openssl-1_1/openssl-1.1.1-fips.patch

11992 lines
443 KiB
Diff
Raw Normal View History

Index: openssl-1.1.1n/apps/pkcs12.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/apps/pkcs12.c
+++ openssl-1.1.1n/apps/pkcs12.c
@@ -123,7 +123,7 @@ int pkcs12_main(int argc, char **argv)
2020-01-24 12:52:58 +01:00
int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
#ifndef OPENSSL_NO_RC2
2020-01-24 12:52:58 +01:00
- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC;
#else
2020-01-24 12:52:58 +01:00
int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
#endif
Index: openssl-1.1.1n/apps/speed.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/apps/speed.c
+++ openssl-1.1.1n/apps/speed.c
@@ -1678,7 +1678,8 @@ int speed_main(int argc, char **argv)
2020-01-24 12:52:58 +01:00
continue;
if (strcmp(*argv, "rsa") == 0) {
for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++)
- rsa_doit[loop] = 1;
+ if (!FIPS_mode() || loop != R_RSA_512)
+ rsa_doit[loop] = 1;
continue;
}
if (found(*argv, rsa_choices, &i)) {
@@ -1688,7 +1689,9 @@ int speed_main(int argc, char **argv)
2020-01-24 12:52:58 +01:00
#endif
#ifndef OPENSSL_NO_DSA
if (strcmp(*argv, "dsa") == 0) {
- dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] =
+ if (!FIPS_mode())
+ dsa_doit[R_DSA_512] = 1;
+ dsa_doit[R_DSA_1024] =
dsa_doit[R_DSA_2048] = 1;
continue;
}
@@ -1719,19 +1722,21 @@ int speed_main(int argc, char **argv)
2020-01-24 12:52:58 +01:00
}
if (strcmp(*argv, "ecdh") == 0) {
for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
- ecdh_doit[loop] = 1;
+ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))
+ ecdh_doit[loop] = 1;
continue;
}
if (found(*argv, ecdh_choices, &i)) {
- ecdh_doit[i] = 2;
+ if(!FIPS_mode() || (i != R_EC_X25519 && i != R_EC_X448))
+ ecdh_doit[i] = 2;
continue;
}
- if (strcmp(*argv, "eddsa") == 0) {
+ if (!FIPS_mode() && strcmp(*argv, "eddsa") == 0) {
for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
eddsa_doit[loop] = 1;
continue;
}
- if (found(*argv, eddsa_choices, &i)) {
+ if (!FIPS_mode() && found(*argv, eddsa_choices, &i)) {
eddsa_doit[i] = 2;
continue;
}
@@ -1820,23 +1825,31 @@ int speed_main(int argc, char **argv)
2020-01-24 12:52:58 +01:00
/* No parameters; turn on everything. */
if ((argc == 0) && !doit[D_EVP]) {
for (i = 0; i < ALGOR_NUM; i++)
- if (i != D_EVP)
+ if (i != D_EVP &&
+ (!FIPS_mode() || (i != D_WHIRLPOOL &&
+ i != D_MD2 && i != D_MD4 &&
+ i != D_MD5 && i != D_MDC2 &&
+ i != D_RMD160)))
doit[i] = 1;
#ifndef OPENSSL_NO_RSA
for (i = 0; i < RSA_NUM; i++)
- rsa_doit[i] = 1;
+ if (!FIPS_mode() || i != R_RSA_512)
+ rsa_doit[i] = 1;
#endif
#ifndef OPENSSL_NO_DSA
for (i = 0; i < DSA_NUM; i++)
- dsa_doit[i] = 1;
+ if (!FIPS_mode() || i != R_DSA_512)
+ dsa_doit[i] = 1;
#endif
#ifndef OPENSSL_NO_EC
for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
ecdsa_doit[loop] = 1;
for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
- ecdh_doit[loop] = 1;
- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
- eddsa_doit[loop] = 1;
+ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))
+ ecdh_doit[loop] = 1;
+ if (!FIPS_mode())
+ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
+ eddsa_doit[loop] = 1;
#endif
}
for (i = 0; i < ALGOR_NUM; i++)
@@ -1884,30 +1897,46 @@ int speed_main(int argc, char **argv)
2020-01-24 12:52:58 +01:00
AES_set_encrypt_key(key24, 192, &aes_ks2);
AES_set_encrypt_key(key32, 256, &aes_ks3);
#ifndef OPENSSL_NO_CAMELLIA
- Camellia_set_key(key16, 128, &camellia_ks1);
- Camellia_set_key(ckey24, 192, &camellia_ks2);
- Camellia_set_key(ckey32, 256, &camellia_ks3);
+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
+ Camellia_set_key(key16, 128, &camellia_ks1);
+ Camellia_set_key(ckey24, 192, &camellia_ks2);
+ Camellia_set_key(ckey32, 256, &camellia_ks3);
+ }
#endif
#ifndef OPENSSL_NO_IDEA
- IDEA_set_encrypt_key(key16, &idea_ks);
+ if (doit[D_CBC_IDEA]) {
+ IDEA_set_encrypt_key(key16, &idea_ks);
+ }
#endif
#ifndef OPENSSL_NO_SEED
- SEED_set_key(key16, &seed_ks);
+ if (doit[D_CBC_SEED]) {
+ SEED_set_key(key16, &seed_ks);
+ }
#endif
#ifndef OPENSSL_NO_RC4
- RC4_set_key(&rc4_ks, 16, key16);
+ if (doit[D_RC4]) {
+ RC4_set_key(&rc4_ks, 16, key16);
+ }
#endif
#ifndef OPENSSL_NO_RC2
- RC2_set_key(&rc2_ks, 16, key16, 128);
+ if (doit[D_CBC_RC2]) {
+ RC2_set_key(&rc2_ks, 16, key16, 128);
+ }
#endif
#ifndef OPENSSL_NO_RC5
- RC5_32_set_key(&rc5_ks, 16, key16, 12);
+ if (doit[D_CBC_RC5]) {
+ RC5_32_set_key(&rc5_ks, 16, key16, 12);
+ }
#endif
#ifndef OPENSSL_NO_BF
- BF_set_key(&bf_ks, 16, key16);
+ if (doit[D_CBC_BF]) {
+ BF_set_key(&bf_ks, 16, key16);
+ }
#endif
#ifndef OPENSSL_NO_CAST
- CAST_set_key(&cast_ks, 16, key16);
+ if (doit[D_CBC_CAST]) {
+ CAST_set_key(&cast_ks, 16, key16);
+ }
#endif
#ifndef SIGALRM
# ifndef OPENSSL_NO_DES
@@ -2205,6 +2234,7 @@ int speed_main(int argc, char **argv)
2020-01-24 12:52:58 +01:00
for (i = 0; i < loopargs_len; i++) {
loopargs[i].hctx = HMAC_CTX_new();
+ HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
if (loopargs[i].hctx == NULL) {
BIO_printf(bio_err, "HMAC malloc failure, exiting...");
exit(1);
Index: openssl-1.1.1n/Configure
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/Configure
+++ openssl-1.1.1n/Configure
@@ -325,7 +325,7 @@ $config{sdirs} = [
2020-01-24 12:52:58 +01:00
"md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3",
"des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes",
"bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine",
- "buffer", "bio", "stack", "lhash", "rand", "err",
+ "buffer", "bio", "stack", "lhash", "rand", "err", "fips",
"evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",
"cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
];
Index: openssl-1.1.1n/crypto/cmac/cm_pmeth.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/cmac/cm_pmeth.c
+++ openssl-1.1.1n/crypto/cmac/cm_pmeth.c
2020-01-24 12:52:58 +01:00
@@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C
const EVP_PKEY_METHOD cmac_pkey_meth = {
EVP_PKEY_CMAC,
- EVP_PKEY_FLAG_SIGCTX_CUSTOM,
+ EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS,
pkey_cmac_init,
pkey_cmac_copy,
pkey_cmac_cleanup,
Index: openssl-1.1.1n/crypto/dh/dh_err.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/dh/dh_err.c
+++ openssl-1.1.1n/crypto/dh/dh_err.c
2020-01-24 12:52:58 +01:00
@@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0),
"dh_cms_set_shared_info"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"},
+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"},
{ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"},
@@ -72,12 +75,14 @@ static const ERR_STRING_DATA DH_str_reas
{ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "invalid public key"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_KEYS_NOT_SET), "keys not set"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR),
"not suitable generator"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
Index: openssl-1.1.1n/crypto/dh/dh_gen.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/dh/dh_gen.c
+++ openssl-1.1.1n/crypto/dh/dh_gen.c
2020-01-24 12:52:58 +01:00
@@ -16,6 +16,9 @@
#include "internal/cryptlib.h"
#include <openssl/bn.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
#include "dh_local.h"
2020-01-24 12:52:58 +01:00
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
BN_GENCB *cb);
@@ -23,6 +26,13 @@ static int dh_builtin_genparams(DH *ret,
int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
BN_GENCB *cb)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
+ && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {
+ DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
+ return 0;
+ }
+#endif
if (ret->meth->generate_params)
return ret->meth->generate_params(ret, prime_len, generator, cb);
return dh_builtin_genparams(ret, prime_len, generator, cb);
@@ -65,6 +75,18 @@ static int dh_builtin_genparams(DH *ret,
int g, ok = -1;
BN_CTX *ctx = NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+
+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+#endif
+
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
Index: openssl-1.1.1n/crypto/dh/dh_key.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/dh/dh_key.c
+++ openssl-1.1.1n/crypto/dh/dh_key.c
2020-01-24 12:52:58 +01:00
@@ -11,6 +11,9 @@
#include "internal/cryptlib.h"
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
#include "dh_local.h"
#include "crypto/bn.h"
2020-01-24 12:52:58 +01:00
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
static int generate_key(DH *dh);
static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -22,6 +25,13 @@ static int dh_finish(DH *dh);
2020-01-24 12:52:58 +01:00
int DH_generate_key(DH *dh)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
+ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
+ DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
+ return 0;
+ }
+#endif
return dh->meth->generate_key(dh);
}
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -31,6 +41,13 @@ int DH_generate_key(DH *dh)
*/
2020-01-24 12:52:58 +01:00
int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
+ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
+ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
+ return 0;
+ }
+#endif
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
int ret = 0, i;
volatile size_t npad = 0, mask = 1;
2020-01-24 12:52:58 +01:00
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -59,7 +76,7 @@ int DH_compute_key_padded(unsigned char
2020-01-24 12:52:58 +01:00
int rv, pad;
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
/* rv is constant unless compute_key is external */
2020-01-24 12:52:58 +01:00
- rv = dh->meth->compute_key(key, pub_key, dh);
+ rv = DH_compute_key(key, pub_key, dh);
if (rv <= 0)
return rv;
pad = BN_num_bytes(dh->p) - rv;
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -109,6 +126,14 @@ static int generate_key(DH *dh)
2020-01-24 12:52:58 +01:00
BN_MONT_CTX *mont = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()
+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+#endif
+
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
return 0;
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -206,6 +231,13 @@ static int compute_key(unsigned char *ke
2020-01-24 12:52:58 +01:00
DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
goto err;
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()
+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+#endif
ctx = BN_CTX_new();
if (ctx == NULL)
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -255,6 +287,9 @@ static int dh_bn_mod_exp(const DH *dh, B
2020-01-24 12:52:58 +01:00
static int dh_init(DH *dh)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
dh->flags |= DH_FLAG_CACHE_MONT_P;
return 1;
}
Index: openssl-1.1.1n/crypto/dh/dh_pmeth.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/dh/dh_pmeth.c
+++ openssl-1.1.1n/crypto/dh/dh_pmeth.c
2020-01-24 12:52:58 +01:00
@@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *
const EVP_PKEY_METHOD dh_pkey_meth = {
EVP_PKEY_DH,
- 0,
+ EVP_PKEY_FLAG_FIPS,
pkey_dh_init,
pkey_dh_copy,
pkey_dh_cleanup,
@@ -514,7 +514,7 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
const EVP_PKEY_METHOD dhx_pkey_meth = {
EVP_PKEY_DHX,
- 0,
+ EVP_PKEY_FLAG_FIPS,
pkey_dh_init,
pkey_dh_copy,
pkey_dh_cleanup,
Index: openssl-1.1.1n/crypto/dsa/dsa_err.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/dsa/dsa_err.c
+++ openssl-1.1.1n/crypto/dsa/dsa_err.c
2020-01-24 12:52:58 +01:00
@@ -16,12 +16,15 @@
static const ERR_STRING_DATA DSA_str_functs[] = {
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT_FP, 0), "DSAparams_print_fp"},
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_KEYGEN, 0), "dsa_builtin_keygen"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN, 0),
"dsa_builtin_paramgen"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN2, 0),
"dsa_builtin_paramgen2"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"},
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"},
+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"},
{ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"},
@@ -51,11 +54,14 @@ static const ERR_STRING_DATA DSA_str_rea
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE),
"invalid digest type"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY),
"missing private key"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"},
+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"},
Index: openssl-1.1.1n/crypto/dsa/dsa_gen.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/dsa/dsa_gen.c
+++ openssl-1.1.1n/crypto/dsa/dsa_gen.c
2020-01-24 12:52:58 +01:00
@@ -22,12 +22,22 @@
#include <openssl/rand.h>
#include <openssl/sha.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
#include "dsa_local.h"
2020-01-24 12:52:58 +01:00
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
int DSA_generate_parameters_ex(DSA *ret, int bits,
const unsigned char *seed_in, int seed_len,
int *counter_ret, unsigned long *h_ret,
BN_GENCB *cb)
{
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
+ && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
+ DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
+ return 0;
+ }
+# endif
if (ret->meth->dsa_paramgen)
return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
counter_ret, h_ret, cb);
@@ -35,9 +45,15 @@ int DSA_generate_parameters_ex(DSA *ret,
const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1();
size_t qbits = EVP_MD_size(evpmd) * 8;
+# ifdef OPENSSL_FIPS
+ return dsa_builtin_paramgen2(ret, bits, qbits, evpmd,
+ seed_in, seed_len, -1, NULL, counter_ret,
+ h_ret, cb);
+# else
return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
seed_in, seed_len, NULL, counter_ret,
h_ret, cb);
+# endif
}
}
@@ -309,7 +325,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
int *counter_ret, unsigned long *h_ret,
BN_GENCB *cb)
{
- int ok = -1;
+ int ok = 0;
unsigned char *seed = NULL, *seed_tmp = NULL;
unsigned char md[EVP_MAX_MD_SIZE];
int mdsize;
@@ -332,6 +348,20 @@ int dsa_builtin_paramgen2(DSA *ret, size
goto err;
}
+# ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED);
+ goto err;
+ }
+
+ if (FIPS_mode() &&
+ (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
+ (L != 3072 || N != 256)) {
+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
+ goto err;
+ }
+# endif
+
if (evpmd == NULL) {
if (N == 160)
evpmd = EVP_sha1();
@@ -432,9 +462,10 @@ int dsa_builtin_paramgen2(DSA *ret, size
goto err;
/* Provided seed didn't produce a prime: error */
if (seed_in) {
- ok = 0;
- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME);
- goto err;
+ /* Different seed_out will indicate that seed_in
+ * did not generate primes.
+ */
+ seed_in = NULL;
}
/* do a callback call */
@@ -520,11 +551,14 @@ int dsa_builtin_paramgen2(DSA *ret, size
if (counter >= (int)(4 * L))
break;
}
+#if 0
+ /* Cannot happen */
if (seed_in) {
ok = 0;
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
goto err;
}
+#endif
}
end:
if (!BN_GENCB_call(cb, 2, 1))
@@ -595,7 +629,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
BN_free(ret->g);
ret->g = BN_dup(g);
if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
- ok = -1;
+ ok = 0;
goto err;
}
if (counter_ret != NULL)
@@ -612,3 +646,53 @@ int dsa_builtin_paramgen2(DSA *ret, size
EVP_MD_CTX_free(mctx);
return ok;
}
+
+#ifdef OPENSSL_FIPS
+
+int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
+ const EVP_MD *evpmd, const unsigned char *seed_in,
+ size_t seed_len, int idx, unsigned char *seed_out,
+ int *counter_ret, unsigned long *h_ret,
+ BN_GENCB *cb)
+{
+ return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len,
+ idx, seed_out, counter_ret, h_ret, cb);
+}
+
+int FIPS_dsa_paramgen_check_g(DSA *dsa)
+{
+ BN_CTX *ctx;
+ BIGNUM *tmp;
+ BN_MONT_CTX *mont = NULL;
+ int rv = -1;
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ return -1;
+ if (BN_cmp(dsa->g, BN_value_one()) <= 0)
+ return 0;
+ if (BN_cmp(dsa->g, dsa->p) >= 0)
+ return 0;
+ BN_CTX_start(ctx);
+ tmp = BN_CTX_get(ctx);
+ if (tmp == NULL)
+ goto err;
+ if ((mont=BN_MONT_CTX_new()) == NULL)
+ goto err;
+ if (!BN_MONT_CTX_set(mont,dsa->p,ctx))
+ goto err;
+ /* Work out g^q mod p */
+ if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont))
+ goto err;
+ if (!BN_cmp(tmp, BN_value_one()))
+ rv = 1;
+ else
+ rv = 0;
+ err:
+ BN_CTX_end(ctx);
+ BN_MONT_CTX_free(mont);
+ BN_CTX_free(ctx);
+ return rv;
+}
+
+#endif
Index: openssl-1.1.1n/crypto/dsa/dsa_key.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/dsa/dsa_key.c
+++ openssl-1.1.1n/crypto/dsa/dsa_key.c
2020-01-24 12:52:58 +01:00
@@ -13,10 +13,49 @@
#include <openssl/bn.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
#include "dsa_local.h"
2020-01-24 12:52:58 +01:00
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+# include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+
+static int fips_check_dsa(DSA *dsa)
+{
+ EVP_PKEY *pk;
+ unsigned char tbs[] = "DSA Pairwise Check Data";
+ int ret = 0;
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_set1_DSA(pk, dsa);
+
+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
+ ret = 1;
+
+ err:
+ if (ret == 0) {
+ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED);
+ fips_set_selftest_fail();
+ }
+
+ if (pk)
+ EVP_PKEY_free(pk);
+
+ return ret;
+}
+
+#endif
+
static int dsa_builtin_keygen(DSA *dsa);
int DSA_generate_key(DSA *dsa)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
+ && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
+ DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
+ return 0;
+ }
+#endif
if (dsa->meth->dsa_keygen)
return dsa->meth->dsa_keygen(dsa);
return dsa_builtin_keygen(dsa);
@@ -28,6 +67,14 @@ static int dsa_builtin_keygen(DSA *dsa)
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {
+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
+ goto err;
+ }
+#endif
+
if ((ctx = BN_CTX_new()) == NULL)
goto err;
@@ -65,6 +112,13 @@ static int dsa_builtin_keygen(DSA *dsa)
dsa->priv_key = priv_key;
dsa->pub_key = pub_key;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !fips_check_dsa(dsa)) {
+ dsa->pub_key = NULL;
+ dsa->priv_key = NULL;
+ goto err;
+ }
+#endif
ok = 1;
err:
Index: openssl-1.1.1n/crypto/dsa/dsa_ossl.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/dsa/dsa_ossl.c
+++ openssl-1.1.1n/crypto/dsa/dsa_ossl.c
2020-01-24 12:52:58 +01:00
@@ -14,6 +14,9 @@
#include <openssl/sha.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
#include "dsa_local.h"
2020-01-24 12:52:58 +01:00
#include <openssl/asn1.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
@@ -77,6 +80,19 @@ static DSA_SIG *dsa_do_sign(const unsign
goto err;
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
+ return NULL;
+ }
+
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
+ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
+ return NULL;
+ }
+#endif
+
ret = DSA_SIG_new();
if (ret == NULL)
goto err;
@@ -315,6 +331,18 @@ static int dsa_do_verify(const unsigned
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
return -1;
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
+ return -1;
+ }
+
+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
+ return -1;
+ }
+#endif
if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
@@ -403,6 +431,9 @@ static int dsa_do_verify(const unsigned
static int dsa_init(DSA *dsa)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
dsa->flags |= DSA_FLAG_CACHE_MONT_P;
return 1;
}
Index: openssl-1.1.1n/crypto/dsa/dsa_pmeth.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/dsa/dsa_pmeth.c
+++ openssl-1.1.1n/crypto/dsa/dsa_pmeth.c
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
@@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
2020-01-24 12:52:58 +01:00
BN_GENCB_free(pcb);
return 0;
}
- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
- NULL, 0, NULL, NULL, NULL, pcb);
+ ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
+ NULL, 0, -1, NULL, NULL, NULL, pcb);
BN_GENCB_free(pcb);
if (ret)
EVP_PKEY_assign_DSA(pkey, dsa);
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
@@ -241,7 +241,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX
2020-01-24 12:52:58 +01:00
const EVP_PKEY_METHOD dsa_pkey_meth = {
EVP_PKEY_DSA,
- EVP_PKEY_FLAG_AUTOARGLEN,
+ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
pkey_dsa_init,
pkey_dsa_copy,
pkey_dsa_cleanup,
Index: openssl-1.1.1n/crypto/ec/ecdh_ossl.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/ec/ecdh_ossl.c
+++ openssl-1.1.1n/crypto/ec/ecdh_ossl.c
2020-01-24 12:52:58 +01:00
@@ -19,9 +19,20 @@
#include <openssl/ec.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
#include "ec_local.h"
2020-01-24 12:52:58 +01:00
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
const EC_POINT *pub_key, const EC_KEY *ecdh)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
+ return -1;
+ }
+#endif
+
if (ecdh->group->meth->ecdh_compute_key == NULL) {
ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH);
return 0;
Index: openssl-1.1.1n/crypto/ec/ecdsa_ossl.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/ec/ecdsa_ossl.c
+++ openssl-1.1.1n/crypto/ec/ecdsa_ossl.c
2020-01-24 12:52:58 +01:00
@@ -14,6 +14,11 @@
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
#include "crypto/bn.h"
#include "ec_local.h"
2020-01-24 12:52:58 +01:00
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
+
int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp)
{
@@ -198,6 +203,13 @@ ECDSA_SIG *ecdsa_simple_sign_sig(const u
ECDSA_SIG *ret;
const BIGNUM *priv_key;
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
+ return NULL;
+ }
+#endif
+
group = EC_KEY_get0_group(eckey);
priv_key = EC_KEY_get0_private_key(eckey);
@@ -360,6 +372,13 @@ int ecdsa_simple_verify_sig(const unsign
const EC_GROUP *group;
const EC_POINT *pub_key;
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
+ return -1;
+ }
+#endif
+
/* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
Index: openssl-1.1.1n/crypto/ec/ec_key.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/ec/ec_key.c
+++ openssl-1.1.1n/crypto/ec/ec_key.c
@@ -179,14 +179,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY
2020-01-24 12:52:58 +01:00
return eckey->engine;
}
+#ifdef OPENSSL_FIPS
+
+# include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+# include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+
+static int fips_check_ec(EC_KEY *key)
+{
+ EVP_PKEY *pk;
+ unsigned char tbs[] = "ECDSA Pairwise Check Data";
+ int ret = 0;
+
+ if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */
+ return 1;
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_set1_EC_KEY(pk, key);
+
+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
+ ret = 1;
+
+ err:
+ if (ret == 0) {
+ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED);
+ fips_set_selftest_fail();
+ }
+ if (pk)
+ EVP_PKEY_free(pk);
+ return ret;
+}
+
+#endif
+
int EC_KEY_generate_key(EC_KEY *eckey)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_NOT_INITIALIZED);
+ return 0;
+ }
+#endif
if (eckey == NULL || eckey->group == NULL) {
ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- if (eckey->meth->keygen != NULL)
- return eckey->meth->keygen(eckey);
+ if (eckey->meth->keygen != NULL) {
+ int rv = eckey->meth->keygen(eckey);
+
+#ifdef OPENSSL_FIPS
+ if (rv > 0 && FIPS_mode()) {
+ rv = fips_check_ec(eckey);
+ }
+#endif
+ return rv;
+ }
ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
return 0;
}
Index: openssl-1.1.1n/crypto/ec/ec_pmeth.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/ec/ec_pmeth.c
+++ openssl-1.1.1n/crypto/ec/ec_pmeth.c
2020-01-24 12:52:58 +01:00
@@ -438,7 +438,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *
const EVP_PKEY_METHOD ec_pkey_meth = {
EVP_PKEY_EC,
- 0,
+ EVP_PKEY_FLAG_FIPS,
pkey_ec_init,
pkey_ec_copy,
pkey_ec_cleanup,
Index: openssl-1.1.1n/crypto/evp/c_allc.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/c_allc.c
+++ openssl-1.1.1n/crypto/evp/c_allc.c
2020-01-24 12:52:58 +01:00
@@ -17,6 +17,9 @@
void openssl_add_all_ciphers_int(void)
{
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode()) {
+#endif
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cfb());
EVP_add_cipher(EVP_des_cfb1());
@@ -263,4 +266,70 @@ void openssl_add_all_ciphers_int(void)
EVP_add_cipher(EVP_chacha20_poly1305());
# endif
#endif
+#ifdef OPENSSL_FIPS
+ } else {
+# ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_ede3_cfb());
+
+ EVP_add_cipher(EVP_des_ede3_ofb());
+
+ EVP_add_cipher(EVP_des_ede3_cbc());
+ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
+ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
+
+ EVP_add_cipher(EVP_des_ede3());
+ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB");
+ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb");
+ EVP_add_cipher(EVP_des_ede3_wrap());
+ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap");
+# endif
+
+# ifndef OPENSSL_NO_AES
+ EVP_add_cipher(EVP_aes_128_ecb());
+ EVP_add_cipher(EVP_aes_128_cbc());
+ EVP_add_cipher(EVP_aes_128_cfb());
+ EVP_add_cipher(EVP_aes_128_cfb1());
+ EVP_add_cipher(EVP_aes_128_cfb8());
+ EVP_add_cipher(EVP_aes_128_ofb());
+ EVP_add_cipher(EVP_aes_128_ctr());
+ EVP_add_cipher(EVP_aes_128_gcm());
+ EVP_add_cipher(EVP_aes_128_xts());
+ EVP_add_cipher(EVP_aes_128_ccm());
+ EVP_add_cipher(EVP_aes_128_wrap());
+ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
+ EVP_add_cipher(EVP_aes_128_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+ EVP_add_cipher(EVP_aes_192_cbc());
+ EVP_add_cipher(EVP_aes_192_cfb());
+ EVP_add_cipher(EVP_aes_192_cfb1());
+ EVP_add_cipher(EVP_aes_192_cfb8());
+ EVP_add_cipher(EVP_aes_192_ofb());
+ EVP_add_cipher(EVP_aes_192_ctr());
+ EVP_add_cipher(EVP_aes_192_gcm());
+ EVP_add_cipher(EVP_aes_192_ccm());
+ EVP_add_cipher(EVP_aes_192_wrap());
+ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
+ EVP_add_cipher(EVP_aes_192_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+ EVP_add_cipher(EVP_aes_256_cbc());
+ EVP_add_cipher(EVP_aes_256_cfb());
+ EVP_add_cipher(EVP_aes_256_cfb1());
+ EVP_add_cipher(EVP_aes_256_cfb8());
+ EVP_add_cipher(EVP_aes_256_ofb());
+ EVP_add_cipher(EVP_aes_256_ctr());
+ EVP_add_cipher(EVP_aes_256_gcm());
+ EVP_add_cipher(EVP_aes_256_xts());
+ EVP_add_cipher(EVP_aes_256_ccm());
+ EVP_add_cipher(EVP_aes_256_wrap());
+ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
+ EVP_add_cipher(EVP_aes_256_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
+# endif
+ }
+#endif
}
Index: openssl-1.1.1n/crypto/evp/c_alld.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/c_alld.c
+++ openssl-1.1.1n/crypto/evp/c_alld.c
2020-01-24 12:52:58 +01:00
@@ -16,6 +16,9 @@
void openssl_add_all_digests_int(void)
{
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode()) {
+#endif
#ifndef OPENSSL_NO_MD4
EVP_add_digest(EVP_md4());
#endif
@@ -57,4 +60,24 @@ void openssl_add_all_digests_int(void)
EVP_add_digest(EVP_sha3_512());
EVP_add_digest(EVP_shake128());
EVP_add_digest(EVP_shake256());
+#ifdef OPENSSL_FIPS
+ } else {
+ EVP_add_digest(EVP_md5_sha1());
+ EVP_add_digest(EVP_sha1());
+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+ EVP_add_digest(EVP_sha512_224());
+ EVP_add_digest(EVP_sha512_256());
+ EVP_add_digest(EVP_sha3_224());
+ EVP_add_digest(EVP_sha3_256());
+ EVP_add_digest(EVP_sha3_384());
+ EVP_add_digest(EVP_sha3_512());
+ EVP_add_digest(EVP_shake128());
+ EVP_add_digest(EVP_shake256());
+ }
+#endif
}
Index: openssl-1.1.1n/crypto/evp/digest.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/digest.c
+++ openssl-1.1.1n/crypto/evp/digest.c
2020-01-24 12:52:58 +01:00
@@ -14,6 +14,9 @@
#include <openssl/engine.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
#include "crypto/evp.h"
#include "evp_local.h"
2020-01-24 12:52:58 +01:00
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force)
@@ -77,6 +80,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
2020-01-24 12:52:58 +01:00
int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
{
EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+#endif
#ifndef OPENSSL_NO_ENGINE
/*
* Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
@@ -131,6 +140,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
2020-01-24 12:52:58 +01:00
}
#endif
if (ctx->digest != type) {
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (!(type->flags & EVP_MD_FLAG_FIPS)
+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+ }
+#endif
cleanup_old_md_data(ctx, 1);
ctx->digest = type;
@@ -160,6 +178,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
2020-01-24 12:52:58 +01:00
int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
+
if (count == 0)
return 1;
@@ -180,6 +202,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
2020-01-24 12:52:58 +01:00
{
int ret;
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
ret = ctx->digest->final(ctx, md);
if (size != NULL)
Index: openssl-1.1.1n/crypto/evp/e_aes.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/e_aes.c
+++ openssl-1.1.1n/crypto/evp/e_aes.c
@@ -397,7 +397,7 @@ static int aesni_xts_init_key(EVP_CIPHER
2020-01-24 12:52:58 +01:00
* This addresses Rogaway's vulnerability.
* See comment in aes_xts_init_key() below.
*/
- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
return 0;
}
@@ -817,7 +817,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE
2020-01-24 12:52:58 +01:00
* This addresses Rogaway's vulnerability.
* See comment in aes_xts_init_key() below.
*/
- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
return 0;
}
@@ -2827,9 +2827,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
2020-01-24 12:52:58 +01:00
return 1;
}
-BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
- BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
- BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
+BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS)
+ BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS)
+ BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS)
static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
{
@@ -2863,6 +2863,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
2020-01-24 12:52:58 +01:00
case EVP_CTRL_AEAD_SET_IVLEN:
if (arg <= 0)
return 0;
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
+ && arg < 12)
+ return 0;
+# endif
/* Allocate memory for IV if needed */
if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
if (gctx->iv != c->iv)
@@ -3312,11 +3317,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
2020-01-24 12:52:58 +01:00
| EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
+ CUSTOM_FLAGS)
BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
+ CUSTOM_FLAGS)
BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
+ CUSTOM_FLAGS)
static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
@@ -3374,7 +3382,7 @@ static int aes_xts_init_key(EVP_CIPHER_C
2020-01-24 12:52:58 +01:00
* BEFORE using the keys in the XTS-AES algorithm to process
* data with them."
*/
- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
return 0;
}
@@ -3478,6 +3486,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
2020-01-24 12:52:58 +01:00
return 0;
if (!out || !in || len < AES_BLOCK_SIZE)
return 0;
+# ifdef OPENSSL_FIPS
+ /* Requirement of SP800-38E */
+ if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
+ (len > (1UL << 20) * 16)) {
+ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
+ return 0;
+ }
+# endif
if (xctx->stream)
(*xctx->stream) (in, out, len,
xctx->xts.key1, xctx->xts.key2,
@@ -3495,8 +3511,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
2020-01-24 12:52:58 +01:00
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
| EVP_CIPH_CUSTOM_COPY)
-BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
- BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS,
+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
+ BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS,
+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
@@ -3766,11 +3784,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
2020-01-24 12:52:58 +01:00
#define aes_ccm_cleanup NULL
BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
typedef struct {
union {
@@ -3863,7 +3881,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
2020-01-24 12:52:58 +01:00
return rv ? (int)rv : -1;
}
-#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \
+#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
Index: openssl-1.1.1n/crypto/evp/e_des3.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/e_des3.c
+++ openssl-1.1.1n/crypto/evp/e_des3.c
2020-01-24 12:52:58 +01:00
@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
# define des_ede3_cbc_cipher des_ede_cbc_cipher
# define des_ede3_ecb_cipher des_ede_ecb_cipher
BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL,
+ des3_ctrl)
BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1,
- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
+ NULL, des3_ctrl)
BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8,
- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
+ NULL, des3_ctrl)
static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
Index: openssl-1.1.1n/crypto/evp/e_null.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/e_null.c
+++ openssl-1.1.1n/crypto/evp/e_null.c
2020-01-24 12:52:58 +01:00
@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c
const unsigned char *in, size_t inl);
static const EVP_CIPHER n_cipher = {
NID_undef,
- 1, 0, 0, 0,
+ 1, 0, 0,
+ EVP_CIPH_FLAG_FIPS,
null_init_key,
null_cipher,
NULL,
Index: openssl-1.1.1n/crypto/evp/evp_enc.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/evp_enc.c
+++ openssl-1.1.1n/crypto/evp/evp_enc.c
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -18,10 +18,19 @@
2020-01-24 12:52:58 +01:00
#include <openssl/engine.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
#include "crypto/evp.h"
#include "evp_local.h"
2020-01-24 12:52:58 +01:00
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
{
- if (c == NULL)
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+#endif
+ if (c == NULL)
return 1;
if (c->cipher != NULL) {
if (c->cipher->cleanup && !c->cipher->cleanup(c))
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -40,6 +49,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX
2020-01-24 12:52:58 +01:00
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED);
+ return NULL;
+ }
+#endif
return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
}
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -68,6 +83,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
2020-01-24 12:52:58 +01:00
enc = 1;
ctx->encrypt = enc;
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+#endif
#ifndef OPENSSL_NO_ENGINE
/*
* Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -137,7 +158,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
2020-01-24 12:52:58 +01:00
}
ctx->key_len = cipher->key_len;
/* Preserve wrap enable flag, zero everything else */
- ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
+ ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW;
if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
ctx->cipher = NULL;
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -196,6 +217,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
2020-01-24 12:52:58 +01:00
return 0;
}
}
+#ifdef OPENSSL_FIPS
+ /* After 'key' is set no further parameters changes are permissible.
+ * So only check for non FIPS enabling at this point.
+ */
+ if (key && FIPS_mode()) {
+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+ }
+#endif
if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
if (!ctx->cipher->init(ctx, key, iv, enc))
Index: openssl-1.1.1n/crypto/evp/evp_err.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/evp_err.c
+++ openssl-1.1.1n/crypto/evp/evp_err.c
2020-01-24 12:52:58 +01:00
@@ -23,6 +23,7 @@ static const ERR_STRING_DATA EVP_str_fun
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0),
"aes_t4_xts_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"},
@@ -186,6 +187,7 @@ static const ERR_STRING_DATA EVP_str_rea
"different key types"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS),
"different parameters"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION),
"error loading section"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE),
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -251,6 +253,7 @@ static const ERR_STRING_DATA EVP_str_rea
2020-01-24 12:52:58 +01:00
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR),
"private key encode error"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_LARGE), "too large"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"},
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -276,6 +279,8 @@ static const ERR_STRING_DATA EVP_str_rea
2020-01-24 12:52:58 +01:00
"wrap mode not allowed"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH),
"wrong final block length"},
+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE),
+ "xts data unit is too large"},
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS),
"xts duplicated keys"},
{0, NULL}
Index: openssl-1.1.1n/crypto/evp/evp_lib.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/evp_lib.c
+++ openssl-1.1.1n/crypto/evp/evp_lib.c
2020-01-24 12:52:58 +01:00
@@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C
int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl)
{
+#ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+#endif
return ctx->cipher->do_cipher(ctx, out, in, inl);
}
Index: openssl-1.1.1n/crypto/evp/m_sha1.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/m_sha1.c
+++ openssl-1.1.1n/crypto/evp/m_sha1.c
2020-01-24 12:52:58 +01:00
@@ -95,7 +95,7 @@ static const EVP_MD sha1_md = {
NID_sha1,
NID_sha1WithRSAEncryption,
SHA_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init,
update,
final,
@@ -145,7 +145,7 @@ static const EVP_MD sha224_md = {
NID_sha224,
NID_sha224WithRSAEncryption,
SHA224_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init224,
update224,
final224,
@@ -164,7 +164,7 @@ static const EVP_MD sha256_md = {
NID_sha256,
NID_sha256WithRSAEncryption,
SHA256_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init256,
update256,
final256,
@@ -224,7 +224,7 @@ static const EVP_MD sha512_224_md = {
NID_sha512_224,
NID_sha512_224WithRSAEncryption,
SHA224_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init512_224,
update512,
final512,
@@ -243,7 +243,7 @@ static const EVP_MD sha512_256_md = {
NID_sha512_256,
NID_sha512_256WithRSAEncryption,
SHA256_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init512_256,
update512,
final512,
@@ -262,7 +262,7 @@ static const EVP_MD sha384_md = {
NID_sha384,
NID_sha384WithRSAEncryption,
SHA384_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init384,
update384,
final384,
@@ -281,7 +281,7 @@ static const EVP_MD sha512_md = {
NID_sha512,
NID_sha512WithRSAEncryption,
SHA512_DIGEST_LENGTH,
- EVP_MD_FLAG_DIGALGID_ABSENT,
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
init512,
update512,
final512,
Index: openssl-1.1.1n/crypto/evp/m_sha3.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/m_sha3.c
+++ openssl-1.1.1n/crypto/evp/m_sha3.c
2020-01-24 12:52:58 +01:00
@@ -295,7 +295,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
NID_sha3_##bitlen, \
NID_RSA_SHA3_##bitlen, \
bitlen / 8, \
- EVP_MD_FLAG_DIGALGID_ABSENT, \
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
s390x_sha3_init, \
s390x_sha3_update, \
s390x_sha3_final, \
@@ -308,7 +308,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
NID_sha3_##bitlen, \
NID_RSA_SHA3_##bitlen, \
bitlen / 8, \
- EVP_MD_FLAG_DIGALGID_ABSENT, \
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
sha3_init, \
sha3_update, \
sha3_final, \
@@ -329,7 +329,7 @@ const EVP_MD *EVP_shake##bitlen(void)
NID_shake##bitlen, \
0, \
bitlen / 8, \
- EVP_MD_FLAG_XOF, \
+ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \
s390x_shake_init, \
s390x_sha3_update, \
s390x_shake_final, \
@@ -343,7 +343,7 @@ const EVP_MD *EVP_shake##bitlen(void)
NID_shake##bitlen, \
0, \
bitlen / 8, \
- EVP_MD_FLAG_XOF, \
+ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \
shake_init, \
sha3_update, \
sha3_final, \
@@ -367,7 +367,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
NID_sha3_##bitlen, \
NID_RSA_SHA3_##bitlen, \
bitlen / 8, \
- EVP_MD_FLAG_DIGALGID_ABSENT, \
+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
sha3_init, \
sha3_update, \
sha3_final, \
@@ -386,7 +386,7 @@ const EVP_MD *EVP_shake##bitlen(void)
NID_shake##bitlen, \
0, \
bitlen / 8, \
- EVP_MD_FLAG_XOF, \
+ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \
shake_init, \
sha3_update, \
sha3_final, \
Index: openssl-1.1.1n/crypto/evp/pmeth_lib.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/evp/pmeth_lib.c
+++ openssl-1.1.1n/crypto/evp/pmeth_lib.c
2020-01-24 12:52:58 +01:00
@@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE
pmeth = ENGINE_get_pkey_meth(e, id);
else
#endif
+ {
pmeth = EVP_PKEY_meth_find(id);
+#ifdef OPENSSL_FIPS
+ if (pmeth && !(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) {
+ EVPerr(EVP_F_INT_CTX_NEW, EVP_R_DISABLED_FOR_FIPS);
+ return NULL;
+ }
+#endif
+ }
if (pmeth == NULL) {
#ifndef OPENSSL_NO_ENGINE
Index: openssl-1.1.1n/crypto/fips/build.info
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/build.info
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,15 @@
+LIBS=../../libcrypto
+SOURCE[../../libcrypto]=\
+ fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \
+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \
+ fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
+ fips_dh_selftest.c fips_ers.c
+
+PROGRAMS_NO_INST=\
+ fips_standalone_hmac
+
+SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
+INCLUDE[fips_standalone_hmac]=../../include
+DEPEND[fips_standalone_hmac]=../../libcrypto
Index: openssl-1.1.1n/crypto/fips/fips_aes_selftest.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_aes_selftest.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,372 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+# include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+#endif
+
+#ifdef OPENSSL_FIPS
+static const struct {
+ const unsigned char key[16];
+ const unsigned char plaintext[16];
+ const unsigned char ciphertext[16];
+} tests[] = {
+ {
+ {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, {
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, {
+0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,
+ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},};
+
+int FIPS_selftest_aes()
+{
+ int n;
+ int ret = 0;
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ for (n = 0; n < 1; ++n) {
+ unsigned char key[16];
+
+ memcpy(key, tests[n].key, sizeof(key));
+ if (fips_cipher_test(ctx, EVP_aes_128_ecb(),
+ key, NULL,
+ tests[n].plaintext,
+ tests[n].ciphertext, 16) <= 0)
+ goto err;
+ }
+ ret = 1;
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+ if (ret == 0)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED);
+ return ret;
+}
+
+/* AES-CCM test data from NIST public test vectors */
+
+static const unsigned char ccm_key[] = {
+ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6,
+ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8
+};
+
+static const unsigned char ccm_nonce[] = {
+ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7
+};
+
+static const unsigned char ccm_adata[] = {
+ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7,
+ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5,
+ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4
+};
+
+static const unsigned char ccm_pt[] = {
+ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f,
+ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10
+};
+
+static const unsigned char ccm_ct[] = {
+ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2,
+ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd
+};
+
+static const unsigned char ccm_tag[] = {
+ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44,
+ 0x14, 0xdb, 0x50, 0x6d
+};
+
+int FIPS_selftest_aes_ccm(void)
+{
+ int ret = 0;
+ unsigned char out[128], tag[16];
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ memset(out, 0, sizeof(out));
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
+ sizeof(ccm_nonce), NULL))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG,
+ sizeof(ccm_tag), NULL))
+ goto err;
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
+ goto err;
+ if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
+ goto err;
+
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
+ goto err;
+ if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
+ || memcmp(out, ccm_ct, sizeof(ccm_ct)))
+ goto err;
+
+ memset(out, 0, sizeof(out));
+
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
+ sizeof(ccm_nonce), NULL))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
+ goto err;
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
+ goto err;
+ if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
+ goto err;
+
+ if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
+ goto err;
+
+ ret = 1;
+
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+
+ if (ret == 0) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ } else
+ return ret;
+
+}
+
+/* AES-GCM test data from NIST public test vectors */
+
+static const unsigned char gcm_key[] = {
+ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,
+ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,
+ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f
+};
+
+static const unsigned char gcm_iv[] = {
+ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84
+};
+
+static const unsigned char gcm_pt[] = {
+ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,
+ 0xcc, 0x2b, 0xf2, 0xa5
+};
+
+static const unsigned char gcm_aad[] = {
+ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,
+ 0x7f, 0xec, 0x78, 0xde
+};
+
+static const unsigned char gcm_ct[] = {
+ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,
+ 0xb9, 0xf2, 0x17, 0x36
+};
+
+static const unsigned char gcm_tag[] = {
+ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,
+ 0x98, 0xf7, 0x7e, 0x0c
+};
+
+int FIPS_selftest_aes_gcm(void)
+{
+ int ret = 0;
+ unsigned char out[128], tag[16];
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ memset(out, 0, sizeof(out));
+ memset(tag, 0, sizeof(tag));
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
+ sizeof(gcm_iv), NULL))
+ goto err;
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
+ goto err;
+ if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
+ goto err;
+
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
+ goto err;
+
+ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
+ goto err;
+
+ memset(out, 0, sizeof(out));
+
+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
+ sizeof(gcm_iv), NULL))
+ goto err;
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
+ goto err;
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
+ goto err;
+ if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
+ goto err;
+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
+ goto err;
+
+ if (memcmp(out, gcm_pt, 16))
+ goto err;
+
+ ret = 1;
+
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+
+ if (ret == 0) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ } else
+ return ret;
+
+}
+
+static const unsigned char XTS_128_key[] = {
+ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38,
+ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
+ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
+};
+
+static const unsigned char XTS_128_i[] = {
+ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01,
+ 0x3e, 0x76, 0x8a, 0xd5
+};
+
+static const unsigned char XTS_128_pt[] = {
+ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39,
+ 0x07, 0x90, 0x31, 0x1c
+};
+
+static const unsigned char XTS_128_ct[] = {
+ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5,
+ 0xbe, 0x47, 0x1c, 0x63
+};
+
+static const unsigned char XTS_256_key[] = {
+ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f,
+ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
+ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd,
+ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
+ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39,
+ 0x2c, 0xf4, 0x1b, 0x08
+};
+
+static const unsigned char XTS_256_i[] = {
+ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84,
+ 0xa9, 0xf8, 0x75, 0x64
+};
+
+static const unsigned char XTS_256_pt[] = {
+ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8,
+ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
+ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
+};
+
+static const unsigned char XTS_256_ct[] = {
+ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34,
+ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
+ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
+};
+
+int FIPS_selftest_aes_xts()
+{
+ int ret = 1;
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ if (fips_cipher_test(ctx, EVP_aes_128_xts(),
+ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
+ sizeof(XTS_128_pt)) <= 0)
+ ret = 0;
+
+ if (fips_cipher_test(ctx, EVP_aes_256_xts(),
+ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
+ sizeof(XTS_256_pt)) <= 0)
+ ret = 0;
+
+ EVP_CIPHER_CTX_free(ctx);
+
+ err:
+ if (ret == 0)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED);
+ return ret;
+}
+
+#endif
Index: openssl-1.1.1n/crypto/fips/fips.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,526 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#define _GNU_SOURCE
+
+#include <openssl/rand.h>
+#include <openssl/fips_rand.h>
+#include <openssl/err.h>
+#include <openssl/bio.h>
+#include <openssl/hmac.h>
+#include <openssl/rsa.h>
+#include <string.h>
+#include <limits.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
+
+# include <openssl/fips.h>
+# include "internal/thread_once.h"
+
+# ifndef PATH_MAX
+# define PATH_MAX 1024
+# endif
+
+static int fips_selftest_fail = 0;
+static int fips_mode = 0;
+static int fips_started = 0;
+
+static int fips_is_owning_thread(void);
+static int fips_set_owning_thread(void);
+static int fips_clear_owning_thread(void);
+
+static CRYPTO_RWLOCK *fips_lock = NULL;
+static CRYPTO_RWLOCK *fips_owning_lock = NULL;
+static CRYPTO_ONCE fips_lock_init = CRYPTO_ONCE_STATIC_INIT;
+
+DEFINE_RUN_ONCE_STATIC(do_fips_lock_init)
+{
+ fips_lock = CRYPTO_THREAD_lock_new();
+ fips_owning_lock = CRYPTO_THREAD_lock_new();
+ return fips_lock != NULL && fips_owning_lock != NULL;
+}
+
+# define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock)
+# define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock)
+# define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock)
+# define fips_r_unlock() CRYPTO_THREAD_unlock(fips_lock)
+
+static void fips_set_mode(int onoff)
+{
+ int owning_thread = fips_is_owning_thread();
+
+ if (fips_started) {
+ if (!owning_thread)
+ fips_w_lock();
+ fips_mode = onoff;
+ if (!owning_thread)
+ fips_w_unlock();
+ }
+}
+
+int FIPS_module_mode(void)
+{
+ int ret = 0;
+ int owning_thread = fips_is_owning_thread();
+
+ if (fips_started) {
+ if (!owning_thread)
+ fips_r_lock();
+ ret = fips_mode;
+ if (!owning_thread)
+ fips_r_unlock();
+ }
+ return ret;
+}
+
+/* just a compat symbol - return NULL */
+int FIPS_selftest_failed(void)
+{
+ int ret = 0;
+ if (fips_started) {
+ int owning_thread = fips_is_owning_thread();
+
+ if (!owning_thread)
+ fips_r_lock();
+ ret = fips_selftest_fail;
+ if (!owning_thread)
+ fips_r_unlock();
+ }
+ return ret;
+}
+
+/* Selftest failure fatal exit routine. This will be called
+ * during *any* cryptographic operation. It has the minimum
+ * overhead possible to avoid too big a performance hit.
+ */
+
+void FIPS_selftest_check(void)
+{
+ if (fips_selftest_fail) {
+ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");
+ }
+}
+
+void fips_set_selftest_fail(void)
+{
+ fips_selftest_fail = 1;
+}
+
+/* we implement what libfipscheck does ourselves */
+
+static int
+get_library_path(const char *libname, const char *symbolname, char *path,
+ size_t pathlen)
+{
+ Dl_info info;
+ void *dl, *sym;
+ int rv = -1;
+
+ dl = dlopen(libname, RTLD_LAZY);
+ if (dl == NULL) {
+ return -1;
+ }
+
+ sym = dlsym(dl, symbolname);
+
+ if (sym != NULL && dladdr(sym, &info)) {
+ strncpy(path, info.dli_fname, pathlen - 1);
+ path[pathlen - 1] = '\0';
+ rv = 0;
+ }
+
+ dlclose(dl);
+
+ return rv;
+}
+
+static const char conv[] = "0123456789abcdef";
+
+static char *bin2hex(void *buf, size_t len)
+{
+ char *hex, *p;
+ unsigned char *src = buf;
+
+ hex = malloc(len * 2 + 1);
+ if (hex == NULL)
+ return NULL;
+
+ p = hex;
+
+ while (len > 0) {
+ unsigned c;
+
+ c = *src;
+ src++;
+
+ *p = conv[c >> 4];
+ ++p;
+ *p = conv[c & 0x0f];
+ ++p;
+ --len;
+ }
+ *p = '\0';
+ return hex;
+}
+
+# define HMAC_PREFIX "."
+# ifndef HMAC_SUFFIX
+# define HMAC_SUFFIX ".hmac"
+# endif
+# define READ_BUFFER_LENGTH 16384
+
+static char *make_hmac_path(const char *origpath)
+{
+ char *path, *p;
+ const char *fn;
+
+ path =
+ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
+ if (path == NULL) {
+ return NULL;
+ }
+
+ fn = strrchr(origpath, '/');
+ if (fn == NULL) {
+ fn = origpath;
+ } else {
+ ++fn;
+ }
+
+ strncpy(path, origpath, fn - origpath);
+ p = path + (fn - origpath);
+ p = stpcpy(p, HMAC_PREFIX);
+ p = stpcpy(p, fn);
+ p = stpcpy(p, HMAC_SUFFIX);
+
+ return path;
+}
+
+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
+
+static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
+{
+ FILE *f = NULL;
+ int rv = -1;
+ unsigned char rbuf[READ_BUFFER_LENGTH];
+ size_t len;
+ unsigned int hlen;
+ HMAC_CTX *c;
+
+ c = HMAC_CTX_new();
+ if (c == NULL)
+ return rv;
+
+ f = fopen(path, "r");
+
+ if (f == NULL) {
+ goto end;
+ }
+
+ if (HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL) <= 0) {
+ goto end;
+ }
+
+ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
+ if (HMAC_Update(c, rbuf, len) <= 0) {
+ goto end;
+ }
+ }
+
+ len = sizeof(rbuf);
+ /* reuse rbuf for hmac */
+ if (HMAC_Final(c, rbuf, &hlen) <= 0) {
+ goto end;
+ }
+
+ *buf = malloc(hlen);
+ if (*buf == NULL) {
+ goto end;
+ }
+
+ *hmaclen = hlen;
+
+ memcpy(*buf, rbuf, hlen);
+
+ rv = 0;
+ end:
+ HMAC_CTX_free(c);
+
+ if (f)
+ fclose(f);
+
+ return rv;
+}
+
+static int FIPSCHECK_verify(const char *path)
+{
+ int rv = 0;
+ FILE *hf;
+ char *hmacpath, *p;
+ char *hmac = NULL;
+ size_t n;
+
+ hmacpath = make_hmac_path(path);
+ if (hmacpath == NULL)
+ return 0;
+
+ hf = fopen(hmacpath, "r");
+ if (hf == NULL) {
+ free(hmacpath);
+ return 0;
+ }
+
+ if (getline(&hmac, &n, hf) > 0) {
+ void *buf;
+ size_t hmaclen;
+ char *hex;
+
+ if ((p = strchr(hmac, '\n')) != NULL)
+ *p = '\0';
+
+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
+ rv = -4;
+ goto end;
+ }
+
+ if ((hex = bin2hex(buf, hmaclen)) == NULL) {
+ free(buf);
+ rv = -5;
+ goto end;
+ }
+
+ if (strcmp(hex, hmac) != 0) {
+ rv = -1;
+ }
+ free(buf);
+ free(hex);
+ } else {
+ rv = -1;
+ }
+
+ end:
+ free(hmac);
+ free(hmacpath);
+ fclose(hf);
+
+ if (rv < 0)
+ return 0;
+
+ /* check successful */
+ return 1;
+}
+
+static int verify_checksums(void)
+{
+ int rv;
+ char path[PATH_MAX + 1];
+ char *p;
+
+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
+ are in the same directory */
+
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
+ "FIPS_mode_set", path, sizeof(path));
+ if (rv < 0)
+ return 0;
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+
+ /* replace libcrypto with libssl */
+ while ((p = strstr(path, "libcrypto.so")) != NULL) {
+ p = stpcpy(p, "libssl");
+ memmove(p, p + 3, strlen(p + 2));
+ }
+
+ rv = FIPSCHECK_verify(path);
+ if (!rv)
+ return 0;
+ return 1;
+}
+
+# ifndef FIPS_MODULE_PATH
+# define FIPS_MODULE_PATH "/etc/system-fips"
+# endif
+
+int FIPS_module_installed(void)
+{
+ int rv;
+ rv = access(FIPS_MODULE_PATH, F_OK);
+ if (rv < 0 && errno != ENOENT)
+ rv = 0;
+
+ /* Installed == true */
+ return !rv;
+}
+
+int FIPS_module_mode_set(int onoff)
+{
+ int ret = 0;
+
+ if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
+ return 0;
+
+ fips_w_lock();
+ fips_started = 1;
+ fips_set_owning_thread();
+
+ if (onoff) {
+
+ fips_selftest_fail = 0;
+
+ /* Don't go into FIPS mode twice, just so we can do automagic
+ seeding */
+ if (FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+ FIPS_R_FIPS_MODE_ALREADY_SET);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+# ifdef OPENSSL_IA32_SSE2
+ {
+ extern unsigned int OPENSSL_ia32cap_P[2];
+ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=
+ (1 << 25 | 1 << 26)) {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+ FIPS_R_UNSUPPORTED_PLATFORM);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+ }
+# endif
+
+ if (!FIPS_selftest()) {
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+
+ if (!verify_checksums()) {
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+ fips_selftest_fail = 1;
+ ret = 0;
+ goto end;
+ }
+
+ fips_set_mode(onoff);
+ ret = 1;
+ goto end;
+ }
+ fips_set_mode(0);
+ fips_selftest_fail = 0;
+ ret = 1;
+ end:
+ fips_clear_owning_thread();
+ fips_w_unlock();
+ return ret;
+}
+
+static CRYPTO_THREAD_ID fips_threadid;
+static int fips_thread_set = 0;
+
+static int fips_is_owning_thread(void)
+{
+ int ret = 0;
+
+ if (fips_started) {
+ CRYPTO_THREAD_read_lock(fips_owning_lock);
+ if (fips_thread_set) {
+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
+ ret = 1;
+ }
+ CRYPTO_THREAD_unlock(fips_owning_lock);
+ }
+ return ret;
+}
+
+int fips_set_owning_thread(void)
+{
+ int ret = 0;
+
+ if (fips_started) {
+ CRYPTO_THREAD_write_lock(fips_owning_lock);
+ if (!fips_thread_set) {
+ fips_threadid = CRYPTO_THREAD_get_current_id();
+ ret = 1;
+ fips_thread_set = 1;
+ }
+ CRYPTO_THREAD_unlock(fips_owning_lock);
+ }
+ return ret;
+}
+
+int fips_clear_owning_thread(void)
+{
+ int ret = 0;
+
+ if (fips_started) {
+ CRYPTO_THREAD_write_lock(fips_owning_lock);
+ if (fips_thread_set) {
+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
+ fips_thread_set = 0;
+ }
+ CRYPTO_THREAD_unlock(fips_owning_lock);
+ }
+ return ret;
+}
+
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_cmac_selftest.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_cmac_selftest.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,156 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+#include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+#include <openssl/cmac.h>
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
+typedef struct {
+ int nid;
+ const unsigned char key[EVP_MAX_KEY_LENGTH];
+ size_t keysize;
+ const unsigned char msg[64];
+ size_t msgsize;
+ const unsigned char mac[32];
+ size_t macsize;
+} CMAC_KAT;
+
+/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
+static const CMAC_KAT vector[] = {
+ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */
+ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3,
+ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128,
+ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c,
+ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e,
+ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98,
+ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256,
+ {0xfb, 0xfe, 0xa4, 0x1b,}, 32},
+ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */
+ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9,
+ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86,
+ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192,
+ {0x0}, 0,
+ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef,
+ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128,
+ },
+ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */
+ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe,
+ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14,
+ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf,
+ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256,
+ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb,
+ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08,
+ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88,
+ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84,
+ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96,
+ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384,
+ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40,
+ },
+ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */
+ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37,
+ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5,
+ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192,
+ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e,
+ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2,
+ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0,
+ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256,
+ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64,
+ },
+};
+
+int FIPS_selftest_cmac()
+{
+ size_t n, outlen;
+ unsigned char out[32];
+ const EVP_CIPHER *cipher;
+ CMAC_CTX *ctx = CMAC_CTX_new();
+ const CMAC_KAT *t;
+ int rv = 1;
+
+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
+ cipher = EVP_get_cipherbynid(t->nid);
+ if (!cipher) {
+ rv = -1;
+ goto err;
+ }
+ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) {
+ rv = -1;
+ goto err;
+ }
+ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) {
+ rv = -1;
+ goto err;
+ }
+
+ if (!CMAC_Final(ctx, out, &outlen)) {
+ rv = -1;
+ goto err;
+ }
+
+ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) {
+ rv = 0;
+ }
+ }
+
+ err:
+ CMAC_CTX_free(ctx);
+
+ if (rv == -1) {
+ rv = 0;
+ }
+ if (!rv)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED);
+
+ return rv;
+}
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_des_selftest.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_des_selftest.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,133 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+# include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+#endif
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_FIPS
+
+static const struct {
+ const unsigned char key[16];
+ const unsigned char plaintext[8];
+ const unsigned char ciphertext[8];
+} tests2[] = {
+ {
+ {
+ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec,
+ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, {
+ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, {
+ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd}
+ }, {
+ {
+ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34,
+ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, {
+ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, {
+ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},}
+};
+
+static const struct {
+ const unsigned char key[24];
+ const unsigned char plaintext[8];
+ const unsigned char ciphertext[8];
+} tests3[] = {
+ {
+ {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
+ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, {
+ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, {
+ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, {
+ {
+ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE,
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
+ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, {
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, {
+0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},};
+
+int FIPS_selftest_des()
+{
+ int n, ret = 0;
+ EVP_CIPHER_CTX *ctx;
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
+ for (n = 0; n < 2; ++n) {
+ unsigned char plaintext[8];
+
+ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
+ if (!fips_cipher_test(ctx, EVP_des_ede_ecb(),
+ tests2[n].key, NULL,
+ plaintext, tests2[n].ciphertext, 8))
+ goto err;
+ }
+
+ /* Encrypt/decrypt with 3DES and compare to known answers */
+ for (n = 0; n < 2; ++n) {
+ if (!fips_cipher_test(ctx, EVP_des_ede3_ecb(),
+ tests3[n].key, NULL,
+ tests3[n].plaintext, tests3[n].ciphertext, 8))
+ goto err;
+ }
+ ret = 1;
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+ if (ret == 0)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED);
+
+ return ret;
+}
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_dh_selftest.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_dh_selftest.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,180 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2013 Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/dh.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
+
+static const unsigned char dh_test_2048_p[] = {
+ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09,
+ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11,
+ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5,
+ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F,
+ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC,
+ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE,
+ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39,
+ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E,
+ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2,
+ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A,
+ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A,
+ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF,
+ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7,
+ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73,
+ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6,
+ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35,
+ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED,
+ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03,
+ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC,
+ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE,
+ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58,
+ 0x4B, 0xD8, 0x37, 0xEB
+};
+
+static const unsigned char dh_test_2048_g[] = {
+ 0x02
+};
+
+static const unsigned char dh_test_2048_pub_key[] = {
+ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA,
+ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2,
+ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12,
+ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5,
+ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D,
+ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1,
+ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51,
+ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F,
+ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6,
+ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED,
+ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46,
+ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA,
+ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1,
+ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE,
+ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53,
+ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9,
+ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3,
+ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9,
+ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56,
+ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E,
+ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9,
+ 0x36, 0x9E, 0xDA, 0xD2
+};
+
+static const unsigned char dh_test_2048_priv_key[] = {
+ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91,
+ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00,
+ 0xEC, 0x55, 0xF6, 0xCC
+};
+
+int FIPS_selftest_dh()
+{
+ DH *dh = NULL;
+ int ret = 0;
+ void *pub_key_bin = NULL;
+ int len;
+ BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL;
+ const BIGNUM *pub_key;
+
+ fips_load_key_component(p, dh_test_2048);
+ fips_load_key_component(g, dh_test_2048);
+ /* note that the private key is much shorter than normally used
+ * but still g ** priv_key > p
+ */
+ fips_load_key_component(priv_key, dh_test_2048);
+ if ((tmp_pub_key = BN_new()) == NULL)
+ goto err;
+
+ dh = DH_new();
+
+ if (dh == NULL)
+ goto err;
+
+ DH_set0_pqg(dh, p, NULL, g);
+ DH_set0_key(dh, tmp_pub_key, priv_key);
+
+ if (DH_generate_key(dh) <= 0)
+ goto err;
+
+ DH_get0_key(dh, &pub_key, NULL);
+
+ if (pub_key == NULL)
+ goto err;
+
+ len = BN_num_bytes(pub_key);
+ if ((pub_key_bin = OPENSSL_malloc(len)) == NULL)
+ goto err;
+ BN_bn2bin(pub_key, pub_key_bin);
+
+ if (len != sizeof(dh_test_2048_pub_key) ||
+ memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0)
+ goto err;
+
+ ret = 1;
+
+ err:
+ if (dh)
+ DH_free(dh);
+ else {
+ BN_free(p);
+ BN_free(g);
+ BN_free(priv_key);
+ BN_free(tmp_pub_key);
+ }
+
+ OPENSSL_free(pub_key_bin);
+ return ret;
+}
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_drbg_ctr.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_drbg_ctr.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,406 @@
+/* fips/rand/fips_drbg_ctr.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#include "fips_rand_lcl.h"
+
+static void inc_128(DRBG_CTR_CTX * cctx)
+{
+ int i;
+ unsigned char c;
+ unsigned char *p = cctx->V + 15;
+ for (i = 0; i < 16; i++) {
+ c = *p;
+ c++;
+ *p = c;
+ if (c)
+ return;
+ p--;
+ }
+}
+
+static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in,
+ size_t inlen)
+{
+ size_t i, n;
+ /* Any zero padding will have no effect on the result as we
+ * are XORing. So just process however much input we have.
+ */
+
+ if (!in || !inlen)
+ return;
+
+ if (inlen < cctx->keylen)
+ n = inlen;
+ else
+ n = cctx->keylen;
+
+ for (i = 0; i < n; i++)
+ cctx->K[i] ^= in[i];
+ if (inlen <= cctx->keylen)
+ return;
+
+ n = inlen - cctx->keylen;
+ /* Should never happen */
+ if (n > 16)
+ n = 16;
+ for (i = 0; i < 16; i++)
+ cctx->V[i] ^= in[i + cctx->keylen];
+}
+
+/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
+
+static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out,
+ const unsigned char *in)
+{
+ int i;
+ for (i = 0; i < 16; i++)
+ out[i] ^= in[i];
+ AES_encrypt(out, out, &cctx->df_ks);
+#if 0
+ fprintf(stderr, "BCC in+out\n");
+ BIO_dump_fp(stderr, in, 16);
+ BIO_dump_fp(stderr, out, 16);
+#endif
+}
+
+/* Handle several BCC operations for as much data as we need for K and X */
+static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in)
+{
+ ctr_BCC_block(cctx, cctx->KX, in);
+ ctr_BCC_block(cctx, cctx->KX + 16, in);
+ if (cctx->keylen != 16)
+ ctr_BCC_block(cctx, cctx->KX + 32, in);
+}
+
+/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
+ * see 10.4.2 stage 7.
+ */
+static void ctr_BCC_init(DRBG_CTR_CTX * cctx)
+{
+ memset(cctx->KX, 0, 48);
+ memset(cctx->bltmp, 0, 16);
+ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
+ cctx->bltmp[3] = 1;
+ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
+ if (cctx->keylen != 16) {
+ cctx->bltmp[3] = 2;
+ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
+ }
+}
+
+/* Process several blocks into BCC algorithm, some possibly partial */
+static void ctr_BCC_update(DRBG_CTR_CTX * cctx,
+ const unsigned char *in, size_t inlen)
+{
+ if (!in || !inlen)
+ return;
+ /* If we have partial block handle it first */
+ if (cctx->bltmp_pos) {
+ size_t left = 16 - cctx->bltmp_pos;
+ /* If we now have a complete block process it */
+ if (inlen >= left) {
+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
+ ctr_BCC_blocks(cctx, cctx->bltmp);
+ cctx->bltmp_pos = 0;
+ inlen -= left;
+ in += left;
+ }
+ }
+ /* Process zero or more complete blocks */
+ while (inlen >= 16) {
+ ctr_BCC_blocks(cctx, in);
+ in += 16;
+ inlen -= 16;
+ }
+ /* Copy any remaining partial block to the temporary buffer */
+ if (inlen > 0) {
+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
+ cctx->bltmp_pos += inlen;
+ }
+}
+
+static void ctr_BCC_final(DRBG_CTR_CTX * cctx)
+{
+ if (cctx->bltmp_pos) {
+ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
+ ctr_BCC_blocks(cctx, cctx->bltmp);
+ }
+}
+
+static void ctr_df(DRBG_CTR_CTX * cctx,
+ const unsigned char *in1, size_t in1len,
+ const unsigned char *in2, size_t in2len,
+ const unsigned char *in3, size_t in3len)
+{
+ size_t inlen;
+ unsigned char *p = cctx->bltmp;
+ static unsigned char c80 = 0x80;
+
+ ctr_BCC_init(cctx);
+ if (!in1)
+ in1len = 0;
+ if (!in2)
+ in2len = 0;
+ if (!in3)
+ in3len = 0;
+ inlen = in1len + in2len + in3len;
+ /* Initialise L||N in temporary block */
+ *p++ = (inlen >> 24) & 0xff;
+ *p++ = (inlen >> 16) & 0xff;
+ *p++ = (inlen >> 8) & 0xff;
+ *p++ = inlen & 0xff;
+ /* NB keylen is at most 32 bytes */
+ *p++ = 0;
+ *p++ = 0;
+ *p++ = 0;
+ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
+ cctx->bltmp_pos = 8;
+ ctr_BCC_update(cctx, in1, in1len);
+ ctr_BCC_update(cctx, in2, in2len);
+ ctr_BCC_update(cctx, in3, in3len);
+ ctr_BCC_update(cctx, &c80, 1);
+ ctr_BCC_final(cctx);
+ /* Set up key K */
+ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
+ /* X follows key K */
+ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
+ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
+ if (cctx->keylen != 16)
+ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
+#if 0
+ fprintf(stderr, "Output of ctr_df:\n");
+ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
+#endif
+}
+
+/* NB the no-df Update in SP800-90 specifies a constant input length
+ * of seedlen, however other uses of this algorithm pad the input with
+ * zeroes if necessary and have up to two parameters XORed together,
+ * handle both cases in this function instead.
+ */
+
+static void ctr_Update(DRBG_CTX *dctx,
+ const unsigned char *in1, size_t in1len,
+ const unsigned char *in2, size_t in2len,
+ const unsigned char *nonce, size_t noncelen)
+{
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
+ /* ks is already setup for correct key */
+ inc_128(cctx);
+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
+ /* If keylen longer than 128 bits need extra encrypt */
+ if (cctx->keylen != 16) {
+ inc_128(cctx);
+ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
+ }
+ inc_128(cctx);
+ AES_encrypt(cctx->V, cctx->V, &cctx->ks);
+ /* If 192 bit key part of V is on end of K */
+ if (cctx->keylen == 24) {
+ memcpy(cctx->V + 8, cctx->V, 8);
+ memcpy(cctx->V, cctx->K + 24, 8);
+ }
+
+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
+ /* If no input reuse existing derived value */
+ if (in1 || nonce || in2)
+ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
+ /* If this a reuse input in1len != 0 */
+ if (in1len)
+ ctr_XOR(cctx, cctx->KX, dctx->seedlen);
+ } else {
+ ctr_XOR(cctx, in1, in1len);
+ ctr_XOR(cctx, in2, in2len);
+ }
+
+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
+#if 0
+ fprintf(stderr, "K+V after update is:\n");
+ BIO_dump_fp(stderr, cctx->K, cctx->keylen);
+ BIO_dump_fp(stderr, cctx->V, 16);
+#endif
+}
+
+static int drbg_ctr_instantiate(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *nonce, size_t noncelen,
+ const unsigned char *pers, size_t perslen)
+{
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
+ memset(cctx->K, 0, sizeof(cctx->K));
+ memset(cctx->V, 0, sizeof(cctx->V));
+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
+ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
+ return 1;
+}
+
+static int drbg_ctr_reseed(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *adin, size_t adinlen)
+{
+ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
+ return 1;
+}
+
+static int drbg_ctr_generate(DRBG_CTX *dctx,
+ unsigned char *out, size_t outlen,
+ const unsigned char *adin, size_t adinlen)
+{
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
+ if (adin && adinlen) {
+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
+ /* This means we reuse derived value */
+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
+ adin = NULL;
+ adinlen = 1;
+ }
+ } else
+ adinlen = 0;
+
+ for (;;) {
+ inc_128(cctx);
+ if (outlen < 16) {
+ /* Use K as temp space as it will be updated */
+ AES_encrypt(cctx->V, cctx->K, &cctx->ks);
+ memcpy(out, cctx->K, outlen);
+ break;
+ }
+ AES_encrypt(cctx->V, out, &cctx->ks);
+ out += 16;
+ outlen -= 16;
+ if (outlen == 0)
+ break;
+ }
+
+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
+
+ return 1;
+
+}
+
+static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
+{
+ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
+ return 1;
+}
+
+int fips_drbg_ctr_init(DRBG_CTX *dctx)
+{
+ DRBG_CTR_CTX *cctx = &dctx->d.ctr;
+
+ size_t keylen;
+
+ switch (dctx->type) {
+ case NID_aes_128_ctr:
+ keylen = 16;
+ break;
+
+ case NID_aes_192_ctr:
+ keylen = 24;
+ break;
+
+ case NID_aes_256_ctr:
+ keylen = 32;
+ break;
+
+ default:
+ return -2;
+ }
+
+ dctx->instantiate = drbg_ctr_instantiate;
+ dctx->reseed = drbg_ctr_reseed;
+ dctx->generate = drbg_ctr_generate;
+ dctx->uninstantiate = drbg_ctr_uninstantiate;
+
+ cctx->keylen = keylen;
+ dctx->strength = keylen * 8;
+ dctx->blocklength = 16;
+ dctx->seedlen = keylen + 16;
+
+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
+ /* df initialisation */
+ static unsigned char df_key[32] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
+ };
+ /* Set key schedule for df_key */
+ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
+
+ dctx->min_entropy = cctx->keylen;
+ dctx->max_entropy = DRBG_MAX_LENGTH;
+ dctx->min_nonce = dctx->min_entropy / 2;
+ dctx->max_nonce = DRBG_MAX_LENGTH;
+ dctx->max_pers = DRBG_MAX_LENGTH;
+ dctx->max_adin = DRBG_MAX_LENGTH;
+ } else {
+ dctx->min_entropy = dctx->seedlen;
+ dctx->max_entropy = dctx->seedlen;
+ /* Nonce not used */
+ dctx->min_nonce = 0;
+ dctx->max_nonce = 0;
+ dctx->max_pers = dctx->seedlen;
+ dctx->max_adin = dctx->seedlen;
+ }
+
+ dctx->max_request = 1 << 16;
+ dctx->reseed_interval = 1 << 24;
+
+ return 1;
+}
Index: openssl-1.1.1n/crypto/fips/fips_drbg_hash.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_drbg_hash.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,354 @@
+/* fips/rand/fips_drbg_hash.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#define OPENSSL_FIPSAPI
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+#include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+#include <openssl/fips_rand.h>
+#include "fips_rand_lcl.h"
+
+/* This is Hash_df from SP 800-90 10.4.1 */
+
+static int hash_df(DRBG_CTX *dctx, unsigned char *out,
+ const unsigned char *in1, size_t in1len,
+ const unsigned char *in2, size_t in2len,
+ const unsigned char *in3, size_t in3len,
+ const unsigned char *in4, size_t in4len)
+{
+ EVP_MD_CTX *mctx = dctx->d.hash.mctx;
+ unsigned char *vtmp = dctx->d.hash.vtmp;
+ unsigned char tmp[6];
+ /* Standard only ever needs seedlen bytes which is always less than
+ * maximum permitted so no need to check length.
+ */
+ size_t outlen = dctx->seedlen;
+ tmp[0] = 1;
+ tmp[1] = ((outlen * 8) >> 24) & 0xff;
+ tmp[2] = ((outlen * 8) >> 16) & 0xff;
+ tmp[3] = ((outlen * 8) >> 8) & 0xff;
+ tmp[4] = (outlen * 8) & 0xff;
+ if (!in1) {
+ tmp[5] = (unsigned char)in1len;
+ in1 = tmp + 5;
+ in1len = 1;
+ }
+ for (;;) {
+ if (!FIPS_digestinit(mctx, dctx->d.hash.md))
+ return 0;
+ if (!FIPS_digestupdate(mctx, tmp, 5))
+ return 0;
+ if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
+ return 0;
+ if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
+ return 0;
+ if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
+ return 0;
+ if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
+ return 0;
+ if (outlen < dctx->blocklength) {
+ if (!FIPS_digestfinal(mctx, vtmp, NULL))
+ return 0;
+ memcpy(out, vtmp, outlen);
+ OPENSSL_cleanse(vtmp, dctx->blocklength);
+ return 1;
+ } else if (!FIPS_digestfinal(mctx, out, NULL))
+ return 0;
+
+ outlen -= dctx->blocklength;
+ if (outlen == 0)
+ return 1;
+ tmp[0]++;
+ out += dctx->blocklength;
+ }
+}
+
+/* Add an unsigned buffer to the buf value, storing the result in buf. For
+ * this algorithm the length of input never exceeds the seed length.
+ */
+
+static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
+ unsigned char *in, size_t inlen)
+{
+ size_t i = inlen;
+ const unsigned char *q;
+ unsigned char c, *p;
+ p = buf + dctx->seedlen;
+ q = in + inlen;
+
+ OPENSSL_assert(i <= dctx->seedlen);
+
+ /* Special case: zero length, just increment buffer */
+ if (i)
+ c = 0;
+ else
+ c = 1;
+
+ while (i) {
+ int r;
+ p--;
+ q--;
+ r = *p + *q + c;
+ /* Carry */
+ if (r > 0xff)
+ c = 1;
+ else
+ c = 0;
+ *p = r & 0xff;
+ i--;
+ }
+
+ i = dctx->seedlen - inlen;
+
+ /* If not adding whole buffer handle final carries */
+ if (c && i) {
+ do {
+ p--;
+ c = *p;
+ c++;
+ *p = c;
+ if (c)
+ return;
+ } while (i--);
+ }
+}
+
+/* Finalise and add hash to V */
+
+static int ctx_add_md(DRBG_CTX *dctx)
+{
+ if (!FIPS_digestfinal(dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
+ return 0;
+ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
+ return 1;
+}
+
+static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
+{
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
+ if (outlen == 0)
+ return 1;
+ memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
+ for (;;) {
+ FIPS_digestinit(hctx->mctx, hctx->md);
+ FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen);
+ if (outlen < dctx->blocklength) {
+ FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL);
+ memcpy(out, hctx->vtmp, outlen);
+ return 1;
+ } else {
+ FIPS_digestfinal(hctx->mctx, out, NULL);
+ outlen -= dctx->blocklength;
+ if (outlen == 0)
+ return 1;
+ out += dctx->blocklength;
+ }
+ ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
+ }
+}
+
+static int drbg_hash_instantiate(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *nonce, size_t nonce_len,
+ const unsigned char *pstr, size_t pstr_len)
+{
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
+ if (!hash_df(dctx, hctx->V,
+ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0))
+ return 0;
+ if (!hash_df(dctx, hctx->C,
+ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
+ return 0;
+
+#ifdef HASH_DRBG_TRACE
+ fprintf(stderr, "V+C after instantiate:\n");
+ hexprint(stderr, hctx->V, dctx->seedlen);
+ hexprint(stderr, hctx->C, dctx->seedlen);
+#endif
+ return 1;
+}
+
+static int drbg_hash_reseed(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *adin, size_t adin_len)
+{
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
+ /* V about to be updated so use C as output instead */
+ if (!hash_df(dctx, hctx->C,
+ NULL, 1, hctx->V, dctx->seedlen,
+ ent, ent_len, adin, adin_len))
+ return 0;
+ memcpy(hctx->V, hctx->C, dctx->seedlen);
+ if (!hash_df(dctx, hctx->C, NULL, 0,
+ hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
+ return 0;
+#ifdef HASH_DRBG_TRACE
+ fprintf(stderr, "V+C after reseed:\n");
+ hexprint(stderr, hctx->V, dctx->seedlen);
+ hexprint(stderr, hctx->C, dctx->seedlen);
+#endif
+ return 1;
+}
+
+static int drbg_hash_generate(DRBG_CTX *dctx,
+ unsigned char *out, size_t outlen,
+ const unsigned char *adin, size_t adin_len)
+{
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
+ EVP_MD_CTX *mctx = hctx->mctx;
+ unsigned char tmp[4];
+ if (adin && adin_len) {
+ tmp[0] = 2;
+ if (!FIPS_digestinit(mctx, hctx->md))
+ return 0;
+ if (!EVP_DigestUpdate(mctx, tmp, 1))
+ return 0;
+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
+ return 0;
+ if (!EVP_DigestUpdate(mctx, adin, adin_len))
+ return 0;
+ if (!ctx_add_md(dctx))
+ return 0;
+ }
+ if (!hash_gen(dctx, out, outlen))
+ return 0;
+
+ tmp[0] = 3;
+ if (!FIPS_digestinit(mctx, hctx->md))
+ return 0;
+ if (!EVP_DigestUpdate(mctx, tmp, 1))
+ return 0;
+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
+ return 0;
+
+ if (!ctx_add_md(dctx))
+ return 0;
+
+ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
+
+ tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
+ tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
+ tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
+ tmp[3] = dctx->reseed_counter & 0xff;
+ ctx_add_buf(dctx, hctx->V, tmp, 4);
+#ifdef HASH_DRBG_TRACE
+ fprintf(stderr, "V+C after generate:\n");
+ hexprint(stderr, hctx->V, dctx->seedlen);
+ hexprint(stderr, hctx->C, dctx->seedlen);
+#endif
+ return 1;
+}
+
+static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
+{
+ EVP_MD_CTX_free(dctx->d.hash.mctx);
+ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
+ return 1;
+}
+
+int fips_drbg_hash_init(DRBG_CTX *dctx)
+{
+ const EVP_MD *md;
+ DRBG_HASH_CTX *hctx = &dctx->d.hash;
+ md = EVP_get_digestbynid(dctx->type);
+ if (!md)
+ return -2;
+ switch (dctx->type) {
+ case NID_sha1:
+ dctx->strength = 128;
+ break;
+
+ case NID_sha224:
+ dctx->strength = 192;
+ break;
+
+ default:
+ dctx->strength = 256;
+ break;
+ }
+
+ dctx->instantiate = drbg_hash_instantiate;
+ dctx->reseed = drbg_hash_reseed;
+ dctx->generate = drbg_hash_generate;
+ dctx->uninstantiate = drbg_hash_uninstantiate;
+
+ dctx->d.hash.md = md;
+ hctx->mctx = EVP_MD_CTX_new();
+ if (hctx->mctx == NULL)
+ return -1;
+
+ /* These are taken from SP 800-90 10.1 table 2 */
+
+ dctx->blocklength = EVP_MD_size(md);
+ if (dctx->blocklength > 32)
+ dctx->seedlen = 111;
+ else
+ dctx->seedlen = 55;
+
+ dctx->min_entropy = dctx->strength / 8;
+ dctx->max_entropy = DRBG_MAX_LENGTH;
+
+ dctx->min_nonce = dctx->min_entropy / 2;
+ dctx->max_nonce = DRBG_MAX_LENGTH;
+
+ dctx->max_pers = DRBG_MAX_LENGTH;
+ dctx->max_adin = DRBG_MAX_LENGTH;
+
+ dctx->max_request = 1 << 16;
+ dctx->reseed_interval = 1 << 24;
+
+ return 1;
+}
Index: openssl-1.1.1n/crypto/fips/fips_drbg_hmac.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_drbg_hmac.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,262 @@
+/* fips/rand/fips_drbg_hmac.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/aes.h>
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#include "fips_rand_lcl.h"
+
+static int drbg_hmac_update(DRBG_CTX *dctx,
+ const unsigned char *in1, size_t in1len,
+ const unsigned char *in2, size_t in2len,
+ const unsigned char *in3, size_t in3len)
+{
+ static unsigned char c0 = 0, c1 = 1;
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
+ HMAC_CTX *hctx = hmac->hctx;
+
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
+ return 0;
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
+ return 0;
+ if (!HMAC_Update(hctx, &c0, 1))
+ return 0;
+ if (in1len && !HMAC_Update(hctx, in1, in1len))
+ return 0;
+ if (in2len && !HMAC_Update(hctx, in2, in2len))
+ return 0;
+ if (in3len && !HMAC_Update(hctx, in3, in3len))
+ return 0;
+
+ if (!HMAC_Final(hctx, hmac->K, NULL))
+ return 0;
+
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
+ return 0;
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
+ return 0;
+
+ if (!HMAC_Final(hctx, hmac->V, NULL))
+ return 0;
+
+ if (!in1len && !in2len && !in3len)
+ return 1;
+
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
+ return 0;
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
+ return 0;
+ if (!HMAC_Update(hctx, &c1, 1))
+ return 0;
+ if (in1len && !HMAC_Update(hctx, in1, in1len))
+ return 0;
+ if (in2len && !HMAC_Update(hctx, in2, in2len))
+ return 0;
+ if (in3len && !HMAC_Update(hctx, in3, in3len))
+ return 0;
+
+ if (!HMAC_Final(hctx, hmac->K, NULL))
+ return 0;
+
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
+ return 0;
+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
+ return 0;
+
+ if (!HMAC_Final(hctx, hmac->V, NULL))
+ return 0;
+
+ return 1;
+
+}
+
+static int drbg_hmac_instantiate(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *nonce, size_t nonce_len,
+ const unsigned char *pstr, size_t pstr_len)
+{
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
+ memset(hmac->K, 0, dctx->blocklength);
+ memset(hmac->V, 1, dctx->blocklength);
+ if (!drbg_hmac_update(dctx,
+ ent, ent_len, nonce, nonce_len, pstr, pstr_len))
+ return 0;
+
+#ifdef HMAC_DRBG_TRACE
+ fprintf(stderr, "K+V after instantiate:\n");
+ hexprint(stderr, hmac->K, hmac->blocklength);
+ hexprint(stderr, hmac->V, hmac->blocklength);
+#endif
+ return 1;
+}
+
+static int drbg_hmac_reseed(DRBG_CTX *dctx,
+ const unsigned char *ent, size_t ent_len,
+ const unsigned char *adin, size_t adin_len)
+{
+ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0))
+ return 0;
+
+#ifdef HMAC_DRBG_TRACE
+ {
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
+ fprintf(stderr, "K+V after reseed:\n");
+ hexprint(stderr, hmac->K, hmac->blocklength);
+ hexprint(stderr, hmac->V, hmac->blocklength);
+ }
+#endif
+ return 1;
+}
+
+static int drbg_hmac_generate(DRBG_CTX *dctx,
+ unsigned char *out, size_t outlen,
+ const unsigned char *adin, size_t adin_len)
+{
+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
+ HMAC_CTX *hctx = hmac->hctx;
+ const unsigned char *Vtmp = hmac->V;
+ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
+ return 0;
+ for (;;) {
+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
+ return 0;
+ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
+ return 0;
+ if (outlen > dctx->blocklength) {
+ if (!HMAC_Final(hctx, out, NULL))
+ return 0;
+ Vtmp = out;
+ } else {
+ if (!HMAC_Final(hctx, hmac->V, NULL))
+ return 0;
+ memcpy(out, hmac->V, outlen);
+ break;
+ }
+ out += dctx->blocklength;
+ outlen -= dctx->blocklength;
+ }
+ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
+ return 0;
+
+ return 1;
+}
+
+static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
+{
+ HMAC_CTX_free(dctx->d.hmac.hctx);
+ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
+ return 1;
+}
+
+int fips_drbg_hmac_init(DRBG_CTX *dctx)
+{
+ const EVP_MD *md = NULL;
+ DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
+ dctx->strength = 256;
+ switch (dctx->type) {
+ case NID_hmacWithSHA1:
+ md = EVP_sha1();
+ dctx->strength = 128;
+ break;
+
+ case NID_hmacWithSHA224:
+ md = EVP_sha224();
+ dctx->strength = 192;
+ break;
+
+ case NID_hmacWithSHA256:
+ md = EVP_sha256();
+ break;
+
+ case NID_hmacWithSHA384:
+ md = EVP_sha384();
+ break;
+
+ case NID_hmacWithSHA512:
+ md = EVP_sha512();
+ break;
+
+ default:
+ dctx->strength = 0;
+ return -2;
+ }
+ dctx->instantiate = drbg_hmac_instantiate;
+ dctx->reseed = drbg_hmac_reseed;
+ dctx->generate = drbg_hmac_generate;
+ dctx->uninstantiate = drbg_hmac_uninstantiate;
+ hctx->hctx = HMAC_CTX_new();
+ if (hctx->hctx == NULL)
+ return -1;
+ hctx->md = md;
+ dctx->blocklength = M_EVP_MD_size(md);
+ dctx->seedlen = M_EVP_MD_size(md);
+
+ dctx->min_entropy = dctx->strength / 8;
+ dctx->max_entropy = DRBG_MAX_LENGTH;
+
+ dctx->min_nonce = dctx->min_entropy / 2;
+ dctx->max_nonce = DRBG_MAX_LENGTH;
+
+ dctx->max_pers = DRBG_MAX_LENGTH;
+ dctx->max_adin = DRBG_MAX_LENGTH;
+
+ dctx->max_request = 1 << 16;
+ dctx->reseed_interval = 1 << 24;
+
+ return 1;
+}
Index: openssl-1.1.1n/crypto/fips/fips_drbg_lib.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_drbg_lib.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,528 @@
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+#include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+#include <openssl/fips_rand.h>
+#include "fips_locl.h"
+#include "fips_rand_lcl.h"
+
+/* Support framework for SP800-90 DRBGs */
+
+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
+{
+ int rv;
+ memset(dctx, 0, sizeof(DRBG_CTX));
+ dctx->status = DRBG_STATUS_UNINITIALISED;
+ dctx->xflags = flags;
+ dctx->type = type;
+
+ dctx->iflags = 0;
+ dctx->entropy_blocklen = 0;
+ dctx->health_check_cnt = 0;
+ dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
+
+ rv = fips_drbg_hash_init(dctx);
+
+ if (rv == -2)
+ rv = fips_drbg_ctr_init(dctx);
+ if (rv == -2)
+ rv = fips_drbg_hmac_init(dctx);
+
+ if (rv <= 0) {
+ if (rv == -2)
+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
+ else
+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
+ }
+
+ /* If not in test mode run selftests on DRBG of the same type */
+
+ if (!(dctx->xflags & DRBG_FLAG_TEST)) {
+ if (!FIPS_drbg_health_check(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
+ return 0;
+ }
+ }
+
+ return rv;
+}
+
+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
+{
+ DRBG_CTX *dctx;
+ dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
+ if (!dctx) {
+ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ if (type == 0) {
+ memset(dctx, 0, sizeof(DRBG_CTX));
+ dctx->type = 0;
+ dctx->status = DRBG_STATUS_UNINITIALISED;
+ return dctx;
+ }
+
+ if (FIPS_drbg_init(dctx, type, flags) <= 0) {
+ OPENSSL_free(dctx);
+ return NULL;
+ }
+
+ return dctx;
+}
+
+void FIPS_drbg_free(DRBG_CTX *dctx)
+{
+ if (dctx->uninstantiate)
+ dctx->uninstantiate(dctx);
+ /* Don't free up default DRBG */
+ if (dctx == FIPS_get_default_drbg()) {
+ memset(dctx, 0, sizeof(DRBG_CTX));
+ dctx->type = 0;
+ dctx->status = DRBG_STATUS_UNINITIALISED;
+ } else {
+ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
+ OPENSSL_free(dctx);
+ }
+}
+
+static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ unsigned char *tout, *p;
+ size_t bl = dctx->entropy_blocklen, rv;
+ if (!dctx->get_entropy)
+ return 0;
+ if (dctx->xflags & DRBG_FLAG_TEST || !bl)
+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
+ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
+ min_len + bl, max_len + bl);
+ if (tout == NULL)
+ return 0;
+ *pout = tout + bl;
+ if (rv < (min_len + bl) || (rv % bl))
+ return 0;
+ /* Compare consecutive blocks for continuous PRNG test */
+ for (p = tout; p < tout + rv - bl; p += bl) {
+ if (!memcmp(p, p + bl, bl)) {
+ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
+ return 0;
+ }
+ }
+ rv -= bl;
+ if (rv > max_len)
+ return max_len;
+ return rv;
+}
+
+static void fips_cleanup_entropy(DRBG_CTX *dctx,
+ unsigned char *out, size_t olen)
+{
+ size_t bl;
+ if (dctx->xflags & DRBG_FLAG_TEST)
+ bl = 0;
+ else
+ bl = dctx->entropy_blocklen;
+ /* Call cleanup with original arguments */
+ dctx->cleanup_entropy(dctx, out - bl, olen + bl);
+}
+
+int FIPS_drbg_instantiate(DRBG_CTX *dctx,
+ const unsigned char *pers, size_t perslen)
+{
+ size_t entlen = 0, noncelen = 0;
+ unsigned char *nonce = NULL, *entropy = NULL;
+
+#if 0
+ /* Put here so error script picks them up */
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
+ FIPS_R_PERSONALISATION_STRING_TOO_LONG);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
+#endif
+
+ int r = 0;
+
+ if (perslen > dctx->max_pers) {
+ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
+ goto end;
+ }
+
+ if (!dctx->instantiate) {
+ r = FIPS_R_DRBG_NOT_INITIALISED;
+ goto end;
+ }
+
+ if (dctx->status != DRBG_STATUS_UNINITIALISED) {
+ if (dctx->status == DRBG_STATUS_ERROR)
+ r = FIPS_R_IN_ERROR_STATE;
+ else
+ r = FIPS_R_ALREADY_INSTANTIATED;
+ goto end;
+ }
+
+ dctx->status = DRBG_STATUS_ERROR;
+
+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
+ dctx->min_entropy, dctx->max_entropy);
+
+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
+ goto end;
+ }
+
+ if (dctx->max_nonce > 0 && dctx->get_nonce) {
+ noncelen = dctx->get_nonce(dctx, &nonce,
+ dctx->strength / 2,
+ dctx->min_nonce, dctx->max_nonce);
+
+ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
+ r = FIPS_R_ERROR_RETRIEVING_NONCE;
+ goto end;
+ }
+
+ }
+
+ if (!dctx->instantiate(dctx,
+ entropy, entlen, nonce, noncelen, pers, perslen)) {
+ r = FIPS_R_ERROR_INSTANTIATING_DRBG;
+ goto end;
+ }
+
+ dctx->status = DRBG_STATUS_READY;
+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
+ dctx->reseed_counter = 1;
+
+ end:
+
+ if (entropy && dctx->cleanup_entropy)
+ fips_cleanup_entropy(dctx, entropy, entlen);
+
+ if (nonce && dctx->cleanup_nonce)
+ dctx->cleanup_nonce(dctx, nonce, noncelen);
+
+ if (dctx->status == DRBG_STATUS_READY)
+ return 1;
+
+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
+
+ return 0;
+
+}
+
+static int drbg_reseed(DRBG_CTX *dctx,
+ const unsigned char *adin, size_t adinlen, int hcheck)
+{
+ unsigned char *entropy = NULL;
+ size_t entlen = 0;
+ int r = 0;
+
+#if 0
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
+#endif
+ if (dctx->status != DRBG_STATUS_READY
+ && dctx->status != DRBG_STATUS_RESEED) {
+ if (dctx->status == DRBG_STATUS_ERROR)
+ r = FIPS_R_IN_ERROR_STATE;
+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
+ r = FIPS_R_NOT_INSTANTIATED;
+ goto end;
+ }
+
+ if (!adin)
+ adinlen = 0;
+ else if (adinlen > dctx->max_adin) {
+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
+ goto end;
+ }
+
+ dctx->status = DRBG_STATUS_ERROR;
+ /* Peform health check on all reseed operations if not a prediction
+ * resistance request and not in test mode.
+ */
+ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) {
+ if (!FIPS_drbg_health_check(dctx)) {
+ r = FIPS_R_SELFTEST_FAILURE;
+ goto end;
+ }
+ }
+
+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
+ dctx->min_entropy, dctx->max_entropy);
+
+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
+ goto end;
+ }
+
+ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
+ goto end;
+
+ dctx->status = DRBG_STATUS_READY;
+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
+ dctx->reseed_counter = 1;
+ end:
+
+ if (entropy && dctx->cleanup_entropy)
+ fips_cleanup_entropy(dctx, entropy, entlen);
+
+ if (dctx->status == DRBG_STATUS_READY)
+ return 1;
+
+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
+ FIPSerr(FIPS_F_DRBG_RESEED, r);
+
+ return 0;
+}
+
+int FIPS_drbg_reseed(DRBG_CTX *dctx,
+ const unsigned char *adin, size_t adinlen)
+{
+ return drbg_reseed(dctx, adin, adinlen, 1);
+}
+
+static int fips_drbg_check(DRBG_CTX *dctx)
+{
+ if (dctx->xflags & DRBG_FLAG_TEST)
+ return 1;
+ dctx->health_check_cnt++;
+ if (dctx->health_check_cnt >= dctx->health_check_interval) {
+ if (!FIPS_drbg_health_check(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
+ return 0;
+ }
+ }
+ return 1;
+}
+
+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+ int prediction_resistance,
+ const unsigned char *adin, size_t adinlen)
+{
+ int r = 0;
+
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+
+ if (!fips_drbg_check(dctx))
+ return 0;
+
+ if (dctx->status != DRBG_STATUS_READY
+ && dctx->status != DRBG_STATUS_RESEED) {
+ if (dctx->status == DRBG_STATUS_ERROR)
+ r = FIPS_R_IN_ERROR_STATE;
+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
+ r = FIPS_R_NOT_INSTANTIATED;
+ goto end;
+ }
+
+ if (outlen > dctx->max_request) {
+ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
+ return 0;
+ }
+
+ if (adinlen > dctx->max_adin) {
+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
+ goto end;
+ }
+
+ if (dctx->iflags & DRBG_CUSTOM_RESEED)
+ dctx->generate(dctx, NULL, outlen, NULL, 0);
+ else if (dctx->reseed_counter >= dctx->reseed_interval)
+ dctx->status = DRBG_STATUS_RESEED;
+
+ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
+ /* If prediction resistance request don't do health check */
+ int hcheck = prediction_resistance ? 0 : 1;
+
+ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {
+ r = FIPS_R_RESEED_ERROR;
+ goto end;
+ }
+ adin = NULL;
+ adinlen = 0;
+ }
+
+ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {
+ r = FIPS_R_GENERATE_ERROR;
+ dctx->status = DRBG_STATUS_ERROR;
+ goto end;
+ }
+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {
+ if (dctx->reseed_counter >= dctx->reseed_interval)
+ dctx->status = DRBG_STATUS_RESEED;
+ else
+ dctx->reseed_counter++;
+ }
+
+ end:
+ if (r) {
+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
+ return 0;
+ }
+
+ return 1;
+}
+
+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
+{
+ int rv;
+ if (!dctx->uninstantiate)
+ rv = 1;
+ else
+ rv = dctx->uninstantiate(dctx);
+ /* Although we'd like to cleanse here we can't because we have to
+ * test the uninstantiate really zeroes the data.
+ */
+ memset(&dctx->d, 0, sizeof(dctx->d));
+ dctx->status = DRBG_STATUS_UNINITIALISED;
+ /* If method has problems uninstantiating, return error */
+ return rv;
+}
+
+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
+ size_t (*get_entropy) (DRBG_CTX *ctx,
+ unsigned char **pout,
+ int entropy,
+ size_t min_len,
+ size_t max_len),
+ void (*cleanup_entropy) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen),
+ size_t entropy_blocklen,
+ size_t (*get_nonce) (DRBG_CTX *ctx,
+ unsigned char **pout,
+ int entropy, size_t min_len,
+ size_t max_len),
+ void (*cleanup_nonce) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen))
+{
+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
+ return 0;
+ dctx->entropy_blocklen = entropy_blocklen;
+ dctx->get_entropy = get_entropy;
+ dctx->cleanup_entropy = cleanup_entropy;
+ dctx->get_nonce = get_nonce;
+ dctx->cleanup_nonce = cleanup_nonce;
+ return 1;
+}
+
+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
+ size_t (*get_adin) (DRBG_CTX *ctx,
+ unsigned char **pout),
+ void (*cleanup_adin) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen),
+ int (*rand_seed_cb) (DRBG_CTX *ctx,
+ const void *buf,
+ int num),
+ int (*rand_add_cb) (DRBG_CTX *ctx,
+ const void *buf, int num,
+ double entropy))
+{
+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
+ return 0;
+ dctx->get_adin = get_adin;
+ dctx->cleanup_adin = cleanup_adin;
+ dctx->rand_seed_cb = rand_seed_cb;
+ dctx->rand_add_cb = rand_add_cb;
+ return 1;
+}
+
+void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
+{
+ return dctx->app_data;
+}
+
+void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
+{
+ dctx->app_data = app_data;
+}
+
+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
+{
+ return dctx->blocklength;
+}
+
+int FIPS_drbg_get_strength(DRBG_CTX *dctx)
+{
+ return dctx->strength;
+}
+
+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
+{
+ dctx->health_check_interval = interval;
+}
+
+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
+{
+ dctx->reseed_interval = interval;
+}
+
+void FIPS_drbg_stick(int onoff)
+{
+ /* Just backwards compatibility API call with no effect. */
+}
Index: openssl-1.1.1n/crypto/fips/fips_drbg_rand.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_drbg_rand.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,185 @@
+/* fips/rand/fips_drbg_rand.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include "internal/thread_once.h"
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#include "fips_rand_lcl.h"
+
+/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
+
+/* Since we only have one global PRNG used at any time in OpenSSL use a global
+ * variable to store context.
+ */
+
+static DRBG_CTX ossl_dctx;
+
+static CRYPTO_RWLOCK *fips_rand_lock = NULL;
+static CRYPTO_ONCE fips_rand_lock_init = CRYPTO_ONCE_STATIC_INIT;
+
+DEFINE_RUN_ONCE_STATIC(do_fips_rand_lock_init)
+{
+ fips_rand_lock = CRYPTO_THREAD_lock_new();
+ return fips_rand_lock != NULL;
+}
+
+DRBG_CTX *FIPS_get_default_drbg(void)
+{
+ if (!RUN_ONCE(&fips_rand_lock_init, do_fips_rand_lock_init))
+ return NULL;
+ return &ossl_dctx;
+}
+
+static int fips_drbg_bytes(unsigned char *out, int count)
+{
+ DRBG_CTX *dctx = &ossl_dctx;
+ int rv = 0;
+ unsigned char *adin = NULL;
+ size_t adinlen = 0;
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
+ do {
+ size_t rcnt;
+ if (count > (int)dctx->max_request)
+ rcnt = dctx->max_request;
+ else
+ rcnt = count;
+ if (dctx->get_adin) {
+ adinlen = dctx->get_adin(dctx, &adin);
+ if (adinlen && !adin) {
+ FIPSerr(FIPS_F_FIPS_DRBG_BYTES,
+ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
+ goto err;
+ }
+ }
+ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
+ if (adin) {
+ if (dctx->cleanup_adin)
+ dctx->cleanup_adin(dctx, adin, adinlen);
+ adin = NULL;
+ }
+ if (!rv)
+ goto err;
+ out += rcnt;
+ count -= rcnt;
+ }
+ while (count);
+ rv = 1;
+ err:
+ CRYPTO_THREAD_unlock(fips_rand_lock);
+ return rv;
+}
+
+static int fips_drbg_pseudo(unsigned char *out, int count)
+{
+ if (fips_drbg_bytes(out, count) <= 0)
+ return -1;
+ return 1;
+}
+
+static int fips_drbg_status(void)
+{
+ DRBG_CTX *dctx = &ossl_dctx;
+ int rv;
+ CRYPTO_THREAD_read_lock(fips_rand_lock);
+ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
+ CRYPTO_THREAD_unlock(fips_rand_lock);
+ return rv;
+}
+
+static void fips_drbg_cleanup(void)
+{
+ DRBG_CTX *dctx = &ossl_dctx;
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
+ FIPS_drbg_uninstantiate(dctx);
+ CRYPTO_THREAD_unlock(fips_rand_lock);
+}
+
+static int fips_drbg_seed(const void *seed, int seedlen)
+{
+ DRBG_CTX *dctx = &ossl_dctx;
+ int ret = 1;
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
+ if (dctx->rand_seed_cb)
+ ret = dctx->rand_seed_cb(dctx, seed, seedlen);
+ CRYPTO_THREAD_unlock(fips_rand_lock);
+ return ret;
+}
+
+static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
+{
+ DRBG_CTX *dctx = &ossl_dctx;
+ int ret = 1;
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
+ if (dctx->rand_add_cb)
+ ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
+ CRYPTO_THREAD_unlock(fips_rand_lock);
+ return ret;
+}
+
+static const RAND_METHOD rand_drbg_meth = {
+ fips_drbg_seed,
+ fips_drbg_bytes,
+ fips_drbg_cleanup,
+ fips_drbg_add,
+ fips_drbg_pseudo,
+ fips_drbg_status
+};
+
+const RAND_METHOD *FIPS_drbg_method(void)
+{
+ return &rand_drbg_meth;
+}
Index: openssl-1.1.1n/crypto/fips/fips_drbg_selftest.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_drbg_selftest.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,828 @@
+/* fips/rand/fips_drbg_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#include "fips_rand_lcl.h"
+#include "fips_locl.h"
+
+#include "fips_drbg_selftest.h"
+
+typedef struct {
+ int post;
+ int nid;
+ unsigned int flags;
+
+ /* KAT data for no PR */
+ const unsigned char *ent;
+ size_t entlen;
+ const unsigned char *nonce;
+ size_t noncelen;
+ const unsigned char *pers;
+ size_t perslen;
+ const unsigned char *adin;
+ size_t adinlen;
+ const unsigned char *entreseed;
+ size_t entreseedlen;
+ const unsigned char *adinreseed;
+ size_t adinreseedlen;
+ const unsigned char *adin2;
+ size_t adin2len;
+ const unsigned char *kat;
+ size_t katlen;
+ const unsigned char *kat2;
+ size_t kat2len;
+
+ /* KAT data for PR */
+ const unsigned char *ent_pr;
+ size_t entlen_pr;
+ const unsigned char *nonce_pr;
+ size_t noncelen_pr;
+ const unsigned char *pers_pr;
+ size_t perslen_pr;
+ const unsigned char *adin_pr;
+ size_t adinlen_pr;
+ const unsigned char *entpr_pr;
+ size_t entprlen_pr;
+ const unsigned char *ading_pr;
+ size_t adinglen_pr;
+ const unsigned char *entg_pr;
+ size_t entglen_pr;
+ const unsigned char *kat_pr;
+ size_t katlen_pr;
+ const unsigned char *kat2_pr;
+ size_t kat2len_pr;
+
+} DRBG_SELFTEST_DATA;
+
+#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
+ pr##_entropyinput, sizeof(pr##_entropyinput), \
+ pr##_nonce, sizeof(pr##_nonce), \
+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \
+ pr##_additionalinput, sizeof(pr##_additionalinput), \
+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \
+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
+ pr##_returnedbits, sizeof(pr##_returnedbits), \
+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \
+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
+ }
+
+#define make_drbg_test_data_df(nid, pr, p) \
+ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
+
+#define make_drbg_test_data_ec(curve, md, pr, p) \
+ make_drbg_test_data((curve << 16) | md , 0, pr, p)
+
+static DRBG_SELFTEST_DATA drbg_test[] = {
+ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
+ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
+ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
+ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
+ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
+ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
+ make_drbg_test_data(NID_sha1, 0, sha1, 0),
+ make_drbg_test_data(NID_sha224, 0, sha224, 0),
+ make_drbg_test_data(NID_sha256, 0, sha256, 1),
+ make_drbg_test_data(NID_sha384, 0, sha384, 0),
+ make_drbg_test_data(NID_sha512, 0, sha512, 0),
+ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
+ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
+ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
+ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
+ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
+ {0, 0, 0}
+};
+
+typedef struct {
+ const unsigned char *ent;
+ size_t entlen;
+ int entcnt;
+ const unsigned char *nonce;
+ size_t noncelen;
+ int noncecnt;
+} TEST_ENT;
+
+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
+ *pout = (unsigned char *)t->ent;
+ t->entcnt++;
+ return t->entlen;
+}
+
+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len)
+{
+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
+ *pout = (unsigned char *)t->nonce;
+ t->noncecnt++;
+ return t->noncelen;
+}
+
+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
+ int quick)
+{
+ TEST_ENT t;
+ int rv = 0;
+ size_t adinlen;
+ unsigned char randout[1024];
+
+ /* Initial test without PR */
+
+ /* Instantiate DRBG with test entropy, nonce and personalisation
+ * string.
+ */
+
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
+ return 0;
+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
+ return 0;
+
+ FIPS_drbg_set_app_data(dctx, &t);
+
+ t.ent = td->ent;
+ t.entlen = td->entlen;
+ t.nonce = td->nonce;
+ t.noncelen = td->noncelen;
+ t.entcnt = 0;
+ t.noncecnt = 0;
+
+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
+ goto err;
+
+ /* Note for CTR without DF some additional input values
+ * ignore bytes after the keylength: so reduce adinlen
+ * to half to ensure invalid data is fed in.
+ */
+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
+ adinlen = td->adinlen / 2;
+ else
+ adinlen = td->adinlen;
+
+ /* Generate with no PR and verify output matches expected data */
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen))
+ goto err;
+
+ if (memcmp(randout, td->kat, td->katlen)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
+ goto err2;
+ }
+ /* If abbreviated POST end of test */
+ if (quick) {
+ rv = 1;
+ goto err;
+ }
+ /* Reseed DRBG with test entropy and additional input */
+ t.ent = td->entreseed;
+ t.entlen = td->entreseedlen;
+
+ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
+ goto err;
+
+ /* Generate with no PR and verify output matches expected data */
+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
+ td->adin2, td->adin2len))
+ goto err;
+
+ if (memcmp(randout, td->kat2, td->kat2len)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
+ goto err2;
+ }
+
+ FIPS_drbg_uninstantiate(dctx);
+
+ /* Now test with PR */
+
+ /* Instantiate DRBG with test entropy, nonce and personalisation
+ * string.
+ */
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
+ return 0;
+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
+ return 0;
+
+ FIPS_drbg_set_app_data(dctx, &t);
+
+ t.ent = td->ent_pr;
+ t.entlen = td->entlen_pr;
+ t.nonce = td->nonce_pr;
+ t.noncelen = td->noncelen_pr;
+ t.entcnt = 0;
+ t.noncecnt = 0;
+
+ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
+ goto err;
+
+ /* Now generate with PR: we need to supply entropy as this will
+ * perform a reseed operation. Check output matches expected value.
+ */
+
+ t.ent = td->entpr_pr;
+ t.entlen = td->entprlen_pr;
+
+ /* Note for CTR without DF some additional input values
+ * ignore bytes after the keylength: so reduce adinlen
+ * to half to ensure invalid data is fed in.
+ */
+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
+ adinlen = td->adinlen_pr / 2;
+ else
+ adinlen = td->adinlen_pr;
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
+ td->adin_pr, adinlen))
+ goto err;
+
+ if (memcmp(randout, td->kat_pr, td->katlen_pr)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
+ goto err2;
+ }
+
+ /* Now generate again with PR: supply new entropy again.
+ * Check output matches expected value.
+ */
+
+ t.ent = td->entg_pr;
+ t.entlen = td->entglen_pr;
+
+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
+ td->ading_pr, td->adinglen_pr))
+ goto err;
+
+ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
+ goto err2;
+ }
+ /* All OK, test complete */
+ rv = 1;
+
+ err:
+ if (rv == 0)
+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
+ err2:
+ FIPS_drbg_uninstantiate(dctx);
+
+ return rv;
+
+}
+
+/* Initialise a DRBG based on selftest data */
+
+static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t)
+{
+
+ if (!FIPS_drbg_init(dctx, td->nid, td->flags))
+ return 0;
+
+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
+ return 0;
+
+ FIPS_drbg_set_app_data(dctx, t);
+
+ t->ent = td->ent;
+ t->entlen = td->entlen;
+ t->nonce = td->nonce;
+ t->noncelen = td->noncelen;
+ t->entcnt = 0;
+ t->noncecnt = 0;
+ return 1;
+}
+
+/* Initialise and instantiate DRBG based on selftest data */
+static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
+ TEST_ENT * t)
+{
+ if (!do_drbg_init(dctx, td, t))
+ return 0;
+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
+ return 0;
+
+ return 1;
+}
+
+/* This function performs extensive error checking as required by SP800-90.
+ * Induce several failure modes and check an error condition is set.
+ * This function along with fips_drbg_single_kat peforms the health checking
+ * operation.
+ */
+
+static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td)
+{
+ unsigned char randout[1024];
+ TEST_ENT t;
+ size_t i;
+ unsigned int reseed_counter_tmp;
+ unsigned char *p = (unsigned char *)dctx;
+
+ /* Initialise DRBG */
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ /* Don't report induced errors */
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ /* Personalisation string tests */
+
+ /* Test detection of too large personlisation string */
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Entropy source tests */
+
+ /* Test entropy source failure detecion: i.e. returns no data */
+
+ t.entlen = 0;
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Try to generate output from uninstantiated DRBG */
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
+ td->adin, td->adinlen)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_GENERATE_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ /* Test insufficient entropy */
+
+ t.entlen = dctx->min_entropy - 1;
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Test too much entropy */
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ t.entlen = dctx->max_entropy + 1;
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Nonce tests */
+
+ /* Test too small nonce */
+
+ if (dctx->min_nonce) {
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ t.noncelen = dctx->min_nonce - 1;
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_NONCE_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ }
+
+ /* Test too large nonce */
+
+ if (dctx->max_nonce) {
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ t.noncelen = dctx->max_nonce + 1;
+
+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_NONCE_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ }
+
+ /* Instantiate with valid data. */
+ if (!do_drbg_instantiate(dctx, td, &t))
+ goto err;
+
+ /* Check generation is now OK */
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
+ td->adin, td->adinlen))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ /* Request too much data for one request */
+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
+ td->adin, td->adinlen)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Try too large additional input */
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
+ td->adin, dctx->max_adin + 1)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Check prediction resistance request fails if entropy source
+ * failure.
+ */
+
+ t.entlen = 0;
+
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
+ td->adin, td->adinlen)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Instantiate again with valid data */
+
+ if (!do_drbg_instantiate(dctx, td, &t))
+ goto err;
+ /* Test reseed counter works */
+ /* Save initial reseed counter */
+ reseed_counter_tmp = dctx->reseed_counter;
+ /* Set reseed counter to beyond interval */
+ dctx->reseed_counter = dctx->reseed_interval;
+
+ /* Generate output and check entropy has been requested for reseed */
+ t.entcnt = 0;
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
+ td->adin, td->adinlen))
+ goto err;
+ if (t.entcnt != 1) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
+ goto err;
+ }
+ /* Check reseed counter has been reset */
+ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Check prediction resistance request fails if entropy source
+ * failure.
+ */
+
+ t.entlen = 0;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
+ td->adin, td->adinlen)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ if (!do_drbg_instantiate(dctx, td, &t))
+ goto err;
+ /* Test reseed counter works */
+ /* Save initial reseed counter */
+ reseed_counter_tmp = dctx->reseed_counter;
+ /* Set reseed counter to beyond interval */
+ dctx->reseed_counter = dctx->reseed_interval;
+
+ /* Generate output and check entropy has been requested for reseed */
+ t.entcnt = 0;
+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
+ td->adin, td->adinlen))
+ goto err;
+ if (t.entcnt != 1) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
+ goto err;
+ }
+ /* Check reseed counter has been reset */
+ if (dctx->reseed_counter != reseed_counter_tmp + 1) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
+ goto err;
+ }
+
+ dctx->iflags &= ~DRBG_FLAG_NOERR;
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Explicit reseed tests */
+
+ /* Test explicit reseed with too large additional input */
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ /* Test explicit reseed with entropy source failure */
+
+ t.entlen = 0;
+
+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Test explicit reseed with too much entropy */
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ t.entlen = dctx->max_entropy + 1;
+
+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ /* Test explicit reseed with too little entropy */
+
+ if (!do_drbg_init(dctx, td, &t))
+ goto err;
+
+ dctx->iflags |= DRBG_FLAG_NOERR;
+
+ t.entlen = dctx->min_entropy - 1;
+
+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_ENTROPY_ERROR_UNDETECTED);
+ goto err;
+ }
+
+ if (!FIPS_drbg_uninstantiate(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
+ goto err;
+ }
+
+ p = (unsigned char *)&dctx->d;
+ /* Standard says we have to check uninstantiate really zeroes
+ * the data...
+ */
+ for (i = 0; i < sizeof(dctx->d); i++) {
+ if (*p != 0) {
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
+ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
+ goto err;
+ }
+ p++;
+ }
+
+ return 1;
+
+ err:
+ /* A real error as opposed to an induced one: underlying function will
+ * indicate the error.
+ */
+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
+ FIPS_drbg_uninstantiate(dctx);
+ return 0;
+
+}
+
+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
+{
+ DRBG_SELFTEST_DATA *td;
+ flags |= DRBG_FLAG_TEST;
+ for (td = drbg_test; td->nid != 0; td++) {
+ if (td->nid == nid && td->flags == flags) {
+ if (!fips_drbg_single_kat(dctx, td, 0))
+ return 0;
+ return fips_drbg_error_check(dctx, td);
+ }
+ }
+ return 0;
+}
+
+int FIPS_drbg_health_check(DRBG_CTX *dctx)
+{
+ int rv;
+ DRBG_CTX *tctx = NULL;
+ tctx = FIPS_drbg_new(0, 0);
+ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
+ if (!tctx)
+ return 0;
+ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
+ if (tctx)
+ FIPS_drbg_free(tctx);
+ if (rv)
+ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
+ else
+ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
+ if (!rv)
+ dctx->status = DRBG_STATUS_ERROR;
+ else
+ dctx->health_check_cnt = 0;
+ return rv;
+}
+
+int FIPS_selftest_drbg(void)
+{
+ DRBG_CTX *dctx;
+ DRBG_SELFTEST_DATA *td;
+ int rv = 1;
+ dctx = FIPS_drbg_new(0, 0);
+ if (!dctx)
+ return 0;
+ for (td = drbg_test; td->nid != 0; td++) {
+ if (td->post != 1)
+ continue;
+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
+ return 1;
+ if (!fips_drbg_single_kat(dctx, td, 1)) {
+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
+ rv = 0;
+ continue;
+ }
+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
+ return 0;
+ }
+ FIPS_drbg_free(dctx);
+ return rv;
+}
+
+int FIPS_selftest_drbg_all(void)
+{
+ DRBG_CTX *dctx;
+ DRBG_SELFTEST_DATA *td;
+ int rv = 1;
+ dctx = FIPS_drbg_new(0, 0);
+ if (!dctx)
+ return 0;
+ for (td = drbg_test; td->nid != 0; td++) {
+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
+ return 1;
+ if (!fips_drbg_single_kat(dctx, td, 0)) {
+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
+ rv = 0;
+ continue;
+ }
+ if (!fips_drbg_error_check(dctx, td)) {
+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
+ rv = 0;
+ continue;
+ }
+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
+ return 0;
+ }
+ FIPS_drbg_free(dctx);
+ return rv;
+}
Index: openssl-1.1.1n/crypto/fips/fips_drbg_selftest.h
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_drbg_selftest.h
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,1791 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/* Selftest and health check data for the SP800-90 DRBG */
+
+#define __fips_constseg
+
+/* AES-128 use df PR */
+__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = {
+ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
+ 0xc8, 0xdb, 0xff, 0x12
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = {
+ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
+ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
+ 0xd7, 0xd7, 0x01, 0x67
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_additionalinput[] = {
+ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
+ 0x9a, 0x47, 0x08, 0x76
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
+ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
+ 0x09, 0xfb, 0xa3, 0xb6
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
+ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
+ 0x66, 0x1c, 0xea, 0x5b
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
+ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
+ 0x3f, 0x5e, 0x31, 0x06
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
+ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
+ 0xa7, 0xe3, 0xa8, 0x67
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = {
+ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
+ 0x0f, 0x38, 0x43, 0xc6
+};
+
+/* AES-128 use df No PR */
+__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = {
+ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
+ 0x9d, 0x7d, 0x1c, 0x9b
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_nonce[] = {
+ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_personalizationstring[] = {
+ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
+ 0x38, 0x66, 0xba, 0x1b
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = {
+ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
+ 0xb5, 0xe2, 0xb2, 0x41
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = {
+ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
+ 0xe7, 0x57, 0x11, 0xb4
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_entropyinputreseed[] = {
+ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
+ 0xc7, 0xc4, 0x9e, 0x39
+};
+
+__fips_constseg
+ static const unsigned char aes_128_use_df_additionalinputreseed[] = {
+ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
+ 0xc8, 0x93, 0xfa, 0x84
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = {
+ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
+ 0x06, 0x0c, 0x15, 0x2c
+};
+
+__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = {
+ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
+ 0x46, 0x81, 0xc7, 0x19
+};
+
+/* AES-192 use df PR */
+__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = {
+ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
+ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = {
+ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
+ 0xd1, 0x80, 0x78, 0xfa
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
+ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
+ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
+ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_additionalinput[] = {
+ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
+ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
+ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
+ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
+ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
+ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
+ 0x19, 0x30, 0x6b, 0x67
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
+ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
+ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
+ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
+ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
+ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = {
+ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
+ 0x7e, 0x1a, 0x2b, 0x83
+};
+
+/* AES-192 use df No PR */
+__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = {
+ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
+ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_nonce[] = {
+ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
+ 0x77, 0xd7, 0x41, 0x0e
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_personalizationstring[] = {
+ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
+ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
+ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = {
+ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
+ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
+ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = {
+ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
+ 0xb7, 0xed, 0xe9, 0xea
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_entropyinputreseed[] = {
+ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
+ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01
+};
+
+__fips_constseg
+ static const unsigned char aes_192_use_df_additionalinputreseed[] = {
+ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
+ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
+ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = {
+ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
+ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
+ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
+};
+
+__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = {
+ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
+ 0x1a, 0xf9, 0x13, 0x28
+};
+
+/* AES-256 use df PR */
+__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = {
+ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
+ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
+ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = {
+ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
+ 0x2b, 0x36, 0xff, 0xa4
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
+ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
+ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
+ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_additionalinput[] = {
+ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
+ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
+ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
+ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
+ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
+ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
+ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
+ 0x17, 0xab, 0x3c, 0x7a
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
+ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
+ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
+ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
+ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
+ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
+ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = {
+ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
+ 0xd9, 0xe2, 0x97, 0x00
+};
+
+/* AES-256 use df No PR */
+__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = {
+ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
+ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
+ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_nonce[] = {
+ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
+ 0x4c, 0x44, 0x84, 0x40
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_personalizationstring[] = {
+ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
+ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
+ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = {
+ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
+ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
+ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = {
+ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
+ 0x28, 0x0c, 0x3b, 0xc1
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_entropyinputreseed[] = {
+ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
+ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
+ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
+};
+
+__fips_constseg
+ static const unsigned char aes_256_use_df_additionalinputreseed[] = {
+ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
+ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
+ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = {
+ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
+ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
+ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
+};
+
+__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = {
+ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
+ 0xfa, 0xfd, 0x35, 0x5e
+};
+
+/* AES-128 no df PR */
+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = {
+ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
+ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
+ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = {
+ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
+ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
+ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
+ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_pr_additionalinput[] = {
+ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
+ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
+ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
+ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
+ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
+ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
+ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
+ 0xaf, 0x19, 0x32, 0x16
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
+ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
+ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
+ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
+ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
+ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
+ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = {
+ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
+ 0x57, 0x82, 0x33, 0xaf
+};
+
+/* AES-128 no df No PR */
+__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = {
+ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
+ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
+ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_nonce[] = {
+ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_personalizationstring[] = {
+ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
+ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
+ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = {
+ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
+ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
+ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = {
+ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
+ 0xed, 0x3e, 0x65, 0xc2
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_entropyinputreseed[] = {
+ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
+ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
+ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
+};
+
+__fips_constseg
+ static const unsigned char aes_128_no_df_additionalinputreseed[] = {
+ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
+ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
+ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = {
+ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
+ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
+ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
+};
+
+__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = {
+ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
+ 0x81, 0x37, 0x19, 0xd4
+};
+
+/* AES-192 no df PR */
+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = {
+ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
+ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
+ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
+ 0x17, 0x1f, 0x8d, 0x9a
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = {
+ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
+ 0x61, 0x5c, 0xee, 0x0f
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
+ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
+ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
+ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
+ 0x57, 0x2e, 0xe7, 0x55
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_pr_additionalinput[] = {
+ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
+ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
+ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
+ 0xe2, 0xd0, 0x0c, 0x2f
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
+ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
+ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
+ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
+ 0x1d, 0x30, 0xb3, 0x78
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
+ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
+ 0x7e, 0x3e, 0x0c, 0x26
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
+ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
+ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
+ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
+ 0x0c, 0x4b, 0xee, 0x6e
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
+ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
+ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
+ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
+ 0x8e, 0x0a, 0x83, 0xdf
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = {
+ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
+ 0xb9, 0xa1, 0x21, 0x68
+};
+
+/* AES-192 no df No PR */
+__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = {
+ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
+ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
+ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
+ 0x94, 0xc3, 0x59, 0x63
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_nonce[] = {
+ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
+ 0x29, 0xfd, 0x45, 0x71
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_personalizationstring[] = {
+ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
+ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
+ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
+ 0x3b, 0x88, 0xce, 0x35
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = {
+ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
+ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
+ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
+ 0x3e, 0xbe, 0xd4, 0x8e
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = {
+ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
+ 0x45, 0xe7, 0x4a, 0xc5
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_entropyinputreseed[] = {
+ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
+ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
+ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
+ 0x9b, 0xcb, 0x7e, 0x75
+};
+
+__fips_constseg
+ static const unsigned char aes_192_no_df_additionalinputreseed[] = {
+ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
+ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
+ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
+ 0x5d, 0x7a, 0x25, 0x79
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = {
+ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
+ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
+ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
+ 0x91, 0x6a, 0xe3, 0x5f
+};
+
+__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = {
+ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
+ 0x66, 0x67, 0x2c, 0x92
+};
+
+/* AES-256 no df PR */
+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = {
+ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
+ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
+ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
+ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = {
+ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
+ 0xcc, 0x4b, 0xee, 0x2e
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
+ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
+ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
+ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
+ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_pr_additionalinput[] = {
+ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
+ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
+ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
+ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
+ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
+ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
+ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
+ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
+ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
+ 0x79, 0x60, 0x93, 0xcf
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
+ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
+ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
+ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
+ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
+ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
+ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
+ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
+ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = {
+ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
+ 0x2d, 0x5f, 0x4a, 0x46
+};
+
+/* AES-256 no df No PR */
+__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = {
+ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
+ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
+ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
+ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_nonce[] = {
+ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
+ 0x43, 0x96, 0xb9, 0xf0
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_personalizationstring[] = {
+ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
+ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
+ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
+ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = {
+ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
+ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
+ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
+ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = {
+ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
+ 0xd2, 0x25, 0x75, 0x0e
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_entropyinputreseed[] = {
+ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
+ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
+ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
+ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb
+};
+
+__fips_constseg
+ static const unsigned char aes_256_no_df_additionalinputreseed[] = {
+ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
+ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
+ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
+ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = {
+ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
+ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
+ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
+ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6
+};
+
+__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = {
+ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
+ 0xf6, 0x02, 0x32, 0xe2
+};
+
+/* SHA-1 PR */
+__fips_constseg static const unsigned char sha1_pr_entropyinput[] = {
+ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2,
+ 0x31, 0xa5, 0x91, 0x13
+};
+
+__fips_constseg static const unsigned char sha1_pr_nonce[] = {
+ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3
+};
+
+__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = {
+ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60,
+ 0xda, 0xea, 0x77, 0x52
+};
+
+__fips_constseg static const unsigned char sha1_pr_additionalinput[] = {
+ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22,
+ 0x6a, 0x51, 0xe3, 0xf8
+};
+
+__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = {
+ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9,
+ 0xcb, 0xa9, 0x36, 0x7a
+};
+
+__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = {
+ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e,
+ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35
+};
+
+__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = {
+ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99,
+ 0x16, 0x03, 0x19, 0x47
+};
+
+__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = {
+ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2,
+ 0xae, 0xcd, 0x8c, 0xc4
+};
+
+__fips_constseg static const unsigned char sha1_pr_returnedbits[] = {
+ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6,
+ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87
+};
+
+/* SHA-1 No PR */
+__fips_constseg static const unsigned char sha1_entropyinput[] = {
+ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9,
+ 0xe2, 0x7f, 0x4c, 0x7b
+};
+
+__fips_constseg static const unsigned char sha1_nonce[] = {
+ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14
+};
+
+__fips_constseg static const unsigned char sha1_personalizationstring[] = {
+ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76,
+ 0x28, 0xec, 0x6d, 0xca
+};
+
+__fips_constseg static const unsigned char sha1_additionalinput[] = {
+ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35,
+ 0xc0, 0x72, 0xca, 0x28
+};
+
+__fips_constseg static const unsigned char sha1_int_returnedbits[] = {
+ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72,
+ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea
+};
+
+__fips_constseg static const unsigned char sha1_entropyinputreseed[] = {
+ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96,
+ 0xd6, 0x99, 0x27, 0xed
+};
+
+__fips_constseg static const unsigned char sha1_additionalinputreseed[] = {
+ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda,
+ 0x84, 0x3d, 0xd4, 0xc0
+};
+
+__fips_constseg static const unsigned char sha1_additionalinput2[] = {
+ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e,
+ 0x52, 0x65, 0xcd, 0x96
+};
+
+__fips_constseg static const unsigned char sha1_returnedbits[] = {
+ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce,
+ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7
+};
+
+/* SHA-224 PR */
+__fips_constseg static const unsigned char sha224_pr_entropyinput[] = {
+ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75,
+ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9
+};
+
+__fips_constseg static const unsigned char sha224_pr_nonce[] = {
+ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71
+};
+
+__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = {
+ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0,
+ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae
+};
+
+__fips_constseg static const unsigned char sha224_pr_additionalinput[] = {
+ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88,
+ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50
+};
+
+__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = {
+ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1,
+ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1
+};
+
+__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = {
+ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a,
+ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1,
+ 0x54, 0x60, 0xee, 0x6a
+};
+
+__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = {
+ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52,
+ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60
+};
+
+__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = {
+ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77,
+ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11
+};
+
+__fips_constseg static const unsigned char sha224_pr_returnedbits[] = {
+ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20,
+ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e,
+ 0xdd, 0x11, 0x4c, 0xc4
+};
+
+/* SHA-224 No PR */
+__fips_constseg static const unsigned char sha224_entropyinput[] = {
+ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29,
+ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb
+};
+
+__fips_constseg static const unsigned char sha224_nonce[] = {
+ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0
+};
+
+__fips_constseg static const unsigned char sha224_personalizationstring[] = {
+ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda,
+ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c
+};
+
+__fips_constseg static const unsigned char sha224_additionalinput[] = {
+ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00,
+ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f
+};
+
+__fips_constseg static const unsigned char sha224_int_returnedbits[] = {
+ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa,
+ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20,
+ 0x55, 0x22, 0x9a, 0xad
+};
+
+__fips_constseg static const unsigned char sha224_entropyinputreseed[] = {
+ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5,
+ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17
+};
+
+__fips_constseg static const unsigned char sha224_additionalinputreseed[] = {
+ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6,
+ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19
+};
+
+__fips_constseg static const unsigned char sha224_additionalinput2[] = {
+ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d,
+ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6
+};
+
+__fips_constseg static const unsigned char sha224_returnedbits[] = {
+ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b,
+ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a,
+ 0x3b, 0xa7, 0x5c, 0x93
+};
+
+/* SHA-256 PR */
+__fips_constseg static const unsigned char sha256_pr_entropyinput[] = {
+ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4,
+ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb,
+ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe
+};
+
+__fips_constseg static const unsigned char sha256_pr_nonce[] = {
+ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d,
+ 0x2b, 0x91, 0x4d, 0x38
+};
+
+__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = {
+ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56,
+ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48,
+ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba
+};
+
+__fips_constseg static const unsigned char sha256_pr_additionalinput[] = {
+ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac,
+ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5,
+ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f
+};
+
+__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = {
+ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8,
+ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94,
+ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78
+};
+
+__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = {
+ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2,
+ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7,
+ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76
+};
+
+__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = {
+ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b,
+ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43,
+ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09
+};
+
+__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = {
+ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2,
+ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d,
+ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86
+};
+
+__fips_constseg static const unsigned char sha256_pr_returnedbits[] = {
+ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3,
+ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64,
+ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2
+};
+
+/* SHA-256 No PR */
+__fips_constseg static const unsigned char sha256_entropyinput[] = {
+ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5,
+ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7,
+ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c
+};
+
+__fips_constseg static const unsigned char sha256_nonce[] = {
+ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5,
+ 0x5d, 0x6f, 0x6d, 0x35
+};
+
+__fips_constseg static const unsigned char sha256_personalizationstring[] = {
+ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde,
+ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20,
+ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c
+};
+
+__fips_constseg static const unsigned char sha256_additionalinput[] = {
+ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4,
+ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a,
+ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87
+};
+
+__fips_constseg static const unsigned char sha256_int_returnedbits[] = {
+ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1,
+ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e,
+ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76
+};
+
+__fips_constseg static const unsigned char sha256_entropyinputreseed[] = {
+ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d,
+ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34,
+ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d
+};
+
+__fips_constseg static const unsigned char sha256_additionalinputreseed[] = {
+ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda,
+ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac,
+ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8
+};
+
+__fips_constseg static const unsigned char sha256_additionalinput2[] = {
+ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15,
+ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3,
+ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda
+};
+
+__fips_constseg static const unsigned char sha256_returnedbits[] = {
+ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d,
+ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd,
+ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3
+};
+
+/* SHA-384 PR */
+__fips_constseg static const unsigned char sha384_pr_entropyinput[] = {
+ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24,
+ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55,
+ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e
+};
+
+__fips_constseg static const unsigned char sha384_pr_nonce[] = {
+ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd,
+ 0x38, 0x3e, 0x2e, 0x56
+};
+
+__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = {
+ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96,
+ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d,
+ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3
+};
+
+__fips_constseg static const unsigned char sha384_pr_additionalinput[] = {
+ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39,
+ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06,
+ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e
+};
+
+__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = {
+ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64,
+ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc,
+ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d
+};
+
+__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = {
+ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f,
+ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45,
+ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b,
+ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf
+};
+
+__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = {
+ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2,
+ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03,
+ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18
+};
+
+__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = {
+ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7,
+ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90,
+ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81
+};
+
+__fips_constseg static const unsigned char sha384_pr_returnedbits[] = {
+ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb,
+ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12,
+ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53,
+ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66
+};
+
+/* SHA-384 No PR */
+__fips_constseg static const unsigned char sha384_entropyinput[] = {
+ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69,
+ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d,
+ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4
+};
+
+__fips_constseg static const unsigned char sha384_nonce[] = {
+ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77,
+ 0x44, 0xaf, 0x2f, 0x09
+};
+
+__fips_constseg static const unsigned char sha384_personalizationstring[] = {
+ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb,
+ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca,
+ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1
+};
+
+__fips_constseg static const unsigned char sha384_additionalinput[] = {
+ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb,
+ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02,
+ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48
+};
+
+__fips_constseg static const unsigned char sha384_int_returnedbits[] = {
+ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04,
+ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63,
+ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa,
+ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a
+};
+
+__fips_constseg static const unsigned char sha384_entropyinputreseed[] = {
+ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2,
+ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27,
+ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c
+};
+
+__fips_constseg static const unsigned char sha384_additionalinputreseed[] = {
+ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f,
+ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e,
+ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22
+};
+
+__fips_constseg static const unsigned char sha384_additionalinput2[] = {
+ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea,
+ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2,
+ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94
+};
+
+__fips_constseg static const unsigned char sha384_returnedbits[] = {
+ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd,
+ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9,
+ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54,
+ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7
+};
+
+/* SHA-512 PR */
+__fips_constseg static const unsigned char sha512_pr_entropyinput[] = {
+ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f,
+ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2,
+ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28
+};
+
+__fips_constseg static const unsigned char sha512_pr_nonce[] = {
+ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67,
+ 0x88, 0xc7, 0xa2, 0xc4
+};
+
+__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = {
+ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff,
+ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07,
+ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b
+};
+
+__fips_constseg static const unsigned char sha512_pr_additionalinput[] = {
+ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce,
+ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22,
+ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d
+};
+
+__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = {
+ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80,
+ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e,
+ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08
+};
+
+__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = {
+ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50,
+ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae,
+ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5,
+ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95,
+ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53,
+ 0xe2, 0xc6, 0x8b, 0xc3
+};
+
+__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = {
+ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4,
+ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40,
+ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61
+};
+
+__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = {
+ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5,
+ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34,
+ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99
+};
+
+__fips_constseg static const unsigned char sha512_pr_returnedbits[] = {
+ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51,
+ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93,
+ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80,
+ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7,
+ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd,
+ 0x67, 0xf7, 0x68, 0xdd
+};
+
+/* SHA-512 No PR */
+__fips_constseg static const unsigned char sha512_entropyinput[] = {
+ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17,
+ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56,
+ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd
+};
+
+__fips_constseg static const unsigned char sha512_nonce[] = {
+ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31,
+ 0x5a, 0x64, 0xf0, 0xf7
+};
+
+__fips_constseg static const unsigned char sha512_personalizationstring[] = {
+ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7,
+ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b,
+ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0
+};
+
+__fips_constseg static const unsigned char sha512_additionalinput[] = {
+ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad,
+ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97,
+ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34
+};
+
+__fips_constseg static const unsigned char sha512_int_returnedbits[] = {
+ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd,
+ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9,
+ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56,
+ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19,
+ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04,
+ 0x28, 0xd4, 0x39, 0x9a
+};
+
+__fips_constseg static const unsigned char sha512_entropyinputreseed[] = {
+ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49,
+ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82,
+ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee
+};
+
+__fips_constseg static const unsigned char sha512_additionalinputreseed[] = {
+ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29,
+ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6,
+ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20
+};
+
+__fips_constseg static const unsigned char sha512_additionalinput2[] = {
+ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85,
+ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42,
+ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92
+};
+
+__fips_constseg static const unsigned char sha512_returnedbits[] = {
+ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27,
+ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32,
+ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b,
+ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63,
+ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2,
+ 0x68, 0xde, 0x42, 0xb5
+};
+
+/* HMAC SHA-1 PR */
+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = {
+ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc,
+ 0x2c, 0x18, 0x17, 0x1b
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = {
+ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha1_pr_personalizationstring[] = {
+ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85,
+ 0x80, 0xe2, 0x7f, 0x2a
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = {
+ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f,
+ 0xd7, 0xbb, 0x42, 0x09
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = {
+ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63,
+ 0x23, 0x87, 0x2a, 0xed
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = {
+ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f,
+ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = {
+ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58,
+ 0xa0, 0x4b, 0x93, 0x6e
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = {
+ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c,
+ 0x0f, 0xff, 0x2e, 0xaf
+};
+
+__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = {
+ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16,
+ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8
+};
+
+/* HMAC SHA-1 No PR */
+__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = {
+ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40,
+ 0x17, 0xfe, 0x47, 0x70
+};
+
+__fips_constseg static const unsigned char hmac_sha1_nonce[] = {
+ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25
+};
+
+__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = {
+ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00,
+ 0x72, 0xf7, 0xd3, 0x5e
+};
+
+__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = {
+ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb,
+ 0xbb, 0xe3, 0xaa, 0xea
+};
+
+__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = {
+ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11,
+ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1
+};
+
+__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = {
+ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f,
+ 0x86, 0x52, 0x6d, 0x9c
+};
+
+__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = {
+ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92,
+ 0x79, 0xc5, 0x82, 0x28
+};
+
+__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = {
+ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3,
+ 0x8a, 0xca, 0xa4, 0x7f
+};
+
+__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = {
+ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d,
+ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0
+};
+
+/* HMAC SHA-224 PR */
+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = {
+ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07,
+ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = {
+ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha224_pr_personalizationstring[] = {
+ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed,
+ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = {
+ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21,
+ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = {
+ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad,
+ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = {
+ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38,
+ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13,
+ 0x41, 0xfe, 0x99, 0xf2
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = {
+ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17,
+ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = {
+ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f,
+ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0
+};
+
+__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = {
+ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7,
+ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03,
+ 0x6d, 0xd8, 0x9e, 0x72
+};
+
+/* HMAC SHA-224 No PR */
+__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = {
+ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54,
+ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d
+};
+
+__fips_constseg static const unsigned char hmac_sha224_nonce[] = {
+ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha224_personalizationstring[] = {
+ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b,
+ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37
+};
+
+__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = {
+ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6,
+ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7
+};
+
+__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = {
+ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42,
+ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c,
+ 0xcd, 0xd6, 0xa9, 0xcc
+};
+
+__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = {
+ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95,
+ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha224_additionalinputreseed[] = {
+ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20,
+ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23
+};
+
+__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = {
+ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3,
+ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96
+};
+
+__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = {
+ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85,
+ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e,
+ 0x45, 0x84, 0xa8, 0x94
+};
+
+/* HMAC SHA-256 PR */
+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = {
+ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea,
+ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca,
+ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = {
+ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15,
+ 0xaa, 0xd3, 0x30, 0x9a
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha256_pr_personalizationstring[] = {
+ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24,
+ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d,
+ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = {
+ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9,
+ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18,
+ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = {
+ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79,
+ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36,
+ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = {
+ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2,
+ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef,
+ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = {
+ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8,
+ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e,
+ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = {
+ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a,
+ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74,
+ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91
+};
+
+__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = {
+ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0,
+ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91,
+ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e
+};
+
+/* HMAC SHA-256 No PR */
+__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = {
+ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35,
+ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d,
+ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc
+};
+
+__fips_constseg static const unsigned char hmac_sha256_nonce[] = {
+ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e,
+ 0xc7, 0xfc, 0xc2, 0x01
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha256_personalizationstring[] = {
+ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7,
+ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65,
+ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32
+};
+
+__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = {
+ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c,
+ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda,
+ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27
+};
+
+__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = {
+ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d,
+ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25,
+ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90
+};
+
+__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = {
+ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7,
+ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9,
+ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha256_additionalinputreseed[] = {
+ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3,
+ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3,
+ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e
+};
+
+__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = {
+ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f,
+ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8,
+ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d
+};
+
+__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = {
+ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3,
+ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26,
+ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0
+};
+
+/* HMAC SHA-384 PR */
+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = {
+ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5,
+ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1,
+ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = {
+ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59,
+ 0xee, 0x16, 0xc9, 0xde
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha384_pr_personalizationstring[] = {
+ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4,
+ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47,
+ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = {
+ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f,
+ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda,
+ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = {
+ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0,
+ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56,
+ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = {
+ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6,
+ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6,
+ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd,
+ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = {
+ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2,
+ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff,
+ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = {
+ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1,
+ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94,
+ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87
+};
+
+__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = {
+ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76,
+ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b,
+ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d,
+ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75
+};
+
+/* HMAC SHA-384 No PR */
+__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = {
+ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3,
+ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1,
+ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f
+};
+
+__fips_constseg static const unsigned char hmac_sha384_nonce[] = {
+ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1,
+ 0x38, 0xe3, 0xeb, 0x62
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha384_personalizationstring[] = {
+ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5,
+ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62,
+ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77
+};
+
+__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = {
+ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81,
+ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58,
+ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce
+};
+
+__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = {
+ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31,
+ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b,
+ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b,
+ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b
+};
+
+__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = {
+ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48,
+ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9,
+ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha384_additionalinputreseed[] = {
+ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c,
+ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92,
+ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63
+};
+
+__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = {
+ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf,
+ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d,
+ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32
+};
+
+__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = {
+ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19,
+ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed,
+ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74,
+ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb
+};
+
+/* HMAC SHA-512 PR */
+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = {
+ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b,
+ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba,
+ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = {
+ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b,
+ 0x86, 0xea, 0xaf, 0xa2
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha512_pr_personalizationstring[] = {
+ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24,
+ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02,
+ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = {
+ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92,
+ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c,
+ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = {
+ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc,
+ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03,
+ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = {
+ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56,
+ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c,
+ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd,
+ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50,
+ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35,
+ 0x05, 0x17, 0xbe, 0x0d
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = {
+ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08,
+ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c,
+ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = {
+ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71,
+ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe,
+ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7
+};
+
+__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = {
+ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35,
+ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21,
+ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4,
+ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3,
+ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00,
+ 0xb6, 0xaf, 0xbc, 0xd3
+};
+
+/* HMAC SHA-512 No PR */
+__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = {
+ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa,
+ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe,
+ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95
+};
+
+__fips_constseg static const unsigned char hmac_sha512_nonce[] = {
+ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e,
+ 0xd9, 0xaf, 0x43, 0x3c
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha512_personalizationstring[] = {
+ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f,
+ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01,
+ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20
+};
+
+__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = {
+ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5,
+ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d,
+ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73
+};
+
+__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = {
+ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90,
+ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18,
+ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b,
+ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34,
+ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1,
+ 0xb1, 0x57, 0x69, 0xe8
+};
+
+__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = {
+ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41,
+ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca,
+ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73
+};
+
+__fips_constseg
+ static const unsigned char hmac_sha512_additionalinputreseed[] = {
+ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a,
+ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86,
+ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c
+};
+
+__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = {
+ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5,
+ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb,
+ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48
+};
+
+__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = {
+ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f,
+ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a,
+ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25,
+ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d,
+ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
+ 0xc2, 0xd6, 0xfd, 0xa5
+};
Index: openssl-1.1.1n/crypto/fips/fips_dsa_selftest.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_dsa_selftest.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,195 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/dsa.h>
+#include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+#include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
+
+static const unsigned char dsa_test_2048_p[] = {
+ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
+ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
+ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59,
+ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6,
+ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3,
+ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52,
+ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7,
+ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a,
+ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1,
+ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03,
+ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40,
+ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34,
+ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e,
+ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b,
+ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1,
+ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7,
+ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6,
+ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57,
+ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54,
+ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a,
+ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7,
+ 0xdb, 0xa0, 0x69, 0xe9
+};
+
+static const unsigned char dsa_test_2048_q[] = {
+ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a,
+ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56,
+ 0x74, 0x41, 0xa0, 0xa5
+};
+
+static const unsigned char dsa_test_2048_g[] = {
+ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5,
+ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8,
+ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19,
+ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba,
+ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b,
+ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a,
+ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53,
+ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b,
+ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5,
+ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a,
+ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e,
+ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23,
+ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96,
+ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7,
+ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16,
+ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a,
+ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f,
+ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95,
+ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69,
+ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e,
+ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91,
+ 0xb3, 0xc2, 0xa9, 0x66
+};
+
+static const unsigned char dsa_test_2048_pub_key[] = {
+ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60,
+ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb,
+ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64,
+ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44,
+ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c,
+ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c,
+ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2,
+ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c,
+ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71,
+ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c,
+ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99,
+ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75,
+ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e,
+ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc,
+ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf,
+ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90,
+ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d,
+ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d,
+ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07,
+ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3,
+ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93,
+ 0xf7, 0xda, 0xb1, 0x4f
+};
+
+static const unsigned char dsa_test_2048_priv_key[] = {
+ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91,
+ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00,
+ 0xec, 0x55, 0xf6, 0xcc
+};
+
+int FIPS_selftest_dsa()
+{
+ DSA *dsa = NULL;
+ EVP_PKEY *pk = NULL;
+ int ret = -1;
+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL;
+
+ fips_load_key_component(p, dsa_test_2048);
+ fips_load_key_component(q, dsa_test_2048);
+ fips_load_key_component(g, dsa_test_2048);
+ fips_load_key_component(pub_key, dsa_test_2048);
+ fips_load_key_component(priv_key, dsa_test_2048);
+
+ dsa = DSA_new();
+
+ if (dsa == NULL)
+ goto err;
+
+ DSA_set0_pqg(dsa, p, q, g);
+
+ DSA_set0_key(dsa, pub_key, priv_key);
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_assign_DSA(pk, dsa);
+
+ if (!fips_pkey_signature_test(pk, NULL, 0,
+ NULL, 0, EVP_sha256(), 0, "DSA SHA256"))
+ goto err;
+ ret = 1;
+
+ err:
+ if (pk)
+ EVP_PKEY_free(pk);
+ else if (dsa)
+ DSA_free(dsa);
+ else {
+ BN_free(p);
+ BN_free(q);
+ BN_free(g);
+ BN_free(pub_key);
+ BN_free(priv_key);
+ }
+ return ret;
+}
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_ecdh_selftest.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_ecdh_selftest.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,242 @@
+/* fips/ecdh/fips_ecdh_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2011.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#define OPENSSL_FIPSAPI
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+#include <openssl/fips.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+
+#ifdef OPENSSL_FIPS
+
+# include "fips_locl.h"
+
+static const unsigned char p256_qcavsx[] = {
+ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62,
+ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13,
+ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50
+};
+
+static const unsigned char p256_qcavsy[] = {
+ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f,
+ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf,
+ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e
+};
+
+static const unsigned char p256_qiutx[] = {
+ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c,
+ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1,
+ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f
+};
+
+static const unsigned char p256_qiuty[] = {
+ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae,
+ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75,
+ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8
+};
+
+static const unsigned char p256_qiutd[] = {
+ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3,
+ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc,
+ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8
+};
+
+static const unsigned char p256_ziut[] = {
+ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a,
+ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77,
+ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f
+};
+
+typedef struct {
+ int curve;
+ const unsigned char *x1;
+ size_t x1len;
+ const unsigned char *y1;
+ size_t y1len;
+ const unsigned char *d1;
+ size_t d1len;
+ const unsigned char *x2;
+ size_t x2len;
+ const unsigned char *y2;
+ size_t y2len;
+ const unsigned char *z;
+ size_t zlen;
+} ECDH_SELFTEST_DATA;
+
+# define make_ecdh_test(nid, pr) { nid, \
+ pr##_qiutx, sizeof(pr##_qiutx), \
+ pr##_qiuty, sizeof(pr##_qiuty), \
+ pr##_qiutd, sizeof(pr##_qiutd), \
+ pr##_qcavsx, sizeof(pr##_qcavsx), \
+ pr##_qcavsy, sizeof(pr##_qcavsy), \
+ pr##_ziut, sizeof(pr##_ziut) }
+
+static ECDH_SELFTEST_DATA test_ecdh_data[] = {
+ make_ecdh_test(NID_X9_62_prime256v1, p256),
+};
+
+int FIPS_selftest_ecdh(void)
+{
+ EC_KEY *ec1 = NULL, *ec2 = NULL;
+ const EC_POINT *ecp = NULL;
+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
+ unsigned char *ztmp = NULL;
+ int rv = 1;
+ size_t i;
+
+ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {
+ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
+ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
+ continue;
+ ztmp = OPENSSL_malloc(ecd->zlen);
+
+ x = BN_bin2bn(ecd->x1, ecd->x1len, x);
+ y = BN_bin2bn(ecd->y1, ecd->y1len, y);
+ d = BN_bin2bn(ecd->d1, ecd->d1len, d);
+
+ if (!x || !y || !d || !ztmp) {
+ rv = -1;
+ goto err;
+ }
+
+ ec1 = EC_KEY_new_by_curve_name(ecd->curve);
+ if (!ec1) {
+ rv = -1;
+ goto err;
+ }
+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
+
+ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
+ rv = -1;
+ goto err;
+ }
+
+ if (!EC_KEY_set_private_key(ec1, d)) {
+ rv = -1;
+ goto err;
+ }
+
+ x = BN_bin2bn(ecd->x2, ecd->x2len, x);
+ y = BN_bin2bn(ecd->y2, ecd->y2len, y);
+
+ if (!x || !y) {
+ rv = -1;
+ goto err;
+ }
+
+ ec2 = EC_KEY_new_by_curve_name(ecd->curve);
+ if (!ec2) {
+ rv = -1;
+ goto err;
+ }
+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
+
+ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
+ rv = -1;
+ goto err;
+ }
+
+ ecp = EC_KEY_get0_public_key(ec2);
+ if (!ecp) {
+ rv = -1;
+ goto err;
+ }
+
+ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
+ rv = -1;
+ goto err;
+ }
+
+ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
+ ztmp[0] ^= 0x1;
+
+ if (memcmp(ztmp, ecd->z, ecd->zlen)) {
+ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
+ rv = 0;
+ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
+ goto err;
+
+ EC_KEY_free(ec1);
+ ec1 = NULL;
+ EC_KEY_free(ec2);
+ ec2 = NULL;
+ OPENSSL_free(ztmp);
+ ztmp = NULL;
+ }
+
+ err:
+
+ if (x)
+ BN_clear_free(x);
+ if (y)
+ BN_clear_free(y);
+ if (d)
+ BN_clear_free(d);
+ if (ec1)
+ EC_KEY_free(ec1);
+ if (ec2)
+ EC_KEY_free(ec2);
+ if (ztmp)
+ OPENSSL_free(ztmp);
+
+ return rv;
+
+}
+
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_ecdsa_selftest.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_ecdsa_selftest.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,166 @@
+/* fips/ecdsa/fips_ecdsa_selftest.c */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2011.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#define OPENSSL_FIPSAPI
+
+#include <string.h>
+#include <openssl/crypto.h>
+#include <openssl/ec.h>
+#include <openssl/ecdsa.h>
+#include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+#include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+
+#ifdef OPENSSL_FIPS
+
+static const char P_256_name[] = "ECDSA P-256";
+
+static const unsigned char P_256_d[] = {
+ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f,
+ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87,
+ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64
+};
+
+static const unsigned char P_256_qx[] = {
+ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e,
+ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31,
+ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07
+};
+
+static const unsigned char P_256_qy[] = {
+ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b,
+ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e,
+ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb
+};
+
+typedef struct {
+ int curve;
+ const char *name;
+ const unsigned char *x;
+ size_t xlen;
+ const unsigned char *y;
+ size_t ylen;
+ const unsigned char *d;
+ size_t dlen;
+} EC_SELFTEST_DATA;
+
+# define make_ecdsa_test(nid, pr) { nid, pr##_name, \
+ pr##_qx, sizeof(pr##_qx), \
+ pr##_qy, sizeof(pr##_qy), \
+ pr##_d, sizeof(pr##_d)}
+
+static EC_SELFTEST_DATA test_ec_data[] = {
+ make_ecdsa_test(NID_X9_62_prime256v1, P_256),
+};
+
+int FIPS_selftest_ecdsa()
+{
+ EC_KEY *ec = NULL;
+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
+ EVP_PKEY *pk = NULL;
+ int rv = 0;
+ size_t i;
+
+ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) {
+ EC_SELFTEST_DATA *ecd = test_ec_data + i;
+
+ x = BN_bin2bn(ecd->x, ecd->xlen, x);
+ y = BN_bin2bn(ecd->y, ecd->ylen, y);
+ d = BN_bin2bn(ecd->d, ecd->dlen, d);
+
+ if (!x || !y || !d)
+ goto err;
+
+ ec = EC_KEY_new_by_curve_name(ecd->curve);
+ if (!ec)
+ goto err;
+
+ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
+ goto err;
+
+ if (!EC_KEY_set_private_key(ec, d))
+ goto err;
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_assign_EC_KEY(pk, ec);
+
+ if (!fips_pkey_signature_test(pk, NULL, 0,
+ NULL, 0, EVP_sha256(), 0, ecd->name))
+ goto err;
+ }
+
+ rv = 1;
+
+ err:
+
+ if (x)
+ BN_clear_free(x);
+ if (y)
+ BN_clear_free(y);
+ if (d)
+ BN_clear_free(d);
+ if (pk)
+ EVP_PKEY_free(pk);
+ else if (ec)
+ EC_KEY_free(ec);
+
+ return rv;
+
+}
+
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_err.h
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_err.h
@@ -0,0 +1,199 @@
2020-01-24 12:52:58 +01:00
+/* crypto/fips_err.h */
+/* ====================================================================
+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+ * NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+# define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0)
+# define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason)
+
+static ERR_STRING_DATA FIPS_str_functs[] = {
+ {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"},
+ {ERR_FUNC(FIPS_F_DRBG_RESEED), "drbg_reseed"},
+ {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"},
+ {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"},
+ {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"},
+ {ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"},
+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_NEW), "EVP_CIPHER_CTX_new"},
+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_RESET), "EVP_CIPHER_CTX_reset"},
+ {ERR_FUNC(FIPS_F_EVP_CIPHERINIT_EX), "EVP_CipherInit_ex"},
+ {ERR_FUNC(FIPS_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
2020-01-24 12:52:58 +01:00
+ {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "fips_check_dsa"},
+ {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "fips_check_ec"},
+ {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "fips_check_rsa"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "fips_drbg_bytes"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK), "fips_drbg_check"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "fips_drbg_cprng_test"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_ERROR_CHECK), "fips_drbg_error_check"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"},
+ {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"},
+ {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"},
+ {ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"},
+ {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"},
+ {ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"},
+ {ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"},
+ {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"},
+ {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"},
+ {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST), "FIPS_selftest"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_XTS), "FIPS_selftest_aes_xts"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"},
+ {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"},
+ {ERR_FUNC(FIPS_F_RSA_OSSL_INIT), "rsa_ossl_init"},
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"},
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"},
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"},
+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"},
+ {0, NULL}
+};
+
+static ERR_STRING_DATA FIPS_str_reasons[] = {
+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED),
+ "additional input error undetected"},
+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG),
+ "additional input too long"},
+ {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED), "already instantiated"},
+ {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"},
+ {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"},
+ {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"},
+ {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED),
+ "entropy not requested for reseed"},
+ {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"},
+ {ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG), "error initialising drbg"},
+ {ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"},
+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT),
+ "error retrieving additional input"},
+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY), "error retrieving entropy"},
+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE), "error retrieving nonce"},
+ {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),
+ "fingerprint does not match"},
+ {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET), "fips mode already set"},
+ {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED), "fips selftest failed"},
+ {ERR_REASON(FIPS_R_FUNCTION_ERROR), "function error"},
+ {ERR_REASON(FIPS_R_GENERATE_ERROR), "generate error"},
+ {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED),
+ "generate error undetected"},
+ {ERR_REASON(FIPS_R_INSTANTIATE_ERROR), "instantiate error"},
+ {ERR_REASON(FIPS_R_INTERNAL_ERROR), "internal error"},
+ {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH), "invalid key length"},
+ {ERR_REASON(FIPS_R_IN_ERROR_STATE), "in error state"},
+ {ERR_REASON(FIPS_R_KEY_TOO_SHORT), "key too short"},
+ {ERR_REASON(FIPS_R_NONCE_ERROR_UNDETECTED), "nonce error undetected"},
+ {ERR_REASON(FIPS_R_NON_FIPS_METHOD), "non fips method"},
+ {ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE), "nopr test1 failure"},
+ {ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE), "nopr test2 failure"},
+ {ERR_REASON(FIPS_R_NOT_INSTANTIATED), "not instantiated"},
+ {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED), "pairwise test failed"},
+ {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED),
+ "personalisation error undetected"},
+ {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG),
+ "personalisation string too long"},
+ {ERR_REASON(FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"},
+ {ERR_REASON(FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"},
+ {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED),
+ "request length error undetected"},
+ {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG),
+ "request too large for drbg"},
+ {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR), "reseed counter error"},
+ {ERR_REASON(FIPS_R_RESEED_ERROR), "reseed error"},
+ {ERR_REASON(FIPS_R_SELFTEST_FAILED), "selftest failed"},
+ {ERR_REASON(FIPS_R_SELFTEST_FAILURE), "selftest failure"},
+ {ERR_REASON(FIPS_R_TEST_FAILURE), "test failure"},
+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR), "uninstantiate error"},
+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR),
+ "uninstantiate zeroise error"},
+ {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"},
+ {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"},
+ {0, NULL}
+};
+
+#endif
+
+int ERR_load_FIPS_strings(void)
+{
+#ifndef OPENSSL_NO_ERR
+
+ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) {
+ ERR_load_strings(0, FIPS_str_functs);
+ ERR_load_strings(0, FIPS_str_reasons);
+ }
+#endif
+ return 1;
+}
Index: openssl-1.1.1n/crypto/fips/fips_ers.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_ers.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,7 @@
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_FIPS
+# include "fips_err.h"
+#else
+static void *dummy = &dummy;
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_hmac_selftest.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_hmac_selftest.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,134 @@
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+#include <openssl/hmac.h>
+
+#ifdef OPENSSL_FIPS
+typedef struct {
+ const EVP_MD *(*alg) (void);
+ const char *key, *iv;
+ unsigned char kaval[EVP_MAX_MD_SIZE];
+} HMAC_KAT;
+
+static const HMAC_KAT vector[] = {
+ {EVP_sha1,
+ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
+ "0123456789:;<=>?@ABC",
+ "Sample #2",
+ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19,
+ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c,
+ 0xc6, 0xc7, 0x5d, 0x24}
+ },
+ {EVP_sha224,
+ /* just keep extending the above... */
+ "0123456789:;<=>?@ABC",
+ "Sample #2",
+ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb,
+ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa,
+ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b,
+ 0x8c, 0x8d, 0x12, 0xc7}
+ },
+ {EVP_sha256,
+ "0123456789:;<=>?@ABC",
+ "Sample #2",
+ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09,
+ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34,
+ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38,
+ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9}
+ },
+ {EVP_sha384,
+ "0123456789:;<=>?@ABC",
+ "Sample #2",
+ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad,
+ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6,
+ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04,
+ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f,
+ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50,
+ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f}
+ },
+ {EVP_sha512,
+ "0123456789:;<=>?@ABC",
+ "Sample #2",
+ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41,
+ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac,
+ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0,
+ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68,
+ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f,
+ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7,
+ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45,
+ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05}
+ },
+};
+
+int FIPS_selftest_hmac()
+{
+ int n;
+ unsigned int outlen;
+ unsigned char out[EVP_MAX_MD_SIZE];
+ const EVP_MD *md;
+ const HMAC_KAT *t;
+
+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
+ md = (*t->alg) ();
+ HMAC(md, t->key, strlen(t->key),
+ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen);
+
+ if (memcmp(out, t->kaval, outlen)) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+ }
+ return 1;
+}
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_locl.h
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_locl.h
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,71 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef OPENSSL_FIPS
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+# define FIPS_MAX_CIPHER_TEST_SIZE 32
+# define fips_load_key_component(comp, pre) \
+ comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), NULL); \
+ if (!comp) \
+ goto err
+
+# define fips_post_started(id, subid, ex) 1
+# define fips_post_success(id, subid, ex) 1
+# define fips_post_failed(id, subid, ex) 1
+# define fips_post_corrupt(id, subid, ex) 1
+# define fips_post_status() 1
+
+# ifdef __cplusplus
+}
+# endif
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_post.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_post.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,224 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#define OPENSSL_FIPSAPI
+
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
+#include <openssl/fips_rand.h>
+#include <openssl/err.h>
+#include <openssl/bio.h>
+#include <openssl/hmac.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include <string.h>
+#include <limits.h>
+
+#ifdef OPENSSL_FIPS
+
+/* Power on self test (POST) support functions */
+
+# include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+# include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+# include "fips_locl.h"
+
+/* Run all selftests */
+int FIPS_selftest(void)
+{
+ int rv = 1;
+ if (!FIPS_selftest_drbg())
+ rv = 0;
+ if (!FIPS_selftest_sha1())
+ rv = 0;
+ if (!FIPS_selftest_sha2())
+ rv = 0;
+ if (!FIPS_selftest_sha3())
+ rv = 0;
+ if (!FIPS_selftest_hmac())
+ rv = 0;
+ if (!FIPS_selftest_cmac())
+ rv = 0;
+ if (!FIPS_selftest_aes())
+ rv = 0;
+ if (!FIPS_selftest_aes_ccm())
+ rv = 0;
+ if (!FIPS_selftest_aes_gcm())
+ rv = 0;
+ if (!FIPS_selftest_aes_xts())
+ rv = 0;
+ if (!FIPS_selftest_des())
+ rv = 0;
+ if (!FIPS_selftest_rsa())
+ rv = 0;
+ if (!FIPS_selftest_ecdsa())
+ rv = 0;
+ if (!FIPS_selftest_dsa())
+ rv = 0;
+ if (!FIPS_selftest_dh())
+ rv = 0;
+ if (!FIPS_selftest_ecdh())
+ rv = 0;
+ return rv;
+}
+
+/* Generalized public key test routine. Signs and verifies the data
+ * supplied in tbs using mesage digest md and setting option digest
+ * flags md_flags. If the 'kat' parameter is not NULL it will
+ * additionally check the signature matches it: a known answer test
+ * The string "fail_str" is used for identification purposes in case
+ * of failure. If "pkey" is NULL just perform a message digest check.
+ */
+
+int fips_pkey_signature_test(EVP_PKEY *pkey,
+ const unsigned char *tbs, int tbslen,
+ const unsigned char *kat, unsigned int katlen,
+ const EVP_MD *digest, unsigned int flags,
+ const char *fail_str)
+{
+ int ret = 0;
+ unsigned char sigtmp[256], *sig = sigtmp;
+ size_t siglen = sizeof(sigtmp);
+ EVP_MD_CTX *mctx;
+ EVP_PKEY_CTX *pctx;
+
+ if (digest == NULL)
+ digest = EVP_sha256();
+
+ mctx = EVP_MD_CTX_new();
+
+ if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
+ && (RSA_size(EVP_PKEY_get0_RSA(pkey)) > sizeof(sigtmp))) {
+ sig = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pkey)));
+ siglen = RSA_size(EVP_PKEY_get0_RSA(pkey));
+ }
+ if (!sig || ! mctx) {
+ EVP_MD_CTX_free(mctx);
+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ if (tbslen == -1)
+ tbslen = strlen((char *)tbs);
+
+ if (EVP_DigestSignInit(mctx, &pctx, digest, NULL, pkey) <= 0)
+ goto error;
+
+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {
+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);
+ }
+
+ if (EVP_DigestSignUpdate(mctx, tbs, tbslen) <= 0)
+ goto error;
+
+ if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0)
+ goto error;
+
+ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
+ goto error;
+
+ if (EVP_DigestVerifyInit(mctx, &pctx, digest, NULL, pkey) <= 0)
+ goto error;
+
+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {
+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);
+ }
+
+ if (EVP_DigestVerifyUpdate(mctx, tbs, tbslen) <= 0)
+ goto error;
+
+ ret = EVP_DigestVerifyFinal(mctx, sig, siglen);
+
+ error:
+ if (sig != sigtmp)
+ OPENSSL_free(sig);
+ EVP_MD_CTX_free(mctx);
+ if (ret <= 0) {
+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
+ if (fail_str)
+ ERR_add_error_data(2, "Type=", fail_str);
+ return 0;
+ }
+ return 1;
+}
+
+/* Generalized symmetric cipher test routine. Encrypt data, verify result
+ * against known answer, decrypt and compare with original plaintext.
+ */
+
+int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+ const unsigned char *key,
+ const unsigned char *iv,
+ const unsigned char *plaintext,
+ const unsigned char *ciphertext, int len)
+{
+ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
+ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
+
+ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
+ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
+ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
+
+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
+ return 0;
+ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
+ return 0;
+ if (memcmp(citmp, ciphertext, len))
+ return 0;
+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
+ return 0;
+ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
+ return 0;
+ if (memcmp(pltmp, plaintext, len))
+ return 0;
+ return 1;
+}
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_rand_lcl.h
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_rand_lcl.h
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,203 @@
+/* fips/rand/fips_rand_lcl.h */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
+typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
+typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
+
+/* 888 bits from 10.1 table 2 */
+#define HASH_PRNG_MAX_SEEDLEN 111
+
+struct drbg_hash_ctx_st {
+ const EVP_MD *md;
+ EVP_MD_CTX *mctx;
+ unsigned char V[HASH_PRNG_MAX_SEEDLEN];
+ unsigned char C[HASH_PRNG_MAX_SEEDLEN];
+ /* Temporary value storage: should always exceed max digest length */
+ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
+};
+
+struct drbg_hmac_ctx_st {
+ const EVP_MD *md;
+ HMAC_CTX *hctx;
+ unsigned char K[EVP_MAX_MD_SIZE];
+ unsigned char V[EVP_MAX_MD_SIZE];
+};
+
+struct drbg_ctr_ctx_st {
+ AES_KEY ks;
+ size_t keylen;
+ unsigned char K[32];
+ unsigned char V[16];
+ /* Temp variables used by derivation function */
+ AES_KEY df_ks;
+ AES_KEY df_kxks;
+ /* Temporary block storage used by ctr_df */
+ unsigned char bltmp[16];
+ size_t bltmp_pos;
+ unsigned char KX[48];
+};
+
+/* DRBG internal flags */
+
+/* Functions shouldn't call err library */
+#define DRBG_FLAG_NOERR 0x1
+/* Custom reseed checking */
+#define DRBG_CUSTOM_RESEED 0x2
+
+/* DRBG status values */
+/* not initialised */
+#define DRBG_STATUS_UNINITIALISED 0
+/* ok and ready to generate random bits */
+#define DRBG_STATUS_READY 1
+/* reseed required */
+#define DRBG_STATUS_RESEED 2
+/* fatal error condition */
+#define DRBG_STATUS_ERROR 3
+
+/* A default maximum length: larger than any reasonable value used in pratice */
+
+#define DRBG_MAX_LENGTH 0x7ffffff0
+/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
+ * so use max digest length.
+ */
+#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE
+
+#define DRBG_HEALTH_INTERVAL (1 << 24)
+
+/* DRBG context structure */
+
+struct drbg_ctx_st {
+ /* First types common to all implementations */
+ /* DRBG type: a NID for the underlying algorithm */
+ int type;
+ /* Various external flags */
+ unsigned int xflags;
+ /* Various internal use only flags */
+ unsigned int iflags;
+ /* Used for periodic health checks */
+ int health_check_cnt, health_check_interval;
+
+ /* The following parameters are setup by mechanism drbg_init() call */
+ int strength;
+ size_t blocklength;
+ size_t max_request;
+
+ size_t min_entropy, max_entropy;
+ size_t min_nonce, max_nonce;
+ size_t max_pers, max_adin;
+ unsigned int reseed_counter;
+ unsigned int reseed_interval;
+ size_t seedlen;
+ int status;
+ /* Application data: typically used by test get_entropy */
+ void *app_data;
+ /* Implementation specific structures */
+ union {
+ DRBG_HASH_CTX hash;
+ DRBG_HMAC_CTX hmac;
+ DRBG_CTR_CTX ctr;
+ } d;
+ /* Initialiase PRNG and setup callbacks below */
+ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags);
+ /* Intantiate PRNG */
+ int (*instantiate) (DRBG_CTX *ctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *nonce, size_t noncelen,
+ const unsigned char *pers, size_t perslen);
+ /* reseed */
+ int (*reseed) (DRBG_CTX *ctx,
+ const unsigned char *ent, size_t entlen,
+ const unsigned char *adin, size_t adinlen);
+ /* generat output */
+ int (*generate) (DRBG_CTX *ctx,
+ unsigned char *out, size_t outlen,
+ const unsigned char *adin, size_t adinlen);
+ /* uninstantiate */
+ int (*uninstantiate) (DRBG_CTX *ctx);
+
+ /* Entropy source block length */
+ size_t entropy_blocklen;
+
+ /* entropy gathering function */
+ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len);
+ /* Indicates we have finished with entropy buffer */
+ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
+
+ /* nonce gathering function */
+ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout,
+ int entropy, size_t min_len, size_t max_len);
+ /* Indicates we have finished with nonce buffer */
+ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
+
+ /* Callbacks used when called through RAND interface */
+ /* Get any additional input for generate */
+ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);
+ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
+ /* Callback for RAND_seed(), RAND_add() */
+ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num);
+ int (*rand_add_cb) (DRBG_CTX *ctx,
+ const void *buf, int num, double entropy);
+};
+
+int fips_drbg_ctr_init(DRBG_CTX *dctx);
+int fips_drbg_hash_init(DRBG_CTX *dctx);
+int fips_drbg_hmac_init(DRBG_CTX *dctx);
+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
+
+#define FIPS_digestinit EVP_DigestInit
+#define FIPS_digestupdate EVP_DigestUpdate
+#define FIPS_digestfinal EVP_DigestFinal
+#define M_EVP_MD_size EVP_MD_size
Index: openssl-1.1.1n/crypto/fips/fips_rand_lib.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_rand_lib.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,234 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
+ be defined and gettimeofday() won't be declared with strict compilers
+ like DEC C in ANSI C mode. */
+#ifndef _XOPEN_SOURCE_EXTENDED
+# define _XOPEN_SOURCE_EXTENDED 1
+#endif
+
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+#include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+#include <openssl/fips_rand.h>
+#include "e_os.h"
+
+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
+# include <sys/time.h>
+#endif
+#if defined(OPENSSL_SYS_VXWORKS)
+# include <time.h>
+#endif
+#ifndef OPENSSL_SYS_WIN32
+# ifdef OPENSSL_UNISTD
+# include OPENSSL_UNISTD
+# else
+# include <unistd.h>
+# endif
+#endif
+
+/* FIPS API for PRNG use. Similar to RAND functionality but without
+ * ENGINE and additional checking for non-FIPS rand methods.
+ */
+
+static const RAND_METHOD *fips_rand_meth = NULL;
+static int fips_approved_rand_meth = 0;
+static int fips_rand_bits = 0;
+
+/* Allows application to override number of bits and uses non-FIPS methods */
+void FIPS_rand_set_bits(int nbits)
+{
+ fips_rand_bits = nbits;
+}
+
+int FIPS_rand_set_method(const RAND_METHOD *meth)
+{
+ if (!fips_rand_bits) {
+ if (meth == FIPS_drbg_method())
+ fips_approved_rand_meth = 1;
+ else {
+ fips_approved_rand_meth = 0;
+ if (FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
+ return 0;
+ }
+ }
+ }
+ fips_rand_meth = meth;
+ return 1;
+}
+
+const RAND_METHOD *FIPS_rand_get_method(void)
+{
+ return fips_rand_meth;
+}
+
+void FIPS_rand_reset(void)
+{
+ if (fips_rand_meth && fips_rand_meth->cleanup)
+ fips_rand_meth->cleanup();
+}
+
+int FIPS_rand_seed(const void *buf, int num)
+{
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
+ return 0;
+ }
+ if (fips_rand_meth && fips_rand_meth->seed)
+ fips_rand_meth->seed(buf, num);
+ return 1;
+}
+
+int FIPS_rand_bytes(unsigned char *buf, int num)
+{
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
+ return 0;
+ }
+ if (fips_rand_meth && fips_rand_meth->bytes)
+ return fips_rand_meth->bytes(buf, num);
+ return 0;
+}
+
+int FIPS_rand_status(void)
+{
+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
+ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
+ return 0;
+ }
+ if (fips_rand_meth && fips_rand_meth->status)
+ return fips_rand_meth->status();
+ return 0;
+}
+
+/* Return instantiated strength of PRNG. For DRBG this is an internal
+ * parameter. Any other type of PRNG is not approved and returns 0 in
+ * FIPS mode and maximum 256 outside FIPS mode.
+ */
+
+int FIPS_rand_strength(void)
+{
+ if (fips_rand_bits)
+ return fips_rand_bits;
+ if (fips_approved_rand_meth == 1)
+ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
+ else if (fips_approved_rand_meth == 0) {
+ if (FIPS_module_mode())
+ return 0;
+ else
+ return 256;
+ }
+ return 0;
+}
+
+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
+{
+# ifdef OPENSSL_SYS_WIN32
+ FILETIME ft;
+# elif defined(OPENSSL_SYS_VXWORKS)
+ struct timespec ts;
+# else
+ struct timeval tv;
+# endif
+
+# ifndef GETPID_IS_MEANINGLESS
+ unsigned long pid;
+# endif
+
+# ifdef OPENSSL_SYS_WIN32
+ GetSystemTimeAsFileTime(&ft);
+ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);
+ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);
+ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);
+ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);
+ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);
+ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);
+ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);
+ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);
+# elif defined(OPENSSL_SYS_VXWORKS)
+ clock_gettime(CLOCK_REALTIME, &ts);
+ buf[0] = (unsigned char)(ts.tv_sec & 0xff);
+ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff);
+ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);
+ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);
+ buf[4] = (unsigned char)(ts.tv_nsec & 0xff);
+ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);
+ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);
+ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);
+# else
+ gettimeofday(&tv, NULL);
+ buf[0] = (unsigned char)(tv.tv_sec & 0xff);
+ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);
+ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);
+ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);
+ buf[4] = (unsigned char)(tv.tv_usec & 0xff);
+ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);
+ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);
+ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);
+# endif
+ buf[8] = (unsigned char)(*pctr & 0xff);
+ buf[9] = (unsigned char)((*pctr >> 8) & 0xff);
+ buf[10] = (unsigned char)((*pctr >> 16) & 0xff);
+ buf[11] = (unsigned char)((*pctr >> 24) & 0xff);
+
+ (*pctr)++;
+
+# ifndef GETPID_IS_MEANINGLESS
+ pid = (unsigned long)getpid();
+ buf[12] = (unsigned char)(pid & 0xff);
+ buf[13] = (unsigned char)((pid >> 8) & 0xff);
+ buf[14] = (unsigned char)((pid >> 16) & 0xff);
+ buf[15] = (unsigned char)((pid >> 24) & 0xff);
+# endif
+}
+
Index: openssl-1.1.1n/crypto/fips/fips_rsa_selftest.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_rsa_selftest.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,338 @@
+/* ====================================================================
+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+# include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+#endif
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/opensslconf.h>
+#include "fips_locl.h"
+
+#ifdef OPENSSL_FIPS
+
+static int setrsakey(RSA *key)
+{
+ static const unsigned char keydata_n[] = {
+ 0x00, 0xc9, 0xd5, 0x6d, 0x9d, 0x90, 0xdb, 0x43, 0xd6, 0x02, 0xed, 0x96, 0x88, 0x13, 0x8a,
+ 0xb2, 0xbf, 0x6e, 0xa1, 0x06, 0x10, 0xb2, 0x78, 0x37, 0xa7, 0x14, 0xa8, 0xff, 0xdd, 0x00,
+ 0xdd, 0xb4, 0x93, 0xa0, 0x45, 0xcc, 0x96, 0x90, 0xed, 0xad, 0xa9, 0xdd, 0xc4, 0xd6, 0xca,
+ 0x0c, 0xf0, 0xed, 0x4f, 0x72, 0x5e, 0x21, 0x49, 0x9a, 0x18, 0x12, 0x15, 0x8f, 0x90, 0x5a,
+ 0xdb, 0xb6, 0x33, 0x99, 0xa3, 0xe6, 0xb4, 0xf0, 0xc4, 0x97, 0x21, 0x26, 0xbb, 0xe3, 0xba,
+ 0xf2, 0xff, 0xa0, 0x72, 0xda, 0x89, 0x63, 0x8e, 0x8b, 0x3e, 0x08, 0x9d, 0x92, 0x2a, 0xbe,
+ 0x16, 0xe1, 0x43, 0x15, 0xfc, 0x57, 0xc7, 0x1f, 0x09, 0x11, 0x67, 0x1c, 0xa9, 0x96, 0xd1,
+ 0x8b, 0x3e, 0x80, 0x93, 0xc1, 0x59, 0xd0, 0x6d, 0x39, 0xf2, 0xac, 0x95, 0xcc, 0x10, 0x75,
+ 0xe9, 0x31, 0x24, 0xd1, 0x43, 0xaf, 0x68, 0x52, 0x4b, 0xe7, 0x16, 0xd7, 0x49, 0x65, 0x6f,
+ 0x26, 0xc0, 0x86, 0xad, 0xc0, 0x07, 0x0a, 0xc1, 0xe1, 0x2f, 0x87, 0x85, 0x86, 0x3b, 0xdc,
+ 0x5a, 0x99, 0xbe, 0xe9, 0xf9, 0xb9, 0xe9, 0x82, 0x27, 0x51, 0x04, 0x15, 0xab, 0x06, 0x0e,
+ 0x76, 0x5a, 0x28, 0x8d, 0x92, 0xbd, 0xc5, 0xb5, 0x7b, 0xa8, 0xdf, 0x4e, 0x47, 0xa2, 0xc1,
+ 0xe7, 0x52, 0xbf, 0x47, 0xf7, 0x62, 0xe0, 0x3a, 0x6f, 0x4d, 0x6a, 0x4d, 0x4e, 0xd4, 0xb9,
+ 0x59, 0x69, 0xfa, 0xb2, 0x14, 0xc1, 0xee, 0xe6, 0x2f, 0x95, 0xcd, 0x94, 0x72, 0xae, 0xe4,
+ 0xdb, 0x18, 0x9a, 0xc4, 0xcd, 0x70, 0xbd, 0xee, 0x31, 0x16, 0xb7, 0x49, 0x65, 0xac, 0x40,
+ 0x19, 0x0e, 0xb5, 0x6d, 0x83, 0xf1, 0x36, 0xbb, 0x08, 0x2f, 0x2e, 0x4e, 0x92, 0x62, 0xa4,
+ 0xff, 0x50, 0xdb, 0x20, 0x45, 0xa2, 0xeb, 0x16, 0x7a, 0xf2, 0xd5, 0x28, 0xc1, 0xfd, 0x4e,
+ 0x03, 0x71
+ };
+
+ static const unsigned char keydata_e[] = { 0x01, 0x00, 0x01 };
+
+ static const unsigned char keydata_d[] = {
+ 0x36, 0x27, 0x3d, 0xb1, 0xf9, 0x1b, 0xdb, 0xa7, 0xa0, 0x41, 0x7f, 0x12, 0x23, 0xac, 0x23,
+ 0x29, 0x99, 0xd5, 0x3a, 0x7b, 0x60, 0x67, 0x41, 0x07, 0x63, 0x53, 0xb4, 0xd2, 0xe7, 0x58,
+ 0x95, 0x0a, 0xc7, 0x05, 0xf3, 0x4e, 0xb2, 0xb4, 0x12, 0xd4, 0x70, 0xdc, 0x4f, 0x85, 0x06,
+ 0xd3, 0xdd, 0xd8, 0x63, 0x27, 0x3e, 0x67, 0x31, 0x21, 0x24, 0x39, 0x04, 0xbc, 0x06, 0xa4,
+ 0xcc, 0xce, 0x2b, 0x7a, 0xfe, 0x7b, 0xad, 0xde, 0x11, 0x6e, 0xa3, 0xa5, 0xe6, 0x04, 0x53,
+ 0x0e, 0xa3, 0x4e, 0x2d, 0xb4, 0x8f, 0x31, 0xbf, 0xca, 0x75, 0x25, 0x52, 0x02, 0x85, 0xde,
+ 0x3d, 0xb2, 0x72, 0x43, 0xb2, 0x89, 0x8a, 0x9a, 0x34, 0x41, 0x26, 0x3f, 0x9a, 0x67, 0xbe,
+ 0xa4, 0x96, 0x7b, 0x0e, 0x75, 0xba, 0xa6, 0x93, 0xd5, 0xb8, 0xd8, 0xb8, 0x57, 0xf2, 0x4b,
+ 0x0f, 0x14, 0x81, 0xd1, 0x57, 0x4e, 0xf6, 0x45, 0x4c, 0xa6, 0x3b, 0xd0, 0x70, 0xca, 0xd3,
+ 0x9d, 0x55, 0xde, 0x22, 0x05, 0xe7, 0x8e, 0x28, 0x4d, 0xee, 0x11, 0xcf, 0xb6, 0x67, 0x76,
+ 0x09, 0xd3, 0xe3, 0x3c, 0x13, 0xf9, 0x99, 0x34, 0x10, 0x7b, 0xec, 0x81, 0x38, 0xf0, 0xb6,
+ 0x34, 0x9c, 0x9b, 0x50, 0x6f, 0x0b, 0x91, 0x81, 0x4d, 0x89, 0x94, 0x04, 0x7b, 0xf0, 0x3c,
+ 0xf4, 0xb1, 0xb2, 0x00, 0x48, 0x8d, 0x5a, 0x8f, 0x88, 0x9e, 0xc5, 0xab, 0x3a, 0x9e, 0x44,
+ 0x3f, 0x54, 0xe7, 0xd9, 0x6e, 0x47, 0xaa, 0xa1, 0xbd, 0x40, 0x46, 0x31, 0xf9, 0xf0, 0x34,
+ 0xb6, 0x04, 0xe1, 0x2b, 0x5b, 0x73, 0x86, 0xdd, 0x3a, 0x92, 0x1b, 0x71, 0xc7, 0x3f, 0x32,
+ 0xe5, 0xc3, 0xc2, 0xab, 0xa1, 0x7e, 0xbf, 0xa4, 0x52, 0xa0, 0xb0, 0x68, 0x90, 0xd1, 0x20,
+ 0x12, 0x79, 0xe9, 0xd7, 0xc9, 0x40, 0xba, 0xf2, 0x19, 0xc7, 0xa5, 0x00, 0x92, 0x86, 0x0d,
+ 0x01
+ };
+
+ static const unsigned char keydata_p[] = {
+ 0x00, 0xfc, 0x5c, 0x6e, 0x16, 0xce, 0x1f, 0x03, 0x7b, 0xcd, 0xf7, 0xb3, 0x72, 0xb2, 0x8f,
+ 0x16, 0x72, 0xb8, 0x56, 0xae, 0xf7, 0xcd, 0x67, 0xd8, 0x4e, 0x7d, 0x07, 0xaf, 0xd5, 0x43,
+ 0x26, 0xc3, 0x35, 0xbe, 0x43, 0x8f, 0x4e, 0x2f, 0x1c, 0x43, 0x4e, 0x6b, 0xd2, 0xb2, 0xec,
+ 0x52, 0x6d, 0x97, 0x52, 0x2b, 0xcc, 0x5c, 0x3a, 0x6b, 0xf4, 0x14, 0xc6, 0x74, 0xda, 0x66,
+ 0x38, 0x1c, 0x7a, 0x3f, 0x84, 0x2f, 0xe3, 0xf9, 0x5a, 0xb8, 0x65, 0x69, 0x46, 0x06, 0xa3,
+ 0x37, 0x79, 0xb2, 0xa1, 0x5b, 0x58, 0xed, 0x5e, 0xa7, 0x5f, 0x8c, 0x65, 0x66, 0xbb, 0xd1,
+ 0x24, 0x36, 0xe6, 0x37, 0xa7, 0x3d, 0x49, 0x77, 0x8a, 0x8c, 0x34, 0xd8, 0x69, 0x29, 0xf3,
+ 0x4d, 0x58, 0x22, 0xb0, 0x51, 0x24, 0xb6, 0x40, 0xa8, 0x86, 0x59, 0x0a, 0xb7, 0xba, 0x5c,
+ 0x97, 0xda, 0x57, 0xe8, 0x36, 0xda, 0x7a, 0x9c, 0xad
+ };
+
+ static const unsigned char keydata_q[] = {
+ 0x00, 0xcc, 0xbe, 0x7b, 0x09, 0x69, 0x06, 0xee, 0x45, 0xbf, 0x88, 0x47, 0x38, 0xa8, 0xf8,
+ 0x17, 0xe5, 0xb6, 0xba, 0x67, 0x55, 0xe3, 0xe8, 0x05, 0x8b, 0xb8, 0xe2, 0x53, 0xd6, 0x8e,
+ 0xef, 0x2c, 0xe7, 0x4f, 0x4a, 0xf7, 0x4e, 0x26, 0x8d, 0x85, 0x0b, 0x3f, 0xec, 0xc3, 0x1c,
+ 0xd4, 0xeb, 0xec, 0x6a, 0xc8, 0x72, 0x2a, 0x25, 0x7d, 0xfd, 0xa6, 0x77, 0x96, 0xf0, 0x1e,
+ 0xcd, 0x28, 0x57, 0xf8, 0x37, 0x30, 0x75, 0x6b, 0xbd, 0xd4, 0x7b, 0x0c, 0x87, 0xc5, 0x6c,
+ 0x87, 0x40, 0xa5, 0xbb, 0x27, 0x2c, 0x78, 0xc9, 0x74, 0x5a, 0x54, 0x5b, 0x0b, 0x30, 0x6f,
+ 0x44, 0x4a, 0xfa, 0x71, 0xe4, 0x21, 0x61, 0x66, 0xf9, 0xee, 0x65, 0xde, 0x7c, 0x04, 0xd7,
+ 0xfd, 0xa9, 0x15, 0x5b, 0x7f, 0xe2, 0x7a, 0xba, 0x69, 0x86, 0x72, 0xa6, 0x06, 0x8d, 0x9b,
+ 0x90, 0x55, 0x60, 0x9e, 0x4c, 0x5d, 0xa9, 0xb6, 0x55
+ };
+
+ static const unsigned char keydata_dmp1[] = {
+ 0x7a, 0xd6, 0x12, 0xd0, 0x0e, 0xec, 0x91, 0xa9, 0x85, 0x8b, 0xf8, 0x50, 0xf0, 0x11, 0x2e,
+ 0x00, 0x11, 0x32, 0x40, 0x60, 0x66, 0x1f, 0x11, 0xee, 0xc2, 0x75, 0x27, 0x65, 0x4b, 0x16,
+ 0x67, 0x16, 0x95, 0xd2, 0x14, 0xc3, 0x1d, 0xb3, 0x48, 0x1f, 0xb7, 0xe4, 0x0b, 0x2b, 0x74,
+ 0xc3, 0xdb, 0x50, 0x27, 0xf9, 0x85, 0x3a, 0xfa, 0xa9, 0x08, 0x23, 0xc1, 0x65, 0x3d, 0x34,
+ 0x3a, 0xc8, 0x56, 0x7a, 0x65, 0x45, 0x36, 0x6e, 0xae, 0x2a, 0xce, 0x9f, 0x43, 0x43, 0xd7,
+ 0x10, 0xe9, 0x9e, 0x18, 0xf4, 0xa4, 0x35, 0xda, 0x8a, 0x6b, 0xb0, 0x3f, 0xdd, 0x53, 0xe3,
+ 0xa8, 0xc5, 0x4e, 0x79, 0x9d, 0x1f, 0x51, 0x8c, 0xa2, 0xca, 0x66, 0x3c, 0x6a, 0x2a, 0xff,
+ 0x8e, 0xd2, 0xf3, 0xb7, 0xcb, 0x82, 0xda, 0xde, 0x2c, 0xe6, 0xd2, 0x8c, 0xb3, 0xad, 0xb6,
+ 0x4c, 0x95, 0x55, 0x76, 0xbd, 0xc9, 0xc8, 0xd1
+ };
+
+ static const unsigned char keydata_dmq1[] = {
+ 0x00, 0x83, 0x23, 0x1d, 0xbb, 0x11, 0x42, 0x17, 0x2b, 0x25, 0x5a, 0x2c, 0x03, 0xe6, 0x75,
+ 0xc1, 0x18, 0xa8, 0xc9, 0x0b, 0x96, 0xbf, 0xba, 0xc4, 0x92, 0x91, 0x80, 0xa5, 0x22, 0x2f,
+ 0xba, 0x91, 0x90, 0x36, 0x01, 0x56, 0x15, 0x00, 0x2c, 0x74, 0xa2, 0x97, 0xf7, 0x15, 0xa1,
+ 0x49, 0xdf, 0x32, 0x35, 0xd2, 0xdd, 0x0c, 0x91, 0xa6, 0xf8, 0xe7, 0xbe, 0x81, 0x36, 0x9b,
+ 0x03, 0xdc, 0x6b, 0x3b, 0xd8, 0x5d, 0x79, 0x57, 0xe0, 0xe6, 0x4f, 0x49, 0xdf, 0x4c, 0x5c,
+ 0x0e, 0xe5, 0x21, 0x41, 0x95, 0xfd, 0xad, 0xff, 0x9a, 0x3e, 0xa0, 0xf9, 0x0f, 0x59, 0x9e,
+ 0x6a, 0xa7, 0x7b, 0x71, 0xa7, 0x24, 0x9a, 0x36, 0x52, 0xae, 0x97, 0x20, 0xc1, 0x5e, 0x78,
+ 0xd9, 0x47, 0x8b, 0x1e, 0x67, 0xf2, 0xaf, 0x98, 0xe6, 0x2d, 0xef, 0x10, 0xd7, 0xf1, 0xab,
+ 0x49, 0xee, 0xe5, 0x4b, 0x7e, 0xae, 0x1f, 0x1d, 0x61
+ };
+
+ static const unsigned char keydata_iqmp[] = {
+ 0x23, 0x96, 0xc1, 0x91, 0x17, 0x5e, 0x0a, 0x83, 0xd2, 0xdc, 0x7b, 0x69, 0xb2, 0x59, 0x1d,
+ 0x33, 0x58, 0x52, 0x3f, 0x18, 0xc7, 0x09, 0x50, 0x1c, 0xb9, 0xa1, 0xbb, 0x4c, 0xa2, 0x38,
+ 0x40, 0x4c, 0x9a, 0x8e, 0xfe, 0x9c, 0x90, 0x92, 0xd0, 0x71, 0x9f, 0x89, 0x99, 0x50, 0x91,
+ 0x1f, 0x34, 0x8b, 0x74, 0x53, 0x11, 0x11, 0x4a, 0x70, 0xe2, 0xf7, 0x30, 0xd8, 0x8c, 0x80,
+ 0xe1, 0xcc, 0x9f, 0xf1, 0x63, 0x17, 0x1a, 0x7d, 0x67, 0x29, 0x4c, 0xcb, 0x4e, 0x74, 0x7b,
+ 0xe0, 0x3e, 0x9e, 0x2f, 0xf4, 0x67, 0x8f, 0xec, 0xb9, 0x5c, 0x00, 0x1e, 0x7e, 0xa2, 0x7b,
+ 0x92, 0xc9, 0x6f, 0x4c, 0xe4, 0x0e, 0xf9, 0x48, 0x63, 0xcd, 0x50, 0x22, 0x5d, 0xbf, 0xb6,
+ 0x9d, 0x01, 0x33, 0x6a, 0xf4, 0x50, 0xbe, 0x86, 0x98, 0x4f, 0xca, 0x3f, 0x3a, 0xfa, 0xcf,
+ 0x07, 0x40, 0xc4, 0xaa, 0xad, 0xae, 0xbe, 0xbf
+ };
+
+ int rv = 0;
+ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+
+ fips_load_key_component(n, keydata);
+ fips_load_key_component(e, keydata);
+ fips_load_key_component(d, keydata);
+ fips_load_key_component(p, keydata);
+ fips_load_key_component(q, keydata);
+ fips_load_key_component(dmp1, keydata);
+ fips_load_key_component(dmq1, keydata);
+ fips_load_key_component(iqmp, keydata);
+
+ RSA_set0_key(key, n, e, d);
+ RSA_set0_factors(key, p, q);
+ RSA_set0_crt_params(key, dmp1, dmq1, iqmp);
+
+ rv = 1;
+err:
+ if (!rv) {
+ BN_free(n);
+ BN_free(e);
+ BN_free(d);
+ BN_free(p);
+ BN_free(q);
+ BN_free(dmp1);
+ BN_free(dmq1);
+ BN_free(iqmp);
+ }
+ return rv;
+}
+
+/* Known Answer Test (KAT) data for the above RSA private key signing
+ * kat_tbs.
+ */
+
+static const unsigned char kat_tbs[] =
+ "OpenSSL FIPS 140-2 Public Key RSA KAT";
+
+static const unsigned char kat_RSA_PSS_SHA256[] = {
+ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,
+ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,
+ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB,
+ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9,
+ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16,
+ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33,
+ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49,
+ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67,
+ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B,
+ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B,
+ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6,
+ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60,
+ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6,
+ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF,
+ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23,
+ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73,
+ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56,
+ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97,
+ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50,
+ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68,
+ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62,
+ 0x2B, 0x31, 0xB9, 0x7D
+};
+
+static const unsigned char kat_RSA_SHA256[] = {
+ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,
+ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,
+ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F,
+ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06,
+ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF,
+ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2,
+ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8,
+ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5,
+ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE,
+ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6,
+ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D,
+ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42,
+ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4,
+ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E,
+ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A,
+ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91,
+ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB,
+ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65,
+ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E,
+ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B,
+ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D,
+ 0x47, 0x9D, 0x18, 0xD7
+};
+
+static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext,
+ int ptlen)
+{
+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
+ int ret = 0;
+ int len;
+
+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
+ if (!ctbuf)
+ goto err;
+
+ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING);
+ if (len <= 0)
+ goto err;
+ /* Check ciphertext doesn't match plaintext */
+ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen))
+ goto err;
+
+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
+ if (!ptbuf)
+ goto err;
+
+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
+ if (len != ptlen)
+ goto err;
+ if (memcmp(ptbuf, plaintext, len))
+ goto err;
+
+ ret = 1;
+
+ err:
+ if (ctbuf)
+ OPENSSL_free(ctbuf);
+ if (ptbuf)
+ OPENSSL_free(ptbuf);
+ return ret;
+}
+
+int FIPS_selftest_rsa()
+{
+ int ret = 0;
+ RSA *key;
+ EVP_PKEY *pk = NULL;
+
+ if ((key = RSA_new()) == NULL)
+ goto err;
+
+ if (!setrsakey(key))
+ goto err;
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_set1_RSA(pk, key);
+
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
+ "RSA SHA256 PKCS#1"))
+ goto err;
+
+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
+ kat_RSA_PSS_SHA256,
+ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),
+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))
+ goto err;
+
+ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))
+ goto err;
+
+ ret = 1;
+
+ err:
+ if (pk)
+ EVP_PKEY_free(pk);
+ if (key)
+ RSA_free(key);
+ return ret;
+}
+
+#endif /* def OPENSSL_FIPS */
Index: openssl-1.1.1n/crypto/fips/fips_sha_selftest.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_sha_selftest.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,223 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+
+#ifdef OPENSSL_FIPS
+static const char test[][60] = {
+ "",
+ "abc",
+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+};
+
+static const unsigned char ret[][SHA_DIGEST_LENGTH] = {
+ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
+ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},
+ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
+ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},
+ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,
+ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},
+};
+
+int FIPS_selftest_sha1()
+{
+ int n;
+
+ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {
+ unsigned char md[SHA_DIGEST_LENGTH];
+
+ EVP_Digest(test[n], strlen(test[n]), md, NULL,
+ EVP_sha1(), NULL);
+ if (memcmp(md, ret[n], sizeof md)) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static const unsigned char msg_sha256[] =
+ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
+ 0xfc
+};
+
+static const unsigned char dig_sha256[] =
+ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
+ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
+ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
+ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a
+};
+
+static const unsigned char msg_sha512[] =
+ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
+ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd
+};
+
+static const unsigned char dig_sha512[] =
+ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
+ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
+ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
+ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
+ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
+ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
+ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
+ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43
+};
+
+int FIPS_selftest_sha2(void)
+{
+ unsigned char md[SHA512_DIGEST_LENGTH];
+
+ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
+ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+
+ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
+ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+
+ return 1;
+}
+
+static const unsigned char msg_sha3_256[] = {
+ 0xa1, 0xd7, 0xce, 0x51, 0x04, 0xeb, 0x25, 0xd6,
+ 0x13, 0x1b, 0xb8, 0xf6, 0x6e, 0x1f, 0xb1, 0x3f,
+ 0x35, 0x23
+};
+
+static const unsigned char dig_sha3_256[] = {
+ 0xee, 0x90, 0x62, 0xf3, 0x97, 0x20, 0xb8, 0x21,
+ 0xb8, 0x8b, 0xe5, 0xe6, 0x46, 0x21, 0xd7, 0xe0,
+ 0xca, 0x02, 0x6a, 0x9f, 0xe7, 0x24, 0x8d, 0x78,
+ 0x15, 0x0b, 0x14, 0xbd, 0xba, 0xa4, 0x0b, 0xed
+};
+
+static const unsigned char msg_sha3_512[] = {
+ 0x13, 0x3b, 0x49, 0x7b, 0x00, 0x93, 0x27, 0x73,
+ 0xa5, 0x3b, 0xa9, 0xbf, 0x8e, 0x61, 0xd5, 0x9f,
+ 0x05, 0xf4
+};
+
+static const unsigned char dig_sha3_512[] = {
+ 0x78, 0x39, 0x64, 0xa1, 0xcf, 0x41, 0xd6, 0xd2,
+ 0x10, 0xa8, 0xd7, 0xc8, 0x1c, 0xe6, 0x97, 0x0a,
+ 0xa6, 0x2c, 0x90, 0x53, 0xcb, 0x89, 0xe1, 0x5f,
+ 0x88, 0x05, 0x39, 0x57, 0xec, 0xf6, 0x07, 0xf4,
+ 0x2a, 0xf0, 0x88, 0x04, 0xe7, 0x6f, 0x2f, 0xbd,
+ 0xbb, 0x31, 0x80, 0x9c, 0x9e, 0xef, 0xc6, 0x0e,
+ 0x23, 0x3d, 0x66, 0x24, 0x36, 0x7a, 0x3b, 0x9c,
+ 0x30, 0xf8, 0xee, 0x5f, 0x65, 0xbe, 0x56, 0xac
+};
+
+static const unsigned char msg_shake_128[] = {
+ 0x43, 0xbd, 0xb1, 0x1e, 0xac, 0x71, 0x03, 0x1f,
+ 0x02, 0xa1, 0x1c, 0x15, 0xa1, 0x88, 0x5f, 0xa4,
+ 0x28, 0x98
+};
+
+static const unsigned char dig_shake_128[] = {
+ 0xde, 0x68, 0x02, 0x7d, 0xa1, 0x30, 0x66, 0x3a,
+ 0x73, 0x98, 0x0e, 0x35, 0x25, 0xb8, 0x8c, 0x75
+};
+
+static const unsigned char msg_shake_256[] = {
+ 0x8f, 0x84, 0xa3, 0x7d, 0xbd, 0x44, 0xd0, 0xf6,
+ 0x95, 0x36, 0xc5, 0xf4, 0x44, 0x6b, 0xa3, 0x23,
+ 0x9b, 0xfc
+};
+
+static const unsigned char dig_shake_256[] = {
+ 0x05, 0xca, 0x83, 0x5e, 0x0c, 0xdb, 0xfa, 0xf5,
+ 0x95, 0xc6, 0x86, 0x7e, 0x2d, 0x9d, 0xb9, 0x3f,
+ 0xca, 0x9c, 0x8b, 0xc6, 0x65, 0x02, 0x2e, 0xdd,
+ 0x6f, 0xe7, 0xb3, 0xda, 0x5e, 0x07, 0xc4, 0xcf
+};
+
+int FIPS_selftest_sha3(void)
+{
+ unsigned char md[SHA512_DIGEST_LENGTH];
+
+ EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL);
+ if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+
+ EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL);
+ if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+
+ EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL);
+ if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+
+ EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL);
+ if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) {
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
+ return 0;
+ }
+
+ return 1;
+}
+
+#endif
Index: openssl-1.1.1n/crypto/fips/fips_standalone_hmac.c
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/crypto/fips/fips_standalone_hmac.c
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,127 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/opensslconf.h>
+#include <openssl/hmac.h>
+#include <openssl/sha.h>
+
+int main(int argc, char **argv)
+{
+#ifdef OPENSSL_FIPS
+ static char key[] = "orboDeJITITejsirpADONivirpUkvarP";
+ int n, binary = 0;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s [<file>]+\n", argv[0]);
+ exit(1);
+ }
+
+ n = 1;
+ if (!strcmp(argv[n], "-binary")) {
+ n++;
+ binary = 1; /* emit binary fingerprint... */
+ }
+
+ for (; n < argc; ++n) {
+ FILE *f = fopen(argv[n], "rb");
+ HMAC_CTX *hmac_ctx;
+ unsigned char mac[EVP_MAX_MD_SIZE];
+ unsigned int len;
+ unsigned int i;
+
+ if (!f) {
+ perror(argv[n]);
+ exit(2);
+ }
+ hmac_ctx = HMAC_CTX_new();
+ if (!hmac_ctx)
+ exit(3);
+
+ if (HMAC_Init_ex(hmac_ctx, key, strlen(key), EVP_sha256(), NULL) <= 0) {
+ fprintf(stderr, "HMAC SHA256 initialization failed.\n");
+ exit(4);
+ }
+
+ for (;;) {
+ unsigned char buf[1024];
+ size_t l = fread(buf, 1, sizeof buf, f);
+
+ if (l == 0) {
+ if (ferror(f)) {
+ perror(argv[n]);
+ exit(3);
+ } else
+ break;
+ }
+ if (HMAC_Update(hmac_ctx, buf, l) <= 0) {
+ fprintf(stderr, "HMAC_Update() failed.\n");
+ exit(4);
+ }
+ }
+ if (HMAC_Final(hmac_ctx, mac, &len) <= 0) {
+ fprintf(stderr, "HMAC_Final() failed.\n");
+ exit(4);
+ }
+
+ if (binary) {
+ fwrite(mac, len, 1, stdout);
+ break; /* ... for single(!) file */
+ }
+
+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
+ for (i = 0; i < len; ++i)
+ printf("%02x", mac[i]);
+ printf("\n");
+ }
+#endif
+ return 0;
+}
Index: openssl-1.1.1n/crypto/hmac/hmac.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/hmac/hmac.c
+++ openssl-1.1.1n/crypto/hmac/hmac.c
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
@@ -44,6 +44,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
2020-01-24 12:52:58 +01:00
return 0;
if (key != NULL) {
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS)
+ && (!EVP_MD_CTX_test_flags(ctx->md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ || !EVP_MD_CTX_test_flags(ctx->i_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ || !EVP_MD_CTX_test_flags(ctx->o_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
+ goto err;
+#endif
reset = 1;
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
2020-01-24 12:52:58 +01:00
j = EVP_MD_block_size(md);
Index: openssl-1.1.1n/crypto/hmac/hm_pmeth.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/hmac/hm_pmeth.c
+++ openssl-1.1.1n/crypto/hmac/hm_pmeth.c
2020-01-24 12:52:58 +01:00
@@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C
const EVP_PKEY_METHOD hmac_pkey_meth = {
EVP_PKEY_HMAC,
- 0,
+ EVP_PKEY_FLAG_FIPS,
pkey_hmac_init,
pkey_hmac_copy,
pkey_hmac_cleanup,
Index: openssl-1.1.1n/include/crypto/fips_int.h
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/include/crypto/fips_int.h
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,98 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <openssl/opensslconf.h>
+#include <openssl/evp.h>
+
+#ifndef OPENSSL_FIPS
+# error FIPS is disabled.
+#endif
+
+#ifdef OPENSSL_FIPS
+
+int FIPS_module_mode_set(int onoff);
+int FIPS_module_mode(void);
+int FIPS_module_installed(void);
+int FIPS_selftest_sha1(void);
+int FIPS_selftest_sha2(void);
+int FIPS_selftest_sha3(void);
+int FIPS_selftest_aes_ccm(void);
+int FIPS_selftest_aes_gcm(void);
+int FIPS_selftest_aes_xts(void);
+int FIPS_selftest_aes(void);
+int FIPS_selftest_des(void);
+int FIPS_selftest_rsa(void);
+int FIPS_selftest_dsa(void);
+int FIPS_selftest_ecdsa(void);
+int FIPS_selftest_ecdh(void);
+int FIPS_selftest_dh(void);
+void FIPS_drbg_stick(int onoff);
+int FIPS_selftest_hmac(void);
+int FIPS_selftest_drbg(void);
+int FIPS_selftest_cmac(void);
+
+int fips_pkey_signature_test(EVP_PKEY *pkey,
+ const unsigned char *tbs, int tbslen,
+ const unsigned char *kat,
+ unsigned int katlen,
+ const EVP_MD *digest,
+ unsigned int md_flags, const char *fail_str);
+
+int fips_cipher_test(EVP_CIPHER_CTX *ctx,
+ const EVP_CIPHER *cipher,
+ const unsigned char *key,
+ const unsigned char *iv,
+ const unsigned char *plaintext,
+ const unsigned char *ciphertext, int len);
+
+void fips_set_selftest_fail(void);
+
+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
+
+#endif
Index: openssl-1.1.1n/crypto/o_fips.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/o_fips.c
+++ openssl-1.1.1n/crypto/o_fips.c
2020-01-24 12:52:58 +01:00
@@ -8,17 +8,28 @@
*/
#include "internal/cryptlib.h"
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+#include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
int FIPS_mode(void)
{
+#ifdef OPENSSL_FIPS
+ return FIPS_module_mode();
+#else
/* This version of the library does not support FIPS mode. */
return 0;
+#endif
}
int FIPS_mode_set(int r)
{
+#ifdef OPENSSL_FIPS
+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
+ return 1;
+ return FIPS_module_mode_set(r);
+#else
if (r == 0)
return 1;
CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
return 0;
+#endif
}
Index: openssl-1.1.1n/crypto/o_init.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/o_init.c
+++ openssl-1.1.1n/crypto/o_init.c
2020-01-24 12:52:58 +01:00
@@ -7,8 +7,68 @@
* https://www.openssl.org/source/license.html
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
#include "e_os.h"
#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <fcntl.h>
+# include <unistd.h>
+# include <errno.h>
+# include <stdlib.h>
+# include <openssl/rand.h>
+# include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+# include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static void init_fips_mode(void)
+{
+ char buf[2] = "0";
+ int fd;
+
+ /* Ensure the selftests always run */
+ /* XXX: TO SOLVE - premature initialization due to selftests */
+ FIPS_mode_set(1);
+
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+ close(fd);
+ }
+ /* Failure reading the fips mode switch file means just not
+ * switching into FIPS mode. We would break too many things
+ * otherwise..
+ */
+
+ if (buf[0] != '1') {
+ /* drop down to non-FIPS mode if it is not requested */
+ FIPS_mode_set(0);
+ } else {
+ /* abort if selftest failed */
+ FIPS_selftest_check();
+ }
+}
+
+/*
+ * Perform FIPS module power on selftest and automatic FIPS mode switch.
+ */
+
+void __attribute__ ((constructor)) OPENSSL_init_library(void)
+{
+ static int done = 0;
+ if (done)
+ return;
+ done = 1;
+ if (!FIPS_module_installed()) {
+ return;
+ }
+ init_fips_mode();
+}
+#endif
/*
* Perform any essential OpenSSL initialization operations. Currently does
Index: openssl-1.1.1n/crypto/rand/rand_lib.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/rand/rand_lib.c
+++ openssl-1.1.1n/crypto/rand/rand_lib.c
@@ -963,3 +963,15 @@ int RAND_status(void)
2020-01-24 12:52:58 +01:00
return meth->status();
return 0;
}
+
+#ifdef OPENSSL_FIPS
+void RAND_set_fips_drbg_type(int type, int flags)
+{ /* just a stub for ABI compatibility */
+}
+
+int RAND_init_fips(void)
+{
+ /* just a stub for ABI compatibility */
+ return 1;
+}
+#endif
Index: openssl-1.1.1n/crypto/rsa/rsa_crpt.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/rsa/rsa_crpt.c
+++ openssl-1.1.1n/crypto/rsa/rsa_crpt.c
2020-01-24 12:52:58 +01:00
@@ -27,24 +27,52 @@ int RSA_size(const RSA *r)
int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
+ return -1;
+ }
+#endif
return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);
}
int RSA_private_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT,
+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+#endif
return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);
}
int RSA_private_decrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
+ return -1;
+ }
+#endif
return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);
}
int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+#endif
return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
}
Index: openssl-1.1.1n/crypto/rsa/rsa_err.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/rsa/rsa_err.c
+++ openssl-1.1.1n/crypto/rsa/rsa_err.c
2020-01-24 12:52:58 +01:00
@@ -16,6 +16,8 @@
static const ERR_STRING_DATA RSA_str_functs[] = {
{ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_ENCODE_PKCS1, 0), "encode_pkcs1"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_FIPS_RSA_BUILTIN_KEYGEN, 0),
+ "fips_rsa_builtin_keygen"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_INT_RSA_VERIFY, 0), "int_rsa_verify"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_OLD_RSA_PRIV_DECODE, 0),
"old_rsa_priv_decode"},
@@ -32,6 +34,9 @@ static const ERR_STRING_DATA RSA_str_fun
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), "RSA_generate_key_ex"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0),
+ "RSA_generate_multi_prime_key"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_DUP, 0), "RSA_meth_dup"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_NEW, 0), "RSA_meth_new"},
@@ -90,9 +95,13 @@ static const ERR_STRING_DATA RSA_str_fun
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0),
@@ -102,6 +111,8 @@ static const ERR_STRING_DATA RSA_str_fun
"RSA_verify_ASN1_OCTET_STRING"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0),
"RSA_verify_PKCS1_PSS_mgf1"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"},
+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"},
{ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"},
{0, NULL}
};
@@ -183,6 +194,7 @@ static const ERR_STRING_DATA RSA_str_rea
"mp exponent not congruent to d"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING),
"null before block missing"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES),
@@ -191,6 +203,8 @@ static const ERR_STRING_DATA RSA_str_rea
"n does not equal p q"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR),
"oaep decoding error"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),
+ "operation not allowed in FIPS mode"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
"operation not supported for this keytype"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED),
@@ -226,6 +240,8 @@ static const ERR_STRING_DATA RSA_str_rea
"unsupported mask algorithm"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_MASK_PARAMETER),
"unsupported mask parameter"},
+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_PARAMETERS),
+ "unsupported parameters"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE),
"unsupported signature type"},
{ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"},
Index: openssl-1.1.1n/crypto/rsa/rsa_gen.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/rsa/rsa_gen.c
+++ openssl-1.1.1n/crypto/rsa/rsa_gen.c
2020-01-24 12:52:58 +01:00
@@ -18,6 +18,76 @@
#include "internal/cryptlib.h"
#include <openssl/bn.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
#include "rsa_local.h"
2020-01-24 12:52:58 +01:00
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
+# include "crypto/fips_int.h"
2020-01-24 12:52:58 +01:00
+
+int fips_check_rsa(RSA *rsa)
+{
+ const unsigned char tbs[] = "RSA Pairwise Check Data";
+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
+ int len, ret = 0;
+ EVP_PKEY *pk;
+
+ if ((pk = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ EVP_PKEY_set1_RSA(pk, rsa);
+
+ /* Perform pairwise consistency signature test */
+ if (!fips_pkey_signature_test(pk, tbs, -1,
+ NULL, 0, EVP_sha256(),
+ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha256(),
+ EVP_MD_CTX_FLAG_PAD_PSS, NULL))
+ goto err;
+ /* Now perform pairwise consistency encrypt/decrypt test */
+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
+ if (!ctbuf)
+ goto err;
+
+ len =
+ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa,
+ RSA_PKCS1_PADDING);
+ if (len <= 0)
+ goto err;
+ /* Check ciphertext doesn't match plaintext */
+ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
+ goto err;
+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
+
+ if (!ptbuf)
+ goto err;
+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
+ if (len != (sizeof(tbs) - 1))
+ goto err;
+ if (memcmp(ptbuf, tbs, len))
+ goto err;
+
+ ret = 1;
+
+ if (!ptbuf)
+ goto err;
+
+ err:
+ if (ret == 0) {
+ fips_set_selftest_fail();
+ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED);
+ }
+
+ if (ctbuf)
+ OPENSSL_free(ctbuf);
+ if (ptbuf)
+ OPENSSL_free(ptbuf);
+ if (pk)
+ EVP_PKEY_free(pk);
+
+ return ret;
+}
+
+static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ BN_GENCB *cb);
+#endif
static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
BN_GENCB *cb);
@@ -31,6 +101,13 @@ static int rsa_builtin_keygen(RSA *rsa,
*/
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
+ return 0;
+ }
+#endif
if (rsa->meth->rsa_keygen != NULL)
return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
@@ -41,6 +118,13 @@ int RSA_generate_key_ex(RSA *rsa, int bi
int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
BIGNUM *e_value, BN_GENCB *cb)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_NON_FIPS_RSA_METHOD);
+ return 0;
+ }
+#endif
/* multi-prime is only supported with the builtin key generation */
if (rsa->meth->rsa_multi_prime_keygen != NULL) {
return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes,
@@ -57,10 +141,285 @@ int RSA_generate_multi_prime_key(RSA *rs
else
return 0;
}
-
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (primes != 2) {
+ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_UNSUPPORTED_PARAMETERS);
+ return 0;
+ }
+ return fips_rsa_builtin_keygen(rsa, bits, e_value, cb);
+ }
+#endif
return rsa_builtin_keygen(rsa, bits, primes, e_value, cb);
}
+#ifdef OPENSSL_FIPS
+static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
+ BN_GENCB *cb)
+{
+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
+ BN_CTX *ctx = NULL;
+ int ok = -1;
+ int i;
+ int n = 0;
+ int test = 0;
+ int pbits = bits / 2;
+ unsigned long error = 0;
+
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
+ return 0;
+ }
+
+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS
+ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits < 2048)) {
+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);
+ return 0;
+ }
+ if ((pbits & 0xFF) != 0) {
+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+ r0 = BN_CTX_get(ctx);
+ r1 = BN_CTX_get(ctx);
+ r2 = BN_CTX_get(ctx);
+ r3 = BN_CTX_get(ctx);
+
+ if (r3 == NULL)
+ goto err;
+
+ /* We need the RSA components non-NULL */
+ if (!rsa->n && ((rsa->n = BN_new()) == NULL))
+ goto err;
+ if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
+ goto err;
+ if (!rsa->e && ((rsa->e = BN_new()) == NULL))
+ goto err;
+ if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
+ goto err;
+ if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
+ goto err;
+ if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
+ goto err;
+ if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
+ goto err;
+ if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
+ goto err;
+
+ if (!BN_set_word(r0, RSA_F4))
+ goto err;
+ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) {
+ ok = 0; /* we set our own err */
+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE);
+ goto err;
+ }
+
+ /* prepare approximate minimum p and q */
+ if (!BN_set_word(r0, 0xB504F334))
+ goto err;
+ if (!BN_lshift(r0, r0, pbits - 32))
+ goto err;
+
+ /* prepare minimum p and q difference */
+ if (!BN_one(r3))
+ goto err;
+ if (!BN_lshift(r3, r3, pbits - 100))
+ goto err;
+
+ BN_copy(rsa->e, e_value);
+
+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
+ test = 1;
+
+ BN_set_flags(r0, BN_FLG_CONSTTIME);
+ BN_set_flags(r1, BN_FLG_CONSTTIME);
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+
+ retry:
+ /* generate p and q */
+ for (i = 0; i < 5 * pbits; i++) {
+ ploop:
+ if (!test)
+ if (!BN_rand(rsa->p, pbits, 0, 1))
+ goto err;
+ if (BN_cmp(rsa->p, r0) < 0) {
+ if (test)
+ goto err;
+ goto ploop;
+ }
+
+ if (!BN_sub(r2, rsa->p, BN_value_one()))
+ goto err;
+ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
+ int r;
+ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0,
+ cb);
+ if (r == -1 || (test && r <= 0))
+ goto err;
+ if (r > 0)
+ break;
+ } else {
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
+ }
+ if (!BN_GENCB_call(cb, 2, n++))
+ goto err;
+ }
+
+ if (!BN_GENCB_call(cb, 3, 0))
+ goto err;
+
+ if (i >= 5 * pbits)
+ /* prime not found */
+ goto err;
+
+ for (i = 0; i < 5 * pbits; i++) {
+ qloop:
+ if (!test)
+ if (!BN_rand(rsa->q, pbits, 0, 1))
+ goto err;
+ if (BN_cmp(rsa->q, r0) < 0) {
+ if (test)
+ goto err;
+ goto qloop;
+ }
+ if (!BN_sub(r2, rsa->q, rsa->p))
+ goto err;
+ if (BN_ucmp(r2, r3) <= 0) {
+ if (test)
+ goto err;
+ goto qloop;
+ }
+
+ if (!BN_sub(r2, rsa->q, BN_value_one()))
+ goto err;
+ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
+ int r;
+ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0,
+ cb);
+ if (r == -1 || (test && r <= 0))
+ goto err;
+ if (r > 0)
+ break;
+ } else {
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
+ }
+ if (!BN_GENCB_call(cb, 2, n++))
+ goto err;
+ }
+
+ if (!BN_GENCB_call(cb, 3, 1))
+ goto err;
+
+ if (i >= 5 * pbits)
+ /* prime not found */
+ goto err;
+
+ if (test) {
+ /* do not try to calculate the remaining key values */
+ BN_clear(rsa->n);
+ ok = 1;
+ goto err;
+ }
+
+ if (BN_cmp(rsa->p, rsa->q) < 0) {
+ tmp = rsa->p;
+ rsa->p = rsa->q;
+ rsa->q = tmp;
+ }
+
+ /* calculate n */
+ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
+ goto err;
+
+ /* calculate d */
+ if (!BN_sub(r1, rsa->p, BN_value_one()))
+ goto err; /* p-1 */
+ if (!BN_sub(r2, rsa->q, BN_value_one()))
+ goto err; /* q-1 */
+
+ /* note that computing gcd is not safe to timing attacks */
+ if (!BN_gcd(r0, r1, r2, ctx))
+ goto err;
+
+ {
+ if (!BN_div(r0, NULL, r1, r0, ctx))
+ goto err;
+
+ if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */
+ goto err;
+
+ if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */
+ goto err;
+ }
+
+ if (BN_num_bits(rsa->d) < pbits)
+ goto retry; /* d is too small */
+
+ {
+ BIGNUM *d = BN_new();
+
+ if (d == NULL)
+ goto err;
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+
+ if (/* calculate d mod (p-1) */
+ !BN_mod(rsa->dmp1, d, r1, ctx)
+ /* calculate d mod (q-1) */
+ || !BN_mod(rsa->dmq1, d, r2, ctx)) {
+ BN_free(d);
+ goto err;
+ }
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
+ }
+
+ /* calculate inverse of q mod p */
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx))
+ goto err;
+
+ if (!fips_check_rsa(rsa))
+ goto err;
+
+ ok = 1;
+ err:
+ if (ok == -1) {
+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
+ ok = 0;
+ }
+ if (ctx != NULL) {
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ }
+
+ return ok;
+}
+#endif
+
static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
BN_GENCB *cb)
{
Index: openssl-1.1.1n/crypto/rsa/rsa_lib.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/rsa/rsa_lib.c
+++ openssl-1.1.1n/crypto/rsa/rsa_lib.c
2020-01-24 12:52:58 +01:00
@@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M
* to deal with which ENGINE it comes from.
*/
const RSA_METHOD *mtmp;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
+ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
+ return 0;
+ }
+#endif
mtmp = rsa->meth;
if (mtmp->finish)
mtmp->finish(rsa);
@@ -66,7 +72,6 @@ RSA *RSA_new_method(ENGINE *engine)
ret->meth = RSA_get_default_method();
#ifndef OPENSSL_NO_ENGINE
- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
if (engine) {
if (!ENGINE_init(engine)) {
RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
@@ -84,8 +89,19 @@ RSA *RSA_new_method(ENGINE *engine)
}
}
#endif
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {
+ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
+# ifndef OPENSSL_NO_ENGINE
+ if (ret->engine)
+ ENGINE_finish(ret->engine);
+# endif
+ OPENSSL_free(ret);
+ return NULL;
+ }
+#endif
- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
+ ret->flags = ret->meth->flags;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
goto err;
}
Index: openssl-1.1.1n/crypto/rsa/rsa_ossl.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/rsa/rsa_ossl.c
+++ openssl-1.1.1n/crypto/rsa/rsa_ossl.c
2020-01-24 12:52:58 +01:00
@@ -12,6 +12,10 @@
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
#include "rsa_local.h"
#include "internal/constant_time.h"
2020-01-24 12:52:58 +01:00
+#ifdef OPENSSL_FIPS
+# include <openssl/fips.h>
+#endif
+
static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
@@ -47,6 +51,12 @@ static const RSA_METHOD *default_RSA_met
void RSA_set_default_method(const RSA_METHOD *meth)
{
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
+ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
+ return;
+ }
+#endif
default_RSA_meth = meth;
}
@@ -73,6 +83,22 @@ static int rsa_ossl_public_encrypt(int f
unsigned char *buf = NULL;
BN_CTX *ctx = NULL;
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT,
+ FIPS_R_FIPS_SELFTEST_FAILED);
+ goto err;
+ }
+
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
+ return -1;
+ }
+ }
+# endif
+
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
return -1;
@@ -246,6 +272,22 @@ static int rsa_ossl_private_encrypt(int
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT,
+ FIPS_R_FIPS_SELFTEST_FAILED);
+ return -1;
+ }
+
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
+ return -1;
+ }
+ }
+# endif
+
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
@@ -380,6 +422,22 @@ static int rsa_ossl_private_decrypt(int
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT,
+ FIPS_R_FIPS_SELFTEST_FAILED);
+ return -1;
+ }
+
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
+ return -1;
+ }
+ }
+# endif
+
if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
@@ -507,6 +565,22 @@ static int rsa_ossl_public_decrypt(int f
unsigned char *buf = NULL;
BN_CTX *ctx = NULL;
+# ifdef OPENSSL_FIPS
+ if (FIPS_mode()) {
+ if (FIPS_selftest_failed()) {
+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT,
+ FIPS_R_FIPS_SELFTEST_FAILED);
+ goto err;
+ }
+
+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
+ return -1;
+ }
+ }
+# endif
+
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
return -1;
Index: openssl-1.1.1n/crypto/rsa/rsa_pmeth.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/rsa/rsa_pmeth.c
+++ openssl-1.1.1n/crypto/rsa/rsa_pmeth.c
2020-01-24 12:52:58 +01:00
@@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX
const EVP_PKEY_METHOD rsa_pkey_meth = {
EVP_PKEY_RSA,
- EVP_PKEY_FLAG_AUTOARGLEN,
+ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
pkey_rsa_init,
pkey_rsa_copy,
pkey_rsa_cleanup,
@@ -838,7 +838,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *c
const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
EVP_PKEY_RSA_PSS,
- EVP_PKEY_FLAG_AUTOARGLEN,
+ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
pkey_rsa_init,
pkey_rsa_copy,
pkey_rsa_cleanup,
Index: openssl-1.1.1n/crypto/rsa/rsa_sign.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/rsa/rsa_sign.c
+++ openssl-1.1.1n/crypto/rsa/rsa_sign.c
2020-01-24 12:52:58 +01:00
@@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch
unsigned char *tmps = NULL;
const unsigned char *encoded = NULL;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
+ RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
+ return 0;
+ }
+#endif
if (rsa->meth->rsa_sign) {
return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
}
@@ -100,8 +107,9 @@ int RSA_sign(int type, const unsigned ch
RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
goto err;
}
- encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa,
- RSA_PKCS1_PADDING);
+ /* NB: call underlying method directly to avoid FIPS blocking */
+ encrypt_len = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(encoded_len, encoded, sigret, rsa,
+ RSA_PKCS1_PADDING) : 0;
if (encrypt_len <= 0)
goto err;
Index: openssl-1.1.1n/crypto/sha/sha256.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/sha/sha256.c
+++ openssl-1.1.1n/crypto/sha/sha256.c
2020-01-24 12:52:58 +01:00
@@ -18,6 +18,9 @@
int SHA224_Init(SHA256_CTX *c)
{
+# ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+# endif
memset(c, 0, sizeof(*c));
c->h[0] = 0xc1059ed8UL;
c->h[1] = 0x367cd507UL;
@@ -33,6 +36,9 @@ int SHA224_Init(SHA256_CTX *c)
int SHA256_Init(SHA256_CTX *c)
{
+# ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+# endif
memset(c, 0, sizeof(*c));
c->h[0] = 0x6a09e667UL;
c->h[1] = 0xbb67ae85UL;
Index: openssl-1.1.1n/crypto/sha/sha512.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/sha/sha512.c
+++ openssl-1.1.1n/crypto/sha/sha512.c
2020-01-24 12:52:58 +01:00
@@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c)
int SHA384_Init(SHA512_CTX *c)
{
+# ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+# endif
c->h[0] = U64(0xcbbb9d5dc1059ed8);
c->h[1] = U64(0x629a292a367cd507);
c->h[2] = U64(0x9159015a3070dd17);
@@ -116,6 +119,9 @@ int SHA384_Init(SHA512_CTX *c)
int SHA512_Init(SHA512_CTX *c)
{
+# ifdef OPENSSL_FIPS
+ FIPS_selftest_check();
+# endif
c->h[0] = U64(0x6a09e667f3bcc908);
c->h[1] = U64(0xbb67ae8584caa73b);
c->h[2] = U64(0x3c6ef372fe94f82b);
Index: openssl-1.1.1n/crypto/sha/sha_local.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/crypto/sha/sha_local.h
+++ openssl-1.1.1n/crypto/sha/sha_local.h
2020-01-24 12:52:58 +01:00
@@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c
int HASH_INIT(SHA_CTX *c)
{
+#if defined(OPENSSL_FIPS)
+ FIPS_selftest_check();
+#endif
memset(c, 0, sizeof(*c));
c->h0 = INIT_DATA_h0;
c->h1 = INIT_DATA_h1;
Index: openssl-1.1.1n/doc/man3/DSA_generate_parameters.pod
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/doc/man3/DSA_generate_parameters.pod
+++ openssl-1.1.1n/doc/man3/DSA_generate_parameters.pod
2020-01-24 12:52:58 +01:00
@@ -30,8 +30,10 @@ B<bits> is the length of the prime p to
For lengths under 2048 bits, the length of q is 160 bits; for lengths
greater than or equal to 2048 bits, the length of q is set to 256 bits.
-If B<seed> is NULL, the primes will be generated at random.
-If B<seed_len> is less than the length of q, an error is returned.
+If B<seed> is NULL, or it does not generate primes, the primes will be
+generated at random.
+If B<seed_len> is less than the length of q, an error is returned
+if old DSA parameter generation method is used as a backend.
DSA_generate_parameters_ex() places the iteration count in
*B<counter_ret> and a counter used for finding a generator in
Index: openssl-1.1.1n/include/openssl/crypto.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/include/openssl/crypto.h
+++ openssl-1.1.1n/include/openssl/crypto.h
2020-01-24 12:52:58 +01:00
@@ -331,6 +331,11 @@ int OPENSSL_isservice(void);
int FIPS_mode(void);
int FIPS_mode_set(int r);
+# ifdef OPENSSL_FIPS
+/* die if FIPS selftest failed */
+void FIPS_selftest_check(void);
+# endif
+
void OPENSSL_init(void);
# ifdef OPENSSL_SYS_UNIX
void OPENSSL_fork_prepare(void);
Index: openssl-1.1.1n/include/openssl/dherr.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/include/openssl/dherr.h
+++ openssl-1.1.1n/include/openssl/dherr.h
2020-01-24 12:52:58 +01:00
@@ -36,6 +36,9 @@ int ERR_load_DH_strings(void);
# define DH_F_DH_CMS_DECRYPT 114
# define DH_F_DH_CMS_SET_PEERKEY 115
# define DH_F_DH_CMS_SET_SHARED_INFO 116
+# define DH_F_DH_COMPUTE_KEY 203
+# define DH_F_DH_GENERATE_KEY 202
+# define DH_F_DH_GENERATE_PARAMETERS_EX 201
# define DH_F_DH_METH_DUP 117
# define DH_F_DH_METH_NEW 118
# define DH_F_DH_METH_SET1_NAME 119
@@ -73,12 +76,14 @@ int ERR_load_DH_strings(void);
# define DH_R_INVALID_PARAMETER_NID 114
# define DH_R_INVALID_PUBKEY 102
# define DH_R_KDF_PARAMETER_ERROR 112
+# define DH_R_KEY_SIZE_TOO_SMALL 201
# define DH_R_KEYS_NOT_SET 108
# define DH_R_MISSING_PUBKEY 125
# define DH_R_MODULUS_TOO_LARGE 103
# define DH_R_NOT_SUITABLE_GENERATOR 120
# define DH_R_NO_PARAMETERS_SET 107
# define DH_R_NO_PRIVATE_VALUE 100
+# define DH_R_NON_FIPS_METHOD 202
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
# define DH_R_SHARED_INFO_ERROR 113
Index: openssl-1.1.1n/include/openssl/dh.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/include/openssl/dh.h
+++ openssl-1.1.1n/include/openssl/dh.h
2020-01-24 12:52:58 +01:00
@@ -31,6 +31,7 @@ extern "C" {
# endif
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
+# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
# define DH_FLAG_CACHE_MONT_P 0x01
Index: openssl-1.1.1n/include/openssl/dsaerr.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/include/openssl/dsaerr.h
+++ openssl-1.1.1n/include/openssl/dsaerr.h
2020-01-24 12:52:58 +01:00
@@ -29,8 +29,11 @@ int ERR_load_DSA_strings(void);
*/
# define DSA_F_DSAPARAMS_PRINT 100
# define DSA_F_DSAPARAMS_PRINT_FP 101
+# define DSA_F_DSA_BUILTIN_KEYGEN 202
# define DSA_F_DSA_BUILTIN_PARAMGEN 125
# define DSA_F_DSA_BUILTIN_PARAMGEN2 126
+# define DSA_F_DSA_GENERATE_KEY 201
+# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200
# define DSA_F_DSA_DO_SIGN 112
# define DSA_F_DSA_DO_VERIFY 113
# define DSA_F_DSA_METH_DUP 127
@@ -60,10 +63,13 @@ int ERR_load_DSA_strings(void);
# define DSA_R_DECODE_ERROR 104
# define DSA_R_INVALID_DIGEST_TYPE 106
# define DSA_R_INVALID_PARAMETERS 112
+# define DSA_R_KEY_SIZE_INVALID 201
+# define DSA_R_KEY_SIZE_TOO_SMALL 202
# define DSA_R_MISSING_PARAMETERS 101
# define DSA_R_MISSING_PRIVATE_KEY 111
# define DSA_R_MODULUS_TOO_LARGE 103
# define DSA_R_NO_PARAMETERS_SET 107
+# define DSA_R_NON_FIPS_DSA_METHOD 200
# define DSA_R_PARAMETER_ENCODING_ERROR 105
# define DSA_R_Q_NOT_PRIME 113
# define DSA_R_SEED_LEN_SMALL 110
Index: openssl-1.1.1n/include/openssl/dsa.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/include/openssl/dsa.h
+++ openssl-1.1.1n/include/openssl/dsa.h
2020-01-24 12:52:58 +01:00
@@ -31,6 +31,7 @@ extern "C" {
# endif
# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
+# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 2048
# define DSA_FLAG_CACHE_MONT_P 0x01
# if OPENSSL_API_COMPAT < 0x10100000L
Index: openssl-1.1.1n/include/openssl/evperr.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/include/openssl/evperr.h
+++ openssl-1.1.1n/include/openssl/evperr.h
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -22,14 +22,15 @@ int ERR_load_EVP_strings(void);
2020-01-24 12:52:58 +01:00
* EVP function codes.
*/
# define EVP_F_AESNI_INIT_KEY 165
-# define EVP_F_AESNI_XTS_INIT_KEY 207
+# define EVP_F_AESNI_XTS_INIT_KEY 233
# define EVP_F_AES_GCM_CTRL 196
# define EVP_F_AES_INIT_KEY 133
# define EVP_F_AES_OCB_CIPHER 169
# define EVP_F_AES_T4_INIT_KEY 178
-# define EVP_F_AES_T4_XTS_INIT_KEY 208
+# define EVP_F_AES_T4_XTS_INIT_KEY 234
# define EVP_F_AES_WRAP_CIPHER 170
-# define EVP_F_AES_XTS_INIT_KEY 209
+# define EVP_F_AES_XTS_CIPHER 229
+# define EVP_F_AES_XTS_INIT_KEY 235
# define EVP_F_ALG_MODULE_INIT 177
# define EVP_F_ARIA_CCM_INIT_KEY 175
# define EVP_F_ARIA_GCM_CTRL 197
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -140,6 +141,7 @@ int ERR_load_EVP_strings(void);
2020-01-24 12:52:58 +01:00
# define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133
# define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138
# define EVP_R_DECODE_ERROR 114
+# define EVP_R_DISABLED_FOR_FIPS 200
# define EVP_R_DIFFERENT_KEY_TYPES 101
# define EVP_R_DIFFERENT_PARAMETERS 153
# define EVP_R_ERROR_LOADING_SECTION 165
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -184,6 +186,7 @@ int ERR_load_EVP_strings(void);
2020-01-24 12:52:58 +01:00
# define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
# define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
# define EVP_R_PUBLIC_KEY_NOT_RSA 106
+# define EVP_R_TOO_LARGE 201
# define EVP_R_UNKNOWN_CIPHER 160
# define EVP_R_UNKNOWN_DIGEST 161
# define EVP_R_UNKNOWN_OPTION 169
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -199,6 +202,7 @@ int ERR_load_EVP_strings(void);
2020-01-24 12:52:58 +01:00
# define EVP_R_UNSUPPORTED_SALT_TYPE 126
# define EVP_R_WRAP_MODE_NOT_ALLOWED 170
# define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109
-# define EVP_R_XTS_DUPLICATED_KEYS 183
+# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191
+# define EVP_R_XTS_DUPLICATED_KEYS 192
#endif
Index: openssl-1.1.1n/include/openssl/evp.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/include/openssl/evp.h
+++ openssl-1.1.1n/include/openssl/evp.h
2020-01-24 12:52:58 +01:00
@@ -1324,6 +1324,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP
*/
# define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4
+/* Downstream modification, large value to avoid conflict */
+# define EVP_PKEY_FLAG_FIPS 0x4000
+
const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags,
Index: openssl-1.1.1n/include/openssl/fips.h
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/include/openssl/fips.h
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,187 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <openssl/opensslconf.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+
+#ifndef OPENSSL_FIPS
+# error FIPS is disabled.
+#endif
+
+#ifdef OPENSSL_FIPS
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+ int FIPS_selftest(void);
+ int FIPS_selftest_failed(void);
+ int FIPS_selftest_drbg_all(void);
+
+ int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
+ const EVP_MD *evpmd, const unsigned char *seed_in,
+ size_t seed_len, int idx, unsigned char *seed_out,
+ int *counter_ret, unsigned long *h_ret,
+ BN_GENCB *cb);
+ int FIPS_dsa_paramgen_check_g(DSA *dsa);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+ int ERR_load_FIPS_strings(void);
+
+/* Error codes for the FIPS functions. */
+
+/* Function codes. */
+# define FIPS_F_DH_BUILTIN_GENPARAMS 100
+# define FIPS_F_DRBG_RESEED 121
+# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107
+# define FIPS_F_DSA_DO_SIGN 102
+# define FIPS_F_DSA_DO_VERIFY 103
+# define FIPS_F_EVP_CIPHER_CTX_NEW 137
+# define FIPS_F_EVP_CIPHER_CTX_RESET 122
+# define FIPS_F_ECDH_COMPUTE_KEY 123
+# define FIPS_F_EVP_CIPHERINIT_EX 124
+# define FIPS_F_EVP_DIGESTINIT_EX 125
+# define FIPS_F_FIPS_CHECK_DSA 104
+# define FIPS_F_FIPS_CHECK_EC 142
+# define FIPS_F_FIPS_CHECK_RSA 106
+# define FIPS_F_FIPS_DRBG_BYTES 131
+# define FIPS_F_FIPS_DRBG_CHECK 146
+# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132
+# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136
+# define FIPS_F_FIPS_DRBG_GENERATE 134
+# define FIPS_F_FIPS_DRBG_INIT 135
+# define FIPS_F_FIPS_DRBG_INSTANTIATE 138
+# define FIPS_F_FIPS_DRBG_NEW 139
+# define FIPS_F_FIPS_DRBG_RESEED 140
+# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141
+# define FIPS_F_FIPS_GET_ENTROPY 147
+# define FIPS_F_FIPS_MODULE_MODE_SET 108
+# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109
+# define FIPS_F_FIPS_RAND_BYTES 114
+# define FIPS_F_FIPS_RAND_SEED 128
+# define FIPS_F_FIPS_RAND_SET_METHOD 126
+# define FIPS_F_FIPS_RAND_STATUS 127
+# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 101
+# define FIPS_F_FIPS_SELFTEST 150
+# define FIPS_F_FIPS_SELFTEST_AES 110
+# define FIPS_F_FIPS_SELFTEST_AES_CCM 145
+# define FIPS_F_FIPS_SELFTEST_AES_GCM 129
+# define FIPS_F_FIPS_SELFTEST_AES_XTS 144
+# define FIPS_F_FIPS_SELFTEST_CMAC 130
+# define FIPS_F_FIPS_SELFTEST_DES 111
+# define FIPS_F_FIPS_SELFTEST_DSA 112
+# define FIPS_F_FIPS_SELFTEST_ECDSA 133
+# define FIPS_F_FIPS_SELFTEST_HMAC 113
+# define FIPS_F_FIPS_SELFTEST_SHA1 115
+# define FIPS_F_FIPS_SELFTEST_SHA2 105
+# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
+# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148
+# define FIPS_F_RSA_BUILTIN_KEYGEN 116
+# define FIPS_F_RSA_OSSL_INIT 149
+# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117
+# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 118
+# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 119
+# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 120
+
+/* Reason codes. */
+# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150
+# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125
+# define FIPS_R_ALREADY_INSTANTIATED 134
+# define FIPS_R_DRBG_NOT_INITIALISED 152
+# define FIPS_R_DRBG_STUCK 103
+# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104
+# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105
+# define FIPS_R_ENTROPY_SOURCE_STUCK 142
+# define FIPS_R_ERROR_INITIALISING_DRBG 115
+# define FIPS_R_ERROR_INSTANTIATING_DRBG 127
+# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124
+# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122
+# define FIPS_R_ERROR_RETRIEVING_NONCE 140
+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110
+# define FIPS_R_FIPS_MODE_ALREADY_SET 102
+# define FIPS_R_FIPS_SELFTEST_FAILED 106
+# define FIPS_R_FUNCTION_ERROR 116
+# define FIPS_R_GENERATE_ERROR 137
+# define FIPS_R_GENERATE_ERROR_UNDETECTED 118
+# define FIPS_R_INSTANTIATE_ERROR 119
+# define FIPS_R_INTERNAL_ERROR 121
+# define FIPS_R_INVALID_KEY_LENGTH 109
+# define FIPS_R_IN_ERROR_STATE 123
+# define FIPS_R_KEY_TOO_SHORT 108
+# define FIPS_R_NONCE_ERROR_UNDETECTED 149
+# define FIPS_R_NON_FIPS_METHOD 100
+# define FIPS_R_NOPR_TEST1_FAILURE 145
+# define FIPS_R_NOPR_TEST2_FAILURE 146
+# define FIPS_R_NOT_INSTANTIATED 126
+# define FIPS_R_PAIRWISE_TEST_FAILED 107
+# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128
+# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129
+# define FIPS_R_PR_TEST1_FAILURE 147
+# define FIPS_R_PR_TEST2_FAILURE 148
+# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130
+# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131
+# define FIPS_R_RESEED_COUNTER_ERROR 132
+# define FIPS_R_RESEED_ERROR 133
+# define FIPS_R_SELFTEST_FAILED 101
+# define FIPS_R_SELFTEST_FAILURE 135
+# define FIPS_R_TEST_FAILURE 117
+# define FIPS_R_UNINSTANTIATE_ERROR 141
+# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138
+# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
+# define FIPS_R_UNSUPPORTED_PLATFORM 113
+
+# ifdef __cplusplus
+}
+# endif
+#endif
Index: openssl-1.1.1n/include/openssl/fips_rand.h
2020-01-24 12:52:58 +01:00
===================================================================
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
--- /dev/null
+++ openssl-1.1.1n/include/openssl/fips_rand.h
2020-01-24 12:52:58 +01:00
@@ -0,0 +1,145 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
2020-01-24 12:52:58 +01:00
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef HEADER_FIPS_RAND_H
+# define HEADER_FIPS_RAND_H
+
+# include <openssl/aes.h>
+# include <openssl/evp.h>
+# include <openssl/hmac.h>
+# include <openssl/rand.h>
+
+# ifdef OPENSSL_FIPS
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+ typedef struct drbg_ctx_st DRBG_CTX;
+/* DRBG external flags */
+/* Flag for CTR mode only: use derivation function ctr_df */
+# define DRBG_FLAG_CTR_USE_DF 0x1
+/* PRNG is in test state */
+# define DRBG_FLAG_TEST 0x2
+
+ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
+ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
+ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
+ const unsigned char *pers, size_t perslen);
+ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
+ size_t adinlen);
+ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+ int prediction_resistance,
+ const unsigned char *adin, size_t adinlen);
+
+ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
+ void FIPS_drbg_free(DRBG_CTX *dctx);
+
+ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
+ size_t (*get_entropy) (DRBG_CTX *ctx,
+ unsigned char **pout,
+ int entropy,
+ size_t min_len,
+ size_t max_len),
+ void (*cleanup_entropy) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen),
+ size_t entropy_blocklen,
+ size_t (*get_nonce) (DRBG_CTX *ctx,
+ unsigned char **pout,
+ int entropy,
+ size_t min_len,
+ size_t max_len),
+ void (*cleanup_nonce) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen));
+
+ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
+ size_t (*get_adin) (DRBG_CTX *ctx,
+ unsigned char
+ **pout),
+ void (*cleanup_adin) (DRBG_CTX *ctx,
+ unsigned char *out,
+ size_t olen),
+ int (*rand_seed_cb) (DRBG_CTX *ctx,
+ const void *buf,
+ int num),
+ int (*rand_add_cb) (DRBG_CTX *ctx,
+ const void *buf,
+ int num,
+ double entropy));
+
+ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
+ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
+ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
+ int FIPS_drbg_get_strength(DRBG_CTX *dctx);
+ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
+ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
+
+ int FIPS_drbg_health_check(DRBG_CTX *dctx);
+
+ DRBG_CTX *FIPS_get_default_drbg(void);
+ const RAND_METHOD *FIPS_drbg_method(void);
+
+ int FIPS_rand_set_method(const RAND_METHOD *meth);
+ const RAND_METHOD *FIPS_rand_get_method(void);
+
+ void FIPS_rand_set_bits(int nbits);
+
+ int FIPS_rand_strength(void);
+
+/* 1.0.0 compat functions */
+ int FIPS_rand_seed(const void *buf, int num);
+ int FIPS_rand_bytes(unsigned char *out, int outlen);
+ void FIPS_rand_reset(void);
+ int FIPS_rand_status(void);
+# ifdef __cplusplus
+}
+# endif
+# endif
+#endif
Index: openssl-1.1.1n/include/openssl/opensslconf.h.in
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/include/openssl/opensslconf.h.in
+++ openssl-1.1.1n/include/openssl/opensslconf.h.in
@@ -155,6 +155,11 @@ extern "C" {
2020-01-24 12:52:58 +01:00
#define RC4_INT {- $config{rc4_int} -}
+/* Always build FIPS module */
+#ifndef OPENSSL_FIPS
+# define OPENSSL_FIPS
+#endif
+
#ifdef __cplusplus
}
#endif
Index: openssl-1.1.1n/include/openssl/randerr.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/include/openssl/randerr.h
+++ openssl-1.1.1n/include/openssl/randerr.h
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
@@ -38,6 +38,7 @@ int ERR_load_RAND_strings(void);
2020-01-24 12:52:58 +01:00
# define RAND_F_RAND_DRBG_SET 104
# define RAND_F_RAND_DRBG_SET_DEFAULTS 121
# define RAND_F_RAND_DRBG_UNINSTANTIATE 118
+# define RAND_F_RAND_INIT_FIPS 200
# define RAND_F_RAND_LOAD_FILE 111
# define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122
# define RAND_F_RAND_POOL_ADD 103
Index: openssl-1.1.1n/include/openssl/rand.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/include/openssl/rand.h
+++ openssl-1.1.1n/include/openssl/rand.h
2020-01-24 12:52:58 +01:00
@@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void
DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
# endif
+# ifdef OPENSSL_FIPS
+/* just stubs for API compatibility */
+void RAND_set_fips_drbg_type(int type, int flags);
+int RAND_init_fips(void);
+# endif
#ifdef __cplusplus
}
Index: openssl-1.1.1n/include/openssl/rsaerr.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/include/openssl/rsaerr.h
+++ openssl-1.1.1n/include/openssl/rsaerr.h
2020-01-24 12:52:58 +01:00
@@ -25,6 +25,7 @@ int ERR_load_RSA_strings(void);
*/
# define RSA_F_CHECK_PADDING_MD 140
# define RSA_F_ENCODE_PKCS1 146
+# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206
# define RSA_F_INT_RSA_VERIFY 145
# define RSA_F_OLD_RSA_PRIV_DECODE 147
# define RSA_F_PKEY_PSS_INIT 165
@@ -39,6 +40,8 @@ int ERR_load_RSA_strings(void);
# define RSA_F_RSA_CHECK_KEY_EX 160
# define RSA_F_RSA_CMS_DECRYPT 159
# define RSA_F_RSA_CMS_VERIFY 158
+# define RSA_F_RSA_GENERATE_KEY_EX 204
+# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 207
# define RSA_F_RSA_ITEM_VERIFY 148
# define RSA_F_RSA_METH_DUP 161
# define RSA_F_RSA_METH_NEW 162
@@ -76,10 +79,16 @@ int ERR_load_RSA_strings(void);
# define RSA_F_RSA_PRINT_FP 116
# define RSA_F_RSA_PRIV_DECODE 150
# define RSA_F_RSA_PRIV_ENCODE 138
+# define RSA_F_RSA_PRIVATE_DECRYPT 200
+# define RSA_F_RSA_PRIVATE_ENCRYPT 201
# define RSA_F_RSA_PSS_GET_PARAM 151
# define RSA_F_RSA_PSS_TO_CTX 155
# define RSA_F_RSA_PUB_DECODE 139
+# define RSA_F_RSA_PUBLIC_DECRYPT 202
+# define RSA_F_RSA_PUBLIC_ENCRYPT 203
# define RSA_F_RSA_SETUP_BLINDING 136
+# define RSA_F_RSA_SET_DEFAULT_METHOD 205
+# define RSA_F_RSA_SET_METHOD 204
# define RSA_F_RSA_SIGN 117
# define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
# define RSA_F_RSA_VERIFY 119
@@ -137,10 +146,12 @@ int ERR_load_RSA_strings(void);
# define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169
# define RSA_R_MP_R_NOT_PRIME 170
# define RSA_R_NO_PUBLIC_EXPONENT 140
+# define RSA_R_NON_FIPS_RSA_METHOD 200
# define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
# define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES 172
# define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
# define RSA_R_OAEP_DECODING_ERROR 121
+# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201
# define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
# define RSA_R_PADDING_CHECK_FAILED 114
# define RSA_R_PKCS_DECODING_ERROR 159
@@ -160,6 +171,7 @@ int ERR_load_RSA_strings(void);
# define RSA_R_UNSUPPORTED_LABEL_SOURCE 163
# define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153
# define RSA_R_UNSUPPORTED_MASK_PARAMETER 154
+# define RSA_R_UNSUPPORTED_PARAMETERS 202
# define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
# define RSA_R_VALUE_MISSING 147
# define RSA_R_WRONG_SIGNATURE_LENGTH 119
Index: openssl-1.1.1n/ssl/s3_lib.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/ssl/s3_lib.c
+++ openssl-1.1.1n/ssl/s3_lib.c
2020-01-24 12:52:58 +01:00
@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256,
128,
128,
@@ -58,7 +58,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384,
256,
256,
@@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = {
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256,
128,
128,
@@ -634,7 +634,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -650,7 +650,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -666,7 +666,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -682,7 +682,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -794,7 +794,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -810,7 +810,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
@@ -890,7 +890,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -906,7 +906,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
- SSL_NOT_DEFAULT | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
Index: openssl-1.1.1n/ssl/ssl_ciph.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/ssl/ssl_ciph.c
+++ openssl-1.1.1n/ssl/ssl_ciph.c
2020-01-24 12:52:58 +01:00
@@ -385,7 +385,7 @@ int ssl_load_ciphers(void)
}
}
/* Make sure we can access MD5 and SHA1 */
- if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))
+ if (!FIPS_mode() && !ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))
return 0;
if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL))
return 0;
@@ -557,6 +557,9 @@ int ssl_cipher_get_evp(const SSL_SESSION
s->ssl_version < TLS1_VERSION)
return 1;
+ if (FIPS_mode())
+ return 1;
+
if (c->algorithm_enc == SSL_RC4 &&
c->algorithm_mac == SSL_MD5 &&
(evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
@@ -665,6 +668,8 @@ static void ssl_cipher_collect_ciphers(c
/* drop those that use any of that is not available */
if (c == NULL || !c->valid)
continue;
+ if (FIPS_mode() && !(c->algo_strength & SSL_FIPS))
+ continue;
if ((c->algorithm_mkey & disabled_mkey) ||
(c->algorithm_auth & disabled_auth) ||
(c->algorithm_enc & disabled_enc) ||
@@ -1619,7 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
2020-01-24 12:52:58 +01:00
* to the resulting precedence to the STACK_OF(SSL_CIPHER).
*/
for (curr = head; curr != NULL; curr = curr->next) {
- if (curr->active) {
+ if (curr->active
+ && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
OPENSSL_free(co_list);
sk_SSL_CIPHER_free(cipherstack);
Index: openssl-1.1.1n/ssl/ssl_init.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/ssl/ssl_init.c
+++ openssl-1.1.1n/ssl/ssl_init.c
2020-01-24 12:52:58 +01:00
@@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
"Adding SSL ciphers and digests\n");
#endif
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode()) {
+#endif
+
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cbc());
EVP_add_cipher(EVP_des_ede3_cbc());
@@ -87,6 +91,31 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
EVP_add_digest(EVP_sha256());
EVP_add_digest(EVP_sha384());
EVP_add_digest(EVP_sha512());
+#ifdef OPENSSL_FIPS
+ } else {
+# ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_ede3_cbc());
+# endif
+ EVP_add_cipher(EVP_aes_128_cbc());
+ EVP_add_cipher(EVP_aes_192_cbc());
+ EVP_add_cipher(EVP_aes_256_cbc());
+ EVP_add_cipher(EVP_aes_128_gcm());
+ EVP_add_cipher(EVP_aes_256_gcm());
+ EVP_add_cipher(EVP_aes_128_ccm());
+ EVP_add_cipher(EVP_aes_256_ccm());
+# ifndef OPENSSL_NO_MD5
+ /* needed even in the FIPS mode for TLS-1.0 */
+ EVP_add_digest(EVP_md5_sha1());
+# endif
+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+ }
+#endif
#ifndef OPENSSL_NO_COMP
# ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
Index: openssl-1.1.1n/ssl/ssl_lib.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/ssl/ssl_lib.c
+++ openssl-1.1.1n/ssl/ssl_lib.c
@@ -3025,6 +3025,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
2020-01-24 12:52:58 +01:00
if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
return NULL;
+ if (FIPS_mode() && (meth->version < TLS1_VERSION)) {
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE);
+ return NULL;
+ }
+
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
goto err;
@@ -3081,13 +3086,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
2020-01-24 12:52:58 +01:00
if (ret->param == NULL)
goto err;
- if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
- goto err2;
- }
- if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
- goto err2;
+ if (!FIPS_mode()) {
+ if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
+ goto err2;
+ }
+ if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
+ goto err2;
+ }
+ } else {
+ ret->min_proto_version = TLS1_VERSION;
}
if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
Index: openssl-1.1.1n/ssl/ssl_local.h
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/ssl/ssl_local.h
+++ openssl-1.1.1n/ssl/ssl_local.h
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 13:20:01 +01:00
@@ -1515,6 +1515,7 @@ typedef struct tls_group_info_st {
2020-01-24 12:52:58 +01:00
# define TLS_CURVE_PRIME 0x0
# define TLS_CURVE_CHAR2 0x1
# define TLS_CURVE_CUSTOM 0x2
+# define TLS_CURVE_FIPS 0x80
typedef struct cert_pkey_st CERT_PKEY;
Index: openssl-1.1.1n/ssl/t1_lib.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/ssl/t1_lib.c
+++ openssl-1.1.1n/ssl/t1_lib.c
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
@@ -159,11 +159,11 @@ static const TLS_GROUP_INFO nid_list[] =
2020-01-24 12:52:58 +01:00
{NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
{NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
{NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
- {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
+ {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */
{NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
- {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
- {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
+ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */
+ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */
+ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */
{NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
{NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
{NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
Accepting request 786956 from home:vitezslav_cizek:branches:security:tls - Update to 1.1.1e * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. * Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. * Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. * Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. - Update bunch of patches as the internal crypto headers got reorganized - drop openssl-1_1-CVE-2019-1551.patch (upstream) - openssl dgst: default to SHA256 only when called without a digest, OBS-URL: https://build.opensuse.org/request/show/786956 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=65
2020-03-20 18:43:35 +01:00
@@ -258,6 +258,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
2020-01-24 12:52:58 +01:00
if (cinfo->flags & TLS_CURVE_CHAR2)
return 0;
# endif
+ if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))
+ return 0;
ctmp[0] = curve >> 8;
ctmp[1] = curve & 0xff;
return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
Index: openssl-1.1.1n/test/dsatest.c
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/test/dsatest.c
+++ openssl-1.1.1n/test/dsatest.c
2020-01-24 12:52:58 +01:00
@@ -24,41 +24,42 @@
#ifndef OPENSSL_NO_DSA
static int dsa_cb(int p, int n, BN_GENCB *arg);
-/*
- * seed, out_p, out_q, out_g are taken from the updated Appendix 5 to FIPS
- * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1
- */
static unsigned char seed[20] = {
- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40,
- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,
+ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62,
+ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3,
};
static unsigned char out_p[] = {
- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa,
- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb,
- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7,
- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5,
- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf,
- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac,
- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2,
- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91,
+ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E,
+ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99,
+ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD,
+ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB,
+ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18,
+ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B,
+ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E,
+ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD,
+ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93,
+ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D,
+ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F,
};
static unsigned char out_q[] = {
- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee,
- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e,
- 0xda, 0xce, 0x91, 0x5f,
+ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B,
+ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87,
};
static unsigned char out_g[] = {
- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13,
- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00,
- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb,
- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e,
- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf,
- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c,
- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c,
- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02,
+ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C,
+ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE,
+ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36,
+ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13,
+ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C,
+ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D,
+ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9,
+ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F,
+ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E,
+ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41,
+ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29,
};
static const unsigned char str1[] = "12345678901234567890";
@@ -79,11 +80,11 @@ static int dsa_test(void)
BN_GENCB_set(cb, dsa_cb, NULL);
if (!TEST_ptr(dsa = DSA_new())
- || !TEST_true(DSA_generate_parameters_ex(dsa, 512, seed, 20,
+ || !TEST_true(DSA_generate_parameters_ex(dsa, 1024, seed, 20,
&counter, &h, cb)))
goto end;
- if (!TEST_int_eq(counter, 105))
+ if (!TEST_int_eq(counter, 239))
goto end;
if (!TEST_int_eq(h, 2))
goto end;
Index: openssl-1.1.1n/test/recipes/30-test_evp_data/evpciph.txt
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/test/recipes/30-test_evp_data/evpciph.txt
+++ openssl-1.1.1n/test/recipes/30-test_evp_data/evpciph.txt
2020-01-24 12:52:58 +01:00
@@ -1206,6 +1206,7 @@ Key = 0000000000000000000000000000000000
IV = 00000000000000000000000000000000
Plaintext = 0000000000000000000000000000000000000000000000000000000000000000
Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e
+Result = KEY_SET_ERROR
Cipher = aes-128-xts
Key = 1111111111111111111111111111111122222222222222222222222222222222
Index: openssl-1.1.1n/util/libcrypto.num
2020-01-24 12:52:58 +01:00
===================================================================
--- openssl-1.1.1n.orig/util/libcrypto.num
+++ openssl-1.1.1n/util/libcrypto.num
@@ -4591,3 +4591,38 @@ X509_ALGOR_copy
X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION:
X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION:
EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC
2020-01-24 12:52:58 +01:00
+FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION:
+FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION:
+FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION:
+FIPS_get_default_drbg 6351 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_set_reseed_interval 6352 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_set_app_data 6353 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_method 6354 1_1_0g EXIST::FUNCTION:
+FIPS_rand_status 6355 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_instantiate 6356 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_set_callbacks 6357 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_new 6358 1_1_0g EXIST::FUNCTION:
+FIPS_dsa_paramgen_check_g 6359 1_1_0g EXIST::FUNCTION:
+FIPS_selftest 6360 1_1_0g EXIST::FUNCTION:
+FIPS_rand_set_bits 6361 1_1_0g EXIST::FUNCTION:
+FIPS_rand_bytes 6362 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_get_app_data 6363 1_1_0g EXIST::FUNCTION:
+FIPS_selftest_failed 6364 1_1_0g EXIST::FUNCTION:
+FIPS_dsa_builtin_paramgen2 6365 1_1_0g EXIST::FUNCTION:
+FIPS_rand_reset 6366 1_1_0g EXIST::FUNCTION:
+ERR_load_FIPS_strings 6367 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_generate 6368 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_uninstantiate 6369 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_set_check_interval 6370 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_free 6371 1_1_0g EXIST::FUNCTION:
+FIPS_selftest_drbg_all 6372 1_1_0g EXIST::FUNCTION:
+FIPS_rand_get_method 6373 1_1_0g EXIST::FUNCTION:
+RAND_set_fips_drbg_type 6374 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_health_check 6375 1_1_0g EXIST::FUNCTION:
+RAND_init_fips 6376 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_set_rand_callbacks 6377 1_1_0g EXIST::FUNCTION:
+FIPS_rand_seed 6378 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_get_strength 6379 1_1_0g EXIST::FUNCTION:
+FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
+FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
Index: openssl-1.1.1n/crypto/err/openssl.txt
===================================================================
--- openssl-1.1.1n.orig/crypto/err/openssl.txt
+++ openssl-1.1.1n/crypto/err/openssl.txt
@@ -822,6 +822,57 @@ EVP_F_RC5_CTRL:125:rc5_ctrl
EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key
EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
EVP_F_UPDATE:173:update
+FIPS_F_DH_BUILTIN_GENPARAMS:100:dh_builtin_genparams
+FIPS_F_DRBG_RESEED:121:drbg_reseed
+FIPS_F_DSA_BUILTIN_PARAMGEN2:107:dsa_builtin_paramgen2
+FIPS_F_DSA_DO_SIGN:102:DSA_do_sign
+FIPS_F_DSA_DO_VERIFY:103:DSA_do_verify
+FIPS_F_ECDH_COMPUTE_KEY:123:ECDH_compute_key
+FIPS_F_EVP_CIPHER_CTX_NEW:137:EVP_CIPHER_CTX_new
+FIPS_F_EVP_CIPHER_CTX_RESET:122:EVP_CIPHER_CTX_reset
+FIPS_F_EVP_CIPHERINIT_EX:124:EVP_CipherInit_ex
+FIPS_F_EVP_DIGESTINIT_EX:125:EVP_DigestInit_ex
+FIPS_F_FIPS_CHECK_DSA:104:fips_check_dsa
+FIPS_F_FIPS_CHECK_EC:142:fips_check_ec
+FIPS_F_FIPS_CHECK_RSA:106:fips_check_rsa
+FIPS_F_FIPS_DRBG_BYTES:131:fips_drbg_bytes
+FIPS_F_FIPS_DRBG_CHECK:146:fips_drbg_check
+FIPS_F_FIPS_DRBG_CPRNG_TEST:132:fips_drbg_cprng_test
+FIPS_F_FIPS_DRBG_ERROR_CHECK:136:fips_drbg_error_check
+FIPS_F_FIPS_DRBG_GENERATE:134:FIPS_drbg_generate
+FIPS_F_FIPS_DRBG_INIT:138:FIPS_drbg_init
+FIPS_F_FIPS_DRBG_INSTANTIATE:138:FIPS_drbg_instantiate
+FIPS_F_FIPS_DRBG_NEW:139:FIPS_drbg_new
+FIPS_F_FIPS_DRBG_RESEED:140:FIPS_drbg_reseed
+FIPS_F_FIPS_DRBG_SINGLE_KAT:141:FIPS_DRBG_SINGLE_KAT
+FIPS_F_FIPS_GET_ENTROPY:147:fips_get_entropy
+FIPS_F_FIPS_MODULE_MODE_SET:108:FIPS_module_mode_set
+FIPS_F_FIPS_PKEY_SIGNATURE_TEST:109:fips_pkey_signature_test
+FIPS_F_FIPS_RAND_BYTES:114:FIPS_rand_bytes
+FIPS_F_FIPS_RAND_SEED:128:FIPS_rand_seed
+FIPS_F_FIPS_RAND_SET_METHOD:126:FIPS_rand_set_method
+FIPS_F_FIPS_RAND_STATUS:127:FIPS_rand_status
+FIPS_F_FIPS_RSA_BUILTIN_KEYGEN:101:fips_rsa_builtin_keygen
+FIPS_F_FIPS_SELFTEST:150:FIPS_selftest
+FIPS_F_FIPS_SELFTEST_AES:110:FIPS_selftest_aes
+FIPS_F_FIPS_SELFTEST_AES_CCM:145:FIPS_selftest_aes_ccm
+FIPS_F_FIPS_SELFTEST_AES_GCM:129:FIPS_selftest_aes_gcm
+FIPS_F_FIPS_SELFTEST_AES_XTS:144:FIPS_selftest_aes_xts
+FIPS_F_FIPS_SELFTEST_CMAC:130:FIPS_selftest_cmac
+FIPS_F_FIPS_SELFTEST_DES:111:FIPS_selftest_des
+FIPS_F_FIPS_SELFTEST_DSA:112:FIPS_selftest_dsa
+FIPS_F_FIPS_SELFTEST_ECDSA:133:FIPS_selftest_ecdsa
+FIPS_F_FIPS_SELFTEST_HMAC:113:FIPS_selftest_hmac
+FIPS_F_FIPS_SELFTEST_SHA1:115:FIPS_selftest_sha1
+FIPS_F_FIPS_SELFTEST_SHA2:105:FIPS_selftest_sha2
+FIPS_F_OSSL_ECDSA_SIGN_SIG:143:ossl_ecdsa_sign_sig
+FIPS_F_OSSL_ECDSA_VERIFY_SIG:148:ossl_ecdsa_verify_sig
+FIPS_F_RSA_BUILTIN_KEYGEN:116:rsa_builtin_keygen
+FIPS_F_RSA_OSSL_INIT:149:rsa_ossl_init
+FIPS_F_RSA_OSSL_PRIVATE_DECRYPT:117:rsa_ossl_private_decrypt
+FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT:118:rsa_ossl_private_encrypt
+FIPS_F_RSA_OSSL_PUBLIC_DECRYPT:119:rsa_ossl_public_decrypt
+FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT:120:rsa_ossl_public_encrypt
KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init
@@ -2318,6 +2369,61 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsuppor
EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed
EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys
+FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED:150:\
+ additional input error undetected
+FIPS_R_ADDITIONAL_INPUT_TOO_LONG:125:\
+ additional input too long
+FIPS_R_ALREADY_INSTANTIATED:134:already instantiated
+FIPS_R_DRBG_NOT_INITIALISED:152:drbg not initialised
+FIPS_R_DRBG_STUCK:103:drbg stuck
+FIPS_R_ENTROPY_ERROR_UNDETECTED:104:entropy error undetected
+FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED:105:\
+ entropy not requested for reseed
+FIPS_R_ENTROPY_SOURCE_STUCK:142:entropy source stuck
+FIPS_R_ERROR_INITIALISING_DRBG:115:error initialising drbg
+FIPS_R_ERROR_INSTANTIATING_DRBG:127:error instantiating drbg
+FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT:124:\
+ error retrieving additional input
+FIPS_R_ERROR_RETRIEVING_ENTROPY:122:error retrieving entropy
+FIPS_R_ERROR_RETRIEVING_NONCE:140:error retrieving nonce
+FIPS_R_FINGERPRINT_DOES_NOT_MATCH:110:\
+ fingerprint does not match
+FIPS_R_FIPS_MODE_ALREADY_SET:102:fips mode already set
+FIPS_R_FIPS_SELFTEST_FAILED:106:fips selftest failed
+FIPS_R_FUNCTION_ERROR:116:function error
+FIPS_R_GENERATE_ERROR:137:generate error
+FIPS_R_GENERATE_ERROR_UNDETECTED:118:\
+ generate error undetected
+FIPS_R_INSTANTIATE_ERROR:119:instantiate error
+FIPS_R_INTERNAL_ERROR:121:internal error
+FIPS_R_INVALID_KEY_LENGTH:109:invalid key length
+FIPS_R_IN_ERROR_STATE:123:in error state
+FIPS_R_KEY_TOO_SHORT:108:key too short
+FIPS_R_NONCE_ERROR_UNDETECTED:149:nonce error undetected
+FIPS_R_NON_FIPS_METHOD:100:non fips method
+FIPS_R_NOPR_TEST1_FAILURE:145:nopr test1 failure
+FIPS_R_NOPR_TEST2_FAILURE:146:nopr test2 failure
+FIPS_R_NOT_INSTANTIATED:126:not instantiated
+FIPS_R_PAIRWISE_TEST_FAILED:107:pairwise test failed
+FIPS_R_PERSONALISATION_ERROR_UNDETECTED:128:\
+ personalisation error undetected
+FIPS_R_PERSONALISATION_STRING_TOO_LONG:129:\
+ personalisation string too long
+FIPS_R_PR_TEST1_FAILURE:147:pr test1 failure
+FIPS_R_PR_TEST2_FAILURE:148:pr test2 failure
+FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED:130:\
+ request length error undetected
+FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG:131:\
+ request too large for drbg
+FIPS_R_RESEED_COUNTER_ERROR:132:reseed counter error
+FIPS_R_RESEED_ERROR:133:reseed error
+FIPS_R_SELFTEST_FAILED:101:selftest failed
+FIPS_R_SELFTEST_FAILURE:135:selftest failure
+FIPS_R_TEST_FAILURE:117:test failure
+FIPS_R_UNINSTANTIATE_ERROR:141:uninstantiate error
+FIPS_R_UNINSTANTIATE_ZEROISE_ERROR:138:uninstantiate zeroise error
+FIPS_R_UNSUPPORTED_DRBG_TYPE:139:unsupported drbg type
+FIPS_R_UNSUPPORTED_PLATFORM:113:unsupported platform
KDF_R_INVALID_DIGEST:100:invalid digest
KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count
KDF_R_MISSING_KEY:104:missing key