 ${lib}
|
||||
ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version})
|
||||
ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version}).%{sover}
|
||||
done
|
||||
|
||||
# Remove static libraries
|
||||
rm -f %{buildroot}%{_libdir}/lib*.a
|
||||
|
||||
# Remove the cnf.dist
|
||||
rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist
|
||||
rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist
|
||||
|
||||
# Make a copy of the default openssl.cnf file
|
||||
cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf
|
||||
|
||||
# Create openssl ca-certificates dir required by nodejs regression tests [bsc#1207484]
|
||||
mkdir -p %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl
|
||||
install -d -m 555 %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl
|
||||
|
||||
# Remove the fipsmodule.cnf because FIPS module is loaded automatically
|
||||
rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf
|
||||
|
||||
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
|
||||
mkdir %{buildroot}/%{_datadir}/ssl
|
||||
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
|
||||
|
||||
# Create the two directories into which packages will drop their configuration
|
||||
# files.
|
||||
mkdir %{buildroot}/%{sslengcnf}
|
||||
mkdir %{buildroot}/%{sslengdef}
|
||||
# Create unversioned symbolic links to above directories
|
||||
ln -s %{sslengcnf} %{buildroot}/%{ssletcdir}/engines.d
|
||||
ln -s %{sslengdef} %{buildroot}/%{ssletcdir}/engdef.d
|
||||
|
||||
# Avoid file conflicts with man pages from other packages
|
||||
pushd %{buildroot}/%{_mandir}
|
||||
find . -type f -exec chmod 644 {} +
|
||||
mv man5/config.5%{man_suffix} man5/openssl.cnf.5
|
||||
popd
|
||||
|
||||
# Do not install demo scripts executable under /usr/share/doc
|
||||
find demos -type f -perm /111 -exec chmod 644 {} +
|
||||
|
||||
# Place showciphers.c for %%doc macro
|
||||
cp %{SOURCE5} .
|
||||
|
||||
# Compute the FIPS hmac using the brp-50-generate-fips-hmac script
|
||||
export BRP_FIPSHMAC_FILES="%{buildroot}%{_libdir}/libssl.so.%{sover} %{buildroot}%{_libdir}/libcrypto.so.%{sover}"
|
||||
|
||||
%post -p "/bin/bash"
|
||||
if [ "$1" -gt 1 ] ; then
|
||||
# Check if the packaged default config file for openssl-3, called openssl.cnf,
|
||||
# is the original or if it has been modified and alert the user in that case
|
||||
# that a copy of the original file openssl-orig.cnf can be used if needed.
|
||||
cmp --silent %{ssletcdir}/openssl.cnf %{ssletcdir}/openssl-orig.cnf 2>/dev/null
|
||||
if [ "$?" -eq 1 ] ; then
|
||||
echo -e " The openssl-3 default config file openssl.cnf is different from" ;
|
||||
echo -e " the original one shipped by the package. A copy of the original" ;
|
||||
echo -e " file is packaged and named as openssl-orig.cnf if needed."
|
||||
fi
|
||||
fi
|
||||
|
||||
%pre
|
||||
# Migrate old engines.d to engines1.1.d.rpmsave
|
||||
if [ ! -L %{ssletcdir}/engines.d ] && [ -d %{ssletcdir}/engines.d ]; then
|
||||
mkdir %{ssletcdir}/engines1.1.d.rpmsave ||:
|
||||
mv %{ssletcdir}/engines.d %{ssletcdir}/engines1.1.d.rpmsave ||:
|
||||
fi
|
||||
|
||||
# Migrate old engdef.d to engdef1.1.d.rpmsave
|
||||
if [ ! -L %{ssletcdir}/engdef.d ] && [ -d %{ssletcdir}/engdef.d ]; then
|
||||
mkdir %{ssletcdir}/engdef1.1.d.rpmsave ||:
|
||||
mv %{ssletcdir}/engdef.d %{ssletcdir}/engdef1.1.d.rpmsave ||:
|
||||
fi
|
||||
|
||||
%post -n libopenssl3 -p /sbin/ldconfig
|
||||
%postun -n libopenssl3 -p /sbin/ldconfig
|
||||
|
||||
%files -n libopenssl3
|
||||
%license LICENSE.txt
|
||||
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
|
||||
%{_libdir}/libssl.so.%{sover}
|
||||
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
|
||||
%{_libdir}/libcrypto.so.%{sover}
|
||||
%{_libdir}/engines-%{sover}
|
||||
%dir %{_libdir}/ossl-modules
|
||||
%{_libdir}/ossl-modules/legacy.so
|
||||
%{_libdir}/.libssl.so.%{sover}.hmac
|
||||
%{_libdir}/.libcrypto.so.%{sover}.hmac
|
||||
|
||||
%files -n libopenssl-3-fips-provider
|
||||
%{_libdir}/ossl-modules/fips.so
|
||||
|
||||
%files -n libopenssl-3-devel
|
||||
%doc NOTES*.md CONTRIBUTING.md HACKING.md AUTHORS.md ACKNOWLEDGEMENTS.md
|
||||
%{_includedir}/%{_rname}/
|
||||
%{_includedir}/ssl
|
||||
%{_libdir}/*.so
|
||||
%{_libdir}/pkgconfig/*.pc
|
||||
|
||||
%files doc
|
||||
%doc README.md
|
||||
%doc doc/html/* doc/HOWTO/* demos
|
||||
%doc showciphers.c
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%files
|
||||
%license LICENSE.txt
|
||||
%doc CHANGES.md NEWS.md FAQ.md README.md
|
||||
%dir %{ssletcdir}
|
||||
%config %{ssletcdir}/openssl-orig.cnf
|
||||
%config (noreplace) %{ssletcdir}/openssl.cnf
|
||||
%config (noreplace) %{ssletcdir}/ct_log_list.cnf
|
||||
%attr(700,root,root) %{ssletcdir}/private
|
||||
%dir %{sslengcnf}
|
||||
%dir %{sslengdef}
|
||||
# symbolic link to above directories
|
||||
%{ssletcdir}/engines.d
|
||||
%{ssletcdir}/engdef.d
|
||||
%dir %{_datadir}/ssl
|
||||
%{_datadir}/ssl/misc
|
||||
%dir %{_localstatedir}/lib/ca-certificates/
|
||||
%dir %{_localstatedir}/lib/ca-certificates/openssl
|
||||
%{_bindir}/%{_rname}
|
||||
%{_bindir}/c_rehash
|
||||
%{_mandir}/man1/*
|
||||
%{_mandir}/man5/*
|
||||
%{_mandir}/man7/*
|
||||
|
||||
%changelog
|
83
openssl-Add-FIPS_mode-compatibility-macro.patch
Normal file
83
openssl-Add-FIPS_mode-compatibility-macro.patch
Normal file
@ -0,0 +1,83 @@
|
||||
From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:27 +0200
|
||||
Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
|
||||
|
||||
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
|
||||
Patch-id: 8
|
||||
Patch-status: |
|
||||
# Add FIPS_mode() compatibility macro
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
include/openssl/fips.h | 26 ++++++++++++++++++++++++++
|
||||
test/property_test.c | 14 ++++++++++++++
|
||||
2 files changed, 40 insertions(+)
|
||||
create mode 100644 include/openssl/fips.h
|
||||
|
||||
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
|
||||
new file mode 100644
|
||||
index 0000000000..4162cbf88e
|
||||
--- /dev/null
|
||||
+++ b/include/openssl/fips.h
|
||||
@@ -0,0 +1,26 @@
|
||||
+/*
|
||||
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ *
|
||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+
|
||||
+#ifndef OPENSSL_FIPS_H
|
||||
+# define OPENSSL_FIPS_H
|
||||
+# pragma once
|
||||
+
|
||||
+# include <openssl/evp.h>
|
||||
+# include <openssl/macros.h>
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+extern "C" {
|
||||
+# endif
|
||||
+
|
||||
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+}
|
||||
+# endif
|
||||
+#endif
|
||||
diff --git a/test/property_test.c b/test/property_test.c
|
||||
index 45b1db3e85..8894c1c1cb 100644
|
||||
--- a/test/property_test.c
|
||||
+++ b/test/property_test.c
|
||||
@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+static int test_downstream_FIPS_mode(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
|
||||
+ && TEST_true(FIPS_mode())
|
||||
+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
|
||||
+ && TEST_false(FIPS_mode());
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
ADD_TEST(test_property_string);
|
||||
@@ -690,6 +703,7 @@ int setup_tests(void)
|
||||
ADD_TEST(test_property);
|
||||
ADD_TEST(test_query_cache_stochastic);
|
||||
ADD_TEST(test_fips_mode);
|
||||
+ ADD_TEST(test_downstream_FIPS_mode);
|
||||
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
|
||||
return 1;
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
|
86
openssl-Add-Kernel-FIPS-mode-flag-support.patch
Normal file
86
openssl-Add-Kernel-FIPS-mode-flag-support.patch
Normal file
@ -0,0 +1,86 @@
|
||||
From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:27 +0200
|
||||
Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
|
||||
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
Patch-id: 9
|
||||
Patch-status: |
|
||||
# Add check to see if fips flag is enabled in kernel
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++
|
||||
include/internal/provider.h | 3 +++
|
||||
2 files changed, 39 insertions(+)
|
||||
|
||||
diff --git a/crypto/context.c b/crypto/context.c
|
||||
index e294ea1512..51002ba79a 100644
|
||||
--- a/crypto/context.c
|
||||
+++ b/crypto/context.c
|
||||
@@ -16,6 +16,41 @@
|
||||
#include "internal/provider.h"
|
||||
#include "crypto/context.h"
|
||||
|
||||
+# include <sys/types.h>
|
||||
+# include <sys/stat.h>
|
||||
+# include <fcntl.h>
|
||||
+# include <unistd.h>
|
||||
+# include <openssl/evp.h>
|
||||
+
|
||||
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
||||
+
|
||||
+static int kernel_fips_flag;
|
||||
+
|
||||
+static void read_kernel_fips_flag(void)
|
||||
+{
|
||||
+ char buf[2] = "0";
|
||||
+ int fd;
|
||||
+
|
||||
+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||
+ buf[0] = '1';
|
||||
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
||||
+ close(fd);
|
||||
+ }
|
||||
+
|
||||
+ if (buf[0] == '1') {
|
||||
+ kernel_fips_flag = 1;
|
||||
+ }
|
||||
+
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+int ossl_get_kernel_fips_flag()
|
||||
+{
|
||||
+ return kernel_fips_flag;
|
||||
+}
|
||||
+
|
||||
+
|
||||
struct ossl_lib_ctx_st {
|
||||
CRYPTO_RWLOCK *lock, *rand_crngt_lock;
|
||||
OSSL_EX_DATA_GLOBAL global;
|
||||
@@ -336,6 +371,7 @@ static int default_context_inited = 0;
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
|
||||
{
|
||||
+ read_kernel_fips_flag();
|
||||
if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
|
||||
goto err;
|
||||
|
||||
diff --git a/include/internal/provider.h b/include/internal/provider.h
|
||||
index 18937f84c7..1446bf7afb 100644
|
||||
--- a/include/internal/provider.h
|
||||
+++ b/include/internal/provider.h
|
||||
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
|
||||
const OSSL_DISPATCH *in);
|
||||
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
|
||||
|
||||
+/* FIPS flag access */
|
||||
+int ossl_get_kernel_fips_flag(void);
|
||||
+
|
||||
# ifdef __cplusplus
|
||||
}
|
||||
# endif
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,305 @@
|
||||
From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 10:16:46 +0200
|
||||
Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
||||
|
||||
(was openssl-1.1.1-system-cipherlist.patch)
|
||||
---
|
||||
Configurations/unix-Makefile.tmpl | 5 ++
|
||||
Configure | 11 ++++
|
||||
doc/man1/openssl-ciphers.pod.in | 9 +++
|
||||
include/openssl/ssl.h.in | 5 ++
|
||||
ssl/ssl_ciph.c | 87 +++++++++++++++++++++++++++++++++-----
|
||||
ssl/ssl_lib.c | 4 -
|
||||
test/cipherlist_test.c | 2
|
||||
util/libcrypto.num | 1
|
||||
8 files changed, 110 insertions(+), 14 deletions(-)
|
||||
|
||||
--- a/Configurations/unix-Makefile.tmpl
|
||||
+++ b/Configurations/unix-Makefile.tmpl
|
||||
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||
HTMLDIR=$(DOCDIR)/html
|
||||
|
||||
+{- output_off() if $config{system_ciphers_file} eq ""; "" -}
|
||||
+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
|
||||
+{- output_on() if $config{system_ciphers_file} eq ""; "" -}
|
||||
+
|
||||
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
||||
# appended after the manpage file section number. "ssl" is popular,
|
||||
# resulting in files such as config.5ssl rather than config.5.
|
||||
@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
||||
CPPFLAGS={- our $cppflags1 = join(" ",
|
||||
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
||||
+ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
|
||||
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
||||
@{$config{CPPFLAGS}}) -}
|
||||
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
||||
--- a/Configure
|
||||
+++ b/Configure
|
||||
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
||||
my $orig_death_handler = $SIG{__DIE__};
|
||||
$SIG{__DIE__} = \&death_handler;
|
||||
|
||||
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
|
||||
my $banner = <<"EOF";
|
||||
|
||||
@@ -61,6 +61,10 @@ EOF
|
||||
# given with --prefix.
|
||||
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||
# (Default: PREFIX/ssl)
|
||||
+#
|
||||
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
||||
+# cipher is specified (default).
|
||||
+#
|
||||
# --banner=".." Output specified text instead of default completion banner
|
||||
#
|
||||
# -w Don't wait after showing a Configure warning
|
||||
@@ -387,6 +391,7 @@ $config{prefix}="";
|
||||
$config{openssldir}="";
|
||||
$config{processor}="";
|
||||
$config{libdir}="";
|
||||
+$config{system_ciphers_file}="";
|
||||
my $auto_threads=1; # enable threads automatically? true by default
|
||||
my $default_ranlib;
|
||||
|
||||
@@ -989,6 +994,10 @@ while (@argvcopy)
|
||||
die "FIPS key too long (64 bytes max)\n"
|
||||
if length $1 > 64;
|
||||
}
|
||||
+ elsif (/^--system-ciphers-file=(.*)$/)
|
||||
+ {
|
||||
+ $config{system_ciphers_file}=$1;
|
||||
+ }
|
||||
elsif (/^--banner=(.*)$/)
|
||||
{
|
||||
$banner = $1 . "\n";
|
||||
--- a/doc/man1/openssl-ciphers.pod.in
|
||||
+++ b/doc/man1/openssl-ciphers.pod.in
|
||||
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
||||
|
||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||
|
||||
+=item B<PROFILE=SYSTEM>
|
||||
+
|
||||
+The list of enabled cipher suites will be loaded from the system crypto policy
|
||||
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
|
||||
+See also L<update-crypto-policies(8)>.
|
||||
+This is the default behavior unless an application explicitly sets a cipher
|
||||
+list. If used in a cipher list configuration value this string must be at the
|
||||
+beginning of the cipher list, otherwise it will not be recognized.
|
||||
+
|
||||
=item B<HIGH>
|
||||
|
||||
"High" encryption cipher suites. This currently means those with key lengths
|
||||
--- a/include/openssl/ssl.h.in
|
||||
+++ b/include/openssl/ssl.h.in
|
||||
@@ -213,6 +213,11 @@ extern "C" {
|
||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||
*/
|
||||
+# ifdef SYSTEM_CIPHERS_FILE
|
||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
|
||||
+# else
|
||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
|
||||
+# endif
|
||||
|
||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||
# define SSL_SENT_SHUTDOWN 1
|
||||
--- a/ssl/ssl_ciph.c
|
||||
+++ b/ssl/ssl_ciph.c
|
||||
@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
||||
return ret;
|
||||
}
|
||||
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+static char *load_system_str(const char *suffix)
|
||||
+{
|
||||
+ FILE *fp;
|
||||
+ char buf[1024];
|
||||
+ char *new_rules;
|
||||
+ const char *ciphers_path;
|
||||
+ unsigned len, slen;
|
||||
+
|
||||
+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
|
||||
+ ciphers_path = SYSTEM_CIPHERS_FILE;
|
||||
+ fp = fopen(ciphers_path, "r");
|
||||
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
|
||||
+ /* cannot open or file is empty */
|
||||
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
|
||||
+ }
|
||||
+
|
||||
+ if (fp)
|
||||
+ fclose(fp);
|
||||
+
|
||||
+ slen = strlen(suffix);
|
||||
+ len = strlen(buf);
|
||||
+
|
||||
+ if (buf[len - 1] == '\n') {
|
||||
+ len--;
|
||||
+ buf[len] = 0;
|
||||
+ }
|
||||
+ if (buf[len - 1] == '\r') {
|
||||
+ len--;
|
||||
+ buf[len] = 0;
|
||||
+ }
|
||||
+
|
||||
+ new_rules = OPENSSL_malloc(len + slen + 1);
|
||||
+ if (new_rules == 0)
|
||||
+ return NULL;
|
||||
+
|
||||
+ memcpy(new_rules, buf, len);
|
||||
+ if (slen > 0) {
|
||||
+ memcpy(&new_rules[len], suffix, slen);
|
||||
+ len += slen;
|
||||
+ }
|
||||
+ new_rules[len] = 0;
|
||||
+
|
||||
+ return new_rules;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||
STACK_OF(SSL_CIPHER) **cipher_list,
|
||||
@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
||||
const SSL_CIPHER **ca_list = NULL;
|
||||
const SSL_METHOD *ssl_method = ctx->method;
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ char *new_rules = NULL;
|
||||
+
|
||||
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
|
||||
+ char *p = rule_str + 14;
|
||||
+
|
||||
+ new_rules = load_system_str(p);
|
||||
+ rule_str = new_rules;
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Return with error if nothing to do.
|
||||
*/
|
||||
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
|
||||
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
|
||||
/*
|
||||
* To reduce the work to do we only want to process the compiled
|
||||
@@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||
if (co_list == NULL) {
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||
@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
* in force within each class
|
||||
*/
|
||||
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||
- OPENSSL_free(co_list);
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
- OPENSSL_free(co_list);
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||
disabled_mkey, disabled_auth, disabled_enc,
|
||||
@@ -1633,8 +1688,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||
|
||||
if (!ok) { /* Rule processing failure */
|
||||
- OPENSSL_free(co_list);
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1642,10 +1696,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
* if we cannot get one.
|
||||
*/
|
||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||
- OPENSSL_free(co_list);
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ OPENSSL_free(new_rules); /* Not needed anymore */
|
||||
+#endif
|
||||
+
|
||||
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
||||
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
||||
@@ -1697,6 +1754,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
*cipher_list = cipherstack;
|
||||
|
||||
return cipherstack;
|
||||
+
|
||||
+err:
|
||||
+ OPENSSL_free(co_list);
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ OPENSSL_free(new_rules);
|
||||
+#endif
|
||||
+ return NULL;
|
||||
+
|
||||
}
|
||||
|
||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
||||
ctx->tls13_ciphersuites,
|
||||
&(ctx->cipher_list),
|
||||
&(ctx->cipher_list_by_id),
|
||||
- OSSL_default_cipher_list(), ctx->cert);
|
||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
|
||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||
return 0;
|
||||
@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
|
||||
if (!ssl_create_cipher_list(ret,
|
||||
ret->tls13_ciphersuites,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
- OSSL_default_cipher_list(), ret->cert)
|
||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
--- a/test/cipherlist_test.c
|
||||
+++ b/test/cipherlist_test.c
|
||||
@@ -246,7 +246,9 @@ end:
|
||||
|
||||
int setup_tests(void)
|
||||
{
|
||||
+#ifndef SYSTEM_CIPHERS_FILE
|
||||
ADD_TEST(test_default_cipherlist_implicit);
|
||||
+#endif
|
||||
ADD_TEST(test_default_cipherlist_explicit);
|
||||
ADD_TEST(test_default_cipherlist_clear);
|
||||
return 1;
|
||||
--- a/util/libcrypto.num
|
||||
+++ b/util/libcrypto.num
|
||||
@@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup
|
||||
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
|
||||
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
|
||||
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
|
||||
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
743
openssl-Add_support_for_Windows_CA_certificate_store.patch
Normal file
743
openssl-Add_support_for_Windows_CA_certificate_store.patch
Normal file
@ -0,0 +1,743 @@
|
||||
From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Landau <hlandau@openssl.org>
|
||||
Date: Fri, 8 Apr 2022 13:10:52 +0100
|
||||
Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI
|
||||
env
|
||||
|
||||
Fixes #18068.
|
||||
---
|
||||
CHANGES.md | 21
|
||||
Configure | 7
|
||||
crypto/x509/by_dir.c | 17
|
||||
crypto/x509/by_store.c | 14
|
||||
crypto/x509/x509_def.c | 15
|
||||
doc/build.info | 6
|
||||
doc/man3/X509_get_default_cert_file.pod | 113 +++++
|
||||
include/internal/cryptlib.h | 11
|
||||
include/internal/e_os.h | 2
|
||||
include/openssl/x509.h.in | 3
|
||||
providers/implementations/include/prov/implementations.h | 1
|
||||
providers/implementations/storemgmt/build.info | 3
|
||||
providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++
|
||||
providers/stores.inc | 3
|
||||
util/libcrypto.num | 3
|
||||
util/missingcrypto.txt | 4
|
||||
16 files changed, 536 insertions(+), 14 deletions(-)
|
||||
|
||||
--- a/CHANGES.md
|
||||
+++ b/CHANGES.md
|
||||
@@ -24,6 +24,27 @@ OpenSSL 3.1
|
||||
|
||||
### Changes between 3.1.0 and 3.1.1 [30 May 2023]
|
||||
|
||||
+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced.
|
||||
+ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The
|
||||
+ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of
|
||||
+ paths which are searched for root certificates.
|
||||
+
|
||||
+ The existing `SSL_CERT_DIR` environment variable is deprecated.
|
||||
+ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated
|
||||
+ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes
|
||||
+ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate
|
||||
+ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored
|
||||
+ for the purposes of determining root certificate stores.
|
||||
+
|
||||
+ *Hugo Landau*
|
||||
+
|
||||
+ * Support for loading root certificates from the Windows certificate store
|
||||
+ has been added. The support is in the form of a store which recognises the
|
||||
+ URI string of `org.openssl.winstore://`. This store is enabled by default and
|
||||
+ can be disabled using the new compile-time option `no-winstore`.
|
||||
+
|
||||
+ *Hugo Landau*
|
||||
+
|
||||
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
|
||||
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
|
||||
|
||||
--- a/Configure
|
||||
+++ b/Configure
|
||||
@@ -420,6 +420,7 @@ my @disablables = (
|
||||
"cached-fetch",
|
||||
"camellia",
|
||||
"capieng",
|
||||
+ "winstore",
|
||||
"cast",
|
||||
"chacha",
|
||||
"cmac",
|
||||
@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) {
|
||||
}
|
||||
}
|
||||
|
||||
+unless ($disabled{winstore}) {
|
||||
+ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) {
|
||||
+ disable('not-windows', 'winstore');
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
|
||||
|
||||
# Get the extra flags used when building shared libraries and modules. We
|
||||
--- a/crypto/x509/by_dir.c
|
||||
+++ b/crypto/x509/by_dir.c
|
||||
@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
|
||||
switch (cmd) {
|
||||
case X509_L_ADD_DIR:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
|
||||
+ /* If SSL_CERT_PATH is provided and non-empty, use that. */
|
||||
+ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
|
||||
|
||||
- if (dir)
|
||||
- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
||||
- else
|
||||
- ret = add_cert_dir(ld, X509_get_default_cert_dir(),
|
||||
- X509_FILETYPE_PEM);
|
||||
+ /* Fallback to SSL_CERT_DIR. */
|
||||
+ if (dir == NULL)
|
||||
+ dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
|
||||
+
|
||||
+ /* Fallback to built-in default. */
|
||||
+ if (dir == NULL)
|
||||
+ dir = X509_get_default_cert_dir();
|
||||
+
|
||||
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
||||
if (!ret) {
|
||||
ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
|
||||
}
|
||||
--- a/crypto/x509/by_store.c
|
||||
+++ b/crypto/x509/by_store.c
|
||||
@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP
|
||||
{
|
||||
switch (cmd) {
|
||||
case X509_L_ADD_STORE:
|
||||
- /* If no URI is given, use the default cert dir as default URI */
|
||||
+ /* First try the newer default cert URI envvar. */
|
||||
+ if (argp == NULL)
|
||||
+ argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
|
||||
+
|
||||
+ /* If not set, see if we have a URI in the older cert dir envvar. */
|
||||
if (argp == NULL)
|
||||
argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
|
||||
+
|
||||
+ /* Fallback to default store URI. */
|
||||
if (argp == NULL)
|
||||
- argp = X509_get_default_cert_dir();
|
||||
+ argp = X509_get_default_cert_uri();
|
||||
+
|
||||
+ /* No point adding an empty URI. */
|
||||
+ if (!*argp)
|
||||
+ return 1;
|
||||
|
||||
{
|
||||
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
|
||||
--- a/crypto/x509/x509_def.c
|
||||
+++ b/crypto/x509/x509_def.c
|
||||
@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v
|
||||
return X509_CERT_AREA;
|
||||
}
|
||||
|
||||
+const char *X509_get_default_cert_uri(void)
|
||||
+{
|
||||
+ return X509_CERT_URI;
|
||||
+}
|
||||
+
|
||||
const char *X509_get_default_cert_dir(void)
|
||||
{
|
||||
return X509_CERT_DIR;
|
||||
@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v
|
||||
return X509_CERT_FILE;
|
||||
}
|
||||
|
||||
+const char *X509_get_default_cert_uri_env(void)
|
||||
+{
|
||||
+ return X509_CERT_URI_EVP;
|
||||
+}
|
||||
+
|
||||
+const char *X509_get_default_cert_path_env(void)
|
||||
+{
|
||||
+ return X509_CERT_PATH_EVP;
|
||||
+}
|
||||
+
|
||||
const char *X509_get_default_cert_dir_env(void)
|
||||
{
|
||||
return X509_CERT_DIR_EVP;
|
||||
--- a/doc/build.info
|
||||
+++ b/doc/build.info
|
||||
@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma
|
||||
GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod
|
||||
DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
|
||||
GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
|
||||
+DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
|
||||
+GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
|
||||
+DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
|
||||
+GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
|
||||
DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
|
||||
GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
|
||||
DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod
|
||||
@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht
|
||||
html/man3/X509_get0_notBefore.html \
|
||||
html/man3/X509_get0_signature.html \
|
||||
html/man3/X509_get0_uids.html \
|
||||
+html/man3/X509_get_default_cert_file.html \
|
||||
html/man3/X509_get_extension_flags.html \
|
||||
html/man3/X509_get_pubkey.html \
|
||||
html/man3/X509_get_serialNumber.html \
|
||||
@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \
|
||||
man/man3/X509_get0_notBefore.3 \
|
||||
man/man3/X509_get0_signature.3 \
|
||||
man/man3/X509_get0_uids.3 \
|
||||
+man/man3/X509_get_default_cert_file.3 \
|
||||
man/man3/X509_get_extension_flags.3 \
|
||||
man/man3/X509_get_pubkey.3 \
|
||||
man/man3/X509_get_serialNumber.3 \
|
||||
--- /dev/null
|
||||
+++ b/doc/man3/X509_get_default_cert_file.pod
|
||||
@@ -0,0 +1,113 @@
|
||||
+=pod
|
||||
+
|
||||
+=head1 NAME
|
||||
+
|
||||
+X509_get_default_cert_file, X509_get_default_cert_file_env,
|
||||
+X509_get_default_cert_path_env,
|
||||
+X509_get_default_cert_dir, X509_get_default_cert_dir_env,
|
||||
+X509_get_default_cert_uri, X509_get_default_cert_uri_env -
|
||||
+retrieve default locations for trusted CA certificates
|
||||
+
|
||||
+=head1 SYNOPSIS
|
||||
+
|
||||
+ #include <openssl/x509.h>
|
||||
+
|
||||
+ const char *X509_get_default_cert_file(void);
|
||||
+ const char *X509_get_default_cert_dir(void);
|
||||
+ const char *X509_get_default_cert_uri(void);
|
||||
+
|
||||
+ const char *X509_get_default_cert_file_env(void);
|
||||
+ const char *X509_get_default_cert_path_env(void);
|
||||
+ const char *X509_get_default_cert_dir_env(void);
|
||||
+ const char *X509_get_default_cert_uri_env(void);
|
||||
+
|
||||
+=head1 DESCRIPTION
|
||||
+
|
||||
+The X509_get_default_cert_file() function returns the default path
|
||||
+to a file containing trusted CA certificates. OpenSSL will use this as
|
||||
+the default path when it is asked to load trusted CA certificates
|
||||
+from a file and no other path is specified. If the file exists, CA certificates
|
||||
+are loaded from the file.
|
||||
+
|
||||
+The X509_get_default_cert_dir() function returns a default delimeter-separated
|
||||
+list of paths to a directories containing trusted CA certificates named in the
|
||||
+hashed format. OpenSSL will use this as the default list of paths when it is
|
||||
+asked to load trusted CA certificates from a directory and no other path is
|
||||
+specified. If a given directory in the list exists, OpenSSL attempts to lookup
|
||||
+CA certificates in this directory by calculating a filename based on a hash of
|
||||
+the certificate's subject name.
|
||||
+
|
||||
+The X509_get_default_cert_uri() function returns the default URI for a
|
||||
+certificate store accessed programmatically via an OpenSSL provider. If there is
|
||||
+no default store applicable to the system for which OpenSSL was compiled, this
|
||||
+returns an empty string.
|
||||
+
|
||||
+X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return
|
||||
+environment variable names which are recommended to specify nondefault values to
|
||||
+be used instead of the values returned by X509_get_default_cert_file() and
|
||||
+X509_get_default_cert_uri() respectively. The values returned by the latter
|
||||
+functions are not affected by these environment variables; you must check for
|
||||
+these environment variables yourself, using these functions to retrieve the
|
||||
+correct environment variable names. If an environment variable is not set, the
|
||||
+value returned by the corresponding function above should be used.
|
||||
+
|
||||
+X509_get_default_cert_path_env() returns the environment variable name which is
|
||||
+recommended to specify a nondefault value to be used instead of the value
|
||||
+returned by X509_get_default_cert_dir(). This environment variable supercedes
|
||||
+the deprecated environment variable whose name is returned by
|
||||
+X509_get_default_cert_dir_env(). This environment variable was deprecated as its
|
||||
+contents can be interpreted ambiguously; see NOTES.
|
||||
+
|
||||
+By default, OpenSSL uses the path list specified in the environment variable
|
||||
+whose name is returned by X509_get_default_cert_path_env() if it is set;
|
||||
+otherwise, it uses the path list specified in the environment variable whose
|
||||
+name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it
|
||||
+uses the value returned by X509_get_default_cert_dir()).
|
||||
+
|
||||
+=head1 NOTES
|
||||
+
|
||||
+X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and
|
||||
+X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this
|
||||
+release, store URIs were expressed via the environment variable returned by
|
||||
+X509_get_default_cert_dir_env(); this environment variable could be used to
|
||||
+specify either a list of directories or a store URI. This creates an ambiguity
|
||||
+in which the environment variable returned by X509_get_default_cert_dir_env() is
|
||||
+interpreted both as a list of directories and as a store URI.
|
||||
+
|
||||
+This usage and the environment variable returned by
|
||||
+X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use
|
||||
+the environment variable returned by X509_get_default_cert_uri_env(), and to
|
||||
+specify a list of directories, use the environment variable returned by
|
||||
+X509_get_default_cert_path_env().
|
||||
+
|
||||
+=head1 RETURN VALUES
|
||||
+
|
||||
+These functions return pointers to constant strings with static storage
|
||||
+duration.
|
||||
+
|
||||
+=head1 SEE ALSO
|
||||
+
|
||||
+L<X509_LOOKUP(3)>,
|
||||
+L<SSL_CTX_set_default_verify_file(3)>,
|
||||
+L<SSL_CTX_set_default_verify_dir(3)>,
|
||||
+L<SSL_CTX_set_default_verify_store(3)>,
|
||||
+L<SSL_CTX_load_verify_file(3)>,
|
||||
+L<SSL_CTX_load_verify_dir(3)>,
|
||||
+L<SSL_CTX_load_verify_store(3)>,
|
||||
+L<SSL_CTX_load_verify_locations(3)>
|
||||
+
|
||||
+=head1 HISTORY
|
||||
+
|
||||
+X509_get_default_cert_uri(), X509_get_default_cert_path_env() and
|
||||
+X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1.
|
||||
+
|
||||
+=head1 COPYRIGHT
|
||||
+
|
||||
+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+
|
||||
+Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+this file except in compliance with the License. You can obtain a copy
|
||||
+in the file LICENSE in the source distribution or at
|
||||
+L<https://www.openssl.org/source/license.html>.
|
||||
+
|
||||
+=cut
|
||||
--- a/include/internal/cryptlib.h
|
||||
+++ b/include/internal/cryptlib.h
|
||||
@@ -13,6 +13,8 @@
|
||||
|
||||
# include <stdlib.h>
|
||||
# include <string.h>
|
||||
+# include "openssl/configuration.h"
|
||||
+# include "internal/e_os.h" /* ossl_inline in many files */
|
||||
|
||||
# ifdef OPENSSL_USE_APPLINK
|
||||
# define BIO_FLAGS_UPLINK_INTERNAL 0x8000
|
||||
@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM);
|
||||
# define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf"
|
||||
# endif
|
||||
|
||||
+#ifndef OPENSSL_NO_WINSTORE
|
||||
+# define X509_CERT_URI "org.openssl.winstore://"
|
||||
+#else
|
||||
+# define X509_CERT_URI ""
|
||||
+#endif
|
||||
+
|
||||
+# define X509_CERT_URI_EVP "SSL_CERT_URI"
|
||||
+# define X509_CERT_PATH_EVP "SSL_CERT_PATH"
|
||||
# define X509_CERT_DIR_EVP "SSL_CERT_DIR"
|
||||
# define X509_CERT_FILE_EVP "SSL_CERT_FILE"
|
||||
# define CTLOG_FILE_EVP "CTLOG_FILE"
|
||||
@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_
|
||||
# endif
|
||||
return path[0] == '/';
|
||||
}
|
||||
-
|
||||
#endif
|
||||
--- a/include/internal/e_os.h
|
||||
+++ b/include/internal/e_os.h
|
||||
@@ -249,7 +249,7 @@ FILE *__iob_func();
|
||||
/***********************************************/
|
||||
|
||||
# if defined(OPENSSL_SYS_WINDOWS)
|
||||
-# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
|
||||
+# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
|
||||
# define open _open
|
||||
# define fdopen _fdopen
|
||||
# define close _close
|
||||
--- a/include/openssl/x509.h.in
|
||||
+++ b/include/openssl/x509.h.in
|
||||
@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s
|
||||
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
|
||||
|
||||
const char *X509_get_default_cert_area(void);
|
||||
+const char *X509_get_default_cert_uri(void);
|
||||
const char *X509_get_default_cert_dir(void);
|
||||
const char *X509_get_default_cert_file(void);
|
||||
+const char *X509_get_default_cert_uri_env(void);
|
||||
+const char *X509_get_default_cert_path_env(void);
|
||||
const char *X509_get_default_cert_dir_env(void);
|
||||
const char *X509_get_default_cert_file_env(void);
|
||||
const char *X509_get_default_private_dir(void);
|
||||
--- a/providers/implementations/include/prov/implementations.h
|
||||
+++ b/providers/implementations/include/prov/implementations.h
|
||||
@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP
|
||||
extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[];
|
||||
|
||||
extern const OSSL_DISPATCH ossl_file_store_functions[];
|
||||
+extern const OSSL_DISPATCH ossl_winstore_store_functions[];
|
||||
--- a/providers/implementations/storemgmt/build.info
|
||||
+++ b/providers/implementations/storemgmt/build.info
|
||||
@@ -4,3 +4,6 @@
|
||||
$STORE_GOAL=../../libdefault.a
|
||||
|
||||
SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c
|
||||
+IF[{- !$disabled{winstore} -}]
|
||||
+ SOURCE[$STORE_GOAL]=winstore_store.c
|
||||
+ENDIF
|
||||
--- /dev/null
|
||||
+++ b/providers/implementations/storemgmt/winstore_store.c
|
||||
@@ -0,0 +1,327 @@
|
||||
+/*
|
||||
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ *
|
||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+#include <openssl/store.h>
|
||||
+#include <openssl/core_dispatch.h>
|
||||
+#include <openssl/core_names.h>
|
||||
+#include <openssl/core_object.h>
|
||||
+#include <openssl/bio.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/params.h>
|
||||
+#include <openssl/decoder.h>
|
||||
+#include <openssl/proverr.h>
|
||||
+#include <openssl/store.h> /* The OSSL_STORE_INFO type numbers */
|
||||
+#include "internal/cryptlib.h"
|
||||
+#include "internal/o_dir.h"
|
||||
+#include "crypto/decoder.h"
|
||||
+#include "crypto/ctype.h" /* ossl_isdigit() */
|
||||
+#include "prov/implementations.h"
|
||||
+#include "prov/bio.h"
|
||||
+#include "file_store_local.h"
|
||||
+
|
||||
+#include <wincrypt.h>
|
||||
+
|
||||
+enum {
|
||||
+ STATE_IDLE,
|
||||
+ STATE_READ,
|
||||
+ STATE_EOF,
|
||||
+};
|
||||
+
|
||||
+struct winstore_ctx_st {
|
||||
+ void *provctx;
|
||||
+ char *propq;
|
||||
+ unsigned char *subject;
|
||||
+ size_t subject_len;
|
||||
+
|
||||
+ HCERTSTORE win_store;
|
||||
+ const CERT_CONTEXT *win_ctx;
|
||||
+ int state;
|
||||
+
|
||||
+ OSSL_DECODER_CTX *dctx;
|
||||
+};
|
||||
+
|
||||
+static void winstore_win_reset(struct winstore_ctx_st *ctx)
|
||||
+{
|
||||
+ if (ctx->win_ctx != NULL) {
|
||||
+ CertFreeCertificateContext(ctx->win_ctx);
|
||||
+ ctx->win_ctx = NULL;
|
||||
+ }
|
||||
+
|
||||
+ ctx->state = STATE_IDLE;
|
||||
+}
|
||||
+
|
||||
+static void winstore_win_advance(struct winstore_ctx_st *ctx)
|
||||
+{
|
||||
+ CERT_NAME_BLOB name = {0};
|
||||
+
|
||||
+ if (ctx->state == STATE_EOF)
|
||||
+ return;
|
||||
+
|
||||
+ name.cbData = ctx->subject_len;
|
||||
+ name.pbData = ctx->subject;
|
||||
+
|
||||
+ ctx->win_ctx = (name.cbData == 0 ? NULL :
|
||||
+ CertFindCertificateInStore(ctx->win_store,
|
||||
+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
||||
+ 0, CERT_FIND_SUBJECT_NAME,
|
||||
+ &name, ctx->win_ctx));
|
||||
+
|
||||
+ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ;
|
||||
+}
|
||||
+
|
||||
+static void *winstore_open(void *provctx, const char *uri)
|
||||
+{
|
||||
+ struct winstore_ctx_st *ctx = NULL;
|
||||
+
|
||||
+ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:"))
|
||||
+ return NULL;
|
||||
+
|
||||
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
|
||||
+ if (ctx == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ ctx->provctx = provctx;
|
||||
+ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT");
|
||||
+ if (ctx->win_store == NULL) {
|
||||
+ OPENSSL_free(ctx);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ winstore_win_reset(ctx);
|
||||
+ return ctx;
|
||||
+}
|
||||
+
|
||||
+static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin)
|
||||
+{
|
||||
+ return NULL; /* not supported */
|
||||
+}
|
||||
+
|
||||
+static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[])
|
||||
+{
|
||||
+ static const OSSL_PARAM known_settable_ctx_params[] = {
|
||||
+ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
|
||||
+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
|
||||
+ OSSL_PARAM_END
|
||||
+ };
|
||||
+ return known_settable_ctx_params;
|
||||
+}
|
||||
+
|
||||
+static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
|
||||
+{
|
||||
+ struct winstore_ctx_st *ctx = loaderctx;
|
||||
+ const OSSL_PARAM *p;
|
||||
+ int do_reset = 0;
|
||||
+
|
||||
+ if (params == NULL)
|
||||
+ return 1;
|
||||
+
|
||||
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
|
||||
+ if (p != NULL) {
|
||||
+ do_reset = 1;
|
||||
+ OPENSSL_free(ctx->propq);
|
||||
+ ctx->propq = NULL;
|
||||
+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
|
||||
+ if (p != NULL) {
|
||||
+ const unsigned char *der = NULL;
|
||||
+ size_t der_len = 0;
|
||||
+
|
||||
+ if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len))
|
||||
+ return 0;
|
||||
+
|
||||
+ do_reset = 1;
|
||||
+
|
||||
+ OPENSSL_free(ctx->subject);
|
||||
+
|
||||
+ ctx->subject = OPENSSL_malloc(der_len);
|
||||
+ if (ctx->subject == NULL) {
|
||||
+ ctx->subject_len = 0;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ ctx->subject_len = der_len;
|
||||
+ memcpy(ctx->subject, der, der_len);
|
||||
+ }
|
||||
+
|
||||
+ if (do_reset) {
|
||||
+ winstore_win_reset(ctx);
|
||||
+ winstore_win_advance(ctx);
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+struct load_data_st {
|
||||
+ OSSL_CALLBACK *object_cb;
|
||||
+ void *object_cbarg;
|
||||
+};
|
||||
+
|
||||
+static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst,
|
||||
+ const OSSL_PARAM *params, void *construct_data)
|
||||
+{
|
||||
+ struct load_data_st *data = construct_data;
|
||||
+ return data->object_cb(params, data->object_cbarg);
|
||||
+}
|
||||
+
|
||||
+static void load_cleanup(void *construct_data)
|
||||
+{
|
||||
+ /* No-op. */
|
||||
+}
|
||||
+
|
||||
+static int setup_decoder(struct winstore_ctx_st *ctx)
|
||||
+{
|
||||
+ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx);
|
||||
+ const OSSL_ALGORITHM *to_algo = NULL;
|
||||
+
|
||||
+ if (ctx->dctx != NULL)
|
||||
+ return 1;
|
||||
+
|
||||
+ ctx->dctx = OSSL_DECODER_CTX_new();
|
||||
+ if (ctx->dctx == NULL) {
|
||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) {
|
||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) {
|
||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ for (to_algo = ossl_any_to_obj_algorithm;
|
||||
+ to_algo->algorithm_names != NULL;
|
||||
+ to_algo++) {
|
||||
+ OSSL_DECODER *to_obj = NULL;
|
||||
+ OSSL_DECODER_INSTANCE *to_obj_inst = NULL;
|
||||
+
|
||||
+ /*
|
||||
+ * Create the internal last resort decoder implementation
|
||||
+ * together with a "decoder instance".
|
||||
+ * The decoder doesn't need any identification or to be
|
||||
+ * attached to any provider, since it's only used locally.
|
||||
+ */
|
||||
+ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL);
|
||||
+ if (to_obj != NULL)
|
||||
+ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx);
|
||||
+
|
||||
+ OSSL_DECODER_free(to_obj);
|
||||
+ if (to_obj_inst == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx,
|
||||
+ to_obj_inst)) {
|
||||
+ ossl_decoder_instance_free(to_obj_inst);
|
||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+
|
||||
+err:
|
||||
+ OSSL_DECODER_CTX_free(ctx->dctx);
|
||||
+ ctx->dctx = NULL;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int winstore_load_using(struct winstore_ctx_st *ctx,
|
||||
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
|
||||
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg,
|
||||
+ const void *der, size_t der_len)
|
||||
+{
|
||||
+ struct load_data_st data;
|
||||
+ const unsigned char *der_ = der;
|
||||
+ size_t der_len_ = der_len;
|
||||
+
|
||||
+ if (setup_decoder(ctx) == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ data.object_cb = object_cb;
|
||||
+ data.object_cbarg = object_cbarg;
|
||||
+
|
||||
+ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data);
|
||||
+ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg);
|
||||
+
|
||||
+ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static int winstore_load(void *loaderctx,
|
||||
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
|
||||
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ struct winstore_ctx_st *ctx = loaderctx;
|
||||
+
|
||||
+ if (ctx->state != STATE_READ)
|
||||
+ return 0;
|
||||
+
|
||||
+ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg,
|
||||
+ ctx->win_ctx->pbCertEncoded,
|
||||
+ ctx->win_ctx->cbCertEncoded);
|
||||
+
|
||||
+ if (ret == 1)
|
||||
+ winstore_win_advance(ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int winstore_eof(void *loaderctx)
|
||||
+{
|
||||
+ struct winstore_ctx_st *ctx = loaderctx;
|
||||
+
|
||||
+ return ctx->state != STATE_READ;
|
||||
+}
|
||||
+
|
||||
+static int winstore_close(void *loaderctx)
|
||||
+{
|
||||
+ struct winstore_ctx_st *ctx = loaderctx;
|
||||
+
|
||||
+ winstore_win_reset(ctx);
|
||||
+ CertCloseStore(ctx->win_store, 0);
|
||||
+ OSSL_DECODER_CTX_free(ctx->dctx);
|
||||
+ OPENSSL_free(ctx->propq);
|
||||
+ OPENSSL_free(ctx->subject);
|
||||
+ OPENSSL_free(ctx);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+const OSSL_DISPATCH ossl_winstore_store_functions[] = {
|
||||
+ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open },
|
||||
+ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach },
|
||||
+ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params },
|
||||
+ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params },
|
||||
+ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load },
|
||||
+ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof },
|
||||
+ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close },
|
||||
+ { 0, NULL },
|
||||
+};
|
||||
--- a/providers/stores.inc
|
||||
+++ b/providers/stores.inc
|
||||
@@ -12,3 +12,6 @@
|
||||
#endif
|
||||
|
||||
STORE("file", "yes", ossl_file_store_functions)
|
||||
+#ifndef OPENSSL_NO_WINSTORE
|
||||
+STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions)
|
||||
+#endif
|
||||
--- a/util/libcrypto.num
|
||||
+++ b/util/libcrypto.num
|
||||
@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup
|
||||
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
|
||||
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
|
||||
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
|
||||
+X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION:
|
||||
+X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION:
|
||||
+X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION:
|
||||
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||
--- a/util/missingcrypto.txt
|
||||
+++ b/util/missingcrypto.txt
|
||||
@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3)
|
||||
X509_get1_email(3)
|
||||
X509_get1_ocsp(3)
|
||||
X509_get_default_cert_area(3)
|
||||
-X509_get_default_cert_dir(3)
|
||||
-X509_get_default_cert_dir_env(3)
|
||||
-X509_get_default_cert_file(3)
|
||||
-X509_get_default_cert_file_env(3)
|
||||
X509_get_default_private_dir(3)
|
||||
X509_get_pubkey_parameters(3)
|
||||
X509_get_signature_type(3)
|
174
openssl-CVE-2023-5678.patch
Normal file
174
openssl-CVE-2023-5678.patch
Normal file
@ -0,0 +1,174 @@
|
||||
From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Levitte <levitte@openssl.org>
|
||||
Date: Fri, 20 Oct 2023 09:18:19 +0200
|
||||
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
|
||||
|
||||
We already check for an excessively large P in DH_generate_key(), but not in
|
||||
DH_check_pub_key(), and none of them check for an excessively large Q.
|
||||
|
||||
This change adds all the missing excessive size checks of P and Q.
|
||||
|
||||
It's to be noted that behaviours surrounding excessively sized P and Q
|
||||
differ. DH_check() raises an error on the excessively sized P, but only
|
||||
sets a flag for the excessively sized Q. This behaviour is mimicked in
|
||||
DH_check_pub_key().
|
||||
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/22518)
|
||||
|
||||
(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
|
||||
---
|
||||
crypto/dh/dh_check.c | 12 ++++++++++++
|
||||
crypto/dh/dh_err.c | 3 ++-
|
||||
crypto/dh/dh_key.c | 12 ++++++++++++
|
||||
crypto/err/openssl.txt | 1 +
|
||||
include/crypto/dherr.h | 2 +-
|
||||
include/openssl/dh.h | 6 +++---
|
||||
include/openssl/dherr.h | 3 ++-
|
||||
7 files changed, 33 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index 7ba2beae7fd6b..e20eb62081c5e 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
|
||||
*/
|
||||
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
|
||||
{
|
||||
+ /* Don't do any checks at all with an excessively large modulus */
|
||||
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
||||
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
|
||||
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
|
||||
}
|
||||
|
||||
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
|
||||
index 4152397426cc9..f76ac0dd1463f 100644
|
||||
--- a/crypto/dh/dh_err.c
|
||||
+++ b/crypto/dh/dh_err.c
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
|
||||
"parameter encoding error"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
|
||||
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
|
||||
"unable to check generator"},
|
||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
||||
index d84ea99241b9e..afc49f5cdc87d 100644
|
||||
--- a/crypto/dh/dh_key.c
|
||||
+++ b/crypto/dh/dh_key.c
|
||||
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||
goto err;
|
||||
}
|
||||
|
||||
+ if (dh->params.q != NULL
|
||||
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
|
||||
return 0;
|
||||
@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (dh->params.q != NULL
|
||||
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
|
||||
return 0;
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index e51504b7abd5c..36de321b749be 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
|
||||
DH_R_NO_PRIVATE_VALUE:100:no private value
|
||||
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
|
||||
DH_R_PEER_KEY_ERROR:111:peer key error
|
||||
+DH_R_Q_TOO_LARGE:130:q too large
|
||||
DH_R_SHARED_INFO_ERROR:113:shared info error
|
||||
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
|
||||
DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
|
||||
diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
|
||||
index bb24d131eb887..519327f795742 100644
|
||||
--- a/include/crypto/dherr.h
|
||||
+++ b/include/crypto/dherr.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
|
||||
index 6533260f20272..50e0cf54be8cb 100644
|
||||
--- a/include/openssl/dh.h
|
||||
+++ b/include/openssl/dh.h
|
||||
@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams)
|
||||
# define DH_GENERATOR_3 3
|
||||
# define DH_GENERATOR_5 5
|
||||
|
||||
-/* DH_check error codes */
|
||||
+/* DH_check error codes, some of them shared with DH_check_pub_key */
|
||||
/*
|
||||
* NB: These values must align with the equivalently named macros in
|
||||
* internal/ffc.h.
|
||||
@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams)
|
||||
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
|
||||
# define DH_NOT_SUITABLE_GENERATOR 0x08
|
||||
# define DH_CHECK_Q_NOT_PRIME 0x10
|
||||
-# define DH_CHECK_INVALID_Q_VALUE 0x20
|
||||
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
|
||||
# define DH_CHECK_INVALID_J_VALUE 0x40
|
||||
# define DH_MODULUS_TOO_SMALL 0x80
|
||||
-# define DH_MODULUS_TOO_LARGE 0x100
|
||||
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
|
||||
|
||||
/* DH_check_pub_key error codes */
|
||||
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
|
||||
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
|
||||
index 5d2a762a96f8c..074a70145f9f5 100644
|
||||
--- a/include/openssl/dherr.h
|
||||
+++ b/include/openssl/dherr.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -50,6 +50,7 @@
|
||||
# define DH_R_NO_PRIVATE_VALUE 100
|
||||
# define DH_R_PARAMETER_ENCODING_ERROR 105
|
||||
# define DH_R_PEER_KEY_ERROR 111
|
||||
+# define DH_R_Q_TOO_LARGE 130
|
||||
# define DH_R_SHARED_INFO_ERROR 113
|
||||
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
|
||||
|
109
openssl-CVE-2023-6129.patch
Normal file
109
openssl-CVE-2023-6129.patch
Normal file
@ -0,0 +1,109 @@
|
||||
From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001
|
||||
From: Rohan McLure <rmclure@linux.ibm.com>
|
||||
Date: Thu, 4 Jan 2024 10:25:50 +0100
|
||||
Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
|
||||
|
||||
Fixes CVE-2023-6129
|
||||
|
||||
The POLY1305 MAC (message authentication code) implementation in OpenSSL for
|
||||
PowerPC CPUs saves the the contents of vector registers in different order
|
||||
than they are restored. Thus the contents of some of these vector registers
|
||||
is corrupted when returning to the caller. The vulnerable code is used only
|
||||
on newer PowerPC processors supporting the PowerISA 2.07 instructions.
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/23200)
|
||||
|
||||
(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
|
||||
---
|
||||
crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
|
||||
1 file changed, 21 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
|
||||
index 9f86134d923fb..2e601bb9c24be 100755
|
||||
--- a/crypto/poly1305/asm/poly1305-ppc.pl
|
||||
+++ b/crypto/poly1305/asm/poly1305-ppc.pl
|
||||
@@ -744,7 +744,7 @@
|
||||
my $LOCALS= 6*$SIZE_T;
|
||||
my $VSXFRAME = $LOCALS + 6*$SIZE_T;
|
||||
$VSXFRAME += 128; # local variables
|
||||
- $VSXFRAME += 13*16; # v20-v31 offload
|
||||
+ $VSXFRAME += 12*16; # v20-v31 offload
|
||||
|
||||
my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
|
||||
|
||||
@@ -919,12 +919,12 @@
|
||||
addi r11,r11,32
|
||||
stvx v22,r10,$sp
|
||||
addi r10,r10,32
|
||||
- stvx v23,r10,$sp
|
||||
- addi r10,r10,32
|
||||
- stvx v24,r11,$sp
|
||||
+ stvx v23,r11,$sp
|
||||
addi r11,r11,32
|
||||
- stvx v25,r10,$sp
|
||||
+ stvx v24,r10,$sp
|
||||
addi r10,r10,32
|
||||
+ stvx v25,r11,$sp
|
||||
+ addi r11,r11,32
|
||||
stvx v26,r10,$sp
|
||||
addi r10,r10,32
|
||||
stvx v27,r11,$sp
|
||||
@@ -1153,12 +1153,12 @@
|
||||
addi r11,r11,32
|
||||
stvx v22,r10,$sp
|
||||
addi r10,r10,32
|
||||
- stvx v23,r10,$sp
|
||||
- addi r10,r10,32
|
||||
- stvx v24,r11,$sp
|
||||
+ stvx v23,r11,$sp
|
||||
addi r11,r11,32
|
||||
- stvx v25,r10,$sp
|
||||
+ stvx v24,r10,$sp
|
||||
addi r10,r10,32
|
||||
+ stvx v25,r11,$sp
|
||||
+ addi r11,r11,32
|
||||
stvx v26,r10,$sp
|
||||
addi r10,r10,32
|
||||
stvx v27,r11,$sp
|
||||
@@ -1899,26 +1899,26 @@
|
||||
mtspr 256,r12 # restore vrsave
|
||||
lvx v20,r10,$sp
|
||||
addi r10,r10,32
|
||||
- lvx v21,r10,$sp
|
||||
- addi r10,r10,32
|
||||
- lvx v22,r11,$sp
|
||||
+ lvx v21,r11,$sp
|
||||
addi r11,r11,32
|
||||
- lvx v23,r10,$sp
|
||||
+ lvx v22,r10,$sp
|
||||
addi r10,r10,32
|
||||
- lvx v24,r11,$sp
|
||||
+ lvx v23,r11,$sp
|
||||
addi r11,r11,32
|
||||
- lvx v25,r10,$sp
|
||||
+ lvx v24,r10,$sp
|
||||
addi r10,r10,32
|
||||
- lvx v26,r11,$sp
|
||||
+ lvx v25,r11,$sp
|
||||
addi r11,r11,32
|
||||
- lvx v27,r10,$sp
|
||||
+ lvx v26,r10,$sp
|
||||
addi r10,r10,32
|
||||
- lvx v28,r11,$sp
|
||||
+ lvx v27,r11,$sp
|
||||
addi r11,r11,32
|
||||
- lvx v29,r10,$sp
|
||||
+ lvx v28,r10,$sp
|
||||
addi r10,r10,32
|
||||
- lvx v30,r11,$sp
|
||||
- lvx v31,r10,$sp
|
||||
+ lvx v29,r11,$sp
|
||||
+ addi r11,r11,32
|
||||
+ lvx v30,r10,$sp
|
||||
+ lvx v31,r11,$sp
|
||||
$POP r27,`$VSXFRAME-$SIZE_T*5`($sp)
|
||||
$POP r28,`$VSXFRAME-$SIZE_T*4`($sp)
|
||||
$POP r29,`$VSXFRAME-$SIZE_T*3`($sp)
|
122
openssl-CVE-2023-6237.patch
Normal file
122
openssl-CVE-2023-6237.patch
Normal file
@ -0,0 +1,122 @@
|
||||
From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Fri, 22 Dec 2023 16:25:56 +0100
|
||||
Subject: [PATCH] Limit the execution time of RSA public key check
|
||||
|
||||
Fixes CVE-2023-6237
|
||||
|
||||
If a large and incorrect RSA public key is checked with
|
||||
EVP_PKEY_public_check() the computation could take very long time
|
||||
due to no limit being applied to the RSA public key size and
|
||||
unnecessarily high number of Miller-Rabin algorithm rounds
|
||||
used for non-primality check of the modulus.
|
||||
|
||||
Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
|
||||
will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
|
||||
Also the number of Miller-Rabin rounds was set to 5.
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/23243)
|
||||
|
||||
(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)
|
||||
---
|
||||
crypto/rsa/rsa_sp800_56b_check.c | 8 +++-
|
||||
test/recipes/91-test_pkey_check.t | 2 +-
|
||||
.../91-test_pkey_check_data/rsapub_17k.pem | 48 +++++++++++++++++++
|
||||
3 files changed, 56 insertions(+), 2 deletions(-)
|
||||
create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
|
||||
|
||||
diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
|
||||
index fc8f19b48770b..bcbdd24fb8199 100644
|
||||
--- a/crypto/rsa/rsa_sp800_56b_check.c
|
||||
+++ b/crypto/rsa/rsa_sp800_56b_check.c
|
||||
@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
|
||||
return 0;
|
||||
|
||||
nbits = BN_num_bits(rsa->n);
|
||||
+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
#ifdef FIPS_MODULE
|
||||
/*
|
||||
* (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
|
||||
@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
|
||||
goto err;
|
||||
}
|
||||
|
||||
- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
|
||||
+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
|
||||
+ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
|
||||
#ifdef FIPS_MODULE
|
||||
if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
|
||||
#else
|
||||
diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
|
||||
index dc7cc64533af2..f8088df14d36c 100644
|
||||
--- a/test/recipes/91-test_pkey_check.t
|
||||
+++ b/test/recipes/91-test_pkey_check.t
|
||||
@@ -70,7 +70,7 @@ push(@positive_tests, (
|
||||
"dhpkey.pem"
|
||||
)) unless disabled("dh");
|
||||
|
||||
-my @negative_pubtests = ();
|
||||
+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key
|
||||
|
||||
push(@negative_pubtests, (
|
||||
"dsapub_noparam.der"
|
||||
diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
|
||||
new file mode 100644
|
||||
index 0000000000000..9a2eaedaf1b22
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
|
||||
@@ -0,0 +1,48 @@
|
||||
+-----BEGIN PUBLIC KEY-----
|
||||
+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
|
||||
+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
|
||||
+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
|
||||
+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
|
||||
+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
|
||||
+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
|
||||
+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
|
||||
+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
|
||||
+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
|
||||
+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
|
||||
+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
|
||||
+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
|
||||
+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
|
||||
+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
|
||||
+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
|
||||
+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
|
||||
+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
|
||||
+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
|
||||
+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
|
||||
+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
|
||||
+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
|
||||
+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
|
||||
+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
|
||||
+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
|
||||
+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
|
||||
+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
|
||||
+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
|
||||
+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
|
||||
+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
|
||||
+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
|
||||
+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
|
||||
+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
|
||||
+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
|
||||
+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
|
||||
+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
|
||||
+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
|
||||
+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
|
||||
+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
|
||||
+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
|
||||
+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
|
||||
+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
|
||||
+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
|
||||
+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
|
||||
+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
|
||||
+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
|
||||
+AQAB
|
||||
+-----END PUBLIC KEY-----
|
118
openssl-CVE-2024-0727.patch
Normal file
118
openssl-CVE-2024-0727.patch
Normal file
@ -0,0 +1,118 @@
|
||||
From d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Fri, 19 Jan 2024 11:28:58 +0000
|
||||
Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
|
||||
|
||||
PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
|
||||
optional and can be NULL even if the "type" is a valid value. OpenSSL
|
||||
was not properly accounting for this and a NULL dereference can occur
|
||||
causing a crash.
|
||||
|
||||
CVE-2024-0727
|
||||
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/23362)
|
||||
---
|
||||
crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++
|
||||
crypto/pkcs12/p12_mutl.c | 5 +++++
|
||||
crypto/pkcs12/p12_npas.c | 5 +++--
|
||||
crypto/pkcs7/pk7_mime.c | 7 +++++--
|
||||
4 files changed, 31 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
|
||||
index 6fd4184af5a52..80ce31b3bca66 100644
|
||||
--- a/crypto/pkcs12/p12_add.c
|
||||
+++ b/crypto/pkcs12/p12_add.c
|
||||
@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
|
||||
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
|
||||
return NULL;
|
||||
}
|
||||
+
|
||||
+ if (p7->d.data == NULL) {
|
||||
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
|
||||
}
|
||||
|
||||
@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
|
||||
{
|
||||
if (!PKCS7_type_is_encrypted(p7))
|
||||
return NULL;
|
||||
+
|
||||
+ if (p7->d.encrypted == NULL) {
|
||||
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
|
||||
ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
|
||||
pass, passlen,
|
||||
@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
|
||||
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
|
||||
return NULL;
|
||||
}
|
||||
+
|
||||
+ if (p12->authsafes->d.data == NULL) {
|
||||
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
p7s = ASN1_item_unpack(p12->authsafes->d.data,
|
||||
ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
|
||||
if (p7s != NULL) {
|
||||
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
|
||||
index 67a885a45f89e..68ff54d0e90ee 100644
|
||||
--- a/crypto/pkcs12/p12_mutl.c
|
||||
+++ b/crypto/pkcs12/p12_mutl.c
|
||||
@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (p12->authsafes->d.data == NULL) {
|
||||
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
salt = p12->mac->salt->data;
|
||||
saltlen = p12->mac->salt->length;
|
||||
if (p12->mac->iter == NULL)
|
||||
diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
|
||||
index 62230bc6187ff..1e5b5495991a4 100644
|
||||
--- a/crypto/pkcs12/p12_npas.c
|
||||
+++ b/crypto/pkcs12/p12_npas.c
|
||||
@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
|
||||
bags = PKCS12_unpack_p7data(p7);
|
||||
} else if (bagnid == NID_pkcs7_encrypted) {
|
||||
bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
|
||||
- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
|
||||
- &pbe_nid, &pbe_iter, &pbe_saltlen))
|
||||
+ if (p7->d.encrypted == NULL
|
||||
+ || !alg_get(p7->d.encrypted->enc_data->algorithm,
|
||||
+ &pbe_nid, &pbe_iter, &pbe_saltlen))
|
||||
goto err;
|
||||
} else {
|
||||
continue;
|
||||
diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
|
||||
index 49a0da5f819c4..8228315eeaa3a 100644
|
||||
--- a/crypto/pkcs7/pk7_mime.c
|
||||
+++ b/crypto/pkcs7/pk7_mime.c
|
||||
@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
|
||||
int ctype_nid = OBJ_obj2nid(p7->type);
|
||||
const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
|
||||
|
||||
- if (ctype_nid == NID_pkcs7_signed)
|
||||
+ if (ctype_nid == NID_pkcs7_signed) {
|
||||
+ if (p7->d.sign == NULL)
|
||||
+ return 0;
|
||||
mdalgs = p7->d.sign->md_algs;
|
||||
- else
|
||||
+ } else {
|
||||
mdalgs = NULL;
|
||||
+ }
|
||||
|
||||
flags ^= SMIME_OLDMIME;
|
||||
|
64
openssl-DEFAULT_SUSE_cipher.patch
Normal file
64
openssl-DEFAULT_SUSE_cipher.patch
Normal file
@ -0,0 +1,64 @@
|
||||
Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c
|
||||
===================================================================
|
||||
--- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c
|
||||
+++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c
|
||||
@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
*/
|
||||
ok = 1;
|
||||
rule_p = rule_str;
|
||||
- if (strncmp(rule_str, "DEFAULT", 7) == 0) {
|
||||
+ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
|
||||
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
|
||||
+ &head, &tail, ca_list, c);
|
||||
+ rule_p += 12;
|
||||
+ if (*rule_p == ':')
|
||||
+ rule_p++;
|
||||
+ }
|
||||
+ else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
|
||||
ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
|
||||
&head, &tail, ca_list, c);
|
||||
rule_p += 7;
|
||||
Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
|
||||
@@ -0,0 +1,23 @@
|
||||
+#! /usr/bin/env perl
|
||||
+
|
||||
+use strict;
|
||||
+use warnings;
|
||||
+
|
||||
+use OpenSSL::Test qw/:DEFAULT/;
|
||||
+use OpenSSL::Test::Utils;
|
||||
+
|
||||
+setup("test_default_ciphersuites");
|
||||
+
|
||||
+plan tests => 6;
|
||||
+
|
||||
+my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT");
|
||||
+
|
||||
+foreach my $cipherlist (@cipher_suites) {
|
||||
+ ok(run(app(["openssl", "ciphers", "-s", $cipherlist])),
|
||||
+ "openssl ciphers works with ciphersuite $cipherlist");
|
||||
+ ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)),
|
||||
+ "$cipherlist shouldn't contain MD5, DES or RC4\n");
|
||||
+ ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)),
|
||||
+ "$cipherlist should contain TLSv1.3 ciphers\n");
|
||||
+}
|
||||
+
|
||||
Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
|
||||
===================================================================
|
||||
--- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in
|
||||
+++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in
|
||||
@@ -189,6 +189,11 @@ extern "C" {
|
||||
*/
|
||||
# ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
|
||||
+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
|
||||
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
|
||||
+ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
|
||||
+ "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
|
||||
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
|
||||
/*
|
||||
* This is the default set of TLSv1.3 ciphersuites
|
||||
* DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
|
19
openssl-Disable-default-provider-for-test-suite.patch
Normal file
19
openssl-Disable-default-provider-for-test-suite.patch
Normal file
@ -0,0 +1,19 @@
|
||||
Index: openssl-3.1.4/apps/openssl.cnf
|
||||
===================================================================
|
||||
--- openssl-3.1.4.orig/apps/openssl.cnf
|
||||
+++ openssl-3.1.4/apps/openssl.cnf
|
||||
@@ -70,11 +70,11 @@ engines = engine_section
|
||||
# to side-channel attacks and as such have been deprecated.
|
||||
|
||||
[provider_sect]
|
||||
-default = default_sect
|
||||
+##default = default_sect
|
||||
##legacy = legacy_sect
|
||||
|
||||
-[default_sect]
|
||||
-activate = 1
|
||||
+##[default_sect]
|
||||
+##activate = 1
|
||||
|
||||
##[legacy_sect]
|
||||
##activate = 1
|
28
openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
Normal file
28
openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From d2bfec6e464aeb247a2d6853668d4e473f19e15f Mon Sep 17 00:00:00 2001
|
||||
From: "fangming.fang" <fangming.fang@arm.com>
|
||||
Date: Thu, 7 Dec 2023 06:17:51 +0000
|
||||
Subject: [PATCH] Enable BTI feature for md5 on aarch64
|
||||
|
||||
Fixes: #22959
|
||||
---
|
||||
crypto/md5/asm/md5-aarch64.pl | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl
|
||||
index 3200a0fa9bff0..5a8608069691d 100755
|
||||
--- a/crypto/md5/asm/md5-aarch64.pl
|
||||
+++ b/crypto/md5/asm/md5-aarch64.pl
|
||||
@@ -28,10 +28,13 @@
|
||||
*STDOUT=*OUT;
|
||||
|
||||
$code .= <<EOF;
|
||||
+#include "arm_arch.h"
|
||||
+
|
||||
.text
|
||||
.globl ossl_md5_block_asm_data_order
|
||||
.type ossl_md5_block_asm_data_order,\@function
|
||||
ossl_md5_block_asm_data_order:
|
||||
+ AARCH64_VALID_CALL_TARGET
|
||||
// Save all callee-saved registers
|
||||
stp x19,x20,[sp,#-80]!
|
||||
stp x21,x22,[sp,#16]
|
250
openssl-FIPS-embed-hmac.patch
Normal file
250
openssl-FIPS-embed-hmac.patch
Normal file
@ -0,0 +1,250 @@
|
||||
From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Thu, 19 Oct 2023 13:12:40 +0200
|
||||
Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch
|
||||
|
||||
Patch-name: 0033-FIPS-embed-hmac.patch
|
||||
Patch-id: 33
|
||||
Patch-status: |
|
||||
# # Embed HMAC into the fips.so
|
||||
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
|
||||
---
|
||||
providers/fips/self_test.c | 70 ++++++++++++++++++++++++---
|
||||
test/fipsmodule.cnf | 2 +
|
||||
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
|
||||
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
|
||||
test/recipes/03-test_fipsinstall.t | 2 +-
|
||||
test/recipes/30-test_defltfips.t | 2 +-
|
||||
test/recipes/80-test_ssl_new.t | 2 +-
|
||||
test/recipes/90-test_sslapi.t | 2 +-
|
||||
8 files changed, 71 insertions(+), 13 deletions(-)
|
||||
create mode 100644 test/fipsmodule.cnf
|
||||
|
||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
||||
index b8dc9817b2..e3a629018a 100644
|
||||
--- a/providers/fips/self_test.c
|
||||
+++ b/providers/fips/self_test.c
|
||||
@@ -230,11 +230,27 @@ err:
|
||||
return ok;
|
||||
}
|
||||
|
||||
+#define HMAC_LEN 32
|
||||
+/*
|
||||
+ * The __attribute__ ensures we've created the .rodata1 section
|
||||
+ * static ensures it's zero filled
|
||||
+*/
|
||||
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
|
||||
+
|
||||
/*
|
||||
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
|
||||
* the result matches the expected value.
|
||||
* Return 1 if verified, or 0 if it fails.
|
||||
*/
|
||||
+#ifndef __USE_GNU
|
||||
+#define __USE_GNU
|
||||
+#include <dlfcn.h>
|
||||
+#undef __USE_GNU
|
||||
+#else
|
||||
+#include <dlfcn.h>
|
||||
+#endif
|
||||
+#include <link.h>
|
||||
+
|
||||
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
||||
unsigned char *expected, size_t expected_len,
|
||||
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
||||
@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||
EVP_MAC *mac = NULL;
|
||||
EVP_MAC_CTX *ctx = NULL;
|
||||
OSSL_PARAM params[2], *p = params;
|
||||
+ Dl_info info;
|
||||
+ void *extra_info = NULL;
|
||||
+ struct link_map *lm = NULL;
|
||||
+ unsigned long paddr;
|
||||
+ unsigned long off = 0;
|
||||
|
||||
if (!integrity_self_test(ev, libctx))
|
||||
goto err;
|
||||
|
||||
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
||||
|
||||
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
||||
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
||||
+ goto err;
|
||||
+ lm = extra_info;
|
||||
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
||||
+
|
||||
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
||||
if (mac == NULL)
|
||||
goto err;
|
||||
@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
||||
goto err;
|
||||
|
||||
- while (1) {
|
||||
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
|
||||
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ break;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
|
||||
+ int delta = paddr - off;
|
||||
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ goto err;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+
|
||||
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
||||
+ memset(buf, 0, HMAC_LEN);
|
||||
+ if (status != 1)
|
||||
+ goto err;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
+ while (bytes_read > 0) {
|
||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||
if (status != 1)
|
||||
break;
|
||||
if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
goto err;
|
||||
+ off += bytes_read;
|
||||
}
|
||||
+
|
||||
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
||||
goto err;
|
||||
|
||||
@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
+ OPENSSL_cleanse(out, sizeof(out));
|
||||
OSSL_SELF_TEST_onend(ev, ret);
|
||||
EVP_MAC_CTX_free(ctx);
|
||||
EVP_MAC_free(mac);
|
||||
@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
return 0;
|
||||
}
|
||||
|
||||
- if (st == NULL
|
||||
- || st->module_checksum_data == NULL) {
|
||||
+ if (st == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
|
||||
goto end;
|
||||
}
|
||||
@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
if (ev == NULL)
|
||||
goto end;
|
||||
|
||||
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
||||
- &checksum_len);
|
||||
+ module_checksum = fips_hmac_container;
|
||||
+ checksum_len = sizeof(fips_hmac_container);
|
||||
+
|
||||
if (module_checksum == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
||||
goto end;
|
||||
@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
|
||||
end:
|
||||
EVP_RAND_free(testrand);
|
||||
OSSL_SELF_TEST_free(ev);
|
||||
- OPENSSL_free(module_checksum);
|
||||
OPENSSL_free(indicator_checksum);
|
||||
|
||||
if (st != NULL) {
|
||||
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
|
||||
new file mode 100644
|
||||
index 0000000000..f05d0dedbe
|
||||
--- /dev/null
|
||||
+++ b/test/fipsmodule.cnf
|
||||
@@ -0,0 +1,2 @@
|
||||
+[fips_sect]
|
||||
+activate = 1
|
||||
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
|
||||
index 4e3a6d85e8..e8255ba974 100644
|
||||
--- a/test/recipes/00-prep_fipsmodule_cnf.t
|
||||
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
|
||||
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
-my $no_check = disabled("fips");
|
||||
+my $no_check = 1;
|
||||
plan skip_all => "FIPS module config file only supported in a fips build"
|
||||
if $no_check;
|
||||
|
||||
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
|
||||
index ce594817d5..00cebacff8 100644
|
||||
--- a/test/recipes/01-test_fipsmodule_cnf.t
|
||||
+++ b/test/recipes/01-test_fipsmodule_cnf.t
|
||||
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
-my $no_check = disabled("fips");
|
||||
+my $no_check = 1;
|
||||
plan skip_all => "Test only supported in a fips build"
|
||||
if $no_check;
|
||||
plan tests => 1;
|
||||
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
|
||||
index b8b136d110..8242f4ebc3 100644
|
||||
--- a/test/recipes/03-test_fipsinstall.t
|
||||
+++ b/test/recipes/03-test_fipsinstall.t
|
||||
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
|
||||
+plan skip_all => "Test only supported in a fips build" if 1;
|
||||
|
||||
# Compatible options for pedantic FIPS compliance
|
||||
my @pedantic_okay =
|
||||
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
|
||||
index c8f145405b..56a2ec5dc4 100644
|
||||
--- a/test/recipes/30-test_defltfips.t
|
||||
+++ b/test/recipes/30-test_defltfips.t
|
||||
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
||||
plan skip_all => "Configuration loading is turned off"
|
||||
if disabled("autoload-config");
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
|
||||
plan tests =>
|
||||
($no_fips ? 1 : 5);
|
||||
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
|
||||
index 0c6d6402d9..e45f9cb560 100644
|
||||
--- a/test/recipes/80-test_ssl_new.t
|
||||
+++ b/test/recipes/80-test_ssl_new.t
|
||||
@@ -27,7 +27,7 @@ setup("test_ssl_new");
|
||||
use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
|
||||
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
|
||||
|
||||
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
|
||||
index 9e9e32b51e..1a1a7159b5 100644
|
||||
--- a/test/recipes/90-test_sslapi.t
|
||||
+++ b/test/recipes/90-test_sslapi.t
|
||||
@@ -17,7 +17,7 @@ setup("test_sslapi");
|
||||
use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
my $fipsmodcfg_filename = "fipsmodule.cnf";
|
||||
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
68
openssl-Force-FIPS.patch
Normal file
68
openssl-Force-FIPS.patch
Normal file
@ -0,0 +1,68 @@
|
||||
From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
Date: Mon, 21 Aug 2023 11:59:02 +0200
|
||||
Subject: [PATCH 16/48] 0032-Force-fips.patch
|
||||
|
||||
Patch-name: 0032-Force-fips.patch
|
||||
Patch-id: 32
|
||||
Patch-status: |
|
||||
# We load FIPS provider and set FIPS properties implicitly
|
||||
---
|
||||
crypto/provider_conf.c | 28 +++++++++++++++++++++++++++-
|
||||
1 file changed, 27 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
|
||||
index 058fb58837..5274265a70 100644
|
||||
--- a/crypto/provider_conf.c
|
||||
+++ b/crypto/provider_conf.c
|
||||
@@ -10,6 +10,8 @@
|
||||
#include <string.h>
|
||||
#include <openssl/trace.h>
|
||||
#include <openssl/err.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#include <unistd.h>
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/safestack.h>
|
||||
#include <openssl/provider.h>
|
||||
@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
|
||||
if (path != NULL)
|
||||
ossl_provider_set_module_path(prov, path);
|
||||
|
||||
- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
|
||||
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
|
||||
|
||||
if (ok) {
|
||||
if (!ossl_provider_activate(prov, 1, 0)) {
|
||||
@@ -309,6 +311,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
|
||||
+ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
|
||||
+# define FIPS_LOCAL_CONF OPENSSLDIR "/fips_local.cnf"
|
||||
+
|
||||
+ if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
|
||||
+ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
|
||||
+ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
|
||||
+ NCONF_free(fips_conf);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ NCONF_free(fips_conf);
|
||||
+ } else {
|
||||
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
|
||||
+ return 0;
|
||||
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
--
|
||||
2.41.0
|
@ -0,0 +1,495 @@
|
||||
From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001
|
||||
From: Danny Tsen <dtsen@linux.ibm.com>
|
||||
Date: Tue, 22 Aug 2023 15:58:53 -0400
|
||||
Subject: [PATCH] Improve performance for 6x unrolling with vpermxor
|
||||
instruction
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/21812)
|
||||
---
|
||||
crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++-------------
|
||||
1 file changed, 95 insertions(+), 50 deletions(-)
|
||||
|
||||
diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl
|
||||
index 60cf86f52aed2..38b9405a283b7 100755
|
||||
--- a/crypto/aes/asm/aesp8-ppc.pl
|
||||
+++ b/crypto/aes/asm/aesp8-ppc.pl
|
||||
@@ -99,11 +99,12 @@
|
||||
.long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
|
||||
.long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
|
||||
.long 0,0,0,0 ?asis
|
||||
+.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe
|
||||
Lconsts:
|
||||
mflr r0
|
||||
bcl 20,31,\$+4
|
||||
mflr $ptr #vvvvv "distance between . and rcon
|
||||
- addi $ptr,$ptr,-0x48
|
||||
+ addi $ptr,$ptr,-0x58
|
||||
mtlr r0
|
||||
blr
|
||||
.long 0
|
||||
@@ -2405,7 +2406,7 @@ ()
|
||||
my $key_=$key2;
|
||||
my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
|
||||
$x00=0 if ($flavour =~ /osx/);
|
||||
-my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5));
|
||||
+my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5));
|
||||
my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
|
||||
my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
|
||||
my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
|
||||
@@ -2460,6 +2461,18 @@ ()
|
||||
li $x70,0x70
|
||||
mtspr 256,r0
|
||||
|
||||
+ # Reverse eighty7 to 0x010101..87
|
||||
+ xxlor 2, 32+$eighty7, 32+$eighty7
|
||||
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
|
||||
+ xxlor 1, 32+$eighty7, 32+$eighty7
|
||||
+
|
||||
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
|
||||
+ mr $x70, r6
|
||||
+ bl Lconsts
|
||||
+ lxvw4x 0, $x40, r6 # load XOR contents
|
||||
+ mr r6, $x70
|
||||
+ li $x70,0x70
|
||||
+
|
||||
subi $rounds,$rounds,3 # -4 in total
|
||||
|
||||
lvx $rndkey0,$x00,$key1 # load key schedule
|
||||
@@ -2502,69 +2515,77 @@ ()
|
||||
?vperm v31,v31,$twk5,$keyperm
|
||||
lvx v25,$x10,$key_ # pre-load round[2]
|
||||
|
||||
+ # Switch to use the following codes with 0x010101..87 to generate tweak.
|
||||
+ # eighty7 = 0x010101..87
|
||||
+ # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits
|
||||
+ # vand tmp, tmp, eighty7 # last byte with carry
|
||||
+ # vaddubm tweak, tweak, tweak # left shift 1 bit (x2)
|
||||
+ # xxlor vsx, 0, 0
|
||||
+ # vpermxor tweak, tweak, tmp, vsx
|
||||
+
|
||||
vperm $in0,$inout,$inptail,$inpperm
|
||||
subi $inp,$inp,31 # undo "caller"
|
||||
vxor $twk0,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out0,$in0,$twk0
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in1, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in1
|
||||
|
||||
lvx_u $in1,$x10,$inp
|
||||
vxor $twk1,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
le?vperm $in1,$in1,$in1,$leperm
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out1,$in1,$twk1
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in2, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in2
|
||||
|
||||
lvx_u $in2,$x20,$inp
|
||||
andi. $taillen,$len,15
|
||||
vxor $twk2,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
le?vperm $in2,$in2,$in2,$leperm
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out2,$in2,$twk2
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in3, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in3
|
||||
|
||||
lvx_u $in3,$x30,$inp
|
||||
sub $len,$len,$taillen
|
||||
vxor $twk3,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
le?vperm $in3,$in3,$in3,$leperm
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out3,$in3,$twk3
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in4, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in4
|
||||
|
||||
lvx_u $in4,$x40,$inp
|
||||
subi $len,$len,0x60
|
||||
vxor $twk4,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
le?vperm $in4,$in4,$in4,$leperm
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out4,$in4,$twk4
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in5, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in5
|
||||
|
||||
lvx_u $in5,$x50,$inp
|
||||
addi $inp,$inp,0x60
|
||||
vxor $twk5,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
le?vperm $in5,$in5,$in5,$leperm
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out5,$in5,$twk5
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in0, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in0
|
||||
|
||||
vxor v31,v31,$rndkey0
|
||||
mtctr $rounds
|
||||
@@ -2590,6 +2611,8 @@ ()
|
||||
lvx v25,$x10,$key_ # round[4]
|
||||
bdnz Loop_xts_enc6x
|
||||
|
||||
+ xxlor 32+$eighty7, 1, 1 # 0x010101..87
|
||||
+
|
||||
subic $len,$len,96 # $len-=96
|
||||
vxor $in0,$twk0,v31 # xor with last round key
|
||||
vcipher $out0,$out0,v24
|
||||
@@ -2599,7 +2622,6 @@ ()
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
vcipher $out2,$out2,v24
|
||||
vcipher $out3,$out3,v24
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vcipher $out4,$out4,v24
|
||||
vcipher $out5,$out5,v24
|
||||
|
||||
@@ -2607,7 +2629,8 @@ ()
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vcipher $out0,$out0,v25
|
||||
vcipher $out1,$out1,v25
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in1, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in1
|
||||
vcipher $out2,$out2,v25
|
||||
vcipher $out3,$out3,v25
|
||||
vxor $in1,$twk1,v31
|
||||
@@ -2618,13 +2641,13 @@ ()
|
||||
|
||||
and r0,r0,$len
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vcipher $out0,$out0,v26
|
||||
vcipher $out1,$out1,v26
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vcipher $out2,$out2,v26
|
||||
vcipher $out3,$out3,v26
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in2, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in2
|
||||
vcipher $out4,$out4,v26
|
||||
vcipher $out5,$out5,v26
|
||||
|
||||
@@ -2638,7 +2661,6 @@ ()
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
vcipher $out0,$out0,v27
|
||||
vcipher $out1,$out1,v27
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vcipher $out2,$out2,v27
|
||||
vcipher $out3,$out3,v27
|
||||
vand $tmp,$tmp,$eighty7
|
||||
@@ -2646,7 +2668,8 @@ ()
|
||||
vcipher $out5,$out5,v27
|
||||
|
||||
addi $key_,$sp,$FRAME+15 # rewind $key_
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in3, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in3
|
||||
vcipher $out0,$out0,v28
|
||||
vcipher $out1,$out1,v28
|
||||
vxor $in3,$twk3,v31
|
||||
@@ -2655,7 +2678,6 @@ ()
|
||||
vcipher $out2,$out2,v28
|
||||
vcipher $out3,$out3,v28
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vcipher $out4,$out4,v28
|
||||
vcipher $out5,$out5,v28
|
||||
lvx v24,$x00,$key_ # re-pre-load round[1]
|
||||
@@ -2663,7 +2685,8 @@ ()
|
||||
|
||||
vcipher $out0,$out0,v29
|
||||
vcipher $out1,$out1,v29
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in4, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in4
|
||||
vcipher $out2,$out2,v29
|
||||
vcipher $out3,$out3,v29
|
||||
vxor $in4,$twk4,v31
|
||||
@@ -2673,14 +2696,14 @@ ()
|
||||
vcipher $out5,$out5,v29
|
||||
lvx v25,$x10,$key_ # re-pre-load round[2]
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
|
||||
vcipher $out0,$out0,v30
|
||||
vcipher $out1,$out1,v30
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vcipher $out2,$out2,v30
|
||||
vcipher $out3,$out3,v30
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in5, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in5
|
||||
vcipher $out4,$out4,v30
|
||||
vcipher $out5,$out5,v30
|
||||
vxor $in5,$twk5,v31
|
||||
@@ -2690,7 +2713,6 @@ ()
|
||||
vcipherlast $out0,$out0,$in0
|
||||
lvx_u $in0,$x00,$inp # load next input block
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vcipherlast $out1,$out1,$in1
|
||||
lvx_u $in1,$x10,$inp
|
||||
vcipherlast $out2,$out2,$in2
|
||||
@@ -2703,7 +2725,10 @@ ()
|
||||
vcipherlast $out4,$out4,$in4
|
||||
le?vperm $in2,$in2,$in2,$leperm
|
||||
lvx_u $in4,$x40,$inp
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 10, 32+$in0, 32+$in0
|
||||
+ xxlor 32+$in0, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in0
|
||||
+ xxlor 32+$in0, 10, 10
|
||||
vcipherlast $tmp,$out5,$in5 # last block might be needed
|
||||
# in stealing mode
|
||||
le?vperm $in3,$in3,$in3,$leperm
|
||||
@@ -2736,6 +2761,8 @@ ()
|
||||
mtctr $rounds
|
||||
beq Loop_xts_enc6x # did $len-=96 borrow?
|
||||
|
||||
+ xxlor 32+$eighty7, 2, 2 # 0x870101..01
|
||||
+
|
||||
addic. $len,$len,0x60
|
||||
beq Lxts_enc6x_zero
|
||||
cmpwi $len,0x20
|
||||
@@ -3112,6 +3139,18 @@ ()
|
||||
li $x70,0x70
|
||||
mtspr 256,r0
|
||||
|
||||
+ # Reverse eighty7 to 0x010101..87
|
||||
+ xxlor 2, 32+$eighty7, 32+$eighty7
|
||||
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
|
||||
+ xxlor 1, 32+$eighty7, 32+$eighty7
|
||||
+
|
||||
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
|
||||
+ mr $x70, r6
|
||||
+ bl Lconsts
|
||||
+ lxvw4x 0, $x40, r6 # load XOR contents
|
||||
+ mr r6, $x70
|
||||
+ li $x70,0x70
|
||||
+
|
||||
subi $rounds,$rounds,3 # -4 in total
|
||||
|
||||
lvx $rndkey0,$x00,$key1 # load key schedule
|
||||
@@ -3159,64 +3198,64 @@ ()
|
||||
vxor $twk0,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out0,$in0,$twk0
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in1, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in1
|
||||
|
||||
lvx_u $in1,$x10,$inp
|
||||
vxor $twk1,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
le?vperm $in1,$in1,$in1,$leperm
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out1,$in1,$twk1
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in2, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in2
|
||||
|
||||
lvx_u $in2,$x20,$inp
|
||||
andi. $taillen,$len,15
|
||||
vxor $twk2,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
le?vperm $in2,$in2,$in2,$leperm
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out2,$in2,$twk2
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in3, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in3
|
||||
|
||||
lvx_u $in3,$x30,$inp
|
||||
sub $len,$len,$taillen
|
||||
vxor $twk3,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
le?vperm $in3,$in3,$in3,$leperm
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out3,$in3,$twk3
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in4, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in4
|
||||
|
||||
lvx_u $in4,$x40,$inp
|
||||
subi $len,$len,0x60
|
||||
vxor $twk4,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
le?vperm $in4,$in4,$in4,$leperm
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out4,$in4,$twk4
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in5, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in5
|
||||
|
||||
lvx_u $in5,$x50,$inp
|
||||
addi $inp,$inp,0x60
|
||||
vxor $twk5,$tweak,$rndkey0
|
||||
vsrab $tmp,$tweak,$seven # next tweak value
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
le?vperm $in5,$in5,$in5,$leperm
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vxor $out5,$in5,$twk5
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in0, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in0
|
||||
|
||||
vxor v31,v31,$rndkey0
|
||||
mtctr $rounds
|
||||
@@ -3242,6 +3281,8 @@ ()
|
||||
lvx v25,$x10,$key_ # round[4]
|
||||
bdnz Loop_xts_dec6x
|
||||
|
||||
+ xxlor 32+$eighty7, 1, 1
|
||||
+
|
||||
subic $len,$len,96 # $len-=96
|
||||
vxor $in0,$twk0,v31 # xor with last round key
|
||||
vncipher $out0,$out0,v24
|
||||
@@ -3251,7 +3292,6 @@ ()
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
vncipher $out2,$out2,v24
|
||||
vncipher $out3,$out3,v24
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vncipher $out4,$out4,v24
|
||||
vncipher $out5,$out5,v24
|
||||
|
||||
@@ -3259,7 +3299,8 @@ ()
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vncipher $out0,$out0,v25
|
||||
vncipher $out1,$out1,v25
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in1, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in1
|
||||
vncipher $out2,$out2,v25
|
||||
vncipher $out3,$out3,v25
|
||||
vxor $in1,$twk1,v31
|
||||
@@ -3270,13 +3311,13 @@ ()
|
||||
|
||||
and r0,r0,$len
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vncipher $out0,$out0,v26
|
||||
vncipher $out1,$out1,v26
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vncipher $out2,$out2,v26
|
||||
vncipher $out3,$out3,v26
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in2, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in2
|
||||
vncipher $out4,$out4,v26
|
||||
vncipher $out5,$out5,v26
|
||||
|
||||
@@ -3290,7 +3331,6 @@ ()
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
vncipher $out0,$out0,v27
|
||||
vncipher $out1,$out1,v27
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vncipher $out2,$out2,v27
|
||||
vncipher $out3,$out3,v27
|
||||
vand $tmp,$tmp,$eighty7
|
||||
@@ -3298,7 +3338,8 @@ ()
|
||||
vncipher $out5,$out5,v27
|
||||
|
||||
addi $key_,$sp,$FRAME+15 # rewind $key_
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in3, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in3
|
||||
vncipher $out0,$out0,v28
|
||||
vncipher $out1,$out1,v28
|
||||
vxor $in3,$twk3,v31
|
||||
@@ -3307,7 +3348,6 @@ ()
|
||||
vncipher $out2,$out2,v28
|
||||
vncipher $out3,$out3,v28
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vncipher $out4,$out4,v28
|
||||
vncipher $out5,$out5,v28
|
||||
lvx v24,$x00,$key_ # re-pre-load round[1]
|
||||
@@ -3315,7 +3355,8 @@ ()
|
||||
|
||||
vncipher $out0,$out0,v29
|
||||
vncipher $out1,$out1,v29
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in4, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in4
|
||||
vncipher $out2,$out2,v29
|
||||
vncipher $out3,$out3,v29
|
||||
vxor $in4,$twk4,v31
|
||||
@@ -3325,14 +3366,14 @@ ()
|
||||
vncipher $out5,$out5,v29
|
||||
lvx v25,$x10,$key_ # re-pre-load round[2]
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
|
||||
vncipher $out0,$out0,v30
|
||||
vncipher $out1,$out1,v30
|
||||
vand $tmp,$tmp,$eighty7
|
||||
vncipher $out2,$out2,v30
|
||||
vncipher $out3,$out3,v30
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 32+$in5, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in5
|
||||
vncipher $out4,$out4,v30
|
||||
vncipher $out5,$out5,v30
|
||||
vxor $in5,$twk5,v31
|
||||
@@ -3342,7 +3383,6 @@ ()
|
||||
vncipherlast $out0,$out0,$in0
|
||||
lvx_u $in0,$x00,$inp # load next input block
|
||||
vaddubm $tweak,$tweak,$tweak
|
||||
- vsldoi $tmp,$tmp,$tmp,15
|
||||
vncipherlast $out1,$out1,$in1
|
||||
lvx_u $in1,$x10,$inp
|
||||
vncipherlast $out2,$out2,$in2
|
||||
@@ -3355,7 +3395,10 @@ ()
|
||||
vncipherlast $out4,$out4,$in4
|
||||
le?vperm $in2,$in2,$in2,$leperm
|
||||
lvx_u $in4,$x40,$inp
|
||||
- vxor $tweak,$tweak,$tmp
|
||||
+ xxlor 10, 32+$in0, 32+$in0
|
||||
+ xxlor 32+$in0, 0, 0
|
||||
+ vpermxor $tweak, $tweak, $tmp, $in0
|
||||
+ xxlor 32+$in0, 10, 10
|
||||
vncipherlast $out5,$out5,$in5
|
||||
le?vperm $in3,$in3,$in3,$leperm
|
||||
lvx_u $in5,$x50,$inp
|
||||
@@ -3386,6 +3429,8 @@ ()
|
||||
mtctr $rounds
|
||||
beq Loop_xts_dec6x # did $len-=96 borrow?
|
||||
|
||||
+ xxlor 32+$eighty7, 2, 2
|
||||
+
|
||||
addic. $len,$len,0x60
|
||||
beq Lxts_dec6x_zero
|
||||
cmpwi $len,0x20
|
35
openssl-crypto-policies-support.patch
Normal file
35
openssl-crypto-policies-support.patch
Normal file
@ -0,0 +1,35 @@
|
||||
Add default section to load crypto-policies configuration for TLS.
|
||||
|
||||
It needs to be reverted before running tests.
|
||||
|
||||
---
|
||||
apps/openssl.cnf | 20 ++++++++++++++++++--
|
||||
2 files changed, 19 insertions(+), 3 deletions(-)
|
||||
|
||||
Index: openssl-3.2.0/apps/openssl.cnf
|
||||
===================================================================
|
||||
--- openssl-3.2.0.orig/apps/openssl.cnf
|
||||
+++ openssl-3.2.0/apps/openssl.cnf
|
||||
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
|
||||
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
+# Load default TLS policy configuration
|
||||
+ssl_conf = ssl_module
|
||||
|
||||
# List of providers to load
|
||||
[provider_sect]
|
||||
@@ -71,6 +73,13 @@ default = default_sect
|
||||
[default_sect]
|
||||
# activate = 1
|
||||
|
||||
+[ ssl_module ]
|
||||
+
|
||||
+system_default = crypto_policy
|
||||
+
|
||||
+[ crypto_policy ]
|
||||
+
|
||||
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
470
openssl-disable-fipsinstall.patch
Normal file
470
openssl-disable-fipsinstall.patch
Normal file
@ -0,0 +1,470 @@
|
||||
From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
||||
Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch
|
||||
|
||||
Patch-name: 0034.fipsinstall_disable.patch
|
||||
Patch-id: 34
|
||||
Patch-status: |
|
||||
# Comment out fipsinstall command-line utility
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
apps/fipsinstall.c | 3 +
|
||||
doc/man1/openssl-fipsinstall.pod.in | 272 +---------------------------
|
||||
doc/man1/openssl.pod | 4 -
|
||||
doc/man5/config.pod | 1 -
|
||||
doc/man5/fips_config.pod | 104 +----------
|
||||
doc/man7/OSSL_PROVIDER-FIPS.pod | 1 -
|
||||
6 files changed, 10 insertions(+), 375 deletions(-)
|
||||
|
||||
Index: openssl-3.1.4/apps/fipsinstall.c
|
||||
===================================================================
|
||||
--- openssl-3.1.4.orig/apps/fipsinstall.c
|
||||
+++ openssl-3.1.4/apps/fipsinstall.c
|
||||
@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **ar
|
||||
EVP_MAC *mac = NULL;
|
||||
CONF *conf = NULL;
|
||||
|
||||
+ BIO_printf(bio_err, "This command is not enabled in SUSE/openSUSE OpenSSL build, please see 'man 8 fips-mode-setup' to learn how to enable FIPS mode\n");
|
||||
+ return 1;
|
||||
+
|
||||
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
|
||||
goto end;
|
||||
|
||||
Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in
|
||||
===================================================================
|
||||
--- openssl-3.1.4.orig/doc/man1/openssl-fipsinstall.pod.in
|
||||
+++ openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in
|
||||
@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS confi
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<openssl fipsinstall>
|
||||
-[B<-help>]
|
||||
-[B<-in> I<configfilename>]
|
||||
-[B<-out> I<configfilename>]
|
||||
-[B<-module> I<modulefilename>]
|
||||
-[B<-provider_name> I<providername>]
|
||||
-[B<-section_name> I<sectionname>]
|
||||
-[B<-verify>]
|
||||
-[B<-mac_name> I<macname>]
|
||||
-[B<-macopt> I<nm>:I<v>]
|
||||
-[B<-noout>]
|
||||
-[B<-quiet>]
|
||||
-[B<-pedantic>]
|
||||
-[B<-no_conditional_errors>]
|
||||
-[B<-no_security_checks>]
|
||||
-[B<-ems_check>]
|
||||
-[B<-no_drbg_truncated_digests>]
|
||||
-[B<-self_test_onload>]
|
||||
-[B<-self_test_oninstall>]
|
||||
-[B<-corrupt_desc> I<selftest_description>]
|
||||
-[B<-corrupt_type> I<selftest_type>]
|
||||
-[B<-config> I<parent_config>]
|
||||
-
|
||||
-=head1 DESCRIPTION
|
||||
-
|
||||
-This command is used to generate a FIPS module configuration file.
|
||||
-This configuration file can be used each time a FIPS module is loaded
|
||||
-in order to pass data to the FIPS module self tests. The FIPS module always
|
||||
-verifies its MAC, but optionally only needs to run the KAT's once,
|
||||
-at installation.
|
||||
-
|
||||
-The generated configuration file consists of:
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item - A MAC of the FIPS module file.
|
||||
-
|
||||
-=item - A test status indicator.
|
||||
-
|
||||
-This indicates if the Known Answer Self Tests (KAT's) have successfully run.
|
||||
-
|
||||
-=item - A MAC of the status indicator.
|
||||
-
|
||||
-=item - A control for conditional self tests errors.
|
||||
-
|
||||
-By default if a continuous test (e.g a key pair test) fails then the FIPS module
|
||||
-will enter an error state, and no services or cryptographic algorithms will be
|
||||
-able to be accessed after this point.
|
||||
-The default value of '1' will cause the fips module error state to be entered.
|
||||
-If the value is '0' then the module error state will not be entered.
|
||||
-Regardless of whether the error state is entered or not, the current operation
|
||||
-(e.g. key generation) will return an error. The user is responsible for retrying
|
||||
-the operation if the module error state is not entered.
|
||||
-
|
||||
-=item - A control to indicate whether run-time security checks are done.
|
||||
-
|
||||
-This indicates if run-time checks related to enforcement of security parameters
|
||||
-such as minimum security strength of keys and approved curve names are used.
|
||||
-The default value of '1' will perform the checks.
|
||||
-If the value is '0' the checks are not performed and FIPS compliance must
|
||||
-be done by procedures documented in the relevant Security Policy.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-This file is described in L<fips_config(5)>.
|
||||
-
|
||||
-=head1 OPTIONS
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item B<-help>
|
||||
-
|
||||
-Print a usage message.
|
||||
-
|
||||
-=item B<-module> I<filename>
|
||||
-
|
||||
-Filename of the FIPS module to perform an integrity check on.
|
||||
-The path provided in the filename is used to load the module when it is
|
||||
-activated, and this overrides the environment variable B<OPENSSL_MODULES>.
|
||||
-
|
||||
-=item B<-out> I<configfilename>
|
||||
-
|
||||
-Filename to output the configuration data to; the default is standard output.
|
||||
-
|
||||
-=item B<-in> I<configfilename>
|
||||
-
|
||||
-Input filename to load configuration data from.
|
||||
-Must be used if the B<-verify> option is specified.
|
||||
-
|
||||
-=item B<-verify>
|
||||
-
|
||||
-Verify that the input configuration file contains the correct information.
|
||||
-
|
||||
-=item B<-provider_name> I<providername>
|
||||
-
|
||||
-Name of the provider inside the configuration file.
|
||||
-The default value is C<fips>.
|
||||
-
|
||||
-=item B<-section_name> I<sectionname>
|
||||
-
|
||||
-Name of the section inside the configuration file.
|
||||
-The default value is C<fips_sect>.
|
||||
-
|
||||
-=item B<-mac_name> I<name>
|
||||
-
|
||||
-Specifies the name of a supported MAC algorithm which will be used.
|
||||
-The MAC mechanisms that are available will depend on the options
|
||||
-used when building OpenSSL.
|
||||
-To see the list of supported MAC's use the command
|
||||
-C<openssl list -mac-algorithms>. The default is B<HMAC>.
|
||||
-
|
||||
-=item B<-macopt> I<nm>:I<v>
|
||||
-
|
||||
-Passes options to the MAC algorithm.
|
||||
-A comprehensive list of controls can be found in the EVP_MAC implementation
|
||||
-documentation.
|
||||
-Common control strings used for this command are:
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item B<key>:I<string>
|
||||
-
|
||||
-Specifies the MAC key as an alphanumeric string (use if the key contains
|
||||
-printable characters only).
|
||||
-The string length must conform to any restrictions of the MAC algorithm.
|
||||
-A key must be specified for every MAC algorithm.
|
||||
-If no key is provided, the default that was specified when OpenSSL was
|
||||
-configured is used.
|
||||
-
|
||||
-=item B<hexkey>:I<string>
|
||||
-
|
||||
-Specifies the MAC key in hexadecimal form (two hex digits per byte).
|
||||
-The key length must conform to any restrictions of the MAC algorithm.
|
||||
-A key must be specified for every MAC algorithm.
|
||||
-If no key is provided, the default that was specified when OpenSSL was
|
||||
-configured is used.
|
||||
-
|
||||
-=item B<digest>:I<string>
|
||||
-
|
||||
-Used by HMAC as an alphanumeric string (use if the key contains printable
|
||||
-characters only).
|
||||
-The string length must conform to any restrictions of the MAC algorithm.
|
||||
-To see the list of supported digests, use the command
|
||||
-C<openssl list -digest-commands>.
|
||||
-The default digest is SHA-256.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-=item B<-noout>
|
||||
-
|
||||
-Disable logging of the self tests.
|
||||
-
|
||||
-=item B<-pedantic>
|
||||
-
|
||||
-Configure the module so that it is strictly FIPS compliant rather
|
||||
-than being backwards compatible. This enables conditional errors,
|
||||
-security checks etc. Note that any previous configuration options will
|
||||
-be overwritten and any subsequent configuration options that violate
|
||||
-FIPS compliance will result in an error.
|
||||
-
|
||||
-=item B<-no_conditional_errors>
|
||||
-
|
||||
-Configure the module to not enter an error state if a conditional self test
|
||||
-fails as described above.
|
||||
-
|
||||
-=item B<-no_security_checks>
|
||||
-
|
||||
-Configure the module to not perform run-time security checks as described above.
|
||||
-
|
||||
-Enabling the configuration option "no-fips-securitychecks" provides another way to
|
||||
-turn off the check at compile time.
|
||||
-
|
||||
-=item B<-ems_check>
|
||||
-
|
||||
-Configure the module to enable a run-time Extended Master Secret (EMS) check
|
||||
-when using the TLS1_PRF KDF algorithm. This check is disabled by default.
|
||||
-See RFC 7627 for information related to EMS.
|
||||
-
|
||||
-=item B<-no_drbg_truncated_digests>
|
||||
-
|
||||
-Configure the module to not allow truncated digests to be used with Hash and
|
||||
-HMAC DRBGs. See FIPS 140-3 IG D.R for details.
|
||||
-
|
||||
-=item B<-self_test_onload>
|
||||
-
|
||||
-Do not write the two fields related to the "test status indicator" and
|
||||
-"MAC status indicator" to the output configuration file. Without these fields
|
||||
-the self tests KATS will run each time the module is loaded. This option could be
|
||||
-used for cross compiling, since the self tests need to run at least once on each
|
||||
-target machine. Once the self tests have run on the target machine the user
|
||||
-could possibly then add the 2 fields into the configuration using some other
|
||||
-mechanism.
|
||||
-
|
||||
-This is the default.
|
||||
-
|
||||
-=item B<-self_test_oninstall>
|
||||
-
|
||||
-The converse of B<-self_test_oninstall>. The two fields related to the
|
||||
-"test status indicator" and "MAC status indicator" are written to the
|
||||
-output configuration file.
|
||||
-
|
||||
-=item B<-quiet>
|
||||
-
|
||||
-Do not output pass/fail messages. Implies B<-noout>.
|
||||
-
|
||||
-=item B<-corrupt_desc> I<selftest_description>,
|
||||
-B<-corrupt_type> I<selftest_type>
|
||||
-
|
||||
-The corrupt options can be used to test failure of one or more self tests by
|
||||
-name.
|
||||
-Either option or both may be used to select the tests to corrupt.
|
||||
-Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
|
||||
-values that can be used.
|
||||
-
|
||||
-=item B<-config> I<parent_config>
|
||||
-
|
||||
-Test that a FIPS provider can be loaded from the specified configuration file.
|
||||
-A previous call to this application needs to generate the extra configuration
|
||||
-data that is included by the base C<parent_config> configuration file.
|
||||
-See L<config(5)> for further information on how to set up a provider section.
|
||||
-All other options are ignored if '-config' is used.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-=head1 NOTES
|
||||
-
|
||||
-Self tests results are logged by default if the options B<-quiet> and B<-noout>
|
||||
-are not specified, or if either of the options B<-corrupt_desc> or
|
||||
-B<-corrupt_type> are used.
|
||||
-If the base configuration file is set up to autoload the fips module, then the
|
||||
-fips module will be loaded and self tested BEFORE the fipsinstall application
|
||||
-has a chance to set up its own self test callback. As a result of this the self
|
||||
-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
|
||||
-For normal usage the base configuration file should use the default provider
|
||||
-when generating the fips configuration file.
|
||||
-
|
||||
-The B<-self_test_oninstall> option was added and the
|
||||
-B<-self_test_onload> option was made the default in OpenSSL 3.1.
|
||||
-
|
||||
-The command and all remaining options were added in OpenSSL 3.0.
|
||||
-
|
||||
-=head1 EXAMPLES
|
||||
-
|
||||
-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
|
||||
-for the module, and save the F<fips.cnf> configuration file:
|
||||
-
|
||||
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
|
||||
-
|
||||
-Verify that the configuration file F<fips.cnf> contains the correct info:
|
||||
-
|
||||
- openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify
|
||||
-
|
||||
-Corrupt any self tests which have the description C<SHA1>:
|
||||
-
|
||||
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
|
||||
- -corrupt_desc 'SHA1'
|
||||
-
|
||||
-Validate that the fips module can be loaded from a base configuration file:
|
||||
-
|
||||
- export OPENSSL_CONF_INCLUDE=<path of configuration files>
|
||||
- export OPENSSL_MODULES=<provider-path>
|
||||
- openssl fipsinstall -config' 'default.cnf'
|
||||
-
|
||||
-
|
||||
-=head1 SEE ALSO
|
||||
-
|
||||
-L<config(5)>,
|
||||
-L<fips_config(5)>,
|
||||
-L<OSSL_PROVIDER-FIPS(7)>,
|
||||
-L<EVP_MAC(3)>
|
||||
+This command is disabled.
|
||||
+Please consult the SUSE/openSUSE documentation to learn how to correctly
|
||||
+enable FIPS mode.
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Index: openssl-3.1.4/doc/man1/openssl.pod
|
||||
===================================================================
|
||||
--- openssl-3.1.4.orig/doc/man1/openssl.pod
|
||||
+++ openssl-3.1.4/doc/man1/openssl.pod
|
||||
@@ -135,10 +135,6 @@ Engine (loadable module) information and
|
||||
|
||||
Error Number to Error String Conversion.
|
||||
|
||||
-=item B<fipsinstall>
|
||||
-
|
||||
-FIPS configuration installation.
|
||||
-
|
||||
=item B<gendsa>
|
||||
|
||||
Generation of DSA Private Key from Parameters. Superseded by
|
||||
Index: openssl-3.1.4/doc/man5/config.pod
|
||||
===================================================================
|
||||
--- openssl-3.1.4.orig/doc/man5/config.pod
|
||||
+++ openssl-3.1.4/doc/man5/config.pod
|
||||
@@ -565,7 +565,6 @@ configuration files using that syntax wi
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
|
||||
-L<openssl-fipsinstall(1)>,
|
||||
L<ASN1_generate_nconf(3)>,
|
||||
L<EVP_set_default_properties(3)>,
|
||||
L<CONF_modules_load(3)>,
|
||||
Index: openssl-3.1.4/doc/man5/fips_config.pod
|
||||
===================================================================
|
||||
--- openssl-3.1.4.orig/doc/man5/fips_config.pod
|
||||
+++ openssl-3.1.4/doc/man5/fips_config.pod
|
||||
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
-A separate configuration file, using the OpenSSL L<config(5)> syntax,
|
||||
-is used to hold information about the FIPS module. This includes a digest
|
||||
-of the shared library file, and status about the self-testing.
|
||||
-This data is used automatically by the module itself for two
|
||||
-purposes:
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item - Run the startup FIPS self-test known answer tests (KATS).
|
||||
-
|
||||
-This is normally done once, at installation time, but may also be set up to
|
||||
-run each time the module is used.
|
||||
-
|
||||
-=item - Verify the module's checksum.
|
||||
-
|
||||
-This is done each time the module is used.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-This file is generated by the L<openssl-fipsinstall(1)> program, and
|
||||
-used internally by the FIPS module during its initialization.
|
||||
-
|
||||
-The following options are supported. They should all appear in a section
|
||||
-whose name is identified by the B<fips> option in the B<providers>
|
||||
-section, as described in L<config(5)/Provider Configuration Module>.
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item B<activate>
|
||||
-
|
||||
-If present, the module is activated. The value assigned to this name is not
|
||||
-significant.
|
||||
-
|
||||
-=item B<install-version>
|
||||
-
|
||||
-A version number for the fips install process. Should be 1.
|
||||
-
|
||||
-=item B<conditional-errors>
|
||||
-
|
||||
-The FIPS module normally enters an internal error mode if any self test fails.
|
||||
-Once this error mode is active, no services or cryptographic algorithms are
|
||||
-accessible from this point on.
|
||||
-Continuous tests are a subset of the self tests (e.g., a key pair test during key
|
||||
-generation, or the CRNG output test).
|
||||
-Setting this value to C<0> allows the error mode to not be triggered if any
|
||||
-continuous test fails. The default value of C<1> will trigger the error mode.
|
||||
-Regardless of the value, the operation (e.g., key generation) that called the
|
||||
-continuous test will return an error code if its continuous test fails. The
|
||||
-operation may then be retried if the error mode has not been triggered.
|
||||
-
|
||||
-=item B<security-checks>
|
||||
-
|
||||
-This indicates if run-time checks related to enforcement of security parameters
|
||||
-such as minimum security strength of keys and approved curve names are used.
|
||||
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
|
||||
-are not performed and FIPS compliance must be done by procedures documented in
|
||||
-the relevant Security Policy.
|
||||
-
|
||||
-=item B<module-mac>
|
||||
-
|
||||
-The calculated MAC of the FIPS provider file.
|
||||
-
|
||||
-=item B<install-status>
|
||||
-
|
||||
-An indicator that the self-tests were successfully run.
|
||||
-This should only be written after the module has
|
||||
-successfully passed its self tests during installation.
|
||||
-If this field is not present, then the self tests will run when the module
|
||||
-loads.
|
||||
-
|
||||
-=item B<install-mac>
|
||||
-
|
||||
-A MAC of the value of the B<install-status> option, to prevent accidental
|
||||
-changes to that value.
|
||||
-It is written-to at the same time as B<install-status> is updated.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-For example:
|
||||
-
|
||||
- [fips_sect]
|
||||
- activate = 1
|
||||
- install-version = 1
|
||||
- conditional-errors = 1
|
||||
- security-checks = 1
|
||||
- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
|
||||
- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
|
||||
- install-status = INSTALL_SELF_TEST_KATS_RUN
|
||||
-
|
||||
-=head1 NOTES
|
||||
-
|
||||
-When using the FIPS provider, it is recommended that the
|
||||
-B<config_diagnostics> option is enabled to prevent accidental use of
|
||||
-non-FIPS validated algorithms via broken or mistaken configuration.
|
||||
-See L<config(5)>.
|
||||
-
|
||||
-=head1 SEE ALSO
|
||||
-
|
||||
-L<config(5)>
|
||||
-L<openssl-fipsinstall(1)>
|
||||
+This command is disabled in SUSE/openSUSE. The FIPS provider is
|
||||
+automatically loaded when the system is booted in FIPS mode, or when the
|
||||
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set.
|
||||
+See the documentation for more information.
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
Index: openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||
===================================================================
|
||||
--- openssl-3.1.4.orig/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||
+++ openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||
@@ -455,7 +455,6 @@ want to operate in a FIPS approved manne
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
-L<openssl-fipsinstall(1)>,
|
||||
L<fips_config(5)>,
|
||||
L<OSSL_SELF_TEST_set_callback(3)>,
|
||||
L<OSSL_SELF_TEST_new(3)>,
|
2159
openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
Normal file
2159
openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,65 @@
|
||||
From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001
|
||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
||||
Date: Fri, 23 Jun 2023 16:41:48 +1000
|
||||
Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul}
|
||||
wrappers
|
||||
|
||||
Runtime selection of implementations for felem_{square,mul} depends on
|
||||
felem_{square,mul}_wrapper functions, which overwrite function points in
|
||||
a similar design to that of .plt.got sections used by program loaders
|
||||
during dynamic linking.
|
||||
|
||||
There's no reason why these functions need to have external linkage.
|
||||
Mark static.
|
||||
|
||||
Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Todd Short <todd.short@me.com>
|
||||
(Merged from https://github.com/openssl/openssl/pull/21471)
|
||||
---
|
||||
crypto/ec/ecp_nistp521.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
|
||||
index 97815cac1f13..32a9268ecf17 100644
|
||||
--- a/crypto/ec/ecp_nistp521.c
|
||||
+++ b/crypto/ec/ecp_nistp521.c
|
||||
@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in)
|
||||
}
|
||||
|
||||
#if defined(ECP_NISTP521_ASM)
|
||||
-void felem_square_wrapper(largefelem out, const felem in);
|
||||
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
|
||||
+static void felem_square_wrapper(largefelem out, const felem in);
|
||||
+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
|
||||
|
||||
static void (*felem_square_p)(largefelem out, const felem in) =
|
||||
felem_square_wrapper;
|
||||
@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2);
|
||||
# include "crypto/ppc_arch.h"
|
||||
# endif
|
||||
|
||||
-void felem_select(void)
|
||||
+static void felem_select(void)
|
||||
{
|
||||
# if defined(_ARCH_PPC64)
|
||||
if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
|
||||
@@ -707,13 +707,13 @@ void felem_select(void)
|
||||
felem_mul_p = felem_mul_ref;
|
||||
}
|
||||
|
||||
-void felem_square_wrapper(largefelem out, const felem in)
|
||||
+static void felem_square_wrapper(largefelem out, const felem in)
|
||||
{
|
||||
felem_select();
|
||||
felem_square_p(out, in);
|
||||
}
|
||||
|
||||
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
|
||||
+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
|
||||
{
|
||||
felem_select();
|
||||
felem_mul_p(out, in1, in2);
|
@ -0,0 +1,428 @@
|
||||
From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001
|
||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
||||
Date: Wed, 31 May 2023 14:32:26 +1000
|
||||
Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul}
|
||||
|
||||
Add an assembly implementation of felem_{square,mul}, which will be
|
||||
implemented whenever Altivec support is present and the core implements
|
||||
ISA 3.0 (Power 9) or greater.
|
||||
|
||||
Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Todd Short <todd.short@me.com>
|
||||
(Merged from https://github.com/openssl/openssl/pull/21471)
|
||||
---
|
||||
crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++
|
||||
crypto/ec/build.info | 6 +-
|
||||
crypto/ec/ecp_nistp384.c | 9 +
|
||||
3 files changed, 368 insertions(+), 2 deletions(-)
|
||||
create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl
|
||||
|
||||
diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
|
||||
new file mode 100755
|
||||
index 000000000000..3f86b391af69
|
||||
--- /dev/null
|
||||
+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
|
||||
@@ -0,0 +1,355 @@
|
||||
+#! /usr/bin/env perl
|
||||
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+#
|
||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+# this file except in compliance with the License. You can obtain a copy
|
||||
+# in the file LICENSE in the source distribution or at
|
||||
+# https://www.openssl.org/source/license.html
|
||||
+#
|
||||
+# ====================================================================
|
||||
+# Written by Rohan McLure <rmclure@linux.ibm.com> for the OpenSSL
|
||||
+# project.
|
||||
+# ====================================================================
|
||||
+#
|
||||
+# p384 lower-level primitives for PPC64 using vector instructions.
|
||||
+#
|
||||
+
|
||||
+use strict;
|
||||
+use warnings;
|
||||
+
|
||||
+my $flavour = shift;
|
||||
+my $output = "";
|
||||
+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
|
||||
+if (!$output) {
|
||||
+ $output = "-";
|
||||
+}
|
||||
+
|
||||
+my ($xlate, $dir);
|
||||
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
|
||||
+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
|
||||
+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
|
||||
+die "can't locate ppc-xlate.pl";
|
||||
+
|
||||
+open OUT,"| \"$^X\" $xlate $flavour $output";
|
||||
+*STDOUT=*OUT;
|
||||
+
|
||||
+my $code = "";
|
||||
+
|
||||
+my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12");
|
||||
+
|
||||
+my $vzero = "v32";
|
||||
+
|
||||
+sub startproc($)
|
||||
+{
|
||||
+ my ($name) = @_;
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+ .globl ${name}
|
||||
+ .align 5
|
||||
+${name}:
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+sub endproc($)
|
||||
+{
|
||||
+ my ($name) = @_;
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+ blr
|
||||
+ .size ${name},.-${name}
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+
|
||||
+sub push_vrs($$)
|
||||
+{
|
||||
+ my ($min, $max) = @_;
|
||||
+
|
||||
+ my $count = $max - $min + 1;
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+ mr $savesp,$sp
|
||||
+ stdu $sp,-16*`$count+1`($sp)
|
||||
+
|
||||
+___
|
||||
+ for (my $i = $min; $i <= $max; $i++) {
|
||||
+ my $mult = $max - $i + 1;
|
||||
+ $code.=<<___;
|
||||
+ stxv $i,-16*$mult($savesp)
|
||||
+___
|
||||
+
|
||||
+ }
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+sub pop_vrs($$)
|
||||
+{
|
||||
+ my ($min, $max) = @_;
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+ ld $savesp,0($sp)
|
||||
+___
|
||||
+ for (my $i = $min; $i <= $max; $i++) {
|
||||
+ my $mult = $max - $i + 1;
|
||||
+ $code.=<<___;
|
||||
+ lxv $i,-16*$mult($savesp)
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+ mr $sp,$savesp
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+sub load_vrs($$)
|
||||
+{
|
||||
+ my ($pointer, $reg_list) = @_;
|
||||
+
|
||||
+ for (my $i = 0; $i <= 6; $i++) {
|
||||
+ my $offset = $i * 8;
|
||||
+ $code.=<<___;
|
||||
+ lxsd $reg_list->[$i],$offset($pointer)
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+sub store_vrs($$)
|
||||
+{
|
||||
+ my ($pointer, $reg_list) = @_;
|
||||
+
|
||||
+ for (my $i = 0; $i <= 12; $i++) {
|
||||
+ my $offset = $i * 16;
|
||||
+ $code.=<<___;
|
||||
+ stxv $reg_list->[$i],$offset($pointer)
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+$code.=<<___;
|
||||
+.machine "any"
|
||||
+.text
|
||||
+
|
||||
+___
|
||||
+
|
||||
+{
|
||||
+ # mul/square common
|
||||
+ my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v42", "v43");
|
||||
+ my ($zero, $one) = ("r8", "r9");
|
||||
+ my $out = "v51";
|
||||
+
|
||||
+ {
|
||||
+ #
|
||||
+ # p384_felem_mul
|
||||
+ #
|
||||
+
|
||||
+ my ($in1p, $in2p) = ("r4", "r5");
|
||||
+ my @in1 = map("v$_",(44..50));
|
||||
+ my @in2 = map("v$_",(35..41));
|
||||
+
|
||||
+ startproc("p384_felem_mul");
|
||||
+
|
||||
+ push_vrs(52, 63);
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+ vspltisw $vzero,0
|
||||
+
|
||||
+___
|
||||
+
|
||||
+ load_vrs($in1p, \@in1);
|
||||
+ load_vrs($in2p, \@in2);
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+ vmsumudm $out,$in1[0],$in2[0],$vzero
|
||||
+ stxv $out,0($outp)
|
||||
+
|
||||
+ xxpermdi $t1,$in1[0],$in1[1],0b00
|
||||
+ xxpermdi $t2,$in2[1],$in2[0],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ stxv $out,16($outp)
|
||||
+
|
||||
+ xxpermdi $t2,$in2[2],$in2[1],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ vmsumudm $out,$in1[2],$in2[0],$out
|
||||
+ stxv $out,32($outp)
|
||||
+
|
||||
+ xxpermdi $t2,$in2[1],$in2[0],0b00
|
||||
+ xxpermdi $t3,$in1[2],$in1[3],0b00
|
||||
+ xxpermdi $t4,$in2[3],$in2[2],0b00
|
||||
+ vmsumudm $out,$t1,$t4,$vzero
|
||||
+ vmsumudm $out,$t3,$t2,$out
|
||||
+ stxv $out,48($outp)
|
||||
+
|
||||
+ xxpermdi $t2,$in2[4],$in2[3],0b00
|
||||
+ xxpermdi $t4,$in2[2],$in2[1],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ vmsumudm $out,$t3,$t4,$out
|
||||
+ vmsumudm $out,$in1[4],$in2[0],$out
|
||||
+ stxv $out,64($outp)
|
||||
+
|
||||
+ xxpermdi $t2,$in2[5],$in2[4],0b00
|
||||
+ xxpermdi $t4,$in2[3],$in2[2],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ vmsumudm $out,$t3,$t4,$out
|
||||
+ xxpermdi $t4,$in2[1],$in2[0],0b00
|
||||
+ xxpermdi $t1,$in1[4],$in1[5],0b00
|
||||
+ vmsumudm $out,$t1,$t4,$out
|
||||
+ stxv $out,80($outp)
|
||||
+
|
||||
+ xxpermdi $t1,$in1[0],$in1[1],0b00
|
||||
+ xxpermdi $t2,$in2[6],$in2[5],0b00
|
||||
+ xxpermdi $t4,$in2[4],$in2[3],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ vmsumudm $out,$t3,$t4,$out
|
||||
+ xxpermdi $t2,$in2[2],$in2[1],0b00
|
||||
+ xxpermdi $t1,$in1[4],$in1[5],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$out
|
||||
+ vmsumudm $out,$in1[6],$in2[0],$out
|
||||
+ stxv $out,96($outp)
|
||||
+
|
||||
+ xxpermdi $t1,$in1[1],$in1[2],0b00
|
||||
+ xxpermdi $t2,$in2[6],$in2[5],0b00
|
||||
+ xxpermdi $t3,$in1[3],$in1[4],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ vmsumudm $out,$t3,$t4,$out
|
||||
+ xxpermdi $t3,$in2[2],$in2[1],0b00
|
||||
+ xxpermdi $t1,$in1[5],$in1[6],0b00
|
||||
+ vmsumudm $out,$t1,$t3,$out
|
||||
+ stxv $out,112($outp)
|
||||
+
|
||||
+ xxpermdi $t1,$in1[2],$in1[3],0b00
|
||||
+ xxpermdi $t3,$in1[4],$in1[5],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ vmsumudm $out,$t3,$t4,$out
|
||||
+ vmsumudm $out,$in1[6],$in2[2],$out
|
||||
+ stxv $out,128($outp)
|
||||
+
|
||||
+ xxpermdi $t1,$in1[3],$in1[4],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ xxpermdi $t1,$in1[5],$in1[6],0b00
|
||||
+ vmsumudm $out,$t1,$t4,$out
|
||||
+ stxv $out,144($outp)
|
||||
+
|
||||
+ vmsumudm $out,$t3,$t2,$vzero
|
||||
+ vmsumudm $out,$in1[6],$in2[4],$out
|
||||
+ stxv $out,160($outp)
|
||||
+
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ stxv $out,176($outp)
|
||||
+
|
||||
+ vmsumudm $out,$in1[6],$in2[6],$vzero
|
||||
+ stxv $out,192($outp)
|
||||
+___
|
||||
+
|
||||
+ endproc("p384_felem_mul");
|
||||
+ }
|
||||
+
|
||||
+ {
|
||||
+ #
|
||||
+ # p384_felem_square
|
||||
+ #
|
||||
+
|
||||
+ my ($inp) = ("r4");
|
||||
+ my @in = map("v$_",(44..50));
|
||||
+ my @inx2 = map("v$_",(35..41));
|
||||
+
|
||||
+ startproc("p384_felem_square");
|
||||
+
|
||||
+ push_vrs(52, 63);
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+ vspltisw $vzero,0
|
||||
+
|
||||
+___
|
||||
+
|
||||
+ load_vrs($inp, \@in);
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+ li $zero,0
|
||||
+ li $one,1
|
||||
+ mtvsrdd $t1,$one,$zero
|
||||
+___
|
||||
+
|
||||
+ for (my $i = 0; $i <= 6; $i++) {
|
||||
+ $code.=<<___;
|
||||
+ vsld $inx2[$i],$in[$i],$t1
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $code.=<<___;
|
||||
+ vmsumudm $out,$in[0],$in[0],$vzero
|
||||
+ stxv $out,0($outp)
|
||||
+
|
||||
+ vmsumudm $out,$in[0],$inx2[1],$vzero
|
||||
+ stxv $out,16($outp)
|
||||
+
|
||||
+ vmsumudm $out,$in[0],$inx2[2],$vzero
|
||||
+ vmsumudm $out,$in[1],$in[1],$out
|
||||
+ stxv $out,32($outp)
|
||||
+
|
||||
+ xxpermdi $t1,$in[0],$in[1],0b00
|
||||
+ xxpermdi $t2,$inx2[3],$inx2[2],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ stxv $out,48($outp)
|
||||
+
|
||||
+ xxpermdi $t4,$inx2[4],$inx2[3],0b00
|
||||
+ vmsumudm $out,$t1,$t4,$vzero
|
||||
+ vmsumudm $out,$in[2],$in[2],$out
|
||||
+ stxv $out,64($outp)
|
||||
+
|
||||
+ xxpermdi $t2,$inx2[5],$inx2[4],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ vmsumudm $out,$in[2],$inx2[3],$out
|
||||
+ stxv $out,80($outp)
|
||||
+
|
||||
+ xxpermdi $t2,$inx2[6],$inx2[5],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ vmsumudm $out,$in[2],$inx2[4],$out
|
||||
+ vmsumudm $out,$in[3],$in[3],$out
|
||||
+ stxv $out,96($outp)
|
||||
+
|
||||
+ xxpermdi $t3,$in[1],$in[2],0b00
|
||||
+ vmsumudm $out,$t3,$t2,$vzero
|
||||
+ vmsumudm $out,$in[3],$inx2[4],$out
|
||||
+ stxv $out,112($outp)
|
||||
+
|
||||
+ xxpermdi $t1,$in[2],$in[3],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ vmsumudm $out,$in[4],$in[4],$out
|
||||
+ stxv $out,128($outp)
|
||||
+
|
||||
+ xxpermdi $t1,$in[3],$in[4],0b00
|
||||
+ vmsumudm $out,$t1,$t2,$vzero
|
||||
+ stxv $out,144($outp)
|
||||
+
|
||||
+ vmsumudm $out,$in[4],$inx2[6],$vzero
|
||||
+ vmsumudm $out,$in[5],$in[5],$out
|
||||
+ stxv $out,160($outp)
|
||||
+
|
||||
+ vmsumudm $out,$in[5],$inx2[6],$vzero
|
||||
+ stxv $out,176($outp)
|
||||
+
|
||||
+ vmsumudm $out,$in[6],$in[6],$vzero
|
||||
+ stxv $out,192($outp)
|
||||
+___
|
||||
+
|
||||
+ endproc("p384_felem_square");
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+$code =~ s/\`([^\`]*)\`/eval $1/gem;
|
||||
+print $code;
|
||||
+close STDOUT or die "error closing STDOUT: $!";
|
||||
diff --git a/crypto/ec/build.info b/crypto/ec/build.info
|
||||
index 1fa60a1deddd..4077bead7bdb 100644
|
||||
--- a/crypto/ec/build.info
|
||||
+++ b/crypto/ec/build.info
|
||||
@@ -39,8 +39,9 @@ IF[{- !$disabled{asm} -}]
|
||||
$ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s
|
||||
$ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM
|
||||
IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}]
|
||||
- $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s
|
||||
- $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM
|
||||
+ $ECASM_ppc64=$ECASM_ppc64 ecp_nistp384-ppc64.s ecp_nistp521-ppc64.s
|
||||
+ $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP384_ASM ECP_NISTP521_ASM
|
||||
+ INCLUDE[ecp_nistp384.o]=..
|
||||
INCLUDE[ecp_nistp521.o]=..
|
||||
ENDIF
|
||||
|
||||
@@ -119,6 +120,7 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl
|
||||
INCLUDE[ecp_nistz256-armv8.o]=..
|
||||
GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl
|
||||
|
||||
+GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl
|
||||
GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl
|
||||
|
||||
GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl
|
||||
diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
|
||||
index a0559487ed4e..14f9530d07c6 100644
|
||||
--- a/crypto/ec/ecp_nistp384.c
|
||||
+++ b/crypto/ec/ecp_nistp384.c
|
||||
@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const felem in1, const felem in2);
|
||||
|
||||
static void felem_select(void)
|
||||
{
|
||||
+# if defined(_ARCH_PPC64)
|
||||
+ if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
|
||||
+ felem_square_p = p384_felem_square;
|
||||
+ felem_mul_p = p384_felem_mul;
|
||||
+
|
||||
+ return;
|
||||
+ }
|
||||
+# endif
|
||||
+
|
||||
/* Default */
|
||||
felem_square_p = felem_square_ref;
|
||||
felem_mul_p = felem_mul_ref;
|
76
openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
Normal file
76
openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
Normal file
@ -0,0 +1,76 @@
|
||||
From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001
|
||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
||||
Date: Tue, 15 Aug 2023 15:20:20 +1000
|
||||
Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1
|
||||
|
||||
Substitutions in the felem_reduce() method feature unecessary
|
||||
parentheses, remove them.
|
||||
|
||||
Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
|
||||
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/21749)
|
||||
---
|
||||
crypto/ec/ecp_nistp384.c | 12 ++++++------
|
||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
|
||||
index 14f9530d07c6..ff68f9cc7ad0 100644
|
||||
--- a/crypto/ec/ecp_nistp384.c
|
||||
+++ b/crypto/ec/ecp_nistp384.c
|
||||
@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in)
|
||||
acc[7] += in[12] >> 8;
|
||||
acc[6] += (in[12] & 0xff) << 48;
|
||||
acc[6] -= in[12] >> 16;
|
||||
- acc[5] -= ((in[12] & 0xffff) << 40);
|
||||
+ acc[5] -= (in[12] & 0xffff) << 40;
|
||||
acc[6] += in[12] >> 48;
|
||||
acc[5] += (in[12] & 0xffffffffffff) << 8;
|
||||
|
||||
@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in)
|
||||
acc[6] += in[11] >> 8;
|
||||
acc[5] += (in[11] & 0xff) << 48;
|
||||
acc[5] -= in[11] >> 16;
|
||||
- acc[4] -= ((in[11] & 0xffff) << 40);
|
||||
+ acc[4] -= (in[11] & 0xffff) << 40;
|
||||
acc[5] += in[11] >> 48;
|
||||
acc[4] += (in[11] & 0xffffffffffff) << 8;
|
||||
|
||||
@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in)
|
||||
acc[5] += in[10] >> 8;
|
||||
acc[4] += (in[10] & 0xff) << 48;
|
||||
acc[4] -= in[10] >> 16;
|
||||
- acc[3] -= ((in[10] & 0xffff) << 40);
|
||||
+ acc[3] -= (in[10] & 0xffff) << 40;
|
||||
acc[4] += in[10] >> 48;
|
||||
acc[3] += (in[10] & 0xffffffffffff) << 8;
|
||||
|
||||
@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in)
|
||||
acc[4] += in[9] >> 8;
|
||||
acc[3] += (in[9] & 0xff) << 48;
|
||||
acc[3] -= in[9] >> 16;
|
||||
- acc[2] -= ((in[9] & 0xffff) << 40);
|
||||
+ acc[2] -= (in[9] & 0xffff) << 40;
|
||||
acc[3] += in[9] >> 48;
|
||||
acc[2] += (in[9] & 0xffffffffffff) << 8;
|
||||
|
||||
@@ -582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in)
|
||||
acc[3] += acc[8] >> 8;
|
||||
acc[2] += (acc[8] & 0xff) << 48;
|
||||
acc[2] -= acc[8] >> 16;
|
||||
- acc[1] -= ((acc[8] & 0xffff) << 40);
|
||||
+ acc[1] -= (acc[8] & 0xffff) << 40;
|
||||
acc[2] += acc[8] >> 48;
|
||||
acc[1] += (acc[8] & 0xffffffffffff) << 8;
|
||||
|
||||
@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in)
|
||||
acc[2] += acc[7] >> 8;
|
||||
acc[1] += (acc[7] & 0xff) << 48;
|
||||
acc[1] -= acc[7] >> 16;
|
||||
- acc[0] -= ((acc[7] & 0xffff) << 40);
|
||||
+ acc[0] -= (acc[7] & 0xffff) << 40;
|
||||
acc[1] += acc[7] >> 48;
|
||||
acc[0] += (acc[7] & 0xffffffffffff) << 8;
|
||||
|
90
openssl-load-legacy-provider.patch
Normal file
90
openssl-load-legacy-provider.patch
Normal file
@ -0,0 +1,90 @@
|
||||
287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
||||
Subject: [PATCH 14/35] 0024-load-legacy-prov.patch
|
||||
|
||||
Patch-name: 0024-load-legacy-prov.patch
|
||||
Patch-id: 24
|
||||
Patch-status: |
|
||||
# Instructions to load legacy provider in openssl.cnf
|
||||
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
||||
---
|
||||
apps/openssl.cnf | 37 +++++++++++++++----------------------
|
||||
doc/man5/config.pod | 8 ++++++++
|
||||
2 files changed, 23 insertions(+), 22 deletions(-)
|
||||
|
||||
Index: openssl-3.1.4/apps/openssl.cnf
|
||||
===================================================================
|
||||
--- openssl-3.1.4.orig/apps/openssl.cnf
|
||||
+++ openssl-3.1.4/apps/openssl.cnf
|
||||
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
|
||||
tsa_policy2 = 1.2.3.4.5.6
|
||||
tsa_policy3 = 1.2.3.4.5.7
|
||||
|
||||
-# For FIPS
|
||||
-# Optionally include a file that is generated by the OpenSSL fipsinstall
|
||||
-# application. This file contains configuration data required by the OpenSSL
|
||||
-# fips provider. It contains a named section e.g. [fips_sect] which is
|
||||
-# referenced from the [provider_sect] below.
|
||||
-# Refer to the OpenSSL security policy for more information.
|
||||
-# .include fipsmodule.cnf
|
||||
-
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
# Load default TLS policy configuration
|
||||
ssl_conf = ssl_module
|
||||
|
||||
-# List of providers to load
|
||||
+# Uncomment the sections that start with ## below to enable the legacy provider.
|
||||
+# Loading the legacy provider enables support for the following algorithms:
|
||||
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
||||
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
|
||||
+# Key Derivation Function (KDF): PBKDF1
|
||||
+# In general it is not recommended to use the above mentioned algorithms for
|
||||
+# security critical operations, as they are cryptographically weak or vulnerable
|
||||
+# to side-channel attacks and as such have been deprecated.
|
||||
+
|
||||
[provider_sect]
|
||||
default = default_sect
|
||||
-# The fips section name should match the section name inside the
|
||||
-# included fipsmodule.cnf.
|
||||
-# fips = fips_sect
|
||||
-
|
||||
-# If no providers are activated explicitly, the default one is activated implicitly.
|
||||
-# See man 7 OSSL_PROVIDER-default for more details.
|
||||
-#
|
||||
-# If you add a section explicitly activating any other provider(s), you most
|
||||
-# probably need to explicitly activate the default provider, otherwise it
|
||||
-# becomes unavailable in openssl. As a consequence applications depending on
|
||||
-# OpenSSL may not work correctly which could lead to significant system
|
||||
-# problems including inability to remotely access the system.
|
||||
+##legacy = legacy_sect
|
||||
+
|
||||
[default_sect]
|
||||
-# activate = 1
|
||||
+activate = 1
|
||||
+
|
||||
+##[legacy_sect]
|
||||
+##activate = 1
|
||||
|
||||
[ ssl_module ]
|
||||
|
||||
Index: openssl-3.1.4/doc/man5/config.pod
|
||||
===================================================================
|
||||
--- openssl-3.1.4.orig/doc/man5/config.pod
|
||||
+++ openssl-3.1.4/doc/man5/config.pod
|
||||
@@ -273,6 +273,14 @@ significant.
|
||||
All parameters in the section as well as sub-sections are made
|
||||
available to the provider.
|
||||
|
||||
+=head3 Loading the legacy provider
|
||||
+
|
||||
+Uncomment the sections that start with ## in openssl.cnf
|
||||
+to enable the legacy provider.
|
||||
+Note: In general it is not recommended to use the above mentioned algorithms for
|
||||
+security critical operations, as they are cryptographically weak or vulnerable
|
||||
+to side-channel attacks and as such have been deprecated.
|
||||
+
|
||||
=head3 Default provider and its activation
|
||||
|
||||
If no providers are activated explicitly, the default one is activated implicitly.
|
13
openssl-no-date.patch
Normal file
13
openssl-no-date.patch
Normal file
@ -0,0 +1,13 @@
|
||||
Index: openssl-1.1.1-pre1/util/mkbuildinf.pl
|
||||
===================================================================
|
||||
--- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl 2018-02-13 16:31:28.011389734 +0100
|
||||
+++ openssl-1.1.1-pre1/util/mkbuildinf.pl 2018-02-13 16:31:51.539764582 +0100
|
||||
@@ -28,7 +28,7 @@ print <<"END_OUTPUT";
|
||||
*/
|
||||
|
||||
#define PLATFORM "platform: $platform"
|
||||
-#define DATE "built on: $date"
|
||||
+#define DATE ""
|
||||
|
||||
/*
|
||||
* Generate compiler_flags as an array of individual characters. This is a
|
13
openssl-no-html-docs.patch
Normal file
13
openssl-no-html-docs.patch
Normal file
@ -0,0 +1,13 @@
|
||||
Index: openssl-3.1.4/Configurations/unix-Makefile.tmpl
|
||||
===================================================================
|
||||
--- openssl-3.1.4.orig/Configurations/unix-Makefile.tmpl
|
||||
+++ openssl-3.1.4/Configurations/unix-Makefile.tmpl
|
||||
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines
|
||||
|
||||
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
|
||||
|
||||
-install_docs: install_man_docs install_html_docs
|
||||
+install_docs: install_man_docs
|
||||
|
||||
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
||||
$(RM) -r "$(DESTDIR)$(DOCDIR)"
|
22
openssl-pkgconfig.patch
Normal file
22
openssl-pkgconfig.patch
Normal file
@ -0,0 +1,22 @@
|
||||
Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl
|
||||
===================================================================
|
||||
--- openssl-1.1.1-pre3.orig/Configurations/unix-Makefile.tmpl 2018-03-20 15:20:03.037124698 +0100
|
||||
+++ openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl 2018-03-20 15:21:04.206084731 +0100
|
||||
@@ -843,7 +843,7 @@ libcrypto.pc:
|
||||
echo 'Version: '$(VERSION); \
|
||||
echo 'Libs: -L$${libdir} -lcrypto'; \
|
||||
echo 'Libs.private: $(LIB_EX_LIBS)'; \
|
||||
- echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
|
||||
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libcrypto.pc
|
||||
|
||||
libssl.pc:
|
||||
@ ( echo 'prefix=$(INSTALLTOP)'; \
|
||||
@@ -860,7 +860,7 @@ libssl.pc:
|
||||
echo 'Version: '$(VERSION); \
|
||||
echo 'Requires.private: libcrypto'; \
|
||||
echo 'Libs: -L$${libdir} -lssl'; \
|
||||
- echo 'Cflags: -I$${includedir}' ) > libssl.pc
|
||||
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libssl.pc
|
||||
|
||||
openssl.pc:
|
||||
@ ( echo 'prefix=$(INSTALLTOP)'; \
|
96
openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
Normal file
96
openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
Normal file
@ -0,0 +1,96 @@
|
||||
From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001
|
||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
||||
Date: Wed, 16 Aug 2023 16:52:47 +1000
|
||||
Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm
|
||||
|
||||
Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as
|
||||
VSX enabled systems make extensive use of renaming, and so writebacks in
|
||||
felem_{mul,square}() can be reordered for best cache effects.
|
||||
|
||||
Remove stack allocations. This in turn fixes unmatched push/pops in
|
||||
felem_{mul,square}().
|
||||
|
||||
Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
|
||||
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/21749)
|
||||
---
|
||||
crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 -----------------------------
|
||||
1 file changed, 49 deletions(-)
|
||||
|
||||
diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
|
||||
index 3f86b391af69..28f4168e5218 100755
|
||||
--- a/crypto/ec/asm/ecp_nistp384-ppc64.pl
|
||||
+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
|
||||
@@ -62,51 +62,6 @@ ($)
|
||||
___
|
||||
}
|
||||
|
||||
-
|
||||
-sub push_vrs($$)
|
||||
-{
|
||||
- my ($min, $max) = @_;
|
||||
-
|
||||
- my $count = $max - $min + 1;
|
||||
-
|
||||
- $code.=<<___;
|
||||
- mr $savesp,$sp
|
||||
- stdu $sp,-16*`$count+1`($sp)
|
||||
-
|
||||
-___
|
||||
- for (my $i = $min; $i <= $max; $i++) {
|
||||
- my $mult = $max - $i + 1;
|
||||
- $code.=<<___;
|
||||
- stxv $i,-16*$mult($savesp)
|
||||
-___
|
||||
-
|
||||
- }
|
||||
-
|
||||
- $code.=<<___;
|
||||
-
|
||||
-___
|
||||
-}
|
||||
-
|
||||
-sub pop_vrs($$)
|
||||
-{
|
||||
- my ($min, $max) = @_;
|
||||
-
|
||||
- $code.=<<___;
|
||||
- ld $savesp,0($sp)
|
||||
-___
|
||||
- for (my $i = $min; $i <= $max; $i++) {
|
||||
- my $mult = $max - $i + 1;
|
||||
- $code.=<<___;
|
||||
- lxv $i,-16*$mult($savesp)
|
||||
-___
|
||||
- }
|
||||
-
|
||||
- $code.=<<___;
|
||||
- mr $sp,$savesp
|
||||
-
|
||||
-___
|
||||
-}
|
||||
-
|
||||
sub load_vrs($$)
|
||||
{
|
||||
my ($pointer, $reg_list) = @_;
|
||||
@@ -162,8 +117,6 @@ ($$)
|
||||
|
||||
startproc("p384_felem_mul");
|
||||
|
||||
- push_vrs(52, 63);
|
||||
-
|
||||
$code.=<<___;
|
||||
vspltisw $vzero,0
|
||||
|
||||
@@ -268,8 +221,6 @@ ($$)
|
||||
|
||||
startproc("p384_felem_square");
|
||||
|
||||
- push_vrs(52, 63);
|
||||
-
|
||||
$code.=<<___;
|
||||
vspltisw $vzero,0
|
||||
|
32
openssl-ppc64-config.patch
Normal file
32
openssl-ppc64-config.patch
Normal file
@ -0,0 +1,32 @@
|
||||
Index: openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
|
||||
===================================================================
|
||||
--- openssl-3.0.0-alpha5.orig/util/perl/OpenSSL/config.pm
|
||||
+++ openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
|
||||
@@ -525,14 +525,19 @@ EOF
|
||||
return { target => "linux-ppc64" } if $KERNEL_BITS eq '64';
|
||||
|
||||
my %config = ();
|
||||
- if (!okrun('echo __LP64__',
|
||||
- 'gcc -E -x c - 2>/dev/null',
|
||||
- 'grep "^__LP64__" 2>&1 >/dev/null') ) {
|
||||
- %config = ( cflags => [ '-m32' ],
|
||||
- cxxflags => [ '-m32' ] );
|
||||
- }
|
||||
- return { target => "linux-ppc",
|
||||
- %config };
|
||||
+ # ##
|
||||
+ # if (!okrun('echo __LP64__', 'gcc -E -x c - 2>/dev/null', 'grep "^__LP64__" 2>&1 >/dev/null') ) { %config = ( cflags => [ '-m32' ], cxxflags => [ '-m32' ] ); }
|
||||
+ # return { target => "linux-ppc",
|
||||
+ # %config };
|
||||
+ # ##
|
||||
+ if (okrun('echo __LP64__', 'gcc -E -x c - 2>/dev/null',
|
||||
+ 'grep "^__LP64__" 2>&1 >/dev/null') )
|
||||
+ {
|
||||
+ return { target => "linux-ppc", %config };
|
||||
+ } else {
|
||||
+ return { target => "linux-ppc64", %config };
|
||||
+ }
|
||||
+ ##
|
||||
}
|
||||
],
|
||||
[ 'ppc64le-.*-linux2', { target => "linux-ppc64le" } ],
|
17
openssl-truststore.patch
Normal file
17
openssl-truststore.patch
Normal file
@ -0,0 +1,17 @@
|
||||
Don't use the legacy /etc/ssl/certs directory anymore but rather the
|
||||
p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991)
|
||||
Index: openssl-1.1.1-pre1/include/internal/cryptlib.h
|
||||
===================================================================
|
||||
--- openssl-1.1.1-pre1.orig/include/internal/cryptlib.h 2018-02-13 14:48:12.000000000 +0100
|
||||
+++ openssl-1.1.1-pre1/include/internal/cryptlib.h 2018-02-13 16:30:11.738161984 +0100
|
||||
@@ -59,8 +59,8 @@ DEFINE_LHASH_OF(MEM);
|
||||
|
||||
# ifndef OPENSSL_SYS_VMS
|
||||
# define X509_CERT_AREA OPENSSLDIR
|
||||
-# define X509_CERT_DIR OPENSSLDIR "/certs"
|
||||
-# define X509_CERT_FILE OPENSSLDIR "/cert.pem"
|
||||
+# define X509_CERT_DIR "/var/lib/ca-certificates/openssl"
|
||||
+# define X509_CERT_FILE "/var/lib/ca-certificates/ca-bundle.pem"
|
||||
# define X509_PRIVATE_DIR OPENSSLDIR "/private"
|
||||
# define CTLOG_FILE OPENSSLDIR "/ct_log_list.cnf"
|
||||
# else
|
305
openssl.keyring
Normal file
305
openssl.keyring
Normal file
@ -0,0 +1,305 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Comment: 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
|
||||
Comment: Matt Caswell <matt@openssl.org>
|
||||
Comment: Matt Caswell <frodo@baggins.org>
|
||||
|
||||
mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay
|
||||
hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3
|
||||
iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi
|
||||
2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa
|
||||
N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz
|
||||
UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0H01hdHQgQ2Fzd2VsbCA8
|
||||
bWF0dEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkK
|
||||
CwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0zU0ARvUXH
|
||||
jbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR
|
||||
nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p
|
||||
3tPbnQzANjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyH
|
||||
sIvebMgKTI/bMG8Z7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0
|
||||
hmHLqjWqYs5PzyXeoNnsPXJt69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rga0IE1h
|
||||
dHQgQ2Fzd2VsbCA8ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsD
|
||||
BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+
|
||||
viob8935Uirei4FvnzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeA
|
||||
RGwWTQYGmFmrNRWZ2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAj
|
||||
eU8uSarmeZgGVMAInsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE
|
||||
5Q7wnnoRXdLyNet0AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R
|
||||
4gYFS/xGfTgocPUDZ4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO
|
||||
5vISJkZvqE5UuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg
|
||||
icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM
|
||||
k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6
|
||||
2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex
|
||||
F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ
|
||||
P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC
|
||||
AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v
|
||||
Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb
|
||||
SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x
|
||||
dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL
|
||||
HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2
|
||||
8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2g==
|
||||
=Z0q9
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Comment: B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45
|
||||
Comment: Paul Dale <pauli@openssl.org>
|
||||
|
||||
mQINBGApr7sBEACoyczHMNgWiVg4jMjtdkb5j7csKPdFx8B7FJNMFrL/Z/I1BjwM
|
||||
TQ7fxKvDN6z3mjAMKhU+wCL9vUSSMUtyze/fox09n84jYDwN3n37ozkrhcDB01ia
|
||||
iKCCeRNEW6meTs3/aJPGCznIOk/kMHlnZnQPcSphIexo/ZUyB59h6smz2LvoTZg0
|
||||
aeZeJwe0cfaVnWYA1a9wr+QJDQwRkEqdy772cM03Phs/sRWd4+nBqP1XxWlX30Yj
|
||||
VGjDsY3gH9AAy4oUnb7tOmk5S9FIKuMdkkWeU0Abm8/36OfZyMFbZDAMbO8i3un4
|
||||
eIQOg5tjynSXYel3nlJ/fwoSHefPgavCkBdknk842LM9xr22t+IKmy99uW7FDqvj
|
||||
wbPoMg6z2Jarl0Fqu3GhIjCmKMe6TBfkYwB4fp5KtzRwrSjDo16vkMoM69mXqA7w
|
||||
f1JV+BKvE6QTePNt8ix4ib5c6mPOrFnYG1X3tkNOc4/q6KcGbvS1xMax12q2/zSZ
|
||||
PmoJvzWTrSF8lQDZKjMnXnhrZMY8h7lu/QE4DQ1M9U1PFdf6vwLrNaHHfi/rWKTe
|
||||
fsrGp2TIqU4lm45p0fDroYqDML+gp8RMUZBU8M4wGwhludEiCoOFjXu2ECvvgrB7
|
||||
JHrh+FtMuuRPx4q2eRO75NepDfZqmp48PIqkt2b3VjisNceB70uYiUQ2eQARAQAB
|
||||
tB1QYXVsIERhbGUgPHBhdWxpQG9wZW5zc2wub3JnPokCTgQTAQoAOBYhBLfBwUNg
|
||||
81OjaGLk1SMchM3cxpxFBQJgKa+7AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
|
||||
AAoJECMchM3cxpxFa0YQAIAnnNek3+UXZL/u4R6hs/lJopC9p/MFbCnL0b1zZnbz
|
||||
Kbbva10PA3PEv+szhylDKeDIbDKF1yEjI4BTNCLS8sLKEZWSLTMW1MZhmxWm5TdF
|
||||
ebhoj6Tjjfxme4ETyk3+v3hC3Ylm0jiqHHErutRAPIW1VDFQVxKZPasv1yj3YNiB
|
||||
SktTSH1MjZZtlDYjp9z3VTczvrO3BBJJSxQ5CY749pEwtjwdLTqOVtoJL8thZ3J9
|
||||
jSnSDsgFVp/pPNVxxV98Yd89JqM34MvOuD3jYSOEtMUCJgMFXNZ/c2+BpWrX+ssP
|
||||
qrY9vBrq7o91K+OQHbb4Z1pjK/dzDq183E32uTOYbco7ga/JqE7c997zY0fgQsIz
|
||||
hdEveC4oMydzwHQ9WzHUYR7AtTgF9kKsTHy8H6ye3uaJMIMSEdAvI4mxG/k/zG/Q
|
||||
KrIt1nUJh/M7uu2IT9fM+AoR+2VV1u1vimxpCpOXpTB4mTIR5YfiaRfXnHm55iq/
|
||||
odxVj/yVqFUcujy+YC9SAoKRGJRQV0KZur1xAOJsgwUJ1iXJZwypowkI59jpwl2q
|
||||
WCfZIS1ZrpIebiVk4ZBaHDe1v178uLO3IasZR7HLvcD7ESX8U88ng8J1nXHq+Uc7
|
||||
4j5Dc6CMTd5WYTkFvhjO33JiHncK8CLYOFsndIGXts/OEhp08N5JELHCeSuu4UIb
|
||||
uQINBGApr7sBEADNQ6w6jQNqxWxHDjJzcXclQJFPB2qlT/5eMa7QeOYiJ5DmY2VQ
|
||||
P0Mltkmrc8T/I9NfRFpaB7Z+8zE5lmjSi3N5fYWjhoZp9oP0WYfSLef4KpD7KfEE
|
||||
TaBohn8cw0Kt+nmEN904w9kpLE+WAvD0qRKnilcCUWE5Es719W8dMh/8cB6FiCI5
|
||||
8myIvV63yDV1DiNyEcKNeasIFF8n3FCd0gWPXXS9Fe7muQpIJ4Lb2p3ylqcY9UaU
|
||||
8n+LQAb1LL1kC468MU0LBhhkCnZ2BacWnJu7JrzQ1Nihk+JRyXt0QARcgsITt8+3
|
||||
rQdZDb6o6jTixClNXOJ2LGZMAI2NrQppfn3uBny06veyde9l3riwtOYwqEfETt6O
|
||||
Ndy0gOd4zelPOnfMtzwDePC0m0b5ibNsMGVYGu5bmu4XFZrk8ivcAiEg4TJHcYtU
|
||||
meONyuhmaCbcG8in0GZvUgb/YLcBpLBhFFUUd1ALBfi6cXlvFlSU0HHQoNRIAyFt
|
||||
C1DQaAOWQ9v21KSF6zFG9Qg3yHKy+xBjXjfp0IZOqN5jrmXxbfl/+LWqUHD54tmS
|
||||
iHrUf1CiW6no+4WBI9f6/+QCVLFBoStlNgoRt/OcIXmq1cTJ2pTSPl3S0+HobCEa
|
||||
llEGEDXqsGxmV2kNmxsUks/knEGFElp/XtMrhykicIdQYntMaRebljrpiwARAQAB
|
||||
iQI2BBgBCgAgFiEEt8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sCGwwACgkQIxyE
|
||||
zdzGnEW2ew/+IzGVXgB34NeHnaLVDTtiUXgrNoOV4xFTS+kvZXrGC5i+mMhae9Pc
|
||||
gvAyjssJ7dVP2RJBSNkfdxrRd2D4HFcf3dn/n646HNiTinirfvoUf4VIA1jdDp9q
|
||||
ixi//tO7fsPyn35d672OA9AC3ccBgji6V9XA58REonF+ap2bE0JBJYTJZrET9Wny
|
||||
BPEjefdpORSHaXqimfHN59QV5gXEFZ4Ci1jCt9n6WEb0oo+kQTkUb8z7F9P+7ojj
|
||||
Q+4KrgtlXb9ijxCwMfGRPNInnumqyKJ0PhTVwhM1JNdi53nwVY98OGEZXWiKPFQ6
|
||||
lAGyLLXwaOSztKGSdsFPK/tpyVihwoqHjJCU5St/PVlpvRKhbtq24FfDu7YyDO2Q
|
||||
Dp2/F+QIdVnUFO2I1xeb2k+/Tx+3nfKYNui+AFaudOblrYQzPrlswJzCmmB/OTkt
|
||||
wuOqr2nvQr2JUwmSaRvdCAe8EI/HAa/ujlA87T69L4T66KwBWuBkIYZQxFtCiC+B
|
||||
mksPCYe9TBTZm2+8xk6UiSMKurwESTkDj/uUGmtGHi3cSJPSQ5x41COSEc+/yZ0k
|
||||
eQTSnnkVrB71cMr2yVe9WWiUqUoHbkwiiy9YAHkp76jHbTRsCjs8O2otioAW06Yb
|
||||
7r1iWp6twh/giBzsVJndeP5Ss/85TQfrl8x8yJjv1OQiIRrTTz6GdU0=
|
||||
=AbiA
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Comment: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C
|
||||
Comment: Tomáš Mráz <tm@t8m.info>
|
||||
Comment: Tomáš Mráz <tomas@arleto.cz>
|
||||
Comment: Tomáš Mráz <tomas@openssl.org>
|
||||
|
||||
mQINBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr
|
||||
55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH
|
||||
F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi
|
||||
UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag
|
||||
pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K
|
||||
/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv
|
||||
MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8
|
||||
laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB
|
||||
HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3
|
||||
zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06
|
||||
YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB
|
||||
tBtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz6JAlQEEwEIAD4WIQSiH6t0sAiK
|
||||
o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe
|
||||
AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy
|
||||
U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE
|
||||
KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W
|
||||
nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh
|
||||
1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I
|
||||
m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj
|
||||
kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD
|
||||
IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M
|
||||
8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6
|
||||
z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41
|
||||
xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM
|
||||
MriPFbQfVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PokCVAQTAQgAPhYh
|
||||
BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL
|
||||
AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk
|
||||
8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO
|
||||
UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv
|
||||
FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW
|
||||
FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q
|
||||
UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy
|
||||
Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS
|
||||
2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW
|
||||
kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm
|
||||
T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI
|
||||
yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I
|
||||
8tmXB4BcoHFB9N0AtCFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz6J
|
||||
AlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL
|
||||
CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh
|
||||
KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo
|
||||
2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ
|
||||
+J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4
|
||||
yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M
|
||||
cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A
|
||||
ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly
|
||||
Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y
|
||||
q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt
|
||||
Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj
|
||||
hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI
|
||||
w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZbkCDQRg8UyoARAApiWRrHjdEu9Fp2yd7K93
|
||||
VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27
|
||||
1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp
|
||||
djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50
|
||||
IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK
|
||||
bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn
|
||||
gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w
|
||||
NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh
|
||||
D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H
|
||||
a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB
|
||||
HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc
|
||||
nAaLOI/nw1ydegw8F+s1ALEAEQEAAYkEcgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv
|
||||
Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy
|
||||
Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+
|
||||
otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5
|
||||
SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358
|
||||
cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0
|
||||
8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ
|
||||
vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV
|
||||
yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A
|
||||
HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg
|
||||
K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs
|
||||
aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh
|
||||
uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE
|
||||
cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk
|
||||
RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F
|
||||
9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/
|
||||
JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g
|
||||
muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN
|
||||
86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr
|
||||
HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S
|
||||
DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE
|
||||
ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro
|
||||
uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY
|
||||
YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl
|
||||
JKbGoqC+wchHmOK5Ag0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u
|
||||
aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq
|
||||
oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7
|
||||
FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM
|
||||
ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL
|
||||
vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+
|
||||
i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb
|
||||
PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum
|
||||
ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE
|
||||
N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH
|
||||
eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs
|
||||
LQ1kotFTABEBAAGJAjwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM
|
||||
JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh
|
||||
QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB
|
||||
uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS
|
||||
nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u
|
||||
sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD
|
||||
NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C
|
||||
nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE
|
||||
FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ
|
||||
qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX
|
||||
Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc
|
||||
zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2
|
||||
TIdjvGbJ/k4qxw==
|
||||
=Ctij
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Comment: EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5
|
||||
Comment: OpenSSL security team <openssl-security@openssl.org>
|
||||
Comment: OpenSSL OMC <openssl-omc@openssl.org>
|
||||
Comment: OpenSSL Security <openssl-security@openssl.org>
|
||||
|
||||
mQINBFQv6Z8BEACuJwJkw/Iniec6U1RzocYHBFKl1eE0WBu1vthYmcn0D/GJKvWM
|
||||
kRhx9GSlWMqj9mgSFUOsFWrpPIm3Jzh4bLweUjH5I7R0Frh39dDFh1hhwHEholBy
|
||||
yUGFTb8TppptXnzzDoNz4yUQcRP2oeG1vC/ePXPWHKgtp+0hmM3MQ3WIN+gSmpdt
|
||||
4vMIoWKKCq+E1tYcsFk9URBWWEwBw+OJ37o7TrernyxwtXwdPOjYhA4mLtnKHs+5
|
||||
QivuOvK7gNf5hggyv6fp6d2ixvJZ9CdUYFdlOwaHA97B694RcAMxaMtzUpfkiJ/Q
|
||||
2zR83QG4az6COKK38W6Kp7bLveMF6Rb4Y+gOjV4KvHKpzNAP2sNkmCIohlmoPhT9
|
||||
Ce9tWq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO
|
||||
3GLcyTJW4enmTUFxy0d24Bfdgu7FpH1vHIisDkON3QO4TMwCJoLWGULqpJKP7kUf
|
||||
5HCnafDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWc
|
||||
zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK
|
||||
eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB
|
||||
tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz
|
||||
bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck
|
||||
Z9YTy4PH7W0w2JTizos9efUFAmPX/PkFCRGJRs4ACgkQ2JTizos9efWXgg/+Negn
|
||||
a1HZIWs18LDktjV49a3IeKhjJV+UrTvQnFpSNXbwpnKa6iVX9PlE+3nLkIrkz6HJ
|
||||
uBl1MZElcmrqIsVCKHcrbcJSgZM4fV0AgEEm5gNfK19gbJjs1qdbtwTYccDiHwGl
|
||||
4EeTkPsOCo20QEC8jvkdHvMsvoD11c57NprQVVsOyuyz7B7LwV+6hZ2MAv6BZrNE
|
||||
XBjzqxHGKcq4iyOKTGwRAufiXdq2+kV7GVjihH41YjV08f/b7O2uAm4k/IbULtvY
|
||||
3Y/9rVvtU/Na044FQBGObH7/DbEOc8uFAH8Vy7M32rZmQet7pO8M5BrBMAaU2OAz
|
||||
ZQ5CqauGvjTJ4GXi+pBoCVafPvsGkB1W6IxnPPJZsFw9kxOKSV1Md4jh90OdaIGe
|
||||
HW4qagRaLDtDRtkFnIkbtc38HC/e30ANoNS3Enws7XSNvQ+O7HfeSsATsM/2cjL8
|
||||
c281Nv9o+xaNI4TN3KsfRswcQtnsN2cCkPZWKgTJcjpdANkX9CK7mYNS8bu6YsAV
|
||||
nRF2iAB25Vjcz/92Dd28/nPI2CkKkOMhDtnFty8B2LZ2tbfoU1DsNzg+b3ejaXLZ
|
||||
jhnZdL3b3F4iKpyzDhTpDHo4P/yxrtV8LOmHJN63oc1JljqgkU+RcxndSZ/LDHqt
|
||||
VH02VwVHMVt4no62mZj2UNT2+Ci5p+tze4Rhfl60JU9wZW5TU0wgT01DIDxvcGVu
|
||||
c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID
|
||||
AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f87QUJEYlGzgAKCRDY
|
||||
lOLOiz159XBzD/9InUdyS1hdC7f2uEbD5A+5UFUwy9hqzy8sXLrGfUMtJC3Ur+CA
|
||||
RqpHw6LC9oqFlAMhdSpIINzswLvpYqYKUllQWw0bStqWed6wuonC7nQk4fJhaWhT
|
||||
MEyVNC7gpy1FcFQYZZ/rwVxftvV6EesOIL+cM9Tg2IKvdrJsuFtmhcrEmrAVrPuO
|
||||
VkIBbOjylU5iHbs3hW15DqMXiu6s9wLlxSJtqWWcGT4Xp3SjUy2XRzsWwFPrdsnZ
|
||||
cj1h1C1onglIpNuq7yQF6rrBmKUdy7FClXswEg+He6qV6zLhZo6bRAZO2b/g4aNX
|
||||
NVOh5BS9ZpQds5FejHx3la6GzfPM/szC0WJR2r/6RqR/dizrPlhsJX3g5I+fRnNG
|
||||
mOrUa7S/OrR3QlWyE5pvytKTno0UvPuITA7MGtQf3z4n4UbM7bYyLmCIVEkDQl9K
|
||||
ax1vtEYLKKx7sVLmJUQVqo8RmmjottRZ6+B5UWOB+dXvt3Z+mJLHt92y6NLk4iOX
|
||||
q3bgO9eMPgk+GdLXjgtgeu7S33BNE984/0B+jDLqhgEjK2spA50uPXBUtDm+Au+s
|
||||
1zfePJVfQxdaoKY00iOltujRS6sqE1PtbebTHgDakxnr9MClzTmRz6ymAglxo72o
|
||||
gk0OJCNELdckK0HHd5hGLEKBlSVGYSx2J985o7VE/raBr7/YULm4k0LXJbQvT3Bl
|
||||
blNTTCBTZWN1cml0eSA8b3BlbnNzbC1zZWN1cml0eUBvcGVuc3NsLm9yZz6JAlUE
|
||||
EwEKAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE78CkZ9YTy4PH7W0w
|
||||
2JTizos9efUFAmIp6vAFCRdgAsUACgkQ2JTizos9efWbyA//cw5h9kzqjHNPrWyU
|
||||
nqchSA/BAxGAfv8IW5vTXKIGou/vbF+2eV4pGe8cjYErfiEMI2XEqgW3NqtB8Ie1
|
||||
JpvHb/JARDpXRAeO0nAz68UZiv0s+BYG1cL0MJgxSmwLEo1XIxx+NYQRPaIPhWId
|
||||
gdJmhOylGHRbZPfUu0gsX3JvFYYJvqSbZYJx47JzLgvsaRtY06oOt89hqVOp9geS
|
||||
4HtwcZiIohq1E4Fy8+TYR7iMv62lBAG0xOoLCy4UzM3pVbChzcfmLLtH4ZbDO2ks
|
||||
vhafec6lUetxMJuvqClp4oYDp9ucrcZF3pJA0feSGF6EXOmYo3KMiVbG35DqfJrI
|
||||
8gva6QPTFo8WRsTZ7hUrn/BioXx7Orrmtl5++IPAU7c/0JPHCVordxinD/XDdcFV
|
||||
s2IIf5iL914/CaI8AXmeM4H0m9kuaS9N0UI8+3gIBhO19cP1VJBw/EWdwjwHtUlf
|
||||
d6mOAbwuVAjPEWQmcf0jIxoUR9t+3ieZjPdcHus5d9/xH2iOLdEHYQRHRiLlKFtu
|
||||
PhWgqy7UgpWRye/628at5C9m5TfGQBldSoOkUzPQGGpV3pUiHeJlQPBAYl1AAvAK
|
||||
8+Y2T9iSZXUuMXiMp3lplDEzXKHjUaXXUkgFuGs/L8YB+BBNBSE/GS078kQrc6Wu
|
||||
y7mmnE22aFf7G0N/hin+9QeIWJq0J09wZW5TU0wgdGVhbSA8b3BlbnNzbC10ZWFt
|
||||
QG9wZW5zc2wub3JnPokCWQQwAQoAQxYhBO/ApGfWE8uDx+1tMNiU4s6LPXn1BQJZ
|
||||
2fY1JR0gUmVwbGFjZWQgYnkgb3BlbnNzbC1vbWNAb3BlbnNzbC5vcmcACgkQ2JTi
|
||||
zos9efVQIg/8C1c/ChPOM/ojwXA1yUeIa4rD6BXlLDetE3KIqD1MvR251xV8Ox21
|
||||
3GYFHW+6CEfQ82xiy02CB+VsYh58tMi41NDWq6fkZOW4vFnJbFx/pYk8xFMl0ml3
|
||||
LkGsh9cVoesSiEBAsF4vQ/bmCNfM68DsLtjAK7GQobcW5ArIqvgc3LlYXUspkgE9
|
||||
yMcQcPqyMsNrEPgrFCcd3fWzXF1qsO8Rtd4bwyaJACkpQnZ832wY91uuMGzWcG2A
|
||||
+SxkdOFPuDkWm5l8hbA6+DpdFp/YiDnfwAZqr6uoqdkcT0e8IRsGqJ2FJ7qHeGSv
|
||||
kFjkGHaOPkJM69lJIEFMCrjvBQVN4b8HhcqbnJbnrWVGFDxgSdjNvXqzBDJgDqMh
|
||||
GN5ZHJhGhiZDi02uzqJ0p+OUzK1CiEo0/Mc7Nb5sVfvYrP4LoqKRceNePgwZp8Jw
|
||||
OnC5U84TWa6pHYm3rijfrBPPMFex9NDQQ/KEFINhAMQVMUtj2iy5ANPpqsftOIjs
|
||||
RfWWn+7QIi4EuYRADcllRaHJaTBAzI56ngkDaA55oyaMnSUnu0fjgWTiD4CEVbsS
|
||||
rR0nWJKhCg5DbVwq/dImoN1iK78ziR6cJdeQhe3GY+AdWe7Ci+75TiYy8Zlh9Sz4
|
||||
mpl81xRz9eYcO/g0xG6wpPE/fqua8/AgeKArEKJWN1uvKCCFZzRB7uq5Ag0EVC/p
|
||||
nwEQAMB3s+8dq5T8fW+b3OcGujEcbhyguc6D5shlNWsuCV3W7+izsVUe+0hD1YwD
|
||||
30C6zj2+CJrMxPQ/BB3u3SbyHMDP5fKL7GQiA/n192hX2DuHxvQwnDNkHxYghtrF
|
||||
KOlXAyte2awA0fC+e0o8lHa1Yd2ZZNqlDC23qJtLMJH8bX8CIr59KckNyv64bF+h
|
||||
VPIN3evnh1Ajn4A85848EZMQcjedg72MsA3TW2D4omayY7eXE5uut7FYcY6SM4pT
|
||||
hIB2X9DM39Rgy3qC4ObvEkEfaWnJfHxyXiA8XF+FZukXc/iM68P0VS/sMml9QPsY
|
||||
MWnMHcGlOcuzQJRAalqZJwuK0ZIvobh/Y9rYLxrHtNCgSjaFuSN9K/YhpAxs80H6
|
||||
lVa7GCSASTRrS3OvmY++fTsUPzSOvit0kqQfimziYx7QcJIagG92mvUmuf2PEfzv
|
||||
Si6iaIqMhaTaJq5qxOR0q430KakQktNPX53HflWL7YenDPYw1rEyQFxGqjaBY1X8
|
||||
NtuzZ0P4cahgsBFc8HgYu2u3Ysd5wmvSTsOXld8Qsns1KIUOpzgWw56AJ6dxS3lK
|
||||
4QSUFwjzbZW9H0jJ49eBMAaA+hCjv8c/4BFuZq9Gvsafn425Lx1V/3PFJlPu55V+
|
||||
7qWjeOkSzNctMlmCqPQVetbZ/pHLAJO5IUO3SoTs5kl6bARzABEBAAGJAjwEGAEK
|
||||
ACYCGwwWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f9DQUJEYlG7gAKCRDYlOLO
|
||||
iz159f5RD/9Dhv5+muyWX9U4wNH7Dt7KHOtFyQ6+YrlLGj6WgZlFQD3sz1hVabJs
|
||||
HwFuiaIjnZmQwiUJm72jCMUncL3OsWrQXm6SU60aG20XeQl1oXWmSD9D/len23hO
|
||||
Yo/3WsC3o1AIkLA9cJ3h/oo3I7RE30skw4MwQ4oCFlmidmOLvkz3TD22qxf+WaK7
|
||||
KO0vJRVHQIVl1ZdsBSSULcr8BcupKXaKSBJQDya2TkEh6OUf1B/7EIk811oeNSaL
|
||||
9eJXS9VGDytVyjGGXSbudBw2XAV0/oiPPDKYElbOZH66d6marGwCCdc29cNono/7
|
||||
zf0+/hyunzY3m1PkYGyzUmfWq4WNulJ9GEAz0O1rss/4hxnGqn/m3gue+aQx4hji
|
||||
/K/vAV+531YT9MEp6m6e3074a7Hvn2l/tsBoL1Xseb6J9ZGL8fnZiuG6RF4sP1Lz
|
||||
sQXmyjgr1yTlCShgNQCYXAgprWXPCwv176kL0WxkGhcI+GmSe3kNWr3HYoeTfBQ/
|
||||
G8GWaIZ2qJRY/d/P9bgWu3oztWcVqEDorK3Pbu5/VeIeEfIkc717EgvdZU4EB70v
|
||||
E/jnY1V9GLFzdPcygy7bz5aA4IA/Y12VFdhQ9/E7HFvEv0KUa294rQiH86lRyCJI
|
||||
aEUqeymypLjoU2oeR4Cujkne+5spQHBfn2/RWGqH28v+vqHysb/8GA==
|
||||
=Q+Oa
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
27
showciphers.c
Normal file
27
showciphers.c
Normal file
@ -0,0 +1,27 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
int main() {
|
||||
SSL_CTX *ctx = NULL;
|
||||
SSL *ssl = NULL;
|
||||
STACK_OF(SSL_CIPHER) *sk = NULL;
|
||||
const SSL_METHOD *meth = TLS_server_method();
|
||||
int i;
|
||||
const char *p;
|
||||
|
||||
ctx = SSL_CTX_new(meth);
|
||||
if (ctx == NULL)
|
||||
return 1;
|
||||
ssl = SSL_new(ctx);
|
||||
if (ssl == NULL)
|
||||
return 1;
|
||||
sk = SSL_get_ciphers(ssl);
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
|
||||
const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
|
||||
p = SSL_CIPHER_get_name(c);
|
||||
if (p == NULL)
|
||||
break;
|
||||
printf("%s\n", p);
|
||||
}
|
||||
return 0;
|
||||
}
|
Loading…
Reference in New Issue
Block a user