pool/openssl-3
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- FIPS: Deny SHA-1 signature verification in FIPS provider [bsc#1221365]

Browse Source 
* SHA-1 is not allowed anymore in FIPS 186-5 for signature
    verification operations. After 12/31/2030, NIST will disallow
    SHA-1 for all of its usages.
  * Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch

- FIPS: RSA keygen PCT requirements.
  * Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the
    self-test requirements are covered by do_rsa_pct() for both
    RSA-OAEP and RSA signatures [bsc#1221760]
  * Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753]
  * Add openssl-3-FIPS-PCT_rsa_keygen.patch

- FIPS: Check that the fips provider is available before setting
  it as the default provider in FIPS mode. [bsc#1220523]
  * Rebase openssl-Force-FIPS.patch

- FIPS: Port openssl to use jitterentropy [bsc#1220523]
  * Set the module in error state if the jitter RNG fails either on
    initialization or entropy gathering because health tests failed.
  * Add jitterentropy as a seeding source output also in crypto/info.c
  * Move the jitter entropy collector and the associated lock out
    of the header file to avoid redefinitions.
  * Add the fips_local.cnf symlink to the spec file. This simlink
    points to the openssl_fips.config file that is provided by the
    crypto-policies package.
  * Rebase openssl-3-jitterentropy-3.4.0.patch
  * Rebase openssl-FIPS-enforce-EMS-support.patch

- FIPS: Block non-Approved Elliptic Curves [bsc#1221786]

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110
This commit is contained in:
Pedro Monreal Gonzalez 2024-08-07 21:54:42 +00:00 committed by Git OBS Bridge
commit 6bc57d937f
80 changed files with 21282 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

12
baselibs.conf Normal file
View File

@ -0,0 +1,12 @@
libopenssl3
obsoletes "libopenssl1_1_0-<targettype>"
provides "libopenssl3-hmac-<targettype> = <version>-%release"
obsoletes "libopenssl3-hmac-<targettype> < <version>-%release"
libopenssl-3-devel
provides "libopenssl-devel-<targettype> = <version>"
conflicts "otherproviders(libopenssl-devel-<targettype>)"
conflicts "libopenssl-1_1-devel-<targettype>"
requires -"openssl-3-<targettype>"
requires "libopenssl3-<targettype> = <version>"
libopenssl-3-fips-provider
requires "libopenssl3-<targettype> >= <version>"

548
openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch Normal file
View File

@ -0,0 +1,548 @@
From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Wed, 18 May 2022 17:25:59 +0200
Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider
For RHEL, we already disable SHA-1 signatures by default in the default
provider, so it is unexpected that the FIPS provider would have a more
lenient configuration in this regard. Additionally, we do not think
continuing to accept SHA-1 signatures is a good idea due to the
published chosen-prefix collision attacks.
As a consequence, disable verification of SHA-1 signatures in the FIPS
provider.
This requires adjusting a few tests that would otherwise fail:
- 30-test_acvp: Remove the test vectors that use SHA-1.
- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
which will not run them when the FIPS provider is enabled.
- 80-test_cms: Re-create all certificates in test/smime-certificates
with SHA256 signatures while keeping the same private keys. These
certificates were signed with SHA-1 and thus fail verification in the
FIPS provider.
Fix some other tests by explicitly running them in the default
provider, where SHA-1 is available.
- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
the FIPS provider.
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
providers/implementations/signature/dsa_sig.c | 4 --
.../implementations/signature/ecdsa_sig.c | 4 --
providers/implementations/signature/rsa_sig.c | 8 +--
test/acvp_test.inc | 20 -------
.../30-test_evp_data/evppkey_ecdsa.txt | 7 +++
.../30-test_evp_data/evppkey_rsa_common.txt | 51 +++++++++++++++-
test/recipes/80-test_cms.t | 4 +-
test/recipes/80-test_ssl_old.t | 4 ++
test/smime-certs/smdh.pem | 18 +++---
test/smime-certs/smdsa1.pem | 60 +++++++++----------
test/smime-certs/smdsa2.pem | 60 +++++++++----------
test/smime-certs/smdsa3.pem | 60 +++++++++----------
test/smime-certs/smec1.pem | 30 +++++-----
test/smime-certs/smec2.pem | 30 +++++-----
test/smime-certs/smec3.pem | 30 +++++-----
test/smime-certs/smroot.pem | 38 ++++++------
test/smime-certs/smrsa1.pem | 38 ++++++------
test/smime-certs/smrsa2.pem | 38 ++++++------
test/smime-certs/smrsa3.pem | 38 ++++++------
19 files changed, 286 insertions(+), 256 deletions(-)
Index: openssl-3.1.4/providers/implementations/signature/dsa_sig.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/signature/dsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/dsa_sig.c
@@ -127,11 +127,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
int md_nid;
size_t mdname_len = strlen(mdname);
-#ifdef FIPS_MODULE
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
-#else
int sha1_allowed = 0;
-#endif
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
Index: openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c
@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
"%s could not be fetched", mdname);
return 0;
}
-#ifdef FIPS_MODULE
- sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
-#else
sha1_allowed = 0;
-#endif
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
if (md_nid < 0) {
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
@@ -306,11 +306,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
int md_nid;
size_t mdname_len = strlen(mdname);
-#ifdef FIPS_MODULE
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
-#else
int sha1_allowed = 0;
-#endif
md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
sha1_allowed);
@@ -1414,8 +1410,10 @@ static int rsa_set_ctx_params(void *vprs
if (prsactx->md == NULL && pmdname == NULL
&& pad_mode == RSA_PKCS1_PSS_PADDING) {
+#ifdef FIPS_MODULE
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
+#else
pmdname = RSA_DEFAULT_DIGEST_NAME;
-#ifndef FIPS_MODULE
if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
}
Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
===================================================================
--- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
Title = ECDSA tests
+Availablein = default
Verify = P-256
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
# Digest too long
+Availablein = default
Verify = P-256
Ctrl = digest:SHA1
Input = "0123456789ABCDEF12345"
@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
Result = VERIFY_ERROR
# Digest too short
+Availablein = default
Verify = P-256
Ctrl = digest:SHA1
Input = "0123456789ABCDEF123"
@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
Result = VERIFY_ERROR
# Digest invalid
+Availablein = default
Verify = P-256
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1235"
@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
Result = VERIFY_ERROR
# Invalid signature
+Availablein = default
Verify = P-256
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a
Result = VERIFY_ERROR
# BER signature
+Availablein = default
Verify = P-256
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
Result = VERIFY_ERROR
+Availablein = default
Verify = P-256-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
===================================================================
--- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -96,6 +96,7 @@ NDL6WCBbets=
Title = RSA tests
+Availablein = default
Verify = RSA-2048
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224
Input = "0123456789ABCDEF123456789ABC"
Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
+Availablein = default
VerifyRecover = RSA-2048
Ctrl = digest:SHA1
Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
Output = "0123456789ABCDEF1234"
# Leading zero in the signature
+Availablein = default
Verify = RSA-2048
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
Result = VERIFY_ERROR
+Availablein = default
VerifyRecover = RSA-2048
Ctrl = digest:SHA1
Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
Result = KEYOP_ERROR
# Mismatched digest
+Availablein = default
Verify = RSA-2048
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1233"
@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547
Result = VERIFY_ERROR
# Corrupted signature
+Availablein = default
Verify = RSA-2048
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1233"
@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547
Result = VERIFY_ERROR
# parameter is not NULLt
+Availablein = default
Verify = RSA-2048
Ctrl = digest:sha1
Input = "0123456789ABCDEF1234"
@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1b
Result = VERIFY_ERROR
# embedded digest too long
+Availablein = default
Verify = RSA-2048
Ctrl = digest:sha1
Input = "0123456789ABCDEF1234"
Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
Result = VERIFY_ERROR
+Availablein = default
VerifyRecover = RSA-2048
Ctrl = digest:sha1
Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
Result = KEYOP_ERROR
# embedded digest too short
+Availablein = default
Verify = RSA-2048
Ctrl = digest:sha1
Input = "0123456789ABCDEF1234"
Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
Result = VERIFY_ERROR
+Availablein = default
VerifyRecover = RSA-2048
Ctrl = digest:sha1
Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
Result = KEYOP_ERROR
# Garbage after DigestInfo
+Availablein = default
Verify = RSA-2048
Ctrl = digest:sha1
Input = "0123456789ABCDEF1234"
Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
Result = VERIFY_ERROR
+Availablein = default
VerifyRecover = RSA-2048
Ctrl = digest:sha1
Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
Result = KEYOP_ERROR
# invalid tag for parameter
+Availablein = default
Verify = RSA-2048
Ctrl = digest:sha1
Input = "0123456789ABCDEF1234"
@@ -195,6 +209,7 @@ Result = VERIFY_ERROR
# Verify using public key
+Availablein = default
Verify = RSA-2048-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
@@ -371,6 +386,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
# Verify using salt length auto detect
+# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256
+Availablein = default
Verify = RSA-2048-PUBLIC
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:auto
@@ -405,6 +422,10 @@ Output=4DE433D5844043EF08D354DA03CB29068
Result = VERIFY_ERROR
# Verify using default parameters, explicitly setting parameters
+# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which
+# RHEL-9 does not support in FIPS mode; all these tests are thus marked
+# Availablein = default.
+Availablein = default
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:20
@@ -413,6 +434,7 @@ Input="0123456789ABCDEF0123"
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
# Verify explicitly setting parameters "digest" salt length
+Availablein = default
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:digest
@@ -421,18 +443,21 @@ Input="0123456789ABCDEF0123"
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
# Verify using salt length larger than minimum
+Availablein = default
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_pss_saltlen:30
Input="0123456789ABCDEF0123"
Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
# Verify using maximum salt length
+Availablein = default
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_pss_saltlen:max
Input="0123456789ABCDEF0123"
Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6
# Attempt to change salt length below minimum
+Availablein = default
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_pss_saltlen:0
Result = PKEY_CTRL_ERROR
@@ -440,21 +465,25 @@ Result = PKEY_CTRL_ERROR
# Attempt to change padding mode
# Note this used to return PKEY_CTRL_INVALID
# but it is limited because setparams only returns 0 or 1.
+Availablein = default
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_padding_mode:pkcs1
Result = PKEY_CTRL_ERROR
# Attempt to change digest
+Availablein = default
Verify = RSA-PSS-DEFAULT
Ctrl = digest:sha256
Result = PKEY_CTRL_ERROR
# Invalid key: rejected when we try to init
+Availablein = default
Verify = RSA-PSS-BAD
Result = KEYOP_INIT_ERROR
Reason = invalid salt length
# Invalid key: rejected when we try to init
+Availablein = default
Verify = RSA-PSS-BAD2
Result = KEYOP_INIT_ERROR
Reason = invalid salt length
@@ -473,36 +502,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF
4fINDOjP+yJJvZohNwIDAQAB
-----END PUBLIC KEY-----
+Availablein = default
Verify=RSA-PSS-1
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e
Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c
+Availablein = default
Verify=RSA-PSS-1
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd
Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843
+Availablein = default
Verify=RSA-PSS-1
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=0652ec67bcee30f9d2699122b91c19abdba89f91
Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1
+Availablein = default
Verify=RSA-PSS-1
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=39c21c4cceda9c1adf839c744e1212a6437575ec
Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87
+Availablein = default
Verify=RSA-PSS-1
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=36dae913b77bd17cae6e7b09453d24544cebb33c
Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad
+Availablein = default
Verify=RSA-PSS-1
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -518,36 +553,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E
0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
-----END PUBLIC KEY-----
+Availablein = default
Verify=RSA-PSS-9
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0
Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e
+Availablein = default
Verify=RSA-PSS-9
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=2dac956d53964748ac364d06595827c6b4f143cd
Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958
+Availablein = default
Verify=RSA-PSS-9
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298
Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca
+Availablein = default
Verify=RSA-PSS-9
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e
Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e
+Availablein = default
Verify=RSA-PSS-9
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a
Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c
+Availablein = default
Verify=RSA-PSS-9
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -565,36 +606,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5
BQIDAQAB
-----END PUBLIC KEY-----
+Availablein = default
Verify=RSA-PSS-10
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4
Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666
+Availablein = default
Verify=RSA-PSS-10
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=b503319399277fd6c1c8f1033cbf04199ea21716
Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3
+Availablein = default
Verify=RSA-PSS-10
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=50aaede8536b2c307208b275a67ae2df196c7628
Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb
+Availablein = default
Verify=RSA-PSS-10
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294
Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb
+Availablein = default
Verify=RSA-PSS-10
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
Input=fad3902c9750622a2bc672622c48270cc57d3ea8
Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc
+Availablein = default
Verify=RSA-PSS-10
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -1384,11 +1431,13 @@ Title = RSA FIPS tests
# FIPS tests
-# Verifying with SHA1 is permitted in fips mode for older applications
+# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode
+Availablein = fips
DigestVerify = SHA1
Key = RSA-2048
Input = "Hello "
Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859
+Result = DIGESTVERIFYINIT_ERROR
# Verifying with a 1024 bit key is permitted in fips mode for older applications
DigestVerify = SHA256
Index: openssl-3.1.4/test/recipes/80-test_cms.t
===================================================================
--- openssl-3.1.4.orig/test/recipes/80-test_cms.t
+++ openssl-3.1.4/test/recipes/80-test_cms.t
@@ -163,7 +163,7 @@ my @smime_pkcs7_tests = (
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
"-certfile", $smroot,
"-signer", $smrsa1, "-out", "{output}.cms" ],
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
@@ -171,7 +171,7 @@ my @smime_pkcs7_tests = (
[ "signed zero-length content S/MIME format, RSA key SHA1",
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&zero_compare
],
Index: openssl-3.1.4/test/recipes/80-test_ssl_old.t
===================================================================
--- openssl-3.1.4.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.1.4/test/recipes/80-test_ssl_old.t
@@ -397,6 +397,9 @@ sub testssl {
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
+ SKIP: {
+ skip "SSLv3 is not supported by the FIPS provider", 4
+ if $provider eq "fips";
ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
'test sslv2/sslv3 with server authentication');
ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
@@ -405,6 +408,7 @@ sub testssl {
'test sslv2/sslv3 with both client and server authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
+ }
SKIP: {
skip "No IPv4 available on this machine", 4

98
openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch Normal file
View File

@ -0,0 +1,98 @@
From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 17 Feb 2023 15:31:08 +0100
Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen
Implementation Guidance for FIPS 140-3 and the Cryptographic Module
Verification Program, Section C.H requires guarantees about the
uniqueness of key/iv pairs, and proposes a few approaches to ensure
this. Provide an indicator for option 2 "The IV may be generated
internally at its entirety randomly."
Resolves: rhbz#2168289
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
include/openssl/core_names.h | 1 +
include/openssl/evp.h | 4 +++
.../implementations/ciphers/ciphercommon.c | 4 +++
.../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++
4 files changed, 34 insertions(+)
Index: openssl-3.1.4/include/openssl/core_names.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/core_names.h
+++ openssl-3.1.4/include/openssl/core_names.h
@@ -99,6 +99,7 @@ extern "C" {
#define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */
/* For passing the AlgorithmIdentifier parameter in DER form */
#define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */
+#define OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" /* int */
#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \
"tls1multi_maxsndfrag" /* uint */
Index: openssl-3.1.4/include/openssl/evp.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/evp.h
+++ openssl-3.1.4/include/openssl/evp.h
@@ -750,6 +750,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER
void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
+# define EVP_CIPHER_SUSE_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED 1
+# define EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
+
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
const unsigned char *key, const unsigned char *iv);
/*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
Index: openssl-3.1.4/providers/implementations/ciphers/ciphercommon.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/ciphers/ciphercommon.c
+++ openssl-3.1.4/providers/implementations/ciphers/ciphercommon.c
@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_know
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
+ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
+ * not work in ciphercommon.c because it is compiled only once into
+ * libcommon.a */
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR, NULL),
OSSL_PARAM_END
};
const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
Index: openssl-3.1.4/providers/implementations/ciphers/ciphercommon_gcm.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/ciphers/ciphercommon_gcm.c
+++ openssl-3.1.4/providers/implementations/ciphers/ciphercommon_gcm.c
@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx,
|| !getivgen(ctx, p->data, p->data_size))
return 0;
}
+
+ /* We would usually hide this under #ifdef FIPS_MODULE, but
+ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
+ * not work here. */
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR);
+ if (p != NULL) {
+ int fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section C.H requires guarantees about the
+ * uniqueness of key/iv pairs, and proposes a few approaches to ensure
+ * this. This provides an indicator for option 2 "The IV may be
+ * generated internally at its entirety randomly." Note that one of the
+ * conditions of this option is that "The IV length shall be at least
+ * 96 bits (per SP 800-38D)." We do not specically check for this
+ * condition here, because gcm_iv_generate will fail in this case. */
+ if (ctx->enc && !ctx->iv_gen_rand)
+ fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
+ return 0;
+ }
+ }
+
return 1;
}

28
openssl-3-FIPS-PCT_rsa_keygen.patch Normal file
View File

@ -0,0 +1,28 @@
Index: openssl-3.1.4/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-3.1.4.orig/crypto/rsa/rsa_gen.c
+++ openssl-3.1.4/crypto/rsa/rsa_gen.c
@@ -428,7 +428,12 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
#ifdef FIPS_MODULE
ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
- pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */
+ /* FIPS MODE needs to always run the pairwise test. But, the
+ * rsa_keygen_pairwise_test() PCT as self-test requirements will be
+ * covered by do_rsa_pct() for both RSA-OAEP and RSA signatures and
+ * this PCT can be skipped here. See bsc#1221760 for more info.
+ */
+ pairwise_test = 0;
#else
/*
* Only multi-prime keys or insecure keys with a small key length or a
@@ -463,6 +468,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
rsa->dmp1 = NULL;
rsa->dmq1 = NULL;
rsa->iqmp = NULL;
+#ifdef FIPS_MODULE
+ abort();
+#endif /* FIPS_MODULE */
}
}
return ok;

372
openssl-3-jitterentropy-3.4.0.patch Normal file
View File

@ -0,0 +1,372 @@
Index: openssl-3.1.4/Configurations/00-base-templates.conf
===================================================================
--- openssl-3.1.4.orig/Configurations/00-base-templates.conf
+++ openssl-3.1.4/Configurations/00-base-templates.conf
@@ -71,9 +71,12 @@ my %targets=(
lflags =>
sub { $withargs{zlib_lib} ? "-L".$withargs{zlib_lib} : () },
ex_libs =>
- sub { !defined($disabled{zlib})
- && defined($disabled{"zlib-dynamic"})
- ? "-lz" : () },
+ sub {
+ my @libs = ();
+ push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"});
+ push(@libs, "-ljitterentropy") if !defined($disabled{jitterentropy});
+ return join(" ", @libs);
+ },
HASHBANGPERL => "/usr/bin/env perl", # Only Unix actually cares
RANLIB => sub { which("$config{cross_compile_prefix}ranlib")
? "ranlib" : "" },
Index: openssl-3.1.4/crypto/rand/rand_jitter_entropy.c
===================================================================
--- /dev/null
+++ openssl-3.1.4/crypto/rand/rand_jitter_entropy.c
@@ -0,0 +1,97 @@
+# include "jitterentropy.h"
+# include "prov/jitter_entropy.h"
+
+struct rand_data* ec = NULL;
+CRYPTO_RWLOCK *jent_lock = NULL;
+int stop = 0;
+
+struct rand_data* FIPS_entropy_init(void)
+{
+ if (ec != NULL) {
+ /* Entropy source has been initiated and collector allocated */
+ return ec;
+ }
+ if (stop != 0) {
+ /* FIPS_entropy_cleanup() already called, don't initialize it again */
+ return NULL;
+ }
+ if (jent_lock == NULL) {
+ /* Allocates a new lock to serialize access to jent library */
+ jent_lock = CRYPTO_THREAD_lock_new();
+ if (jent_lock == NULL) {
+ return NULL;
+ }
+ }
+ if (CRYPTO_THREAD_write_lock(jent_lock) == 0) {
+ return NULL;
+ }
+ /* If the initialization is successful, the call returns with 0 */
+ if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) {
+ /* Allocate entropy collector */
+ ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS);
+ } else {
+ /* abort if jitter rng fails initialization */
+ abort();
+ }
+ if (ec == NULL) {
+ /* abort if jitter rng fails initialization */
+ abort();
+ }
+ CRYPTO_THREAD_unlock(jent_lock);
+
+ return ec;
+}
+
+/*
+ * The following error codes can be returned by jent_read_entropy_safe():
+ * -1 entropy_collector is NULL
+ * -2 RCT failed
+ * -3 APT failed
+ * -4 The timer cannot be initialized
+ * -5 LAG failure
+ * -6 RCT permanent failure
+ * -7 APT permanent failure
+ * -8 LAG permanent failure
+ */
+ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen)
+{
+ ssize_t ent_bytes = -1;
+
+ /*
+ * Order is important. We need to call FIPS_entropy_init() before we
+ * acquire jent_lock, otherwise it can lead to deadlock. Once we have
+ * jent_lock, we need to ensure that FIPS_entropy_cleanup() was not called
+ * in the meantime. Then it's safe to read entropy.
+ */
+ if (buf != NULL
+ && buflen != 0
+ && FIPS_entropy_init()
+ && CRYPTO_THREAD_write_lock(jent_lock) != 0
+ && stop == 0) {
+ /* Get entropy */
+ ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen);
+ if (ent_bytes < 0) {
+ /* abort if jitter rng fails entropy gathering because health tests failed. */
+ abort();
+ }
+ CRYPTO_THREAD_unlock(jent_lock);
+ }
+
+ return ent_bytes;
+}
+
+void FIPS_entropy_cleanup(void)
+{
+ if (jent_lock != NULL && stop == 0) {
+ CRYPTO_THREAD_write_lock(jent_lock);
+ }
+ /* Disable re-initialization in FIPS_entropy_init() */
+ stop = 1;
+ /* Free entropy collector */
+ if (ec != NULL) {
+ jent_entropy_collector_free(ec);
+ ec = NULL;
+ }
+ CRYPTO_THREAD_lock_free(jent_lock);
+ jent_lock = NULL;
+}
Index: openssl-3.1.4/providers/implementations/rands/seeding/rand_unix.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/rands/seeding/rand_unix.c
+++ openssl-3.1.4/providers/implementations/rands/seeding/rand_unix.c
@@ -20,6 +20,7 @@
#include "internal/dso.h"
#include "internal/nelem.h"
#include "prov/seeding.h"
+#include "prov/jitter_entropy.h"
#ifdef __linux
# include <sys/syscall.h>
@@ -631,6 +632,31 @@ size_t ossl_pool_acquire_entropy(RAND_PO
(void)entropy_available; /* avoid compiler warning */
+ /* Use jitter entropy in FIPS mode */
+ if (EVP_default_properties_is_fips_enabled(NULL))
+ {
+ size_t bytes_needed;
+ unsigned char *buffer;
+ ssize_t bytes;
+ /* Maximum allowed number of consecutive unsuccessful attempts */
+ int attempts = 3;
+
+ bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+ while (bytes_needed != 0 && attempts-- > 0) {
+ buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
+ bytes = FIPS_jitter_entropy(buffer, bytes_needed);
+ if (bytes > 0) {
+ ossl_rand_pool_add_end(pool, bytes, 8 * bytes);
+ bytes_needed -= bytes;
+ attempts = 3; /* reset counter after successful attempt */
+ } else if (bytes < 0) {
+ break;
+ }
+ }
+ entropy_available = ossl_rand_pool_entropy_available(pool);
+ return entropy_available;
+ }
+
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
{
size_t bytes_needed;
Index: openssl-3.1.4/providers/implementations/include/prov/jitter_entropy.h
===================================================================
--- /dev/null
+++ openssl-3.1.4/providers/implementations/include/prov/jitter_entropy.h
@@ -0,0 +1,17 @@
+#ifndef OSSL_PROVIDERS_JITTER_ENTROPY_H
+# define OSSL_PROVIDERS_JITTER_ENTROPY_H
+
+# include <openssl/core.h>
+# include <openssl/types.h>
+# include <openssl/crypto.h>
+# include <openssl/fips.h>
+
+extern struct rand_data* ec;
+extern CRYPTO_RWLOCK *jent_lock;
+extern int stop;
+
+struct rand_data* FIPS_entropy_init(void);
+ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen);
+void FIPS_entropy_cleanup(void);
+
+#endif
Index: openssl-3.1.4/providers/fips/self_test.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/self_test.c
+++ openssl-3.1.4/providers/fips/self_test.c
@@ -20,6 +20,7 @@
#include "internal/tsan_assist.h"
#include "prov/providercommon.h"
#include "crypto/rand.h"
+#include "prov/jitter_entropy.h"
/*
* We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS
@@ -392,6 +393,11 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
return 0;
}
+ if (!FIPS_entropy_init()) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_ENTROPY_INIT_FAILED);
+ goto end;
+ }
+
if (st == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
Index: openssl-3.1.4/include/openssl/proverr.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/proverr.h
+++ openssl-3.1.4/include/openssl/proverr.h
@@ -44,6 +44,7 @@
# define PROV_R_FAILED_TO_GET_PARAMETER 103
# define PROV_R_FAILED_TO_SET_PARAMETER 104
# define PROV_R_FAILED_TO_SIGN 175
+# define PROV_R_FIPS_ENTROPY_INIT_FAILED 234
# define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR 227
# define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE 224
# define PROV_R_FIPS_MODULE_IN_ERROR_STATE 225
Index: openssl-3.1.4/providers/common/provider_err.c
===================================================================
--- openssl-3.1.4.orig/providers/common/provider_err.c
+++ openssl-3.1.4/providers/common/provider_err.c
@@ -54,6 +54,8 @@ static const ERR_STRING_DATA PROV_str_re
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER),
"failed to set parameter"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"},
+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_ENTROPY_INIT_FAILED),
+ "fips module jitter entropy init failed"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR),
"fips module conditional error"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
Index: openssl-3.1.4/crypto/rand/build.info
===================================================================
--- openssl-3.1.4.orig/crypto/rand/build.info
+++ openssl-3.1.4/crypto/rand/build.info
@@ -1,6 +1,6 @@
LIBS=../../libcrypto
-$COMMON=rand_lib.c
+$COMMON=rand_lib.c rand_jitter_entropy.c
$CRYPTO=randfile.c rand_err.c rand_deprecated.c prov_seed.c rand_pool.c
IF[{- !$disabled{'egd'} -}]
Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -27,6 +27,7 @@
#include "crypto/context.h"
#include "internal/core.h"
#include "indicator.h"
+#include "prov/jitter_entropy.h"
static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
@@ -603,6 +604,7 @@ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM
static void fips_teardown(void *provctx)
{
+ FIPS_entropy_cleanup();
OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
ossl_prov_ctx_free(provctx);
}
Index: openssl-3.1.4/util/libcrypto.num
===================================================================
--- openssl-3.1.4.orig/util/libcrypto.num
+++ openssl-3.1.4/util/libcrypto.num
@@ -5441,3 +5441,5 @@ X509_get_default_cert_path_env
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
+FIPS_entropy_init ? 3_1_4 EXIST::FUNCTION:
+FIPS_entropy_cleanup ? 3_1_4 EXIST::FUNCTION:
Index: openssl-3.1.4/Configure
===================================================================
--- openssl-3.1.4.orig/Configure
+++ openssl-3.1.4/Configure
@@ -454,6 +454,7 @@ my @disablables = (
"fuzz-libfuzzer",
"gost",
"idea",
+ "jitterentropy",
"ktls",
"legacy",
"loadereng",
@@ -550,6 +551,7 @@ our %disabled = ( # "what" => "c
"external-tests" => "default",
"fuzz-afl" => "default",
"fuzz-libfuzzer" => "default",
+ "jitterentropy" => "default",
"ktls" => "default",
"md2" => "default",
"msan" => "default",
@@ -763,7 +765,7 @@ my %cmdvars = (); # Stores
my %unsupported_options = ();
my %deprecated_options = ();
# If you change this, update apps/version.c
-my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom);
+my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom jitterentropy);
my @seed_sources = ();
while (@argvcopy)
{
@@ -1231,6 +1233,9 @@ if (scalar(@seed_sources) == 0) {
if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) {
delete $disabled{'egd'};
}
+if (scalar(grep { $_ eq 'jitterentropy' } @seed_sources) > 0) {
+ delete $disabled{'jitterentropy'};
+}
if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
warn <<_____ if scalar(@seed_sources) == 1;
Index: openssl-3.1.4/crypto/info.c
===================================================================
--- openssl-3.1.4.orig/crypto/info.c
+++ openssl-3.1.4/crypto/info.c
@@ -15,6 +15,9 @@
#include "internal/e_os.h"
#include "buildinf.h"
+# include <stdio.h>
+# include <jitterentropy.h>
+
#if defined(__arm__) || defined(__arm) || defined(__aarch64__)
# include "arm_arch.h"
# define CPU_INFO_STR_LEN 128
@@ -128,6 +131,14 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings
OPENSSL_strlcat(seeds, ")", sizeof(seeds)); \
} while (0)
+ /* In FIPS mode, only jitterentropy is used for seeding and
+ * reseeding the primary DRBG.
+ */
+ if (EVP_default_properties_is_fips_enabled(NULL)) {
+ char jent_version_string[32];
+ sprintf(jent_version_string, "jitterentropy (%d)", jent_version());
+ add_seeds_string(jent_version_string);
+ } else {
#ifdef OPENSSL_RAND_SEED_NONE
add_seeds_string("none");
#endif
@@ -156,6 +167,7 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings
#ifdef OPENSSL_RAND_SEED_OS
add_seeds_string("os-specific");
#endif
+ }
seed_sources = seeds;
}
return 1;
Index: openssl-3.1.4/INSTALL.md
===================================================================
--- openssl-3.1.4.orig/INSTALL.md
+++ openssl-3.1.4/INSTALL.md
@@ -463,6 +463,12 @@ if provided by the CPU.
Use librandom (not implemented yet).
This source is ignored by the FIPS provider.
+### jitterentropy
+
+Use [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library)
+dynamically linked. In FIPS mode, only the jitter RNG is used to seed and reseed
+the primary DRBG.
+
### none
Disable automatic seeding. This is the default on some operating systems where

35
openssl-3-use-include-directive.patch Normal file
View File

@ -0,0 +1,35 @@
---
apps/openssl.cnf | 13 +++++++++++++
1 file changed, 13 insertions(+)
Index: openssl-3.1.4/apps/openssl.cnf
===================================================================
--- openssl-3.1.4.orig/apps/openssl.cnf
+++ openssl-3.1.4/apps/openssl.cnf
@@ -19,6 +19,7 @@ openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
+[ oid_section ]
# Extra OBJECT IDENTIFIER info:
# oid_file = $ENV::HOME/.oid
oid_section = new_oids
@@ -47,6 +48,18 @@ providers = provider_sect
# Load default TLS policy configuration
ssl_conf = ssl_module
+engines = engine_section
+
+[ engine_section ]
+
+# This include will look through the directory that will contain the
+# engine declarations for any engines provided by other packages.
+.include /etc/ssl/engines3.d
+
+# This include will look through the directory that will contain the
+# definitions of the engines declared in the engine section.
+.include /etc/ssl/engdef3.d
+
# Uncomment the sections that start with ## below to enable the legacy provider.
# Loading the legacy provider enables support for the following algorithms:
# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160

BIN
openssl-3.1.4.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
openssl-3.1.4.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU3yaoACgkQ2JTizos9
efXt8BAAqcF9RBzduklMCXSfG4Rzs2KcWmR1+BB0izxG3KwPr+r54qBbSRCCImHA
U22An//xsDsQZ0K4rrkkkumpJCxLV/4F3TlEBdoCS4wzDXz/LfONzTuZ8Z3QP/Si
ElHTKdqPo2tp6LrDIUSGa9BmK1AsxkhOoC/uJlGpLP0mLJGI3PGo5ordyERAjL/C
hTumE16ErrXY3kHVPAeD6tJlxtV3M9UxsZAOK6LVfnhXLzz8hWMu2H5ZigXZWCDx
NG6ylV4xxfqO9eLxT2wUrJzg24w0VZzmbD+ZeZ24v9aAxGsbl3ZHLgMKkDehNNuP
0ADh3aGq9FkIg5n53UQu0pbOc6aBPgWwVuaNfxOheG2GqBCoca42ikW20QZyJAec
h3uLQ76vnWOjUIjeRCjpw0+OCUaWr0wx5WzzfdgYc813VwN6FaC9ZmB46oaLfIeD
MBAyuUxdTif/7SXmGgUIQDIf4Vxr2H7I0NyyDxD+y+C2gwn+zVvuVcBBc2cNq4QN
UINxZvm75CwaCsys+MDjSneDhpcSlAPqTJqM3DvKf/r3+27buz+sFw463fTHnv0F
FpyBPgvvusY4Z4h/jqLcfkl2MBOxlo+lpZJdPpQoEvGz751GsKmmtb0YgZ7BjrYs
5vFvo0EJ066J9bWLbp6VZd825B9P2Uy7u3sUz+E5nuavT4eHv7o=
=EH33
-----END PGP SIGNATURE-----

1611
openssl-3.changes Normal file
View File

File diff suppressed because it is too large Load Diff

492
openssl-3.spec Normal file
View File

@ -0,0 +1,492 @@
#
# spec file for package openssl-3
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define ssletcdir %{_sysconfdir}/ssl
%define sover 3
%define _rname openssl
%define man_suffix 3ssl
%global sslengcnf %{ssletcdir}/engines%{sover}.d
%global sslengdef %{ssletcdir}/engdef%{sover}.d
# Enable userspace livepatching.
%define livepatchable 1
Name: openssl-3
# Don't forget to update the version in the "openssl" meta-package!
Version: 3.1.4
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: Apache-2.0
URL: https://www.openssl.org/
Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
# to get mtime of file:
Source1: %{name}.changes
Source2: baselibs.conf
Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
# https://www.openssl.org/about/
# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
Source4: %{_rname}.keyring
Source5: showciphers.c
Source6: openssl-Disable-default-provider-for-test-suite.patch
# PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages
Patch1: openssl-no-html-docs.patch
Patch2: openssl-truststore.patch
Patch3: openssl-pkgconfig.patch
Patch4: openssl-DEFAULT_SUSE_cipher.patch
Patch5: openssl-ppc64-config.patch
Patch6: openssl-no-date.patch
# Add crypto-policies support
Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch8: openssl-crypto-policies-support.patch
# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW
Patch9: openssl-Add_support_for_Windows_CA_certificate_store.patch
# PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support
Patch10: openssl-Add-FIPS_mode-compatibility-macro.patch
Patch11: openssl-Add-Kernel-FIPS-mode-flag-support.patch
# PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514
# POWER10 performance enhancements for cryptography
Patch12: openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
Patch13: openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
Patch14: openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
Patch15: openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
Patch16: openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
Patch17: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
# checking excessively long X9.42 DH keys or parameters may be very slow
Patch18: openssl-CVE-2023-5678.patch
# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/22971
Patch19: openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
# PATCH-FIX-UPSTREAM: bsc#1218690 CVE-2023-6129 - POLY1305 MAC implementation corrupts vector registers on PowerPC
Patch20: openssl-CVE-2023-6129.patch
# PATCH-FIX-FEDORA Load FIPS the provider and set FIPS properties implicitly
Patch21: openssl-Force-FIPS.patch
# PATCH-FIX-FEDORA Disable the fipsinstall command-line utility
Patch22: openssl-disable-fipsinstall.patch
# PATCH-FIX-FEDORA Instructions to load legacy provider in openssl.cnf
Patch23: openssl-load-legacy-provider.patch
# PATCH-FIX-FEDORA Embed the FIPS hmac
Patch24: openssl-FIPS-embed-hmac.patch
# PATCH-FIX-UPSTREAM: bsc#1218810 CVE-2023-6237: Excessive time spent checking invalid RSA public keys
Patch25: openssl-CVE-2023-6237.patch
# PATCH-FIX-SUSE bsc#1194187, bsc#1207472, bsc#1218933 - Add engines section in openssl.cnf
Patch26: openssl-3-use-include-directive.patch
# PATCH-FIX-UPSTREAM: bsc#1219243 CVE-2024-0727: denial of service via null dereference
Patch27: openssl-CVE-2024-0727.patch
# PATCH-FIX-UPSTREAM: bsc#1222548 CVE-2024-2511: Unbounded memory growth with session handling in TLSv1.3
Patch28: openssl-CVE-2024-2511.patch
# PATCH-FIX-UPSTREAM: bsc#1224388 CVE-2024-4603: excessive time spent checking DSA keys and parameters
Patch29: openssl-CVE-2024-4603.patch
# PATCH-FIX-UPSTREAM: bsc#1225291 NVMe/TCP TLS connection fails due to handshake failure
Patch30: openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
Patch31: openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
# PATCH-FIX-UPSTREAM bsc#1225551 CVE-2024-4741: use After Free with SSL_free_buffers
Patch32: openssl-CVE-2024-4741.patch
# PATCH-FIX-UPSTREAM: bsc#1223336 aes-gcm-avx512.pl: fix non-reproducibility issue
Patch33: reproducible.patch
# PATCH-FIX-UPSTREAM: bsc#1227138 CVE-2024-5535: SSL_select_next_proto buffer overread
Patch34: openssl-CVE-2024-5535.patch
# PATCH-FIX-FEDORA bsc#1221786 FIPS: Use of non-Approved Elliptic Curves
Patch35: openssl-Add-changes-to-ectest-and-eccurve.patch
Patch36: openssl-Remove-EC-curves.patch
Patch37: openssl-Disable-explicit-ec.patch
Patch38: openssl-skipped-tests-EC-curves.patch
# PATCH-FIX-FEDORA bsc#1221753 bsc#1221760 bsc#1221822 FIPS: Extra public/private key checks required by FIPS-140-3
Patch39: openssl-FIPS-140-3-keychecks.patch
# PATCH-FIX-FEDORA bsc#1221365 bsc#1221786 bsc#1221787 FIPS: Minimize fips services
Patch40: openssl-FIPS-services-minimize.patch
# PATCH-FIX-SUSE bsc#1221751 FIPS: Add release number to version string
Patch41: openssl-FIPS-release_num_in_version_string.patch
# PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification
Patch42: openssl-FIPS-early-KATS.patch
# PATCH-FIX-SUSE bsc#1221787 FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4
Patch43: openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
# PATCH-FIX-FEDORA bsc#1221787 FIPS: Selectively disallow SHA1 signatures
Patch44: openssl-Allow-disabling-of-SHA1-signatures.patch
Patch45: openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
# PATCH-FIX-FEDORA bsc#1221365 bsc#1221824 FIPS: Service Level Indicator is needed
Patch46: openssl-FIPS-limit-rsa-encrypt.patch
Patch47: openssl-FIPS-Expose-a-FIPS-indicator.patch
# PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification
Patch48: openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
# PATCH-FIX-FEDORA bsc#1221365 bsc#1221760 FIPS: Selftests are required
Patch49: openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
# PATCH-FIX-FEDORA bsc#1221760 FIPS: Selftests are required
Patch50: openssl-FIPS-Use-FFDHE2048-in-self-test.patch
# PATCH-FIX-FEDORA bsc#1220690 bsc#1220693 bsc#1220696 FIPS: Reseed DRBG
Patch51: openssl-FIPS-140-3-DRBG.patch
# PATCH-FIX-FEDORA bsc#1221752 FIPS: Zeroisation is required
Patch52: openssl-FIPS-140-3-zeroization.patch
# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
Patch53: openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
Patch54: openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
# PATCH-FIX-FEDORA bsc#1221365 bsc#1221365 FIPS: Service Level Indicator is needed
Patch55: openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
Patch56: openssl-FIPS-Add-explicit-indicator-for-key-length.patch
# PATCH-FIX-FEDORA bsc#1221827 FIPS: Recommendation for Password-Based Key Derivation
Patch57: openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
Patch58: openssl-FIPS-RSA-disable-shake.patch
Patch59: openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
# PATCH-FIX-FEDORA bsc#1221824 FIPS: NIST SP 800-56Brev2 Section 6.4.1.2.1
Patch60: openssl-FIPS-RSA-encapsulate.patch
# PATCH-FIX-FEDORA bsc#1221821 FIPS: Disable FIPS 186-4 Domain Parameters
Patch61: openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
# PATCH-FIX-SUSE bsc#1221365 FIPS: Service Level Indicator is needed
Patch62: openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
# PATCH-FIX-FEDORA bsc#1221827 FIPS: Recommendation for Password-Based Key Derivation
Patch63: openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
Patch64: openssl-FIPS-enforce-EMS-support.patch
# PATCH-FIX-SUSE bsc#1221824 FIPS: Add check for SP 800-56Brev2 Section 6.4.1.2.1
Patch65: openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
# PATCH-FIX-SUSE bsc#1220523 FIPS: Port openssl to use jitterentropy
Patch66: openssl-3-jitterentropy-3.4.0.patch
# PATCH-FIX-SUSE bsc#1221753 FIPS: Enforce error state
Patch67: openssl-FIPS-Enforce-error-state.patch
# PATCH-FIX-SUSE bsc#1221365 FIPS: Service Level Indicator is needed
Patch68: openssl-FIPS-enforce-security-checks-during-initialization.patch
# PATCH-FIX-SUSE bsc#1221753 bsc#1221760 FIPS: RSA keygen PCT requirements
Patch69: openssl-3-FIPS-PCT_rsa_keygen.patch
# PATCH-FIX-FEDORA bsc#1221365 FIPS: Deny SHA-1 signature verification in FIPS provider
Patch70: openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
BuildRequires: pkgconfig
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
BuildRequires: ulp-macros
%else
# Define ulp-macros macros as empty
%define cflags_livepatching ""
%define pack_ipa_dumps echo "Livepatching is disabled in this build"
%endif
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
Requires: libopenssl3 = %{version}-%{release}
Requires: openssl
Provides: ssl
# Needed for clean upgrade path, boo#1070003
Obsoletes: openssl-1_0_0
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: openssl-1_1_0
%{?suse_build_hwcaps_libs}
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies
%endif
%description
OpenSSL is a software library to be used in applications that need to
secure communications over computer networks against eavesdropping or
need to ascertain the identity of the party at the other end.
OpenSSL contains an implementation of the SSL and TLS protocols.
%package -n libopenssl3
Summary: Secure Sockets and Transport Layer Security
Recommends: ca-certificates-mozilla
Conflicts: %{name} < %{version}-%{release}
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl1_1_0
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies
%endif
# Merge back the hmac files bsc#1185116
Provides: libopenssl3-hmac = %{version}-%{release}
Obsoletes: libopenssl3-hmac < %{version}-%{release}
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl1_1_0-hmac
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
Obsoletes: libopenssl-1_0_0-hmac
%description -n libopenssl3
OpenSSL is a software library to be used in applications that need to
secure communications over computer networks against eavesdropping or
need to ascertain the identity of the party at the other end.
OpenSSL contains an implementation of the SSL and TLS protocols.
%package -n libopenssl-3-devel
Summary: Development files for OpenSSL
Requires: jitterentropy-devel >= 3.4.0
Requires: libopenssl3 = %{version}
Requires: pkgconfig(zlib)
Recommends: %{name} = %{version}
Provides: ssl-devel
Conflicts: ssl-devel
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl-1_1_0-devel
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
Obsoletes: libopenssl-1_0_0-devel
%description -n libopenssl-3-devel
This subpackage contains header files for developing applications
that want to make use of the OpenSSL C API.
%package -n libopenssl-3-fips-provider
Summary: OpenSSL FIPS provider
Requires: libjitterentropy3 >= 3.4.0
Requires: libopenssl3 >= %{version}
BuildRequires: fipscheck
BuildRequires: jitterentropy-devel >= 3.4.0
%description -n libopenssl-3-fips-provider
This package contains the OpenSSL FIPS provider.
%package doc
Summary: Manpages and additional documentation for openssl
Conflicts: libopenssl-3-devel < %{version}-%{release}
Conflicts: openssl-doc
Provides: openssl-doc = %{version}
Obsoletes: openssl-doc < %{version}
BuildArch: noarch
%description doc
This package contains optional documentation provided in addition to
this package's base documentation.
%prep
%autosetup -p1 -n %{_rname}-%{version}
%build
%ifarch armv5el armv5tel
export MACHINE=armv5el
%endif
%ifarch armv6l armv6hl
export MACHINE=armv6l
%endif
./Configure \
no-mdc2 no-ec2m \
no-afalgeng \
enable-rfc3779 enable-camellia enable-seed \
%ifarch x86_64 aarch64 ppc64le
enable-ec_nistp_64_gcc_128 \
%endif
enable-fips \
enable-jitterentropy \
enable-ktls \
zlib \
--prefix=%{_prefix} \
--libdir=%{_lib} \
--openssldir=%{ssletcdir} \
%{optflags} \
%{cflags_livepatching} \
-Wa,--noexecstack \
-Wl,-z,relro,-z,now \
-fno-common \
-DTERMIO \
-DPURIFY \
-D_GNU_SOURCE \
'-DSUSE_OPENSSL_RELEASE="\"%{release}\""' \
-DOPENSSL_NO_BUF_FREELISTS \
$(getconf LFS_CFLAGS) \
-Wall \
--with-rand-seed=getrandom,jitterentropy \
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config
# Show build configuration
perl configdata.pm --dump
# Do not run this in a production package the FIPS symbols must be patched-in
# util/mkdef.pl crypto update
%make_build depend
%make_build all
%check
# Relax the crypto-policies requirements for the regression tests
# Revert patch8 before running tests
patch -p1 -R < %{PATCH8}
# Revert openssl-3-use-include-directive.patch because these directories
# exists only in buildroot but not in build system and some tests are failing
# because of it.
patch -p1 -R < %{PATCH26}
# Disable the default provider for the test suite.
patch -p1 < %{SOURCE6}
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
# export HARNESS_VERBOSE=yes
# Embed HMAC into fips provider for test run
OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
mv providers/fips.so.mac providers/fips.so
# Run the tests in non FIPS mode
LD_LIBRARY_PATH="$PWD" make test -j16
# Run the tests also in FIPS mode
# OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH="$PWD" make TESTS='-test_evp_fetch_prov -test_tsa' test -j16 || :
# Add generation of HMAC checksum of the final stripped library
# We manually copy standard definition of __spec_install_post
# and add hmac calculation/embedding to fips.so
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < %{buildroot}%{_libdir}/ossl-modules/fips.so > %{buildroot}%{_libdir}/ossl-modules/fips.so.hmac \
objcopy --update-section .rodata1=%{buildroot}%{_libdir}/ossl-modules/fips.so.hmac %{buildroot}%{_libdir}/ossl-modules/fips.so %{buildroot}%{_libdir}/ossl-modules/fips.so.mac \
mv %{buildroot}%{_libdir}/ossl-modules/fips.so.mac %{buildroot}%{_libdir}/ossl-modules/fips.so \
rm %{buildroot}%{_libdir}/ossl-modules/fips.so.hmac \
%{nil}
# show ciphers
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
%install
%{pack_ipa_dumps}
%make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix}
rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover}
for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do
chmod 755 ${lib}
ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version})
ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version}).%{sover}
done
# Remove static libraries
rm -f %{buildroot}%{_libdir}/lib*.a
# Remove the cnf.dist
rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist
rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist
# Make a copy of the default openssl.cnf file
cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf
# Create openssl ca-certificates dir required by nodejs regression tests [bsc#1207484]
mkdir -p %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl
install -d -m 555 %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl
# Remove the fipsmodule.cnf because FIPS module is loaded automatically
rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
mkdir %{buildroot}/%{_datadir}/ssl
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
# Create the two directories into which packages will drop their configuration
# files.
mkdir %{buildroot}/%{sslengcnf}
mkdir %{buildroot}/%{sslengdef}
# Create unversioned symbolic links to above directories
ln -s %{sslengcnf} %{buildroot}/%{ssletcdir}/engines.d
ln -s %{sslengdef} %{buildroot}/%{ssletcdir}/engdef.d
# Add the FIPS module configuration from crypto-policies since SP6
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
ln -s %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config %{buildroot}%{ssletcdir}/fips_local.cnf
%endif
# Avoid file conflicts with man pages from other packages
pushd %{buildroot}/%{_mandir}
find . -type f -exec chmod 644 {} +
mv man5/config.5%{man_suffix} man5/openssl.cnf.5
popd
# Do not install demo scripts executable under /usr/share/doc
find demos -type f -perm /111 -exec chmod 644 {} +
# Place showciphers.c for %%doc macro
cp %{SOURCE5} .
# Compute the FIPS hmac using the brp-50-generate-fips-hmac script
export BRP_FIPSHMAC_FILES="%{buildroot}%{_libdir}/libssl.so.%{sover} %{buildroot}%{_libdir}/libcrypto.so.%{sover}"
%post -p "/bin/bash"
if [ "$1" -gt 1 ] ; then
# Check if the packaged default config file for openssl-3, called openssl.cnf,
# is the original or if it has been modified and alert the user in that case
# that a copy of the original file openssl-orig.cnf can be used if needed.
cmp --silent %{ssletcdir}/openssl.cnf %{ssletcdir}/openssl-orig.cnf 2>/dev/null
if [ "$?" -eq 1 ] ; then
echo -e " The openssl-3 default config file openssl.cnf is different from" ;
echo -e " the original one shipped by the package. A copy of the original" ;
echo -e " file is packaged and named as openssl-orig.cnf if needed."
fi
fi
%pre
# Migrate old engines.d to engines1.1.d.rpmsave
if [ ! -L %{ssletcdir}/engines.d ] && [ -d %{ssletcdir}/engines.d ]; then
mkdir %{ssletcdir}/engines1.1.d.rpmsave ||:
mv %{ssletcdir}/engines.d %{ssletcdir}/engines1.1.d.rpmsave ||:
fi
# Migrate old engdef.d to engdef1.1.d.rpmsave
if [ ! -L %{ssletcdir}/engdef.d ] && [ -d %{ssletcdir}/engdef.d ]; then
mkdir %{ssletcdir}/engdef1.1.d.rpmsave ||:
mv %{ssletcdir}/engdef.d %{ssletcdir}/engdef1.1.d.rpmsave ||:
fi
%post -n libopenssl3 -p /sbin/ldconfig
%postun -n libopenssl3 -p /sbin/ldconfig
%files -n libopenssl3
%license LICENSE.txt
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
%{_libdir}/libssl.so.%{sover}
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%{_libdir}/libcrypto.so.%{sover}
%{_libdir}/engines-%{sover}
%dir %{_libdir}/ossl-modules
%{_libdir}/ossl-modules/legacy.so
%{_libdir}/.libssl.so.%{sover}.hmac
%{_libdir}/.libcrypto.so.%{sover}.hmac
%files -n libopenssl-3-fips-provider
%{_libdir}/ossl-modules/fips.so
%files -n libopenssl-3-devel
%doc NOTES*.md CONTRIBUTING.md HACKING.md AUTHORS.md ACKNOWLEDGEMENTS.md
%{_includedir}/%{_rname}/
%{_includedir}/ssl
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%files doc
%doc README.md
%doc doc/html/* doc/HOWTO/* demos
%doc showciphers.c
%{_mandir}/man3/*
%files
%license LICENSE.txt
%doc CHANGES.md NEWS.md FAQ.md README.md
%dir %{ssletcdir}
%config %{ssletcdir}/openssl-orig.cnf
%config (noreplace) %{ssletcdir}/openssl.cnf
%config (noreplace) %{ssletcdir}/ct_log_list.cnf
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
%config %{ssletcdir}/fips_local.cnf
%endif
%attr(700,root,root) %{ssletcdir}/private
%dir %{sslengcnf}
%dir %{sslengdef}
# symbolic link to above directories
%{ssletcdir}/engines.d
%{ssletcdir}/engdef.d
%dir %{_datadir}/ssl
%{_datadir}/ssl/misc
%dir %{_localstatedir}/lib/ca-certificates/
%dir %{_localstatedir}/lib/ca-certificates/openssl
%{_bindir}/%{_rname}
%{_bindir}/c_rehash
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man7/*
%changelog

877
openssl-Add-FIPS-indicator-parameter-to-HKDF.patch Normal file
View File

@ -0,0 +1,877 @@
From 2000eaead63732669283e6b54c8ef02e268eaeb8 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:29 +0200
Subject: [PATCH 34/48] 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
Patch-name: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
Patch-id: 78
Patch-status: |
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
include/crypto/evp.h | 7 ++
include/openssl/core_names.h | 1 +
include/openssl/kdf.h | 4 +
providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++-
providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++--
providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
9 files changed, 487 insertions(+), 22 deletions(-)
Index: openssl-3.1.4/include/crypto/evp.h
===================================================================
--- openssl-3.1.4.orig/include/crypto/evp.h
+++ openssl-3.1.4/include/crypto/evp.h
@@ -219,6 +219,13 @@ struct evp_mac_st {
OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
};
+#ifdef FIPS_MODULE
+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
+ * Additional Keys from a Cryptographic Key, "[t]he length of the
+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
+#endif
+
struct evp_kdf_st {
OSSL_PROVIDER *prov;
int name_id;
Index: openssl-3.1.4/include/openssl/core_names.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/core_names.h
+++ openssl-3.1.4/include/openssl/core_names.h
@@ -226,6 +226,7 @@ extern "C" {
#define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo"
#define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo"
#define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits"
+#define OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator"
/* Known KDF names */
#define OSSL_KDF_NAME_HKDF "HKDF"
Index: openssl-3.1.4/include/openssl/kdf.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/kdf.h
+++ openssl-3.1.4/include/openssl/kdf.h
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *
# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
+# define EVP_KDF_SUSE_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED 1
+# define EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
+
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/hkdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/hkdf.c
@@ -43,6 +43,7 @@ static OSSL_FUNC_kdf_settable_ctx_params
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
@@ -86,6 +87,10 @@ typedef struct {
size_t data_len;
unsigned char *info;
size_t info_len;
+ int is_tls13;
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} KDF_HKDF;
static void *kdf_hkdf_new(void *provctx)
@@ -201,6 +206,11 @@ static int kdf_hkdf_derive(void *vctx, u
return 0;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
switch (ctx->mode) {
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
default:
@@ -363,13 +373,15 @@ static int kdf_hkdf_get_ctx_params(void
{
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
size_t sz = kdf_hkdf_size(ctx);
- if (sz == 0)
+ any_valid = 1;
+
+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
return 0;
- return OSSL_PARAM_set_size_t(p, sz);
}
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
if (ctx->info == NULL || ctx->info_len == 0) {
@@ -378,7 +390,68 @@ static int kdf_hkdf_get_ctx_params(void
}
return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
}
- return -2;
+
+#ifdef FIPS_MODULE
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR))
+ != NULL) {
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ if (ctx->is_tls13) {
+ if (md != NULL
+ && !EVP_MD_is_a(md, "SHA2-256")
+ && !EVP_MD_is_a(md, "SHA2-384")) {
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic
+ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
+ * key derivation function documented in Section 7.1 of RFC
+ * 8446. This is considered an approved CVL because the
+ * underlying functions performed within the TLS 1.3 KDF map to
+ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
+ * Option #3), SP 800-56Crev2, and SP 800-108."
+ *
+ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ } else {
+ if (md != NULL
+ && (EVP_MD_is_a(md, "SHAKE-128") ||
+ EVP_MD_is_a(md, "SHAKE-256"))) {
+ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
+ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
+ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
+ * extendable-output functions may only be used as the
+ * standalone algorithms." */
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ }
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif /* defined(FIPS_MODULE) */
+
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -387,6 +460,9 @@ static const OSSL_PARAM *kdf_hkdf_gettab
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;
@@ -717,6 +793,17 @@ static int prov_tls13_hkdf_generate_secr
return ret;
}
+static void *kdf_tls1_3_new(void *provctx)
+{
+ KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
+
+ if (hkdf != NULL)
+ hkdf->is_tls13 = 1;
+
+ return hkdf;
+}
+
+
static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
const OSSL_PARAM params[])
{
@@ -732,6 +819,11 @@ static int kdf_tls1_3_derive(void *vctx,
return 0;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
switch (ctx->mode) {
default:
return 0;
@@ -809,7 +901,7 @@ static const OSSL_PARAM *kdf_tls1_3_sett
}
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
Index: openssl-3.1.4/providers/implementations/kdfs/kbkdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/kbkdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/kbkdf.c
@@ -59,6 +59,9 @@ typedef struct {
kbkdf_mode mode;
EVP_MAC_CTX *ctx_init;
+ /* HMAC digest algorithm, if any; used to compute FIPS indicator */
+ PROV_DIGEST digest;
+
/* Names are lowercased versions of those found in SP800-108. */
int r;
unsigned char *ki;
@@ -72,6 +75,9 @@ typedef struct {
int use_l;
int is_kmac;
int use_separator;
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} KBKDF;
/* Definitions needed for typechecking. */
@@ -143,6 +149,7 @@ static void kbkdf_reset(void *vctx)
void *provctx = ctx->provctx;
EVP_MAC_CTX_free(ctx->ctx_init);
+ ossl_prov_digest_reset(&ctx->digest);
OPENSSL_clear_free(ctx->context, ctx->context_len);
OPENSSL_clear_free(ctx->label, ctx->label_len);
OPENSSL_clear_free(ctx->ki, ctx->ki_len);
@@ -308,6 +315,11 @@ static int kbkdf_derive(void *vctx, unsi
goto done;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
if (h == 0)
goto done;
@@ -381,6 +393,9 @@ static int kbkdf_set_ctx_params(void *vc
}
}
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
+ return 0;
+
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
if (p != NULL
&& OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
@@ -461,20 +476,77 @@ static const OSSL_PARAM *kbkdf_settable_
static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
- if (p == NULL)
+ if (p != NULL) {
+ any_valid = 1;
+
+ /* KBKDF can produce results as large as you like. */
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
+ return 0;
+ }
+
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
+ if (p != NULL) {
+ KBKDF *ctx = (KBKDF *)vctx;
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
+ * extendable-output functions may only be used as the standalone
+ * algorithms." Note that the digest is only used when the MAC
+ * algorithm is HMAC. */
+ if (ctx->ctx_init != NULL
+ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
+ if (md != NULL
+ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ }
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif
+
+ if (!any_valid)
return -2;
- /* KBKDF can produce results as large as you like. */
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+ return 1;
}
static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
ossl_unused void *provctx)
{
- static const OSSL_PARAM known_gettable_ctx_params[] =
- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
+ OSSL_PARAM_END
+ };
return known_gettable_ctx_params;
}
Index: openssl-3.1.4/providers/implementations/kdfs/sshkdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/sshkdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/sshkdf.c
@@ -49,6 +49,9 @@ typedef struct {
char type; /* X */
unsigned char *session_id;
size_t session_id_len;
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} KDF_SSHKDF;
static void *kdf_sshkdf_new(void *provctx)
@@ -151,6 +154,12 @@ static int kdf_sshkdf_derive(void *vctx,
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
return 0;
}
+
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
return SSHKDF(md, ctx->key, ctx->key_len,
ctx->xcghash, ctx->xcghash_len,
ctx->session_id, ctx->session_id_len,
@@ -219,10 +228,67 @@ static const OSSL_PARAM *kdf_sshkdf_sett
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
- return -2;
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ any_valid = 1;
+
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
+ return 0;
+ }
+
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
+ if (p != NULL) {
+ KDF_SSHKDF *ctx = vctx;
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
+ * extendable-output functions may only be used as the standalone
+ * algorithms."
+ *
+ * Additionally, SP 800-135r1 section 5.2 specifies that the hash
+ * function used in SSHKDF "is one of the hash functions specified in
+ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
+ * */
+ if (ctx->digest.md != NULL
+ && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+ }
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif
+
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -230,6 +296,9 @@ static const OSSL_PARAM *kdf_sshkdf_gett
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;
Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/sskdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/sskdf.c
@@ -63,6 +63,10 @@ typedef struct {
size_t salt_len;
size_t out_len; /* optional KMAC parameter */
int is_kmac;
+ int is_x963kdf;
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} KDF_SSKDF;
#define SSKDF_MAX_INLEN (1<<30)
@@ -73,6 +77,7 @@ typedef struct {
static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
static OSSL_FUNC_kdf_newctx_fn sskdf_new;
+static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
@@ -297,6 +302,16 @@ static void *sskdf_new(void *provctx)
return ctx;
}
+static void *x963kdf_new(void *provctx)
+{
+ KDF_SSKDF *ctx = sskdf_new(provctx);
+
+ if (ctx)
+ ctx->is_x963kdf = 1;
+
+ return ctx;
+}
+
static void sskdf_reset(void *vctx)
{
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
@@ -392,6 +407,11 @@ static int sskdf_derive(void *vctx, unsi
}
md = ossl_prov_digest_md(&ctx->digest);
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
if (ctx->macctx != NULL) {
/* H(x) = KMAC or H(x) = HMAC */
int ret;
@@ -473,6 +493,11 @@ static int x963kdf_derive(void *vctx, un
return 0;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+
return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
ctx->info, ctx->info_len, 1, key, keylen);
}
@@ -545,10 +570,74 @@ static int sskdf_get_ctx_params(void *vc
{
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ any_valid = 1;
+
+ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
+ return 0;
+ }
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
- return -2;
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
+ if (p != NULL) {
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
+ * extendable-output functions may only be used as the standalone
+ * algorithms." */
+ if (ctx->macctx == NULL
+ || (ctx->macctx != NULL &&
+ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
+ if (ctx->digest.md != NULL
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+ }
+
+ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
+ * should only be used for 80-bit key agreement, but FIPS 140-3
+ * requires a security strength of 112 bits, so SHA-1 cannot be
+ * used with X9.63. See the discussion in
+ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
+ */
+ if (ctx->is_x963kdf
+ && ctx->digest.md != NULL
+ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ }
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif
+
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -556,6 +645,9 @@ static const OSSL_PARAM *sskdf_gettable_
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;
@@ -577,7 +669,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_funct
};
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/tls1_prf.c
+++ openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c
@@ -104,6 +104,13 @@ typedef struct {
/* Buffer of concatenated seed data */
unsigned char seed[TLS1_PRF_MAXBUF];
size_t seedlen;
+
+ /* MAC digest algorithm; used to compute FIPS indicator */
+ PROV_DIGEST digest;
+
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} TLS1_PRF;
static void *kdf_tls1_prf_new(void *provctx)
@@ -140,6 +147,7 @@ static void kdf_tls1_prf_reset(void *vct
EVP_MAC_CTX_free(ctx->P_sha1);
OPENSSL_clear_free(ctx->sec, ctx->seclen);
OPENSSL_cleanse(ctx->seed, ctx->seedlen);
+ ossl_prov_digest_reset(&ctx->digest);
memset(ctx, 0, sizeof(*ctx));
ctx->provctx = provctx;
}
@@ -194,6 +202,10 @@ static int kdf_tls1_prf_derive(void *vct
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
/*
* The seed buffer is prepended with a label.
@@ -243,6 +255,9 @@ static int kdf_tls1_prf_set_ctx_params(v
}
}
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
+ return 0;
+
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
OPENSSL_clear_free(ctx->sec, ctx->seclen);
ctx->sec = NULL;
@@ -284,10 +299,60 @@ static const OSSL_PARAM *kdf_tls1_prf_se
static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
OSSL_PARAM *p;
+#ifdef FIPS_MODULE
+ TLS1_PRF *ctx = vctx;
+#endif /* defined(FIPS_MODULE) */
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ any_valid = 1;
+
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
+ return 0;
+ }
+
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
+ if (p != NULL) {
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
+ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
+ if (ctx->digest.md != NULL
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+ }
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
- return -2;
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
@@ -295,6 +360,9 @@ static const OSSL_PARAM *kdf_tls1_prf_ge
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;
Index: openssl-3.1.4/providers/implementations/kdfs/x942kdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/x942kdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/x942kdf.c
@@ -13,11 +13,13 @@
#include <openssl/core_dispatch.h>
#include <openssl/err.h>
#include <openssl/evp.h>
+#include <openssl/kdf.h>
#include <openssl/params.h>
#include <openssl/proverr.h>
#include "internal/packet.h"
#include "internal/der.h"
#include "internal/nelem.h"
+#include "crypto/evp.h"
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
@@ -49,6 +51,9 @@ typedef struct {
const unsigned char *cek_oid;
size_t cek_oid_len;
int use_keybits;
+#ifdef FIPS_MODULE
+ int fips_indicator;
+#endif /* defined(FIPS_MODULE) */
} KDF_X942;
/*
@@ -497,6 +502,10 @@ static int x942kdf_derive(void *vctx, un
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
return 0;
}
+#ifdef FIPS_MODULE
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
der, der_len, ctr, key, keylen);
OPENSSL_free(der);
@@ -600,10 +609,58 @@ static int x942kdf_get_ctx_params(void *
{
KDF_X942 *ctx = (KDF_X942 *)vctx;
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
- return -2;
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ any_valid = 1;
+
+ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
+ return 0;
+ }
+
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
+ if (p != NULL) {
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
+
+ any_valid = 1;
+
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
+ * the key-derivation key [i.e., the input key] shall be at least 112
+ * bits". */
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Verification Program, Section D.B and NIST Special Publication
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
+ * strength < 112 bits is legacy use only, so all derived keys should
+ * be longer than that. If a derived key has ever been shorter than
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
+ * should also set the returned FIPS indicator to unapproved. */
+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
+ * extendable-output functions may only be used as the standalone
+ * algorithms." */
+ if (ctx->digest.md != NULL
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+ }
+
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+ }
+#endif
+
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -611,6 +668,9 @@ static const OSSL_PARAM *x942kdf_gettabl
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;

83
openssl-Add-FIPS_mode-compatibility-macro.patch Normal file
View File

@ -0,0 +1,83 @@
From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:27 +0200
Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-id: 8
Patch-status: |
# Add FIPS_mode() compatibility macro
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
include/openssl/fips.h | 26 ++++++++++++++++++++++++++
test/property_test.c | 14 ++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 include/openssl/fips.h
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
new file mode 100644
index 0000000000..4162cbf88e
--- /dev/null
+++ b/include/openssl/fips.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_FIPS_H
+# define OPENSSL_FIPS_H
+# pragma once
+
+# include <openssl/evp.h>
+# include <openssl/macros.h>
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
+
+# ifdef __cplusplus
+}
+# endif
+#endif
diff --git a/test/property_test.c b/test/property_test.c
index 45b1db3e85..8894c1c1cb 100644
--- a/test/property_test.c
+++ b/test/property_test.c
@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i)
return ret;
}
+#include <openssl/fips.h>
+static int test_downstream_FIPS_mode(void)
+{
+ int ret = 0;
+
+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
+ && TEST_true(FIPS_mode())
+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
+ && TEST_false(FIPS_mode());
+
+ return ret;
+}
+
int setup_tests(void)
{
ADD_TEST(test_property_string);
@@ -690,6 +703,7 @@ int setup_tests(void)
ADD_TEST(test_property);
ADD_TEST(test_query_cache_stochastic);
ADD_TEST(test_fips_mode);
+ ADD_TEST(test_downstream_FIPS_mode);
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
return 1;
}
--
2.41.0

86
openssl-Add-Kernel-FIPS-mode-flag-support.patch Normal file
View File

@ -0,0 +1,86 @@
From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:27 +0200
Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-id: 9
Patch-status: |
# Add check to see if fips flag is enabled in kernel
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++
include/internal/provider.h | 3 +++
2 files changed, 39 insertions(+)
diff --git a/crypto/context.c b/crypto/context.c
index e294ea1512..51002ba79a 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -16,6 +16,41 @@
#include "internal/provider.h"
#include "crypto/context.h"
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <fcntl.h>
+# include <unistd.h>
+# include <openssl/evp.h>
+
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
+
+static int kernel_fips_flag;
+
+static void read_kernel_fips_flag(void)
+{
+ char buf[2] = "0";
+ int fd;
+
+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+ close(fd);
+ }
+
+ if (buf[0] == '1') {
+ kernel_fips_flag = 1;
+ }
+
+ return;
+}
+
+int ossl_get_kernel_fips_flag()
+{
+ return kernel_fips_flag;
+}
+
+
struct ossl_lib_ctx_st {
CRYPTO_RWLOCK *lock, *rand_crngt_lock;
OSSL_EX_DATA_GLOBAL global;
@@ -336,6 +371,7 @@ static int default_context_inited = 0;
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
{
+ read_kernel_fips_flag();
if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
goto err;
diff --git a/include/internal/provider.h b/include/internal/provider.h
index 18937f84c7..1446bf7afb 100644
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
const OSSL_DISPATCH *in);
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
+/* FIPS flag access */
+int ossl_get_kernel_fips_flag(void);
+
# ifdef __cplusplus
}
# endif
--
2.41.0

1148
openssl-Add-changes-to-ectest-and-eccurve.patch Normal file
View File

File diff suppressed because it is too large Load Diff

305
openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Normal file
View File

@ -0,0 +1,305 @@
From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 10:16:46 +0200
Subject: Add support for PROFILE=SYSTEM system default cipherlist
(was openssl-1.1.1-system-cipherlist.patch)
---
Configurations/unix-Makefile.tmpl | 5 ++
Configure | 11 ++++
doc/man1/openssl-ciphers.pod.in | 9 +++
include/openssl/ssl.h.in | 5 ++
ssl/ssl_ciph.c | 87 +++++++++++++++++++++++++++++++++-----
ssl/ssl_lib.c | 4 -
test/cipherlist_test.c | 2
util/libcrypto.num | 1
8 files changed, 110 insertions(+), 14 deletions(-)
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
+{- output_off() if $config{system_ciphers_file} eq ""; "" -}
+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
+{- output_on() if $config{system_ciphers_file} eq ""; "" -}
+
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
CPPFLAGS={- our $cppflags1 = join(" ",
(map { "-D".$_} @{$config{CPPDEFINES}}),
+ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
(map { "-I".$_} @{$config{CPPINCLUDES}}),
@{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
--- a/Configure
+++ b/Configure
@@ -27,7 +27,7 @@ use OpenSSL::config;
my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler;
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
my $banner = <<"EOF";
@@ -61,6 +61,10 @@ EOF
# given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C.
# (Default: PREFIX/ssl)
+#
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
+# cipher is specified (default).
+#
# --banner=".." Output specified text instead of default completion banner
#
# -w Don't wait after showing a Configure warning
@@ -387,6 +391,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
+$config{system_ciphers_file}="";
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
@@ -989,6 +994,10 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
+ elsif (/^--system-ciphers-file=(.*)$/)
+ {
+ $config{system_ciphers_file}=$1;
+ }
elsif (/^--banner=(.*)$/)
{
$banner = $1 . "\n";
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
+=item B<PROFILE=SYSTEM>
+
+The list of enabled cipher suites will be loaded from the system crypto policy
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
+See also L<update-crypto-policies(8)>.
+This is the default behavior unless an application explicitly sets a cipher
+list. If used in a cipher list configuration value this string must be at the
+beginning of the cipher list, otherwise it will not be recognized.
+
=item B<HIGH>
"High" encryption cipher suites. This currently means those with key lengths
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -213,6 +213,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
*/
+# ifdef SYSTEM_CIPHERS_FILE
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
+# else
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
+# endif
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const c
return ret;
}
+#ifdef SYSTEM_CIPHERS_FILE
+static char *load_system_str(const char *suffix)
+{
+ FILE *fp;
+ char buf[1024];
+ char *new_rules;
+ const char *ciphers_path;
+ unsigned len, slen;
+
+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
+ ciphers_path = SYSTEM_CIPHERS_FILE;
+ fp = fopen(ciphers_path, "r");
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
+ /* cannot open or file is empty */
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
+ }
+
+ if (fp)
+ fclose(fp);
+
+ slen = strlen(suffix);
+ len = strlen(buf);
+
+ if (buf[len - 1] == '\n') {
+ len--;
+ buf[len] = 0;
+ }
+ if (buf[len - 1] == '\r') {
+ len--;
+ buf[len] = 0;
+ }
+
+ new_rules = OPENSSL_malloc(len + slen + 1);
+ if (new_rules == 0)
+ return NULL;
+
+ memcpy(new_rules, buf, len);
+ if (slen > 0) {
+ memcpy(&new_rules[len], suffix, slen);
+ len += slen;
+ }
+ new_rules[len] = 0;
+
+ return new_rules;
+}
+#endif
+
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method;
+#ifdef SYSTEM_CIPHERS_FILE
+ char *new_rules = NULL;
+
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
+ char *p = rule_str + 14;
+
+ new_rules = load_system_str(p);
+ rule_str = new_rules;
+ }
+#endif
/*
* Return with error if nothing to do.
*/
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
- return NULL;
+ goto err;
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
- return NULL;
+ goto err;
/*
* To reduce the work to do we only want to process the compiled
@@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
- OPENSSL_free(co_list);
- return NULL;
+ goto err;
}
/*
@@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
- OPENSSL_free(co_list);
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1633,8 +1688,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */
- OPENSSL_free(co_list);
- return NULL;
+ goto err;
}
/*
@@ -1642,10 +1696,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
- OPENSSL_free(co_list);
- return NULL;
+ goto err;
}
+#ifdef SYSTEM_CIPHERS_FILE
+ OPENSSL_free(new_rules); /* Not needed anymore */
+#endif
+
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1697,6 +1754,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*cipher_list = cipherstack;
return cipherstack;
+
+err:
+ OPENSSL_free(co_list);
+#ifdef SYSTEM_CIPHERS_FILE
+ OPENSSL_free(new_rules);
+#endif
+ return NULL;
+
}
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
- OSSL_default_cipher_list(), ctx->cert);
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
- OSSL_default_cipher_list(), ret->cert)
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@@ -246,7 +246,9 @@ end:
int setup_tests(void)
{
+#ifndef SYSTEM_CIPHERS_FILE
ADD_TEST(test_default_cipherlist_implicit);
+#endif
ADD_TEST(test_default_cipherlist_explicit);
ADD_TEST(test_default_cipherlist_clear);
return 1;
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:

743
openssl-Add_support_for_Windows_CA_certificate_store.patch Normal file
View File

@ -0,0 +1,743 @@
From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Fri, 8 Apr 2022 13:10:52 +0100
Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI
env
Fixes #18068.
---
CHANGES.md | 21
Configure | 7
crypto/x509/by_dir.c | 17
crypto/x509/by_store.c | 14
crypto/x509/x509_def.c | 15
doc/build.info | 6
doc/man3/X509_get_default_cert_file.pod | 113 +++++
include/internal/cryptlib.h | 11
include/internal/e_os.h | 2
include/openssl/x509.h.in | 3
providers/implementations/include/prov/implementations.h | 1
providers/implementations/storemgmt/build.info | 3
providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++
providers/stores.inc | 3
util/libcrypto.num | 3
util/missingcrypto.txt | 4
16 files changed, 536 insertions(+), 14 deletions(-)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,27 @@ OpenSSL 3.1
### Changes between 3.1.0 and 3.1.1 [30 May 2023]
+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced.
+ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The
+ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of
+ paths which are searched for root certificates.
+
+ The existing `SSL_CERT_DIR` environment variable is deprecated.
+ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated
+ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes
+ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate
+ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored
+ for the purposes of determining root certificate stores.
+
+ *Hugo Landau*
+
+ * Support for loading root certificates from the Windows certificate store
+ has been added. The support is in the form of a store which recognises the
+ URI string of `org.openssl.winstore://`. This store is enabled by default and
+ can be disabled using the new compile-time option `no-winstore`.
+
+ *Hugo Landau*
+
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
--- a/Configure
+++ b/Configure
@@ -420,6 +420,7 @@ my @disablables = (
"cached-fetch",
"camellia",
"capieng",
+ "winstore",
"cast",
"chacha",
"cmac",
@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) {
}
}
+unless ($disabled{winstore}) {
+ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) {
+ disable('not-windows', 'winstore');
+ }
+}
+
push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
# Get the extra flags used when building shared libraries and modules. We
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
switch (cmd) {
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT) {
- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
+ /* If SSL_CERT_PATH is provided and non-empty, use that. */
+ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
- if (dir)
- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
- else
- ret = add_cert_dir(ld, X509_get_default_cert_dir(),
- X509_FILETYPE_PEM);
+ /* Fallback to SSL_CERT_DIR. */
+ if (dir == NULL)
+ dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
+
+ /* Fallback to built-in default. */
+ if (dir == NULL)
+ dir = X509_get_default_cert_dir();
+
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
if (!ret) {
ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
}
--- a/crypto/x509/by_store.c
+++ b/crypto/x509/by_store.c
@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP
{
switch (cmd) {
case X509_L_ADD_STORE:
- /* If no URI is given, use the default cert dir as default URI */
+ /* First try the newer default cert URI envvar. */
+ if (argp == NULL)
+ argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
+
+ /* If not set, see if we have a URI in the older cert dir envvar. */
if (argp == NULL)
argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
+
+ /* Fallback to default store URI. */
if (argp == NULL)
- argp = X509_get_default_cert_dir();
+ argp = X509_get_default_cert_uri();
+
+ /* No point adding an empty URI. */
+ if (!*argp)
+ return 1;
{
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
--- a/crypto/x509/x509_def.c
+++ b/crypto/x509/x509_def.c
@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v
return X509_CERT_AREA;
}
+const char *X509_get_default_cert_uri(void)
+{
+ return X509_CERT_URI;
+}
+
const char *X509_get_default_cert_dir(void)
{
return X509_CERT_DIR;
@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v
return X509_CERT_FILE;
}
+const char *X509_get_default_cert_uri_env(void)
+{
+ return X509_CERT_URI_EVP;
+}
+
+const char *X509_get_default_cert_path_env(void)
+{
+ return X509_CERT_PATH_EVP;
+}
+
const char *X509_get_default_cert_dir_env(void)
{
return X509_CERT_DIR_EVP;
--- a/doc/build.info
+++ b/doc/build.info
@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma
GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod
DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
+DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
+GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
+DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
+GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod
@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht
html/man3/X509_get0_notBefore.html \
html/man3/X509_get0_signature.html \
html/man3/X509_get0_uids.html \
+html/man3/X509_get_default_cert_file.html \
html/man3/X509_get_extension_flags.html \
html/man3/X509_get_pubkey.html \
html/man3/X509_get_serialNumber.html \
@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \
man/man3/X509_get0_notBefore.3 \
man/man3/X509_get0_signature.3 \
man/man3/X509_get0_uids.3 \
+man/man3/X509_get_default_cert_file.3 \
man/man3/X509_get_extension_flags.3 \
man/man3/X509_get_pubkey.3 \
man/man3/X509_get_serialNumber.3 \
--- /dev/null
+++ b/doc/man3/X509_get_default_cert_file.pod
@@ -0,0 +1,113 @@
+=pod
+
+=head1 NAME
+
+X509_get_default_cert_file, X509_get_default_cert_file_env,
+X509_get_default_cert_path_env,
+X509_get_default_cert_dir, X509_get_default_cert_dir_env,
+X509_get_default_cert_uri, X509_get_default_cert_uri_env -
+retrieve default locations for trusted CA certificates
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ const char *X509_get_default_cert_file(void);
+ const char *X509_get_default_cert_dir(void);
+ const char *X509_get_default_cert_uri(void);
+
+ const char *X509_get_default_cert_file_env(void);
+ const char *X509_get_default_cert_path_env(void);
+ const char *X509_get_default_cert_dir_env(void);
+ const char *X509_get_default_cert_uri_env(void);
+
+=head1 DESCRIPTION
+
+The X509_get_default_cert_file() function returns the default path
+to a file containing trusted CA certificates. OpenSSL will use this as
+the default path when it is asked to load trusted CA certificates
+from a file and no other path is specified. If the file exists, CA certificates
+are loaded from the file.
+
+The X509_get_default_cert_dir() function returns a default delimeter-separated
+list of paths to a directories containing trusted CA certificates named in the
+hashed format. OpenSSL will use this as the default list of paths when it is
+asked to load trusted CA certificates from a directory and no other path is
+specified. If a given directory in the list exists, OpenSSL attempts to lookup
+CA certificates in this directory by calculating a filename based on a hash of
+the certificate's subject name.
+
+The X509_get_default_cert_uri() function returns the default URI for a
+certificate store accessed programmatically via an OpenSSL provider. If there is
+no default store applicable to the system for which OpenSSL was compiled, this
+returns an empty string.
+
+X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return
+environment variable names which are recommended to specify nondefault values to
+be used instead of the values returned by X509_get_default_cert_file() and
+X509_get_default_cert_uri() respectively. The values returned by the latter
+functions are not affected by these environment variables; you must check for
+these environment variables yourself, using these functions to retrieve the
+correct environment variable names. If an environment variable is not set, the
+value returned by the corresponding function above should be used.
+
+X509_get_default_cert_path_env() returns the environment variable name which is
+recommended to specify a nondefault value to be used instead of the value
+returned by X509_get_default_cert_dir(). This environment variable supercedes
+the deprecated environment variable whose name is returned by
+X509_get_default_cert_dir_env(). This environment variable was deprecated as its
+contents can be interpreted ambiguously; see NOTES.
+
+By default, OpenSSL uses the path list specified in the environment variable
+whose name is returned by X509_get_default_cert_path_env() if it is set;
+otherwise, it uses the path list specified in the environment variable whose
+name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it
+uses the value returned by X509_get_default_cert_dir()).
+
+=head1 NOTES
+
+X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and
+X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this
+release, store URIs were expressed via the environment variable returned by
+X509_get_default_cert_dir_env(); this environment variable could be used to
+specify either a list of directories or a store URI. This creates an ambiguity
+in which the environment variable returned by X509_get_default_cert_dir_env() is
+interpreted both as a list of directories and as a store URI.
+
+This usage and the environment variable returned by
+X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use
+the environment variable returned by X509_get_default_cert_uri_env(), and to
+specify a list of directories, use the environment variable returned by
+X509_get_default_cert_path_env().
+
+=head1 RETURN VALUES
+
+These functions return pointers to constant strings with static storage
+duration.
+
+=head1 SEE ALSO
+
+L<X509_LOOKUP(3)>,
+L<SSL_CTX_set_default_verify_file(3)>,
+L<SSL_CTX_set_default_verify_dir(3)>,
+L<SSL_CTX_set_default_verify_store(3)>,
+L<SSL_CTX_load_verify_file(3)>,
+L<SSL_CTX_load_verify_dir(3)>,
+L<SSL_CTX_load_verify_store(3)>,
+L<SSL_CTX_load_verify_locations(3)>
+
+=head1 HISTORY
+
+X509_get_default_cert_uri(), X509_get_default_cert_path_env() and
+X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1.
+
+=head1 COPYRIGHT
+
+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -13,6 +13,8 @@
# include <stdlib.h>
# include <string.h>
+# include "openssl/configuration.h"
+# include "internal/e_os.h" /* ossl_inline in many files */
# ifdef OPENSSL_USE_APPLINK
# define BIO_FLAGS_UPLINK_INTERNAL 0x8000
@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM);
# define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf"
# endif
+#ifndef OPENSSL_NO_WINSTORE
+# define X509_CERT_URI "org.openssl.winstore://"
+#else
+# define X509_CERT_URI ""
+#endif
+
+# define X509_CERT_URI_EVP "SSL_CERT_URI"
+# define X509_CERT_PATH_EVP "SSL_CERT_PATH"
# define X509_CERT_DIR_EVP "SSL_CERT_DIR"
# define X509_CERT_FILE_EVP "SSL_CERT_FILE"
# define CTLOG_FILE_EVP "CTLOG_FILE"
@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_
# endif
return path[0] == '/';
}
-
#endif
--- a/include/internal/e_os.h
+++ b/include/internal/e_os.h
@@ -249,7 +249,7 @@ FILE *__iob_func();
/***********************************************/
# if defined(OPENSSL_SYS_WINDOWS)
-# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
+# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
# define open _open
# define fdopen _fdopen
# define close _close
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
const char *X509_get_default_cert_area(void);
+const char *X509_get_default_cert_uri(void);
const char *X509_get_default_cert_dir(void);
const char *X509_get_default_cert_file(void);
+const char *X509_get_default_cert_uri_env(void);
+const char *X509_get_default_cert_path_env(void);
const char *X509_get_default_cert_dir_env(void);
const char *X509_get_default_cert_file_env(void);
const char *X509_get_default_private_dir(void);
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP
extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[];
extern const OSSL_DISPATCH ossl_file_store_functions[];
+extern const OSSL_DISPATCH ossl_winstore_store_functions[];
--- a/providers/implementations/storemgmt/build.info
+++ b/providers/implementations/storemgmt/build.info
@@ -4,3 +4,6 @@
$STORE_GOAL=../../libdefault.a
SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c
+IF[{- !$disabled{winstore} -}]
+ SOURCE[$STORE_GOAL]=winstore_store.c
+ENDIF
--- /dev/null
+++ b/providers/implementations/storemgmt/winstore_store.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include <openssl/store.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/core_names.h>
+#include <openssl/core_object.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/params.h>
+#include <openssl/decoder.h>
+#include <openssl/proverr.h>
+#include <openssl/store.h> /* The OSSL_STORE_INFO type numbers */
+#include "internal/cryptlib.h"
+#include "internal/o_dir.h"
+#include "crypto/decoder.h"
+#include "crypto/ctype.h" /* ossl_isdigit() */
+#include "prov/implementations.h"
+#include "prov/bio.h"
+#include "file_store_local.h"
+
+#include <wincrypt.h>
+
+enum {
+ STATE_IDLE,
+ STATE_READ,
+ STATE_EOF,
+};
+
+struct winstore_ctx_st {
+ void *provctx;
+ char *propq;
+ unsigned char *subject;
+ size_t subject_len;
+
+ HCERTSTORE win_store;
+ const CERT_CONTEXT *win_ctx;
+ int state;
+
+ OSSL_DECODER_CTX *dctx;
+};
+
+static void winstore_win_reset(struct winstore_ctx_st *ctx)
+{
+ if (ctx->win_ctx != NULL) {
+ CertFreeCertificateContext(ctx->win_ctx);
+ ctx->win_ctx = NULL;
+ }
+
+ ctx->state = STATE_IDLE;
+}
+
+static void winstore_win_advance(struct winstore_ctx_st *ctx)
+{
+ CERT_NAME_BLOB name = {0};
+
+ if (ctx->state == STATE_EOF)
+ return;
+
+ name.cbData = ctx->subject_len;
+ name.pbData = ctx->subject;
+
+ ctx->win_ctx = (name.cbData == 0 ? NULL :
+ CertFindCertificateInStore(ctx->win_store,
+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+ 0, CERT_FIND_SUBJECT_NAME,
+ &name, ctx->win_ctx));
+
+ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ;
+}
+
+static void *winstore_open(void *provctx, const char *uri)
+{
+ struct winstore_ctx_st *ctx = NULL;
+
+ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:"))
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx == NULL)
+ return NULL;
+
+ ctx->provctx = provctx;
+ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT");
+ if (ctx->win_store == NULL) {
+ OPENSSL_free(ctx);
+ return NULL;
+ }
+
+ winstore_win_reset(ctx);
+ return ctx;
+}
+
+static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin)
+{
+ return NULL; /* not supported */
+}
+
+static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[])
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+ const OSSL_PARAM *p;
+ int do_reset = 0;
+
+ if (params == NULL)
+ return 1;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
+ if (p != NULL) {
+ do_reset = 1;
+ OPENSSL_free(ctx->propq);
+ ctx->propq = NULL;
+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0))
+ return 0;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
+ if (p != NULL) {
+ const unsigned char *der = NULL;
+ size_t der_len = 0;
+
+ if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len))
+ return 0;
+
+ do_reset = 1;
+
+ OPENSSL_free(ctx->subject);
+
+ ctx->subject = OPENSSL_malloc(der_len);
+ if (ctx->subject == NULL) {
+ ctx->subject_len = 0;
+ return 0;
+ }
+
+ ctx->subject_len = der_len;
+ memcpy(ctx->subject, der, der_len);
+ }
+
+ if (do_reset) {
+ winstore_win_reset(ctx);
+ winstore_win_advance(ctx);
+ }
+
+ return 1;
+}
+
+struct load_data_st {
+ OSSL_CALLBACK *object_cb;
+ void *object_cbarg;
+};
+
+static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst,
+ const OSSL_PARAM *params, void *construct_data)
+{
+ struct load_data_st *data = construct_data;
+ return data->object_cb(params, data->object_cbarg);
+}
+
+static void load_cleanup(void *construct_data)
+{
+ /* No-op. */
+}
+
+static int setup_decoder(struct winstore_ctx_st *ctx)
+{
+ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx);
+ const OSSL_ALGORITHM *to_algo = NULL;
+
+ if (ctx->dctx != NULL)
+ return 1;
+
+ ctx->dctx = OSSL_DECODER_CTX_new();
+ if (ctx->dctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ for (to_algo = ossl_any_to_obj_algorithm;
+ to_algo->algorithm_names != NULL;
+ to_algo++) {
+ OSSL_DECODER *to_obj = NULL;
+ OSSL_DECODER_INSTANCE *to_obj_inst = NULL;
+
+ /*
+ * Create the internal last resort decoder implementation
+ * together with a "decoder instance".
+ * The decoder doesn't need any identification or to be
+ * attached to any provider, since it's only used locally.
+ */
+ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL);
+ if (to_obj != NULL)
+ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx);
+
+ OSSL_DECODER_free(to_obj);
+ if (to_obj_inst == NULL)
+ goto err;
+
+ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx,
+ to_obj_inst)) {
+ ossl_decoder_instance_free(to_obj_inst);
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+ }
+
+ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ return 1;
+
+err:
+ OSSL_DECODER_CTX_free(ctx->dctx);
+ ctx->dctx = NULL;
+ return 0;
+}
+
+static int winstore_load_using(struct winstore_ctx_st *ctx,
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg,
+ const void *der, size_t der_len)
+{
+ struct load_data_st data;
+ const unsigned char *der_ = der;
+ size_t der_len_ = der_len;
+
+ if (setup_decoder(ctx) == 0)
+ return 0;
+
+ data.object_cb = object_cb;
+ data.object_cbarg = object_cbarg;
+
+ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data);
+ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg);
+
+ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0)
+ return 0;
+
+ return 1;
+}
+
+static int winstore_load(void *loaderctx,
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
+{
+ int ret = 0;
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ if (ctx->state != STATE_READ)
+ return 0;
+
+ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg,
+ ctx->win_ctx->pbCertEncoded,
+ ctx->win_ctx->cbCertEncoded);
+
+ if (ret == 1)
+ winstore_win_advance(ctx);
+
+ return ret;
+}
+
+static int winstore_eof(void *loaderctx)
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ return ctx->state != STATE_READ;
+}
+
+static int winstore_close(void *loaderctx)
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ winstore_win_reset(ctx);
+ CertCloseStore(ctx->win_store, 0);
+ OSSL_DECODER_CTX_free(ctx->dctx);
+ OPENSSL_free(ctx->propq);
+ OPENSSL_free(ctx->subject);
+ OPENSSL_free(ctx);
+ return 1;
+}
+
+const OSSL_DISPATCH ossl_winstore_store_functions[] = {
+ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open },
+ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach },
+ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params },
+ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params },
+ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load },
+ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof },
+ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close },
+ { 0, NULL },
+};
--- a/providers/stores.inc
+++ b/providers/stores.inc
@@ -12,3 +12,6 @@
#endif
STORE("file", "yes", ossl_file_store_functions)
+#ifndef OPENSSL_NO_WINSTORE
+STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions)
+#endif
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
+X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION:
+X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION:
+X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION:
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3)
X509_get1_email(3)
X509_get1_ocsp(3)
X509_get_default_cert_area(3)
-X509_get_default_cert_dir(3)
-X509_get_default_cert_dir_env(3)
-X509_get_default_cert_file(3)
-X509_get_default_cert_file_env(3)
X509_get_default_private_dir(3)
X509_get_pubkey_parameters(3)
X509_get_signature_type(3)

217
openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch Normal file
View File

@ -0,0 +1,217 @@
From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Tue, 1 Mar 2022 15:44:18 +0100
Subject: Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = yes
NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1
in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because
on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level
to 2.
On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security
level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and
we want the legacy crypto policy to allow SHA-1 in TLS, the only option
to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is
SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to
allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which
will allow SHA-1 in OpenSSL 3).
The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because
rh-allow-sha1-signatures will default to yes in Fedora (according to our
current plans including until F38), and the security level in the
DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the
default configuration.
Related: rhbz#2055796
Related: rhbz#2070977
---
crypto/x509/x509_vfy.c | 20 ++++++++++-
doc/man5/config.pod | 7 ++++
ssl/t1_lib.c | 67 ++++++++++++++++++++++++++++-------
test/recipes/25-test_verify.t | 4 +--
4 files changed, 82 insertions(+), 16 deletions(-)
Index: openssl-3.1.4/crypto/x509/x509_vfy.c
===================================================================
--- openssl-3.1.4.orig/crypto/x509/x509_vfy.c
+++ openssl-3.1.4/crypto/x509/x509_vfy.c
@@ -25,6 +25,7 @@
#include <openssl/objects.h>
#include <openssl/core_names.h>
#include "internal/dane.h"
+#include "internal/sslconf.h"
#include "crypto/x509.h"
#include "x509_local.h"
@@ -3438,14 +3439,31 @@ static int check_sig_level(X509_STORE_CT
{
int secbits = -1;
int level = ctx->param->auth_level;
+ int nid;
+ OSSL_LIB_CTX *libctx = NULL;
if (level <= 0)
return 1;
if (level > NUM_AUTH_LEVELS)
level = NUM_AUTH_LEVELS;
- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
+ if (ctx->libctx)
+ libctx = ctx->libctx;
+ else if (cert->libctx)
+ libctx = cert->libctx;
+ else
+ libctx = OSSL_LIB_CTX_get0_global_default();
+
+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
return 0;
+ if ((nid == NID_sha1 || nid == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+ && ctx->param->auth_level < 2)
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+
return secbits >= minbits_table[level - 1];
}
Index: openssl-3.1.4/doc/man5/config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/config.pod
+++ openssl-3.1.4/doc/man5/config.pod
@@ -317,6 +317,13 @@ this option is set to B<no>. Because TL
pseudorandom function (PRF) to derive key material, disabling
B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
+Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
+algorithms that use SHA1 in security level 1, despite the definition of
+security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.
+This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on
+Fedora without requiring to set the security level to 0, which would include
+further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.
+
This is a downstream specific option, and normally it should be set up via crypto-policies.
=item B<fips_mode> (deprecated)
Index: openssl-3.1.4/ssl/t1_lib.c
===================================================================
--- openssl-3.1.4.orig/ssl/t1_lib.c
+++ openssl-3.1.4/ssl/t1_lib.c
@@ -20,6 +20,7 @@
#include <openssl/bn.h>
#include <openssl/provider.h>
#include <openssl/param_build.h>
+#include "crypto/x509.h"
#include "internal/sslconf.h"
#include "internal/nelem.h"
#include "internal/sizes.h"
@@ -1588,19 +1589,28 @@ int tls12_check_peer_sigalg(SSL *s, uint
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
return 0;
}
- /*
- * Make sure security callback allows algorithm. For historical
- * reasons we have to pass the sigalg as a two byte char array.
- */
- sigalgstr[0] = (sig >> 8) & 0xff;
- sigalgstr[1] = sig & 0xff;
- secbits = sigalg_security_bits(s->ctx, lu);
- if (secbits == 0 ||
- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
- md != NULL ? EVP_MD_get_type(md) : NID_undef,
- (void *)sigalgstr)) {
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
- return 0;
+
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
+ && SSL_get_security_level(s) < 2) {
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ } else {
+ /*
+ * Make sure security callback allows algorithm. For historical
+ * reasons we have to pass the sigalg as a two byte char array.
+ */
+ sigalgstr[0] = (sig >> 8) & 0xff;
+ sigalgstr[1] = sig & 0xff;
+ secbits = sigalg_security_bits(s->ctx, lu);
+ if (secbits == 0 ||
+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+ md != NULL ? EVP_MD_get_type(md) : NID_undef,
+ (void *)sigalgstr)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
+ return 0;
+ }
}
/* Store the sigalg the peer uses */
s->s3.tmp.peer_sigalg = lu;
@@ -2138,6 +2148,15 @@ static int tls12_sigalg_allowed(const SS
}
}
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
+ && SSL_get_security_level(s) < 2) {
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+ }
+
/* Finally see if security callback allows it */
secbits = sigalg_security_bits(s->ctx, lu);
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
@@ -3007,6 +3026,8 @@ static int ssl_security_cert_sig(SSL *s,
{
/* Lookup signature algorithm digest */
int secbits, nid, pknid;
+ OSSL_LIB_CTX *libctx = NULL;
+
/* Don't check signature if self signed */
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
return 1;
@@ -3015,6 +3036,26 @@ static int ssl_security_cert_sig(SSL *s,
/* If digest NID not defined use signature NID */
if (nid == NID_undef)
nid = pknid;
+
+ if (x && x->libctx)
+ libctx = x->libctx;
+ else if (ctx && ctx->libctx)
+ libctx = ctx->libctx;
+ else if (s && s->ctx && s->ctx->libctx)
+ libctx = s->ctx->libctx;
+ else
+ libctx = OSSL_LIB_CTX_get0_global_default();
+
+ if ((nid == NID_sha1 || nid == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+ && ((s != NULL && SSL_get_security_level(s) < 2)
+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)
+ ))
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+
if (s)
return ssl_security(s, op, secbits, nid, x);
else
Index: openssl-3.1.4/test/recipes/25-test_verify.t
===================================================================
--- openssl-3.1.4.orig/test/recipes/25-test_verify.t
+++ openssl-3.1.4/test/recipes/25-test_verify.t
@@ -439,8 +439,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");
-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
- "Reject PSS signature using SHA1 and auth level 1");
+ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+ "Reject PSS signature using SHA1 and auth level 2");
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
"PSS signature using SHA256 and auth level 2");

519
openssl-Allow-disabling-of-SHA1-signatures.patch Normal file
View File

@ -0,0 +1,519 @@
From 2e8388e06eafb703aeb315498915bf079561bdb5 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 13:07:07 +0200
Subject: 0049-Allow-disabling-of-SHA1-signatures.patch
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
Patch-id: 49
Patch-status: |
# Selectively disallow SHA1 signatures rhbz#2070977
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/context.c | 14 ++++
crypto/evp/evp_cnf.c | 13 +++
crypto/evp/m_sigver.c | 79 +++++++++++++++++++
crypto/evp/pmeth_lib.c | 15 ++++
doc/man5/config.pod | 13 +++
include/crypto/context.h | 3 +
include/internal/cryptlib.h | 3 +-
include/internal/sslconf.h | 4 +
providers/common/securitycheck.c | 20 +++++
providers/common/securitycheck_default.c | 9 ++-
providers/implementations/signature/dsa_sig.c | 11 ++-
.../implementations/signature/ecdsa_sig.c | 4 +
providers/implementations/signature/rsa_sig.c | 20 ++++-
ssl/t1_lib.c | 8 ++
util/libcrypto.num | 2 +
15 files changed, 209 insertions(+), 9 deletions(-)
Index: openssl-3.1.4/crypto/context.c
===================================================================
--- openssl-3.1.4.orig/crypto/context.c
+++ openssl-3.1.4/crypto/context.c
@@ -78,6 +78,8 @@ struct ossl_lib_ctx_st {
void *fips_prov;
#endif
+ void *legacy_digest_signatures;
+
unsigned int ischild:1;
};
@@ -206,6 +208,10 @@ static int context_init(OSSL_LIB_CTX *ct
goto err;
#endif
+ ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx);
+ if (ctx->legacy_digest_signatures == NULL)
+ goto err;
+
/* Low priority. */
#ifndef FIPS_MODULE
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
@@ -334,6 +340,11 @@ static void context_deinit_objs(OSSL_LIB
}
#endif
+ if (ctx->legacy_digest_signatures != NULL) {
+ ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures);
+ ctx->legacy_digest_signatures = NULL;
+ }
+
/* Low priority. */
#ifndef FIPS_MODULE
if (ctx->child_provider != NULL) {
@@ -625,6 +636,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX
return ctx->fips_prov;
#endif
+ case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX:
+ return ctx->legacy_digest_signatures;
+
default:
return NULL;
}
Index: openssl-3.1.4/crypto/evp/evp_cnf.c
===================================================================
--- openssl-3.1.4.orig/crypto/evp/evp_cnf.c
+++ openssl-3.1.4/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <openssl/crypto.h>
#include "internal/cryptlib.h"
+#include "internal/sslconf.h"
#include <openssl/conf.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE
ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
return 0;
}
+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
+ int m;
+
+ /* Detailed error already reported. */
+ if (!X509V3_get_value_bool(oval, &m))
+ return 0;
+
+ if (!ossl_ctx_legacy_digest_signatures_allowed_set(
+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
+ return 0;
+ }
} else {
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value);
Index: openssl-3.1.4/crypto/evp/m_sigver.c
===================================================================
--- openssl-3.1.4.orig/crypto/evp/m_sigver.c
+++ openssl-3.1.4/crypto/evp/m_sigver.c
@@ -15,6 +15,69 @@
#include "internal/provider.h"
#include "internal/numbers.h" /* includes SIZE_MAX */
#include "evp_local.h"
+#include "crypto/context.h"
+
+typedef struct ossl_legacy_digest_signatures_st {
+ int allowed;
+} OSSL_LEGACY_DIGEST_SIGNATURES;
+
+void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
+
+ if (ldsigs != NULL) {
+ OPENSSL_free(ldsigs);
+ }
+}
+
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
+ /* Default to allow SHA-1 and support disabling it via config. */
+ ldsigs->allowed = 1;
+ return ldsigs;
+}
+
+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
+ OSSL_LIB_CTX *libctx, int loadconfig)
+{
+#ifndef FIPS_MODULE
+ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
+ return NULL;
+#endif
+
+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX);
+}
+
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
+
+#ifndef FIPS_MODULE
+ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
+ /* This is to be used in tests if SHA-1 is disabled. */
+ return 1;
+#endif
+
+ /* Default to allow SHA-1 and support disabling it via config. */
+ return ldsigs != NULL ? ldsigs->allowed : 1;
+}
+
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
+ int loadconfig)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
+
+ if (ldsigs == NULL) {
+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ ldsigs->allowed = allow;
+ return 1;
+}
#ifndef FIPS_MODULE
@@ -251,6 +314,18 @@ static int do_sigver_init(EVP_MD_CTX *ct
}
}
+ if (ctx->reqdigest != NULL
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
+ int mdnid = EVP_MD_nid(ctx->reqdigest);
+ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
+ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+ goto err;
+ }
+ }
+
if (ver) {
if (signature->digest_verify_init == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
Index: openssl-3.1.4/crypto/evp/pmeth_lib.c
===================================================================
--- openssl-3.1.4.orig/crypto/evp/pmeth_lib.c
+++ openssl-3.1.4/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
#include "internal/ffc.h"
#include "internal/numbers.h"
#include "internal/provider.h"
+#include "internal/sslconf.h"
#include "evp_local.h"
#ifndef FIPS_MODULE
@@ -959,6 +960,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_
return -2;
}
+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
+ && md != NULL
+ && ctx->pkey != NULL
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
+ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
+ int mdnid = EVP_MD_nid(md);
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+ return -1;
+ }
+ }
+
if (fallback)
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
Index: openssl-3.1.4/doc/man5/config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/config.pod
+++ openssl-3.1.4/doc/man5/config.pod
@@ -304,6 +304,21 @@ Within the algorithm properties section,
The value may be anything that is acceptable as a property query
string for EVP_set_default_properties().
+=item B<rh-allow-sha1-signatures>
+
+The value is a boolean that can be B<yes> or B<no>. If the value is not set,
+it behaves as if it was set to B<yes>.
+
+When set to B<no>, any attempt to create or verify a signature with a SHA1
+digest will fail. To test whether your software will work with future versions
+of OpenSSL, set this option to B<no>. This setting also affects TLS, where
+signature algorithms that use SHA1 as digest will no longer be supported if
+this option is set to B<no>. Because TLS 1.1 or lower use MD5-SHA1 as
+pseudorandom function (PRF) to derive key material, disabling
+B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
+
+This is a downstream specific option, and normally it should be set up via crypto-policies.
+
=item B<fips_mode> (deprecated)
The value is a boolean that can be B<yes> or B<no>. If the value is
Index: openssl-3.1.4/include/crypto/context.h
===================================================================
--- openssl-3.1.4.orig/include/crypto/context.h
+++ openssl-3.1.4/include/crypto/context.h
@@ -40,3 +40,6 @@ void ossl_rand_crng_ctx_free(void *);
void ossl_thread_event_ctx_free(void *);
void ossl_fips_prov_ossl_ctx_free(void *);
void ossl_release_default_drbg_ctx(void);
+
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *);
+void ossl_ctx_legacy_digest_signatures_free(void *);
Index: openssl-3.1.4/include/internal/cryptlib.h
===================================================================
--- openssl-3.1.4.orig/include/internal/cryptlib.h
+++ openssl-3.1.4/include/internal/cryptlib.h
@@ -178,7 +178,8 @@ typedef struct ossl_ex_data_global_st {
# define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16
# define OSSL_LIB_CTX_BIO_CORE_INDEX 17
# define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
-# define OSSL_LIB_CTX_MAX_INDEXES 19
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 19
+# define OSSL_LIB_CTX_MAX_INDEXES 20
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
Index: openssl-3.1.4/include/internal/sslconf.h
===================================================================
--- openssl-3.1.4.orig/include/internal/sslconf.h
+++ openssl-3.1.4/include/internal/sslconf.h
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name,
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
char **arg);
+/* Methods to support disabling all signatures with legacy digests */
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
+ int loadconfig);
#endif
Index: openssl-3.1.4/providers/common/securitycheck.c
===================================================================
--- openssl-3.1.4.orig/providers/common/securitycheck.c
+++ openssl-3.1.4/providers/common/securitycheck.c
@@ -19,6 +19,7 @@
#include <openssl/core_names.h>
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
+#include "internal/sslconf.h"
/*
* FIPS requires a minimum security strength of 112 bits (for encryption or
@@ -243,6 +244,14 @@ int ossl_digest_get_approved_nid_with_sh
mdnid = -1; /* disallowed by security checks */
}
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
+
+#ifndef FIPS_MODULE
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
+ /* SHA1 is globally enabled by default, check whether we want to locally disable it. */
+ if (mdnid == NID_sha1 && !sha1_allowed)
+ mdnid = -1;
+#endif
+
return mdnid;
}
@@ -252,5 +261,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX
if (ossl_securitycheck_enabled(ctx))
return ossl_digest_get_approved_nid(md) != NID_undef;
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
+
+#ifndef FIPS_MODULE
+ {
+ int mdnid = EVP_MD_nid(md);
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
+ return 0;
+ }
+#endif
+
return 1;
}
Index: openssl-3.1.4/providers/common/securitycheck_default.c
===================================================================
--- openssl-3.1.4.orig/providers/common/securitycheck_default.c
+++ openssl-3.1.4/providers/common/securitycheck_default.c
@@ -15,6 +15,7 @@
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
#include "internal/nelem.h"
+#include "internal/sslconf.h"
/* Disable the security checks in the default provider */
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL
}
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
- ossl_unused int sha1_allowed)
+ int sha1_allowed)
{
int mdnid;
+ int ldsigs_allowed;
static const OSSL_ITEM name_to_nid[] = {
{ NID_md5, OSSL_DIGEST_NAME_MD5 },
@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
};
- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
if (mdnid == NID_undef)
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
+ if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
+ mdnid = -1;
return mdnid;
}
Index: openssl-3.1.4/providers/implementations/signature/dsa_sig.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/signature/dsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/dsa_sig.c
@@ -123,12 +123,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
mdprops = ctx->propq;
if (mdname != NULL) {
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
WPACKET pkt;
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
- sha1_allowed);
+ int md_nid;
size_t mdname_len = strlen(mdname);
+#ifdef FIPS_MODULE
+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+#else
+ int sha1_allowed = 0;
+#endif
+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+ sha1_allowed);
if (md == NULL || md_nid < 0) {
if (md == NULL)
Index: openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
"%s could not be fetched", mdname);
return 0;
}
+#ifdef FIPS_MODULE
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+#else
+ sha1_allowed = 0;
+#endif
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
if (md_nid < 0) {
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
@@ -25,6 +25,7 @@
#include "internal/cryptlib.h"
#include "internal/nelem.h"
#include "internal/sizes.h"
+#include "internal/sslconf.h"
#include "crypto/rsa.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
@@ -33,6 +34,7 @@
#include "prov/securitycheck.h"
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
+#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
OSSL_FUNC_signature_newctx_fn rsa_newctx;
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
@@ -302,10 +304,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
if (mdname != NULL) {
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+ int md_nid;
+ size_t mdname_len = strlen(mdname);
+#ifdef FIPS_MODULE
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
+#else
+ int sha1_allowed = 0;
+#endif
+ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
sha1_allowed);
- size_t mdname_len = strlen(mdname);
if (md == NULL
|| md_nid <= 0
@@ -1386,8 +1393,15 @@ static int rsa_set_ctx_params(void *vprs
prsactx->pad_mode = pad_mode;
if (prsactx->md == NULL && pmdname == NULL
- && pad_mode == RSA_PKCS1_PSS_PADDING)
+ && pad_mode == RSA_PKCS1_PSS_PADDING) {
pmdname = RSA_DEFAULT_DIGEST_NAME;
+#ifndef FIPS_MODULE
+ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
+ }
+#endif
+ }
+
if (pmgf1mdname != NULL
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
Index: openssl-3.1.4/ssl/t1_lib.c
===================================================================
--- openssl-3.1.4.orig/ssl/t1_lib.c
+++ openssl-3.1.4/ssl/t1_lib.c
@@ -20,6 +20,7 @@
#include <openssl/bn.h>
#include <openssl/provider.h>
#include <openssl/param_build.h>
+#include "internal/sslconf.h"
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
@@ -1172,11 +1173,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
= OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
EVP_PKEY *tmpkey = EVP_PKEY_new();
int ret = 0;
+ int ldsigs_allowed;
if (cache == NULL || tmpkey == NULL)
goto err;
ERR_set_mark();
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
for (i = 0, lu = sigalg_lookup_tbl;
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
EVP_PKEY_CTX *pctx;
@@ -1196,6 +1199,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
cache[i].enabled = 0;
continue;
}
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+ && !ldsigs_allowed) {
+ cache[i].enabled = 0;
+ continue;
+ }
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
cache[i].enabled = 0;
Index: openssl-3.1.4/util/libcrypto.num
===================================================================
--- openssl-3.1.4.orig/util/libcrypto.num
+++ openssl-3.1.4/util/libcrypto.num
@@ -5439,3 +5439,5 @@ X509_get_default_cert_uri
X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION:
X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION:
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:

172
openssl-CVE-2023-5678.patch Normal file
View File

@ -0,0 +1,172 @@
From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Fri, 20 Oct 2023 09:18:19 +0200
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
We already check for an excessively large P in DH_generate_key(), but not in
DH_check_pub_key(), and none of them check for an excessively large Q.
This change adds all the missing excessive size checks of P and Q.
It's to be noted that behaviours surrounding excessively sized P and Q
differ. DH_check() raises an error on the excessively sized P, but only
sets a flag for the excessively sized Q. This behaviour is mimicked in
DH_check_pub_key().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22518)
---
crypto/dh/dh_check.c | 12 ++++++++++++
crypto/dh/dh_err.c | 3 ++-
crypto/dh/dh_key.c | 12 ++++++++++++
crypto/err/openssl.txt | 1 +
include/crypto/dherr.h | 2 +-
include/openssl/dh.h | 6 +++---
include/openssl/dherr.h | 3 ++-
7 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 7ba2beae7fd6b..e20eb62081c5e 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
*/
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
{
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+ return 0;
+ }
+
+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+ return 1;
+ }
+
return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
}
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index 4152397426cc9..f76ac0dd1463f 100644
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
"unable to check generator"},
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index d84ea99241b9e..afc49f5cdc87d 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
goto err;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ goto err;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
return 0;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ return 0;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index a1e6bbb617fcb..69e4f61aa1801 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
DH_R_NO_PRIVATE_VALUE:100:no private value
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
DH_R_SHARED_INFO_ERROR:113:shared info error
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
index bb24d131eb887..519327f795742 100644
--- a/include/crypto/dherr.h
+++ b/include/crypto/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 8bc17448a0817..f1c0ed06b375a 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams)
# define DH_GENERATOR_3 3
# define DH_GENERATOR_5 5
-/* DH_check error codes */
+/* DH_check error codes, some of them shared with DH_check_pub_key */
/*
* NB: These values must align with the equivalently named macros in
* internal/ffc.h.
@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams)
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
# define DH_NOT_SUITABLE_GENERATOR 0x08
# define DH_CHECK_Q_NOT_PRIME 0x10
-# define DH_CHECK_INVALID_Q_VALUE 0x20
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
# define DH_CHECK_INVALID_J_VALUE 0x40
# define DH_MODULUS_TOO_SMALL 0x80
-# define DH_MODULUS_TOO_LARGE 0x100
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
/* DH_check_pub_key error codes */
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
index 5d2a762a96f8c..074a70145f9f5 100644
--- a/include/openssl/dherr.h
+++ b/include/openssl/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -50,6 +50,7 @@
# define DH_R_NO_PRIVATE_VALUE 100
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
+# define DH_R_Q_TOO_LARGE 130
# define DH_R_SHARED_INFO_ERROR 113
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121

109
openssl-CVE-2023-6129.patch Normal file
View File

@ -0,0 +1,109 @@
From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001
From: Rohan McLure <rmclure@linux.ibm.com>
Date: Thu, 4 Jan 2024 10:25:50 +0100
Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
Fixes CVE-2023-6129
The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs saves the the contents of vector registers in different order
than they are restored. Thus the contents of some of these vector registers
is corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)
(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
---
crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
index 9f86134d923fb..2e601bb9c24be 100755
--- a/crypto/poly1305/asm/poly1305-ppc.pl
+++ b/crypto/poly1305/asm/poly1305-ppc.pl
@@ -744,7 +744,7 @@
my $LOCALS= 6*$SIZE_T;
my $VSXFRAME = $LOCALS + 6*$SIZE_T;
$VSXFRAME += 128; # local variables
- $VSXFRAME += 13*16; # v20-v31 offload
+ $VSXFRAME += 12*16; # v20-v31 offload
my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
@@ -919,12 +919,12 @@
addi r11,r11,32
stvx v22,r10,$sp
addi r10,r10,32
- stvx v23,r10,$sp
- addi r10,r10,32
- stvx v24,r11,$sp
+ stvx v23,r11,$sp
addi r11,r11,32
- stvx v25,r10,$sp
+ stvx v24,r10,$sp
addi r10,r10,32
+ stvx v25,r11,$sp
+ addi r11,r11,32
stvx v26,r10,$sp
addi r10,r10,32
stvx v27,r11,$sp
@@ -1153,12 +1153,12 @@
addi r11,r11,32
stvx v22,r10,$sp
addi r10,r10,32
- stvx v23,r10,$sp
- addi r10,r10,32
- stvx v24,r11,$sp
+ stvx v23,r11,$sp
addi r11,r11,32
- stvx v25,r10,$sp
+ stvx v24,r10,$sp
addi r10,r10,32
+ stvx v25,r11,$sp
+ addi r11,r11,32
stvx v26,r10,$sp
addi r10,r10,32
stvx v27,r11,$sp
@@ -1899,26 +1899,26 @@
mtspr 256,r12 # restore vrsave
lvx v20,r10,$sp
addi r10,r10,32
- lvx v21,r10,$sp
- addi r10,r10,32
- lvx v22,r11,$sp
+ lvx v21,r11,$sp
addi r11,r11,32
- lvx v23,r10,$sp
+ lvx v22,r10,$sp
addi r10,r10,32
- lvx v24,r11,$sp
+ lvx v23,r11,$sp
addi r11,r11,32
- lvx v25,r10,$sp
+ lvx v24,r10,$sp
addi r10,r10,32
- lvx v26,r11,$sp
+ lvx v25,r11,$sp
addi r11,r11,32
- lvx v27,r10,$sp
+ lvx v26,r10,$sp
addi r10,r10,32
- lvx v28,r11,$sp
+ lvx v27,r11,$sp
addi r11,r11,32
- lvx v29,r10,$sp
+ lvx v28,r10,$sp
addi r10,r10,32
- lvx v30,r11,$sp
- lvx v31,r10,$sp
+ lvx v29,r11,$sp
+ addi r11,r11,32
+ lvx v30,r10,$sp
+ lvx v31,r11,$sp
$POP r27,`$VSXFRAME-$SIZE_T*5`($sp)
$POP r28,`$VSXFRAME-$SIZE_T*4`($sp)
$POP r29,`$VSXFRAME-$SIZE_T*3`($sp)

122
openssl-CVE-2023-6237.patch Normal file
View File

@ -0,0 +1,122 @@
From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 22 Dec 2023 16:25:56 +0100
Subject: [PATCH] Limit the execution time of RSA public key check
Fixes CVE-2023-6237
If a large and incorrect RSA public key is checked with
EVP_PKEY_public_check() the computation could take very long time
due to no limit being applied to the RSA public key size and
unnecessarily high number of Miller-Rabin algorithm rounds
used for non-primality check of the modulus.
Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
Also the number of Miller-Rabin rounds was set to 5.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)
(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)
---
crypto/rsa/rsa_sp800_56b_check.c | 8 +++-
test/recipes/91-test_pkey_check.t | 2 +-
.../91-test_pkey_check_data/rsapub_17k.pem | 48 +++++++++++++++++++
3 files changed, 56 insertions(+), 2 deletions(-)
create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
index fc8f19b48770b..bcbdd24fb8199 100644
--- a/crypto/rsa/rsa_sp800_56b_check.c
+++ b/crypto/rsa/rsa_sp800_56b_check.c
@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
return 0;
nbits = BN_num_bits(rsa->n);
+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
#ifdef FIPS_MODULE
/*
* (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
goto err;
}
- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
+ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
#ifdef FIPS_MODULE
if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
#else
diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
index dc7cc64533af2..f8088df14d36c 100644
--- a/test/recipes/91-test_pkey_check.t
+++ b/test/recipes/91-test_pkey_check.t
@@ -70,7 +70,7 @@ push(@positive_tests, (
"dhpkey.pem"
)) unless disabled("dh");
-my @negative_pubtests = ();
+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key
push(@negative_pubtests, (
"dsapub_noparam.der"
diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
new file mode 100644
index 0000000000000..9a2eaedaf1b22
--- /dev/null
+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
@@ -0,0 +1,48 @@
+-----BEGIN PUBLIC KEY-----
+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
+AQAB
+-----END PUBLIC KEY-----

120
openssl-CVE-2024-0727.patch Normal file
View File

@ -0,0 +1,120 @@
From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 19 Jan 2024 11:28:58 +0000
Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
optional and can be NULL even if the "type" is a valid value. OpenSSL
was not properly accounting for this and a NULL dereference can occur
causing a crash.
CVE-2024-0727
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23362)
(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
---
crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++
crypto/pkcs12/p12_mutl.c | 5 +++++
crypto/pkcs12/p12_npas.c | 5 +++--
crypto/pkcs7/pk7_mime.c | 7 +++++--
4 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
index 6fd4184af5a52..80ce31b3bca66 100644
--- a/crypto/pkcs12/p12_add.c
+++ b/crypto/pkcs12/p12_add.c
@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+
+ if (p7->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
}
@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
{
if (!PKCS7_type_is_encrypted(p7))
return NULL;
+
+ if (p7->d.encrypted == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
pass, passlen,
@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+
+ if (p12->authsafes->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
p7s = ASN1_item_unpack(p12->authsafes->d.data,
ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
if (p7s != NULL) {
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index 67a885a45f89e..68ff54d0e90ee 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
return 0;
}
+ if (p12->authsafes->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return 0;
+ }
+
salt = p12->mac->salt->data;
saltlen = p12->mac->salt->length;
if (p12->mac->iter == NULL)
diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
index 62230bc6187ff..1e5b5495991a4 100644
--- a/crypto/pkcs12/p12_npas.c
+++ b/crypto/pkcs12/p12_npas.c
@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
bags = PKCS12_unpack_p7data(p7);
} else if (bagnid == NID_pkcs7_encrypted) {
bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
- &pbe_nid, &pbe_iter, &pbe_saltlen))
+ if (p7->d.encrypted == NULL
+ || !alg_get(p7->d.encrypted->enc_data->algorithm,
+ &pbe_nid, &pbe_iter, &pbe_saltlen))
goto err;
} else {
continue;
diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
index 49a0da5f819c4..8228315eeaa3a 100644
--- a/crypto/pkcs7/pk7_mime.c
+++ b/crypto/pkcs7/pk7_mime.c
@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
int ctype_nid = OBJ_obj2nid(p7->type);
const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
- if (ctype_nid == NID_pkcs7_signed)
+ if (ctype_nid == NID_pkcs7_signed) {
+ if (p7->d.sign == NULL)
+ return 0;
mdalgs = p7->d.sign->md_algs;
- else
+ } else {
mdalgs = NULL;
+ }
flags ^= SMIME_OLDMIME;

116
openssl-CVE-2024-2511.patch Normal file
View File

@ -0,0 +1,116 @@
From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 5 Mar 2024 15:43:53 +0000
Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
In TLSv1.3 we create a new session object for each ticket that we send.
We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
use then the new session will be added to the session cache. However, if
early data is not in use (and therefore anti-replay protection is being
used), then multiple threads could be resuming from the same session
simultaneously. If this happens and a problem occurs on one of the threads,
then the original session object could be marked as not_resumable. When we
duplicate the session object this not_resumable status gets copied into the
new session object. The new session object is then added to the session
cache even though it is not_resumable.
Subsequently, another bug means that the session_id_length is set to 0 for
sessions that are marked as not_resumable - even though that session is
still in the cache. Once this happens the session can never be removed from
the cache. When that object gets to be the session cache tail object the
cache never shrinks again and grows indefinitely.
CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
---
ssl/ssl_lib.c | 5 +++--
ssl/ssl_sess.c | 28 ++++++++++++++++++++++------
ssl/statem/statem_srvr.c | 5 ++---
3 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b5cc4af2f0302..e747b7f90aa71 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode)
/*
* If the session_id_length is 0, we are not supposed to cache it, and it
- * would be rather hard to do anyway :-)
+ * would be rather hard to do anyway :-). Also if the session has already
+ * been marked as not_resumable we should not cache it for later reuse.
*/
- if (s->session->session_id_length == 0)
+ if (s->session->session_id_length == 0 || s->session->not_resumable)
return;
/*
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index bf84e792251b8..241cf43c46296 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void)
return ss;
}
-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-{
- return ssl_session_dup(src, 1);
-}
-
/*
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
* ticket == 0 then no ticket information is duplicated, otherwise it is.
*/
-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
{
SSL_SESSION *dest;
@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
return NULL;
}
+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+{
+ return ssl_session_dup_intern(src, 1);
+}
+
+/*
+ * Used internally when duplicating a session which might be already shared.
+ * We will have resumed the original session. Subsequently we might have marked
+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
+ * resume from.
+ */
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+{
+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
+
+ if (sess != NULL)
+ sess->not_resumable = 0;
+
+ return sess;
+}
+
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
{
if (len)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 5d59d53563ed8..8e493176f658e 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
* so the following won't overwrite an ID that we're supposed
* to send back.
*/
- if (s->session->not_resumable ||
- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
- && !s->hit))
+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+ && !s->hit)
s->session->session_id_length = 0;
if (usetls13) {

199
openssl-CVE-2024-4603.patch Normal file
View File

@ -0,0 +1,199 @@
From 9c39b3858091c152f52513c066ff2c5a47969f0d Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Wed, 8 May 2024 15:23:45 +0200
Subject: [PATCH] Check DSA parameters for excessive sizes before validating
This avoids overly long computation of various validation
checks.
Fixes CVE-2024-4603
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24346)
(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
---
CHANGES.md | 17 ++++++
crypto/dsa/dsa_check.c | 44 ++++++++++++--
.../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++
3 files changed, 114 insertions(+), 4 deletions(-)
create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
Index: openssl-3.1.4/crypto/dsa/dsa_check.c
===================================================================
--- openssl-3.1.4.orig/crypto/dsa/dsa_check.c
+++ openssl-3.1.4/crypto/dsa/dsa_check.c
@@ -19,8 +19,34 @@
#include "dsa_local.h"
#include "crypto/dsa.h"
+static int dsa_precheck_params(const DSA *dsa, int *ret)
+{
+ if (dsa->params.p == NULL || dsa->params.q == NULL) {
+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
+ *ret = FFC_CHECK_INVALID_PQ;
+ return 0;
+ }
+
+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
+ *ret = FFC_CHECK_INVALID_PQ;
+ return 0;
+ }
+
+ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
+ *ret = FFC_CHECK_INVALID_PQ;
+ return 0;
+ }
+
+ return 1;
+}
+
int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
{
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
FFC_PARAM_TYPE_DSA, ret);
@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa
*/
int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
{
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
&& *ret == 0;
}
@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *ds
*/
int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
{
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
&& *ret == 0;
}
@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *d
{
*ret = 0;
- return (dsa->params.q != NULL
- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
+ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
}
/*
@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *d
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL;
- if (dsa->params.p == NULL
- || dsa->params.g == NULL
+ if (!dsa_precheck_params(dsa, &ret))
+ return 0;
+
+ if (dsa->params.g == NULL
|| dsa->priv_key == NULL
|| dsa->pub_key == NULL)
return 0;
Index: openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
===================================================================
--- /dev/null
+++ openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
@@ -0,0 +1,57 @@
+-----BEGIN DSA PARAMETERS-----
+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
+vKuje86bePD6kD/LH3wmkA==
+-----END DSA PARAMETERS-----
Index: openssl-3.1.4/CHANGES.md
===================================================================
--- openssl-3.1.4.orig/CHANGES.md
+++ openssl-3.1.4/CHANGES.md
@@ -22,6 +22,23 @@ OpenSSL Releases
OpenSSL 3.1
-----------
+ * Fixed an issue where checking excessively long DSA keys or parameters may
+ be very slow.
+
+ Applications that use the functions EVP_PKEY_param_check() or
+ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
+ experience long delays. Where the key or parameters that are being checked
+ have been obtained from an untrusted source this may lead to a Denial of
+ Service.
+
+ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
+ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
+ reason.
+
+ ([CVE-2024-4603])
+
+ *Tomáš Mráz*
+
### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
* Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),

28
openssl-CVE-2024-4741.patch Normal file
View File

@ -0,0 +1,28 @@
@@ -, +, @@
---
ssl/record/methods/tls_common.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- openssl-3.0.8/ssl/record/ssl3_buffer.c
+++ openssl-3.0.8/ssl/record/ssl3_buffer.c
@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s)
OPENSSL_cleanse(b->buf, b->len);
OPENSSL_free(b->buf);
b->buf = NULL;
+ s->rlayer.packet = NULL;
+ s->rlayer.packet_length = 0;
return 1;
}
--- openssl-3.0.8/ssl/record/rec_layer_s3.c
+++ openssl-3.0.8/ssl/record/rec_layer_s3.c
@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t
s->rlayer.packet_length = 0;
/* ... now we can act as if 'extend' was set */
}
+ if (!ossl_assert(s->rlayer.packet != NULL)) {
+ /* does not happen */
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
len = s->rlayer.packet_length;
pkt = rb->buf + align;

326
openssl-CVE-2024-5535.patch Normal file
View File

@ -0,0 +1,326 @@
From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:14:33 +0100
Subject: [PATCH] Fix SSL_select_next_proto
Ensure that the provided client list is non-NULL and starts with a valid
entry. When called from the ALPN callback the client list should already
have been validated by OpenSSL so this should not cause a problem. When
called from the NPN callback the client list is locally configured and
will not have already been validated. Therefore SSL_select_next_proto
should not assume that it is correctly formatted.
We implement stricter checking of the client protocol list. We also do the
same for the server list while we are about it.
CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
1 file changed, 40 insertions(+), 23 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5493d9b9c7..f218dcf1db 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2953,37 +2953,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
unsigned int server_len,
const unsigned char *client, unsigned int client_len)
{
- unsigned int i, j;
- const unsigned char *result;
- int status = OPENSSL_NPN_UNSUPPORTED;
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
+
+ if (!PACKET_buf_init(&cpkt, client, client_len)
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
+ || PACKET_remaining(&csubpkt) == 0) {
+ *out = NULL;
+ *outlen = 0;
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ /*
+ * Set the default opportunistic protocol. Will be overwritten if we find
+ * a match.
+ */
+ *out = (unsigned char *)PACKET_data(&csubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
/*
* For each protocol in server preference order, see if we support it.
*/
- for (i = 0; i < server_len;) {
- for (j = 0; j < client_len;) {
- if (server[i] == client[j] &&
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
- /* We found a match */
- result = &server[i];
- status = OPENSSL_NPN_NEGOTIATED;
- goto found;
+ if (PACKET_buf_init(&spkt, server, server_len)) {
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
+ if (PACKET_remaining(&ssubpkt) == 0)
+ continue; /* Invalid - ignore it */
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
+ PACKET_remaining(&ssubpkt))) {
+ /* We found a match */
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
+ return OPENSSL_NPN_NEGOTIATED;
+ }
+ }
+ /* Ignore spurious trailing bytes in the client list */
+ } else {
+ /* This should never happen */
+ return OPENSSL_NPN_NO_OVERLAP;
}
- j += client[j];
- j++;
}
- i += server[i];
- i++;
+ /* Ignore spurious trailing bytes in the server list */
}
- /* There's no overlap between our protocols and the server's list. */
- result = client;
- status = OPENSSL_NPN_NO_OVERLAP;
-
- found:
- *out = (unsigned char *)result + 1;
- *outlen = result[0];
- return status;
+ /*
+ * There's no overlap between our protocols and the server's list. We use
+ * the default opportunistic protocol selected earlier
+ */
+ return OPENSSL_NPN_NO_OVERLAP;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
--
2.45.2
From 4279c89a726025c758db3dafb263b17e52211304 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:18:27 +0100
Subject: [PATCH] More correctly handle a selected_len of 0 when
processing NPN
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
the selected_len is 0 we should fail. Previously this would fail with an
internal_error alert because calling OPENSSL_malloc(selected_len) will
return NULL when selected_len is 0. We make this error detection more
explicit and return a handshake failure alert.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/statem/extensions_clnt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 842be0722b..a07dc62e9a 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
PACKET_data(pkt),
PACKET_remaining(pkt),
s->ctx->ext.npn_select_cb_arg) !=
- SSL_TLSEXT_ERR_OK) {
+ SSL_TLSEXT_ERR_OK
+ || selected_len == 0) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
return 0;
}
--
2.45.2
From 889ed19ba25abebd2690997acd6d4791cbe5c493 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:46:38 +0100
Subject: [PATCH] Clarify the SSL_select_next_proto() documentation
We clarify the input preconditions and the expected behaviour in the event
of no overlap.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
index 102e657851..a29557dd91 100644
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
set the list of protocols available to be negotiated. The B<protos> must be in
protocol-list format, described below. The length of B<protos> is specified in
-B<protos_len>.
+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
+protocols and no ALPN extension will be sent to the server.
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
server to select which protocol to use for the incoming connection. When B<cb>
@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
described below. The first item in the B<server>, B<server_len> list that
matches an item in the B<client>, B<client_len> list is selected, and returned
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
-B<client>, so it should be copied immediately. If no match is found, the first
-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
-function can also be used in the NPN callback.
+B<client>, so it should be copied immediately. The client list must include at
+least one valid (nonempty) protocol entry in the list.
+
+The SSL_select_next_proto() helper function can be useful from either the ALPN
+callback or the NPN callback (described below). If no match is found, the first
+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
+SSL_select_next_proto().
SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
client needs to select a protocol from the server's provided list, and a
@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
The length of the protocol name must be written into B<outlen>. The
server's advertised protocols are provided in B<in> and B<inlen>. The
callback can assume that B<in> is syntactically valid. The client must
-select a protocol. It is fatal to the connection if this callback returns
-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
-set via SSL_CTX_set_next_proto_select_cb().
+select a protocol (although it may be an empty, zero length protocol). It is
+fatal to the connection if this callback returns a value other than
+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
when a TLS server needs a list of supported protocols for Next Protocol
@@ -149,7 +158,8 @@ A match was found and is returned in B<out>, B<outlen>.
=item OPENSSL_NPN_NO_OVERLAP
No match was found. The first item in B<client>, B<client_len> is returned in
-B<out>, B<outlen>.
+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
+B<client> is invalid).
=back
--
2.45.2
From 087501b4f572825e27ca8cc2c5874fcf6fd47cf7 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 10:41:55 +0100
Subject: [PATCH] Correct return values for
tls_construct_stoc_next_proto_neg
Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
rather than EXT_RETURN_SENT. This actually makes no difference at all to
the current control flow since this return value is ignored in this case
anyway. But lets make it correct anyway.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/statem/extensions_srvr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 4ea085e1a1..2da880450f 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1476,9 +1476,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
return EXT_RETURN_FAIL;
}
s->s3.npn_seen = 1;
+ return EXT_RETURN_SENT;
}
- return EXT_RETURN_SENT;
+ return EXT_RETURN_NOT_SENT;
}
#endif
--
2.45.2
From 017e54183b95617825fb9316d618c154a34c634e Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 11:51:54 +0100
Subject: [PATCH] Add ALPN validation in the client
The ALPN protocol selected by the server must be one that we originally
advertised. We should verify that it is.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index a07dc62e9a..b21ccf9273 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1566,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx)
{
size_t len;
+ PACKET confpkt, protpkt;
+ int valid = 0;
/* We must have requested it. */
if (!s->s3.alpn_sent) {
@@ -1584,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
return 0;
}
+
+ /* It must be a protocol that we sent */
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
+ if (PACKET_remaining(&protpkt) != len)
+ continue;
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
+ /* Valid protocol found */
+ valid = 1;
+ break;
+ }
+ }
+
+ if (!valid) {
+ /* The protocol sent from the server does not match one we advertised */
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+ return 0;
+ }
+
OPENSSL_free(s->s3.alpn_selected);
s->s3.alpn_selected = OPENSSL_malloc(len);
if (s->s3.alpn_selected == NULL) {
--
2.45.2

64
openssl-DEFAULT_SUSE_cipher.patch Normal file
View File

@ -0,0 +1,64 @@
Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c
===================================================================
--- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c
+++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c
@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*/
ok = 1;
rule_p = rule_str;
- if (strncmp(rule_str, "DEFAULT", 7) == 0) {
+ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
+ &head, &tail, ca_list, c);
+ rule_p += 12;
+ if (*rule_p == ':')
+ rule_p++;
+ }
+ else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
&head, &tail, ca_list, c);
rule_p += 7;
Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
===================================================================
--- /dev/null
+++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
@@ -0,0 +1,23 @@
+#! /usr/bin/env perl
+
+use strict;
+use warnings;
+
+use OpenSSL::Test qw/:DEFAULT/;
+use OpenSSL::Test::Utils;
+
+setup("test_default_ciphersuites");
+
+plan tests => 6;
+
+my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT");
+
+foreach my $cipherlist (@cipher_suites) {
+ ok(run(app(["openssl", "ciphers", "-s", $cipherlist])),
+ "openssl ciphers works with ciphersuite $cipherlist");
+ ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)),
+ "$cipherlist shouldn't contain MD5, DES or RC4\n");
+ ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)),
+ "$cipherlist should contain TLSv1.3 ciphers\n");
+}
+
Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
===================================================================
--- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in
+++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in
@@ -189,6 +189,11 @@ extern "C" {
*/
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
+ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+ "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
/*
* This is the default set of TLSv1.3 ciphersuites
* DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()

330
openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch Normal file
View File

@ -0,0 +1,330 @@
From 590babb35e3aa399c889282747965e301333a656 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:07:18 +0200
Subject: [PATCH 43/48]
0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
Patch-name: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
Patch-id: 93
---
crypto/dh/dh_backend.c | 10 ++++
crypto/dh/dh_check.c | 12 ++--
crypto/dh/dh_gen.c | 12 +++-
crypto/dh/dh_key.c | 13 ++--
crypto/dh/dh_pmeth.c | 10 +++-
providers/implementations/keymgmt/dh_kmgmt.c | 5 ++
test/endecode_test.c | 4 +-
test/evp_libctx_test.c | 2 +-
test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++
test/helpers/predefined_dhparams.h | 1 +
test/recipes/80-test_cms.t | 4 +-
test/recipes/80-test_ssl_old.t | 3 +
12 files changed, 118 insertions(+), 20 deletions(-)
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
index 726843fd30..24c65ca84f 100644
--- a/crypto/dh/dh_backend.c
+++ b/crypto/dh/dh_backend.c
@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
if (!dh_ffc_params_fromdata(dh, params))
return 0;
+#ifdef FIPS_MODULE
+ if (!ossl_dh_is_named_safe_prime_group(dh)) {
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
+ "FIPS 186-4 type domain parameters no longer allowed in"
+ " FIPS mode, since the required validation routines"
+ " were removed from FIPS 186-5");
+ return 0;
+ }
+#endif
+
param_priv_len =
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
if (param_priv_len != NULL
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 0b391910d6..75581ca347 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
nid = DH_get_nid((DH *)dh);
if (nid != NID_undef)
return 1;
+
/*
- * OR
- * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
- * validity tests.
+ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode.
*/
- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
- FFC_PARAM_TYPE_DH, ret, NULL);
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
+ "FIPS 186-4 type domain parameters no longer allowed in"
+ " FIPS mode, since the required validation routines were"
+ " removed from FIPS 186-5");
+ return 0;
}
#else
int DH_check_params(const DH *dh, int *ret)
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 204662a81c..9961f21920 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
BN_GENCB *cb)
{
- int ret, res;
+ int ret = 0;
#ifndef FIPS_MODULE
+ int res;
+
if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
FFC_PARAM_TYPE_DH,
pbits, qbits, &res, cb);
else
-#endif
ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
FFC_PARAM_TYPE_DH,
pbits, qbits, &res, cb);
+#else
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
+ "FIPS 186-4 type domain parameters no longer allowed in"
+ " FIPS mode, since the required generation routines were"
+ " removed from FIPS 186-5");
+#endif
if (ret > 0)
dh->dirty_cnt++;
return ret;
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 83773cceea..7e988368d3 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -321,8 +321,12 @@ static int generate_key(DH *dh)
goto err;
} else {
#ifdef FIPS_MODULE
- if (dh->params.q == NULL)
- goto err;
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
+ "FIPS 186-4 type domain parameters no longer"
+ " allowed in FIPS mode, since the required"
+ " generation routines were removed from FIPS"
+ " 186-5");
+ goto err;
#else
if (dh->params.q == NULL) {
/* secret exponent length, must satisfy 2^(l-1) <= p */
@@ -343,9 +347,7 @@ static int generate_key(DH *dh)
if (!BN_clear_bit(priv_key, 0))
goto err;
}
- } else
-#endif
- {
+ } else {
/* Do a partial check for invalid p, q, g */
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
FFC_PARAM_TYPE_DH, NULL))
@@ -361,6 +363,7 @@ static int generate_key(DH *dh)
priv_key))
goto err;
}
+#endif
}
}
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index f201eede0d..30f90d15be 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
prime_len, subprime_len, &res,
pcb);
else
-# endif
- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
FFC_PARAM_TYPE_DH,
prime_len, subprime_len, &res,
pcb);
+# else
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
+ "FIPS 186-4 type domain parameters no longer allowed in"
+ " FIPS mode, since the required generation routines were"
+ " removed from FIPS 186-5");
+# endif
if (rv <= 0) {
DH_free(ret);
return NULL;
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 9a7dde7c66..b3e7bca5ac 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
return 1; /* nothing to validate */
+#ifdef FIPS_MODULE
+ /* In FIPS provider, always check the domain parameters to disallow
+ * operations on keys with FIPS 186-4 params. */
+ selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
+#endif
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
/*
* Both of these functions check parameters. DH_check_params_ex()
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 53385028fc..169f3ccd73 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
* for testing only. Use a minimum key size of 2048 for security purposes.
*/
if (strcmp(type, "DH") == 0)
- return get_dh512(keyctx);
+ return get_dh2048(keyctx);
if (strcmp(type, "X9.42 DH") == 0)
- return get_dhx512(keyctx);
+ return get_dhx_ffdhe2048(keyctx);
# endif
/*
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index a7913cda4c..96a35ac1cc 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
|| !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
- || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
+ || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected))
goto err;
if (expected) {
diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c
index 4bdadc4143..e5186e4b4a 100644
--- a/test/helpers/predefined_dhparams.c
+++ b/test/helpers/predefined_dhparams.c
@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
dhx512_q, sizeof(dhx512_q));
}
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx)
+{
+ /* This is RFC 7919 ffdhe2048, since Red Hat removes support for
+ * non-well-known groups in FIPS mode. */
+ static unsigned char dhx_p[] = {
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58,
+ 0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41,
+ 0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02,
+ 0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55,
+ 0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda,
+ 0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82,
+ 0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3,
+ 0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1,
+ 0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32,
+ 0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83,
+ 0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff
+ };
+ static unsigned char dhx_g[] = {
+ 0x02
+ };
+ static unsigned char dhx_q[] = {
+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c,
+ 0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20,
+ 0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01,
+ 0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa,
+ 0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed,
+ 0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1,
+ 0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51,
+ 0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70,
+ 0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19,
+ 0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1,
+ 0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff
+ };
+
+ return get_dh_from_pg(libctx, "X9.42 DH",
+ dhx_p, sizeof(dhx_p),
+ dhx_g, sizeof(dhx_g),
+ dhx_q, sizeof(dhx_q));
+}
+
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
{
static unsigned char dh1024_p[] = {
diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h
index f0e8709062..2ff6d6e721 100644
--- a/test/helpers/predefined_dhparams.h
+++ b/test/helpers/predefined_dhparams.h
@@ -12,6 +12,7 @@
#ifndef OPENSSL_NO_DH
EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx);
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx);
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 2a459856f0..afac836fa3 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -627,10 +627,10 @@ my @smime_cms_param_tests = (
],
[ "enveloped content test streaming S/MIME format, X9.42 DH",
- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
"-stream", "-out", "{output}.cms",
"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
"-in", "{output}.cms", "-out", "{output}.txt" ],
\&final_compare
]
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 527abcea6e..e1d38b1e62 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -390,6 +390,9 @@ sub testssl {
skip "skipping dhe1024dsa test", 1
if ($no_dh);
+ skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1
+ if $provider eq "fips";
+
ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
--
2.41.0

19
openssl-Disable-default-provider-for-test-suite.patch Normal file
View File

@ -0,0 +1,19 @@
Index: openssl-3.1.4/apps/openssl.cnf
===================================================================
--- openssl-3.1.4.orig/apps/openssl.cnf
+++ openssl-3.1.4/apps/openssl.cnf
@@ -70,11 +70,11 @@ engines = engine_section
# to side-channel attacks and as such have been deprecated.
[provider_sect]
-default = default_sect
+##default = default_sect
##legacy = legacy_sect
-[default_sect]
-activate = 1
+##[default_sect]
+##activate = 1
##[legacy_sect]
##activate = 1

235
openssl-Disable-explicit-ec.patch Normal file
View File

@ -0,0 +1,235 @@
From 91bdd9b816b22bc1464ec323f3272b866b24114d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 12/35] 0012-Disable-explicit-ec.patch
Patch-name: 0012-Disable-explicit-ec.patch
Patch-id: 12
Patch-status: |
# Disable explicit EC curves
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/ec/ec_asn1.c | 11 ++++++++++
crypto/ec/ec_lib.c | 6 +++++
test/ectest.c | 22 ++++++++++---------
test/endecode_test.c | 20 ++++++++---------
.../30-test_evp_data/evppkey_ecdsa.txt | 12 ----------
5 files changed, 39 insertions(+), 32 deletions(-)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 7a0b35a594..d19d57344e 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -905,6 +905,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
group->decoded_from_explicit_params = 1;
+ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
+ EC_GROUP_free(group);
+ ECPKPARAMETERS_free(params);
+ return NULL;
+ }
+
if (a) {
EC_GROUP_free(*a);
*a = group;
@@ -964,6 +970,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
goto err;
}
+ if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) {
+ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
+ goto err;
+ }
+
ret->version = priv_key->version;
if (priv_key->privateKey) {
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index a84e088c19..6c37bf78ae 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
goto err;
}
if (named_group == group) {
+ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
+ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
+ goto err;
+ }
+#if 0
/*
* If we did not find a named group then the encoding should be explicit
* if it was specified
@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
goto err;
}
EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
+#endif
} else {
EC_GROUP_free(group);
group = named_group;
diff --git a/test/ectest.c b/test/ectest.c
index 4890b0555e..e11aec5b3b 100644
--- a/test/ectest.c
+++ b/test/ectest.c
@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
|| !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
|| !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
- || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
+ || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam,
EVP_PKEY_KEY_PARAMETERS, params), 0))
goto err;
-
+/* As creating the key should fail, the rest of the test is pointless */
+# if 0
/*- Check that all the set values are retrievable -*/
/* There should be no match to a group name since the generator changed */
@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
#endif
)
goto err;
+#endif
ret = 1;
err:
BN_free(order_out);
@@ -2714,21 +2716,21 @@ static int custom_params_test(int id)
/* Compute keyexchange in both directions */
if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
+ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
|| !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
|| !TEST_int_gt(bsize, sslen)
- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
+ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
goto err;
if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
+ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
|| !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
|| !TEST_int_gt(bsize, t)
|| !TEST_int_le(sslen, t)
- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
+ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
goto err;
-
+#if 0
/* Both sides should expect the same shared secret */
if (!TEST_mem_eq(buf1, sslen, buf2, t))
goto err;
@@ -2780,7 +2782,7 @@ static int custom_params_test(int id)
/* compare with previous result */
|| !TEST_mem_eq(buf1, t, buf2, sslen))
goto err;
-
+#endif
ret = 1;
err:
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 14648287eb..9a437d8c64 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -62,7 +62,7 @@ static BN_CTX *bnctx = NULL;
static OSSL_PARAM_BLD *bld_prime_nc = NULL;
static OSSL_PARAM_BLD *bld_prime = NULL;
static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;
-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;
+/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/
# ifndef OPENSSL_NO_EC2M
static OSSL_PARAM_BLD *bld_tri_nc = NULL;
@@ -1009,9 +1009,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
-DOMAIN_KEYS(ECExplicitPrime2G);
-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
+/*DOMAIN_KEYS(ECExplicitPrime2G);*/
+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
+/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
# ifndef OPENSSL_NO_EC2M
DOMAIN_KEYS(ECExplicitTriNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
@@ -1352,7 +1352,7 @@ int setup_tests(void)
|| !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
|| !create_ec_explicit_prime_params(bld_prime)
|| !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))
+/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
# ifndef OPENSSL_NO_EC2M
|| !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
|| !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
@@ -1380,7 +1380,7 @@ int setup_tests(void)
TEST_info("Generating EC keys...");
MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
+/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
# ifndef OPENSSL_NO_EC2M
MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
@@ -1423,8 +1423,8 @@ int setup_tests(void)
ADD_TEST_SUITE_LEGACY(EC);
ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
- ADD_TEST_SUITE(ECExplicitPrime2G);
- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
+/* ADD_TEST_SUITE(ECExplicitPrime2G);*/
+/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
# ifndef OPENSSL_NO_EC2M
ADD_TEST_SUITE(ECExplicitTriNamedCurve);
ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
@@ -1461,7 +1461,7 @@ void cleanup_tests(void)
{
#ifndef OPENSSL_NO_EC
OSSL_PARAM_free(ec_explicit_prime_params_nc);
- OSSL_PARAM_free(ec_explicit_prime_params_explicit);
+/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/
OSSL_PARAM_BLD_free(bld_prime_nc);
OSSL_PARAM_BLD_free(bld_prime);
# ifndef OPENSSL_NO_EC2M
@@ -1483,7 +1483,7 @@ void cleanup_tests(void)
#ifndef OPENSSL_NO_EC
FREE_DOMAIN_KEYS(EC);
FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
- FREE_DOMAIN_KEYS(ECExplicitPrime2G);
+/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
# ifndef OPENSSL_NO_EC2M
FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
FREE_DOMAIN_KEYS(ECExplicitTri2G);
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
index ec3c032aba..584ecee0eb 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
-----END PRIVATE KEY-----
-PrivateKey = EC_EXPLICIT
------BEGIN PRIVATE KEY-----
-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
------END PRIVATE KEY-----
-
PrivateKey = B-163
-----BEGIN PRIVATE KEY-----
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
--
2.41.0

28
openssl-Enable-BTI-feature-for-md5-on-aarch64.patch Normal file
View File

@ -0,0 +1,28 @@
From d2bfec6e464aeb247a2d6853668d4e473f19e15f Mon Sep 17 00:00:00 2001
From: "fangming.fang" <fangming.fang@arm.com>
Date: Thu, 7 Dec 2023 06:17:51 +0000
Subject: [PATCH] Enable BTI feature for md5 on aarch64
Fixes: #22959
---
crypto/md5/asm/md5-aarch64.pl | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl
index 3200a0fa9bff0..5a8608069691d 100755
--- a/crypto/md5/asm/md5-aarch64.pl
+++ b/crypto/md5/asm/md5-aarch64.pl
@@ -28,10 +28,13 @@
*STDOUT=*OUT;
$code .= <<EOF;
+#include "arm_arch.h"
+
.text
.globl ossl_md5_block_asm_data_order
.type ossl_md5_block_asm_data_order,\@function
ossl_md5_block_asm_data_order:
+ AARCH64_VALID_CALL_TARGET
// Save all callee-saved registers
stp x19,x20,[sp,#-80]!
stp x21,x22,[sp,#16]

116
openssl-FIPS-140-3-DRBG.patch Normal file
View File

@ -0,0 +1,116 @@
Index: openssl-3.1.4/providers/implementations/rands/drbg.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/rands/drbg.c
+++ openssl-3.1.4/providers/implementations/rands/drbg.c
@@ -570,6 +570,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
#endif
}
+#ifdef FIPS_MODULE
+ prediction_resistance = 1;
+#endif
/* Reseed using our sources in addition */
entropylen = get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen, drbg->max_entropylen,
@@ -662,8 +665,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
reseed_required = 1;
}
if (drbg->parent != NULL
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
+#ifdef FIPS_MODULE
+ /* SUSE patches provide chain reseeding when necessary so just sync counters*/
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
+#else
reseed_required = 1;
+#endif
+ }
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0,
Index: openssl-3.1.4/crypto/rand/prov_seed.c
===================================================================
--- openssl-3.1.4.orig/crypto/rand/prov_seed.c
+++ openssl-3.1.4/crypto/rand/prov_seed.c
@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused
size_t entropy_available;
RAND_POOL *pool;
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
+ /*
+ * OpenSSL still implements an internal entropy pool of
+ * some size that is hashed to get seed data.
+ * Note that this is a conditioning step for which SP800-90C requires
+ * 64 additional bits from the entropy source to claim the requested
+ * amount of entropy.
+ */
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
if (pool == NULL) {
ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE);
return 0;
Index: openssl-3.1.4/providers/implementations/rands/crngt.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/rands/crngt.c
+++ openssl-3.1.4/providers/implementations/rands/crngt.c
@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
* to the nearest byte. If the entropy is of less than full quality,
* the amount required should be scaled up appropriately here.
*/
- bytes_needed = (entropy + 7) / 8;
+ /*
+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy
+ * + 128 bits during initial seeding
+ */
+ bytes_needed = (entropy + 128 + 7) / 8;
if (bytes_needed < min_len)
bytes_needed = min_len;
if (bytes_needed > max_len)
Index: openssl-3.1.4/providers/implementations/rands/drbg_local.h
===================================================================
--- openssl-3.1.4.orig/providers/implementations/rands/drbg_local.h
+++ openssl-3.1.4/providers/implementations/rands/drbg_local.h
@@ -38,7 +38,7 @@
*
* The value is in bytes.
*/
-#define CRNGT_BUFSIZ 16
+#define CRNGT_BUFSIZ 32
/*
* Maximum input size for the DRBG (entropy, nonce, personalization string)
Index: openssl-3.1.4/providers/implementations/rands/seed_src.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/rands/seed_src.c
+++ openssl-3.1.4/providers/implementations/rands/seed_src.c
@@ -104,7 +104,14 @@ static int seed_src_generate(void *vseed
return 0;
}
- pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
+ /*
+ * OpenSSL still implements an internal entropy pool of
+ * some size that is hashed to get seed data.
+ * Note that this is a conditioning step for which SP800-90C requires
+ * 64 additional bits from the entropy source to claim the requested
+ * amount of entropy.
+ */
+ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
if (pool == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return 0;
@@ -184,7 +191,14 @@ static size_t seed_get_seed(void *vseed,
size_t i;
RAND_POOL *pool;
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
+ /*
+ * OpenSSL still implements an internal entropy pool of
+ * some size that is hashed to get seed data.
+ * Note that this is a conditioning step for which SP800-90C requires
+ * 64 additional bits from the entropy source to claim the requested
+ * amount of entropy.
+ */
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
if (pool == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
return 0;

388
openssl-FIPS-140-3-keychecks.patch Normal file
View File

@ -0,0 +1,388 @@
From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 12:05:23 +0200
Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch
Patch-name: 0044-FIPS-140-3-keychecks.patch
Patch-id: 44
Patch-status: |
# Extra public/private key checks required by FIPS-140-3
---
crypto/dh/dh_key.c | 26 ++++++++++
.../implementations/exchange/ecdh_exch.c | 19 ++++++++
providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++-
providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
.../implementations/signature/ecdsa_sig.c | 37 +++++++++++++--
providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
6 files changed, 162 insertions(+), 9 deletions(-)
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 4e9705beef..83773cceea 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
BN_MONT_CTX *mont = NULL;
BIGNUM *z = NULL, *pminus1;
int ret = -1;
+#ifdef FIPS_MODULE
+ int validate = 0;
+#endif
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
return 0;
}
+#ifdef FIPS_MODULE
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
+ return 0;
+ }
+#endif
+
ctx = BN_CTX_new_ex(dh->libctx);
if (ctx == NULL)
goto err;
@@ -262,6 +272,9 @@ static int generate_key(DH *dh)
#endif
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
+#ifdef FIPS_MODULE
+ int validate = 0;
+#endif
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
goto err;
+#ifdef FIPS_MODULE
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
+ goto err;
+ }
+#endif
+
dh->pub_key = pub_key;
dh->priv_key = priv_key;
+#ifdef FIPS_MODULE
+ if (ossl_dh_check_pairwise(dh) <= 0) {
+ abort();
+ }
+#endif
+
dh->dirty_cnt++;
ok = 1;
err:
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 43caedb6df..73873f9758 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
}
ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
+#ifdef FIPS_MODULE
+ {
+ BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk));
+ int check = 0;
+
+ if (bn_ctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ goto end;
+ }
+
+ check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx);
+ BN_CTX_free(bn_ctx);
+
+ if (check <= 0) {
+ ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY);
+ goto end;
+ }
+ }
+#endif
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index a37cbbdba8..bca3f3c674 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -989,8 +989,17 @@ struct ec_gen_ctx {
int selection;
int ecdh_mode;
EC_GROUP *gen_group;
+#ifdef FIPS_MODULE
+ void *ecdsa_sig_ctx;
+#endif
};
+#ifdef FIPS_MODULE
+void *ecdsa_newctx(void *provctx, const char *propq);
+void ecdsa_freectx(void *vctx);
+int do_ec_pct(void *, const char *, void *);
+#endif
+
static void *ec_gen_init(void *provctx, int selection,
const OSSL_PARAM params[])
{
@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection,
gctx = NULL;
}
}
+#ifdef FIPS_MODULE
+ if (gctx != NULL)
+ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
+#endif
return gctx;
}
@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
if (gctx->ecdh_mode != -1)
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
+#ifdef FIPS_MODULE
+ /* Pairwise consistency test */
+ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
+ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
+ abort();
+#endif
if (gctx->group_check != NULL)
ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx)
if (gctx == NULL)
return;
-
+#ifdef FIPS_MODULE
+ ecdsa_freectx(gctx->ecdsa_sig_ctx);
+ gctx->ecdsa_sig_ctx = NULL;
+#endif
EC_GROUP_free(gctx->gen_group);
BN_free(gctx->p);
BN_free(gctx->a);
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 3ba12c4889..ff49f8fcd8 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
/* ACVP test parameters */
OSSL_PARAM *acvp_test_params;
+ void *prov_rsa_ctx;
#endif
};
@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
return gctx->cb(params, gctx->cbarg);
}
+#ifdef FIPS_MODULE
+void *rsa_newctx(void *provctx, const char *propq);
+void rsa_freectx(void *vctx);
+int do_rsa_pct(void *, const char *, void *);
+#endif
+
static void *gen_init(void *provctx, int selection, int rsa_type,
const OSSL_PARAM params[])
{
@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
if (!rsa_gen_set_params(gctx, params))
goto err;
+#ifdef FIPS_MODULE
+ if (gctx != NULL)
+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
+#endif
return gctx;
err:
@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
rsa = rsa_tmp;
rsa_tmp = NULL;
+#ifdef FIPS_MODULE
+ /* Pairwise consistency test */
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
+ abort();
+#endif
err:
BN_GENCB_free(gencb);
RSA_free(rsa_tmp);
@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx)
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
gctx->acvp_test_params = NULL;
+ rsa_freectx(gctx->prov_rsa_ctx);
+ gctx->prov_rsa_ctx = NULL;
#endif
BN_clear_free(gctx->pub_exp);
OPENSSL_free(gctx);
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index 865d49d100..ebeb30e002 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -32,7 +32,7 @@
#include "crypto/ec.h"
#include "prov/der_ec.h"
-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
+OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
static OSSL_FUNC_signature_sign_fn ecdsa_sign;
@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
+OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
@@ -104,7 +104,7 @@ typedef struct {
#endif
} PROV_ECDSA_CTX;
-static void *ecdsa_newctx(void *provctx, const char *propq)
+void *ecdsa_newctx(void *provctx, const char *propq)
{
PROV_ECDSA_CTX *ctx;
@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
}
-static void ecdsa_freectx(void *vctx)
+void ecdsa_freectx(void *vctx)
{
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
return EVP_MD_settable_ctx_params(ctx->md);
}
+#ifdef FIPS_MODULE
+int do_ec_pct(void *vctx, const char *mdname, void *ec)
+{
+ static const unsigned char data[32];
+ unsigned char sigbuf[256];
+ size_t siglen = sizeof(sigbuf);
+
+ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0)
+ return 0;
+
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
+ return 0;
+
+ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
+ return 0;
+
+ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0)
+ return 0;
+
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
+ return 0;
+
+ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
+ return 0;
+
+ return 1;
+}
+#endif
+
const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index cd5de6bd51..d4261e8f7d 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -34,7 +34,7 @@
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
-static OSSL_FUNC_signature_newctx_fn rsa_newctx;
+OSSL_FUNC_signature_newctx_fn rsa_newctx;
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
-static OSSL_FUNC_signature_freectx_fn rsa_freectx;
+OSSL_FUNC_signature_freectx_fn rsa_freectx;
static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
return 1;
}
-static void *rsa_newctx(void *provctx, const char *propq)
+void *rsa_newctx(void *provctx, const char *propq)
{
PROV_RSA_CTX *prsactx = NULL;
char *propq_copy = NULL;
@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
}
-static void rsa_freectx(void *vprsactx)
+void rsa_freectx(void *vprsactx)
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
return EVP_MD_settable_ctx_params(prsactx->md);
}
+#ifdef FIPS_MODULE
+int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
+{
+ static const unsigned char data[32];
+ unsigned char *sigbuf = NULL;
+ size_t siglen = 0;
+ int ret = 0;
+
+ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
+ return 0;
+
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
+ return 0;
+
+ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0)
+ return 0;
+
+ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL)
+ return 0;
+
+ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0)
+ goto err;
+
+ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
+ goto err;
+
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
+ goto err;
+
+ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
+ goto err;
+ ret = 1;
+
+ err:
+ OPENSSL_free(sigbuf);
+ return ret;
+}
+#endif
+
const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
--
2.41.0

81
openssl-FIPS-140-3-zeroization.patch Normal file
View File

@ -0,0 +1,81 @@
Index: openssl-3.1.4/crypto/ffc/ffc_params.c
===================================================================
--- openssl-3.1.4.orig/crypto/ffc/ffc_params.c
+++ openssl-3.1.4/crypto/ffc/ffc_params.c
@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
void ossl_ffc_params_cleanup(FFC_PARAMS *params)
{
- BN_free(params->p);
- BN_free(params->q);
- BN_free(params->g);
- BN_free(params->j);
+ BN_clear_free(params->p);
+ BN_clear_free(params->q);
+ BN_clear_free(params->g);
+ BN_clear_free(params->j);
OPENSSL_free(params->seed);
ossl_ffc_params_init(params);
}
Index: openssl-3.1.4/crypto/rsa/rsa_lib.c
===================================================================
--- openssl-3.1.4.orig/crypto/rsa/rsa_lib.c
+++ openssl-3.1.4/crypto/rsa/rsa_lib.c
@@ -155,8 +155,8 @@ void RSA_free(RSA *r)
CRYPTO_THREAD_lock_free(r->lock);
- BN_free(r->n);
- BN_free(r->e);
+ BN_clear_free(r->n);
+ BN_clear_free(r->e);
BN_clear_free(r->d);
BN_clear_free(r->p);
BN_clear_free(r->q);
Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/hkdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/hkdf.c
@@ -118,7 +118,7 @@ static void kdf_hkdf_reset(void *vctx)
void *provctx = ctx->provctx;
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_free(ctx->prefix);
OPENSSL_free(ctx->label);
OPENSSL_clear_free(ctx->data, ctx->data_len);
Index: openssl-3.1.4/providers/implementations/kdfs/pbkdf2.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/pbkdf2.c
+++ openssl-3.1.4/providers/implementations/kdfs/pbkdf2.c
@@ -92,7 +92,7 @@ static void *kdf_pbkdf2_new(void *provct
static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
{
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_clear_free(ctx->pass, ctx->pass_len);
memset(ctx, 0, sizeof(*ctx));
}
Index: openssl-3.1.4/crypto/ec/ec_lib.c
===================================================================
--- openssl-3.1.4.orig/crypto/ec/ec_lib.c
+++ openssl-3.1.4/crypto/ec/ec_lib.c
@@ -752,12 +752,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
void EC_POINT_free(EC_POINT *point)
{
+#ifdef FIPS_MODULE
+ EC_POINT_clear_free(point);
+#else
if (point == NULL)
return;
if (point->meth->point_finish != 0)
point->meth->point_finish(point);
OPENSSL_free(point);
+#endif
}
void EC_POINT_clear_free(EC_POINT *point)

16
openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch Normal file
View File

@ -0,0 +1,16 @@
Index: openssl-3.1.4/crypto/rsa/rsa_sp800_56b_check.c
===================================================================
--- openssl-3.1.4.orig/crypto/rsa/rsa_sp800_56b_check.c
+++ openssl-3.1.4/crypto/rsa/rsa_sp800_56b_check.c
@@ -405,7 +405,10 @@ int ossl_rsa_sp800_56b_check_keypair(con
return 0;
}
/* (Step 3.b): check the modulus */
- if (nbits != BN_num_bits(rsa->n)) {
+ /* If nBits is not a positive even integer, output an indication of an
+ * invalid key pair, and exit without further processing.
+ */
+ if (nbits <= 0 || nbits % 2 || nbits != BN_num_bits(rsa->n)) {
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
return 0;
}

108
openssl-FIPS-Add-explicit-indicator-for-key-length.patch Normal file
View File

@ -0,0 +1,108 @@
From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 18:08:24 +0100
Subject: [PATCH] hmac: Add explicit FIPS indicator for key length
NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
specifies key lengths < 112 bytes are disallowed for HMAC generation and
are legacy use for HMAC verification.
Add an explicit indicator that will mark shorter key lengths as
unsupported. The indicator can be queries from the EVP_MAC_CTX object
using EVP_MAC_CTX_get_params() with the
OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR
parameter.
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
include/crypto/evp.h | 7 +++++++
include/openssl/evp.h | 3 +++
providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
4 files changed, 28 insertions(+)
Index: openssl-3.1.4/include/crypto/evp.h
===================================================================
--- openssl-3.1.4.orig/include/crypto/evp.h
+++ openssl-3.1.4/include/crypto/evp.h
@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_m
const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
+#ifdef FIPS_MODULE
+/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
+ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
+ * HMAC verification. */
+# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
+#endif
+
struct evp_mac_st {
OSSL_PROVIDER *prov;
int name_id;
Index: openssl-3.1.4/include/openssl/evp.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/evp.h
+++ openssl-3.1.4/include/openssl/evp.h
@@ -1196,6 +1196,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX
void *arg);
/* MAC stuff */
+# define EVP_MAC_SUSE_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED 1
+# define EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
const char *properties);
Index: openssl-3.1.4/providers/implementations/macs/hmac_prov.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/macs/hmac_prov.c
+++ openssl-3.1.4/providers/implementations/macs/hmac_prov.c
@@ -21,6 +21,8 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
+#include "crypto/evp.h"
+
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, uns
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vma
&& !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
return 0;
+#ifdef FIPS_MODULE
+ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR)) != NULL) {
+ int fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED;
+ /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
+ * specifies key lengths < 112 bytes are disallowed for HMAC generation
+ * and legacy use for HMAC verification. */
+ if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
+ fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+ return OSSL_PARAM_set_int(p, fips_indicator);
+ }
+#endif /* defined(FIPS_MODULE) */
+
return 1;
}
Index: openssl-3.1.4/include/openssl/core_names.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/core_names.h
+++ openssl-3.1.4/include/openssl/core_names.h
@@ -175,6 +175,7 @@ extern "C" {
#define OSSL_MAC_PARAM_SIZE "size" /* size_t */
#define OSSL_MAC_PARAM_BLOCK_SIZE "block-size" /* size_t */
#define OSSL_MAC_PARAM_TLS_DATA_SIZE "tls-data-size" /* size_t */
+#define OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" /* size_t */
/* Known MAC names */
#define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC"

20
openssl-FIPS-Enforce-error-state.patch Normal file
View File

@ -0,0 +1,20 @@
Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -805,6 +805,7 @@ int OSSL_provider_init_int(const OSSL_CO
/* Error already raised */
goto err;
}
+#if 0 /* Don't allow to skip the error state */
/*
* Disable the conditional error check if it's disabled in the fips config
* file.
@@ -812,6 +813,7 @@ int OSSL_provider_init_int(const OSSL_CO
if (fgbl->selftest_params.conditional_error_check != NULL
&& strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0)
SELF_TEST_disable_conditional_error_state();
+#endif
/* Enable or disable FIPS provider options */
#define FIPS_SET_OPTION(fgbl, field) \

462
openssl-FIPS-Expose-a-FIPS-indicator.patch Normal file
View File

@ -0,0 +1,462 @@
From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Tue, 7 Jun 2022 12:02:49 +0200
Subject: [PATCH] fips: Expose a FIPS indicator
FIPS 140-3 requires us to indicate whether an operation was using
approved services or not. The FIPS 140-3 implementation guidelines
provide two basic approaches to doing this: implicit indicators, and
explicit indicators.
Implicit indicators are basically the concept of "if the operation
passes, it was approved". We were originally aiming for implicit
indicators in our copy of OpenSSL. However, this proved to be a problem,
because we wanted to certify a signature service, and FIPS 140-3
requires that a signature service computes the digest to be signed
within the boundaries of the FIPS module. Since we were planning to
certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
would have to be blocked. Unfortunately, EVP_SignFinal uses
EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
FIPS module boundary. This means that using implicit indicators in
combination with certifying only fips.so would require us to block both
EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
by most users of OpenSSL for signatures.
EVP_DigestSign would be acceptable, but has only been added in 3.0 and
is thus not yet widely used.
As a consequence, we've decided to introduce explicit indicators so that
EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
FIPS-aware applications can query the explicit indicator to check
whether the operation was approved.
To avoid affecting the ABI and public API too much, this is implemented
as an exported symbol in fips.so and a private header, so applications
that wish to use this will have to dlopen(3) fips.so, locate the
function using dlsym(3), and then call it. These applications will have
to build against the private header in order to use the returned
pointer.
Modify util/mkdef.pl to support exposing a symbol only for a specific
provider identified by its name and path.
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
doc/build.info | 6 ++
doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++
providers/fips/fipsprov.c | 71 +++++++++++++
providers/fips/indicator.h | 66 ++++++++++++
util/mkdef.pl | 25 ++++-
util/providers.num | 1 +
6 files changed, 322 insertions(+), 1 deletion(-)
create mode 100644 doc/man7/fips_module_indicators.pod
create mode 100644 providers/fips/indicator.h
Index: openssl-3.1.4/doc/build.info
===================================================================
--- openssl-3.1.4.orig/doc/build.info
+++ openssl-3.1.4/doc/build.info
@@ -4467,6 +4467,10 @@ DEPEND[html/man7/fips_module.html]=man7/
GENERATE[html/man7/fips_module.html]=man7/fips_module.pod
DEPEND[man/man7/fips_module.7]=man7/fips_module.pod
GENERATE[man/man7/fips_module.7]=man7/fips_module.pod
+DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
+GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
+DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
+GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod
@@ -4712,6 +4716,7 @@ html/man7/ct.html \
html/man7/des_modes.html \
html/man7/evp.html \
html/man7/fips_module.html \
+html/man7/fips_module_indicators.html \
html/man7/life_cycle-cipher.html \
html/man7/life_cycle-digest.html \
html/man7/life_cycle-kdf.html \
@@ -4838,6 +4843,7 @@ man/man7/ct.7 \
man/man7/des_modes.7 \
man/man7/evp.7 \
man/man7/fips_module.7 \
+man/man7/fips_module_indicators.7 \
man/man7/life_cycle-cipher.7 \
man/man7/life_cycle-digest.7 \
man/man7/life_cycle-kdf.7 \
Index: openssl-3.1.4/doc/man7/fips_module_indicators.pod
===================================================================
--- /dev/null
+++ openssl-3.1.4/doc/man7/fips_module_indicators.pod
@@ -0,0 +1,155 @@
+=pod
+
+=head1 NAME
+
+fips_module_indicators - SUSE OpenSSL FIPS module indicators guide
+
+=head1 DESCRIPTION
+
+This guide documents how the SUSE Linux Enterprise OpenSSL FIPS provider
+implements Approved Security Service Indicators according to the FIPS 140-3
+Implementation Guidelines, section 2.4.C. See
+L<https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>
+for the FIPS 140-3 Implementation Guidelines.
+
+For all approved services except signatures, the SUSE OpenSSL FIPS provider
+uses the return code as the indicator as understood by FIPS 140-3. That means
+that every operation that succeeds denotes use of an approved security service.
+Operations that do not succeed may not have been approved security services, or
+may have been used incorrectly.
+
+For signatures, an explicit indicator API is available to determine whether
+a selected operation is an approved security service, in combination with the
+return code of the operation. For a signature operation to be approved, the
+explicit indicator must claim it as approved, and it must succeed.
+
+=head2 Querying the explicit indicator
+
+The SUSE OpenSSL FIPS provider exports a symbol named
+I<suse_ossl_query_fipsindicator> that provides information on which signature
+operations are approved security functions. To use this function, either link
+against I<fips.so> directly, or load it at runtime using dlopen(3) and
+dlsym(3).
+
+ #include <openssl/core_dispatch.h>
+ #include "providers/fips/indicator.h"
+
+ void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY);
+ if (provider == NULL) {
+ fprintf(stderr, "%s\n", dlerror());
+ // handle error
+ }
+
+ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *(*suse_ossl_query_fipsindicator)(int) \
+ = dlsym(provider, "suse_ossl_query_fipsindicator");
+ if (suse_ossl_query_fipsindicator == NULL) {
+ fprintf(stderr, "%s\n", dlerror());
+ fprintf(stderr, "Does your copy of fips.so have the required SUSE"
+ " patches?\n");
+ // handle error
+ }
+
+Note that this uses the I<providers/fips/indicator.h> header, which is not
+public. Install the I<openssl-3-debugsource> package from the I<Debuginfo-Pool>
+repository using I<zypper install openssl-3-debugsource> and include
+I</usr/src/debug/openssl-3.*/> in the compiler's include path.
+
+I<suse_ossl_query_fipsindicator> expects an operation ID as its only
+argument. Currently, the only supported operation ID is I<OSSL_OP_SIGNATURE> to
+obtain the indicators for signature operations. On success, the return value is
+a pointer to an array of I<OSSL_SUSE_FIPSINDICATOR_STRUCT>s. On failure, NULL is
+returned. The last entry in the array is indicated by I<algorithm_names> being
+NULL.
+
+ typedef struct ossl_suse_fipsindicator_algorithm_st {
+ const char *algorithm_names; /* key */
+ const char *property_definition; /* key */
+ const OSSL_SUSE_FIPSINDICATOR_DISPATCH *indicators;
+ } OSSL_SUSE_FIPSINDICATOR_ALGORITHM;
+
+ typedef struct ossl_suse_fipsindicator_dispatch_st {
+ int function_id;
+ int approved;
+ } OSSL_SUSE_FIPSINDICATOR_DISPATCH;
+
+The I<algorithm_names> field is a colon-separated list of algorithm names from
+one of the I<PROV_NAMES_...> constants, e.g., I<PROV_NAMES_RSA>. strtok(3) can
+be used to locate the appropriate entry. See the example below, where
+I<algorithm> contains the algorithm name to search for:
+
+ const OSSL_SUSE_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL;
+ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *indicator =
+ suse_ossl_query_fipsindicator(operation_id);
+ if (indicator == NULL) {
+ fprintf(stderr, "No indicator for operation, probably using implicit"
+ " indicators.\n");
+ // handle error
+ }
+
+ for (; indicator->algorithm_names != NULL; ++indicator) {
+ char *algorithm_names = strdup(indicator->algorithm_names);
+ if (algorithm_names == NULL) {
+ perror("strdup(3)");
+ // handle error
+ }
+
+ const char *algorithm_name = strtok(algorithm_names, ":");
+ for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) {
+ if (strcasecmp(algorithm_name, algorithm) == 0) {
+ indicator_dispatch = indicator->indicators;
+ free(algorithm_names);
+ algorithm_names = NULL;
+ break;
+ }
+ }
+ free(algorithm_names);
+ }
+ if (indicator_dispatch == NULL) {
+ fprintf(stderr, "No indicator for algorithm %s.\n", algorithm);
+ // handle error
+ }
+
+If an appropriate I<OSSL_SUSE_FIPSINDICATOR_DISPATCH> array is available for the
+given algorithm name, it maps function IDs to their approval status. The last
+entry is indicated by a zero I<function_id>. I<approved> is
+I<OSSL_SUSE_FIPSINDICATOR_APPROVED> if the operation is an approved security
+service, or part of an approved security service, or
+I<OSSL_SUSE_FIPSINDICATOR_UNAPPROVED> otherwise. Any other value is invalid.
+Function IDs are I<OSSL_FUNC_*> constants from I<openssl/core_dispatch.h>,
+e.g., I<OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE> or I<OSSL_FUNC_SIGNATURE_SIGN>.
+
+Assuming I<function_id> is the function in question, the following code can be
+used to query the approval status:
+
+ for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) {
+ if (indicator_dispatch->function_id == function_id) {
+ switch (indicator_dispatch->approved) {
+ case OSSL_SUSE_FIPSINDICATOR_APPROVED:
+ // approved security service
+ break;
+ case OSSL_SUSE_FIPSINDICATOR_UNAPPROVED:
+ // unapproved security service
+ break;
+ default:
+ // invalid result
+ break;
+ }
+ break;
+ }
+ }
+
+=head1 SEE ALSO
+
+L<fips_module(7)>, L<provider(7)>
+
+=head1 COPYRIGHT
+
+Copyright 2022 Red Hat, Inc. All Rights Reserved.
+Copyright 2024 SUSE LLC. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -26,6 +26,7 @@
#include "self_test.h"
#include "crypto/context.h"
#include "internal/core.h"
+#include "indicator.h"
static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
@@ -438,6 +439,68 @@ static const OSSL_ALGORITHM fips_signatu
{ NULL, NULL, NULL }
};
+static const OSSL_SUSE_FIPSINDICATOR_DISPATCH suse_rsa_signature_indicators[] = {
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { 0, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }
+};
+
+static const OSSL_SUSE_FIPSINDICATOR_DISPATCH suse_ecdsa_signature_indicators[] = {
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
+ { 0, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }
+};
+
+static const OSSL_SUSE_FIPSINDICATOR_ALGORITHM suse_indicator_fips_signature[] = {
+ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES,
+ suse_rsa_signature_indicators },
+#ifndef OPENSSL_NO_EC
+ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES,
+ suse_ecdsa_signature_indicators },
+#endif
+ { NULL, NULL, NULL }
+};
+
static const OSSL_ALGORITHM fips_asym_cipher[] = {
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
{ NULL, NULL, NULL }
@@ -520,6 +583,14 @@ static const OSSL_ALGORITHM *fips_query(
}
return NULL;
}
+
+const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *suse_ossl_query_fipsindicator(int operation_id) {
+ switch (operation_id) {
+ case OSSL_OP_SIGNATURE:
+ return suse_indicator_fips_signature;
+ }
+ return NULL;
+}
static void fips_teardown(void *provctx)
{
Index: openssl-3.1.4/providers/fips/indicator.h
===================================================================
--- /dev/null
+++ openssl-3.1.4/providers/fips/indicator.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_FIPS_INDICATOR_H
+# define OPENSSL_FIPS_INDICATOR_H
+# pragma once
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+# define OSSL_SUSE_FIPSINDICATOR_UNAPPROVED (0)
+# define OSSL_SUSE_FIPSINDICATOR_APPROVED (1)
+
+/*
+ * FIPS indicator dispatch table element. function_id numbers and the
+ * functions are defined in core_dispatch.h, see macros with
+ * 'OSSL_CORE_MAKE_FUNC' in their names.
+ *
+ * An array of these is always terminated by function_id == 0
+ */
+typedef struct ossl_suse_fipsindicator_dispatch_st {
+ int function_id;
+ int approved;
+} OSSL_SUSE_FIPSINDICATOR_DISPATCH;
+
+/*
+ * Type to tie together algorithm names, property definition string and the
+ * algorithm implementation's FIPS indicator status in the form of a FIPS
+ * indicator dispatch table.
+ *
+ * An array of these is always terminated by algorithm_names == NULL
+ */
+typedef struct ossl_suse_fipsindicator_algorithm_st {
+ const char *algorithm_names; /* key */
+ const char *property_definition; /* key */
+ const OSSL_SUSE_FIPSINDICATOR_DISPATCH *indicators;
+} OSSL_SUSE_FIPSINDICATOR_ALGORITHM;
+
+/**
+ * Query FIPS indicator status for the given operation. Possible values for
+ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms
+ * use implicit indicators. The return value is an array of
+ * OSSL_SUSE_FIPSINDICATOR_ALGORITHMs, terminated by an entry with
+ * algorithm_names == NULL. 'algorithm_names' is a colon-separated list of
+ * algorithm names, 'property_definition' a comma-separated list of properties,
+ * and 'indicators' is a list of OSSL_SUSE_FIPSINDICATOR_DISPATCH structs. This
+ * list is terminated by function_id == 0. 'function_id' is one of the
+ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL.
+ *
+ * If there is no entry in the returned struct for the given operation_id,
+ * algorithm name, or function_id, the algorithm is unapproved.
+ */
+const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *suse_ossl_query_fipsindicator(int operation_id);
+
+# ifdef __cplusplus
+}
+# endif
+
+#endif
Index: openssl-3.1.4/util/mkdef.pl
===================================================================
--- openssl-3.1.4.orig/util/mkdef.pl
+++ openssl-3.1.4/util/mkdef.pl
@@ -153,7 +153,8 @@ $ordinal_opts{filter} =
return
$item->exists()
&& platform_filter($item)
- && feature_filter($item);
+ && feature_filter($item)
+ && fips_filter($item, $name);
};
my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file);
@@ -209,6 +210,28 @@ sub feature_filter {
return $verdict;
}
+sub fips_filter {
+ my $item = shift;
+ my $name = uc(shift);
+ my @features = ( $item->features() );
+
+ # True if no features are defined
+ return 1 if scalar @features == 0;
+
+ my @matches = grep(/^ONLY_.*$/, @features);
+ if (@matches) {
+ # There is at least one only_* flag on this symbol, check if any of
+ # them match the name
+ for (@matches) {
+ if ($_ eq "ONLY_${name}") {
+ return 1;
+ }
+ }
+ return 0;
+ }
+ return 1;
+}
+
sub sorter_unix {
my $by_name = OpenSSL::Ordinals::by_name();
my %weight = (
Index: openssl-3.1.4/util/providers.num
===================================================================
--- openssl-3.1.4.orig/util/providers.num
+++ openssl-3.1.4/util/providers.num
@@ -1 +1,2 @@
OSSL_provider_init 1 * EXIST::FUNCTION:
+suse_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS

101
openssl-FIPS-RSA-disable-shake.patch Normal file
View File

@ -0,0 +1,101 @@
From 2306fde5556cbcb875d095c09fed01a0f16fe7ec Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 15:51:55 +0200
Subject: [PATCH 40/48] 0085-FIPS-RSA-disable-shake.patch
Patch-name: 0085-FIPS-RSA-disable-shake.patch
Patch-id: 85
---
crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++
crypto/rsa/rsa_pss.c | 16 ++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index b2f7f7dc4b..af2b0b026c 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
return 0;
#endif
}
+
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
+ return 0;
+ }
+#endif
if (mgf1md == NULL)
mgf1md = md;
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
+ return 0;
+ }
+#endif
+
mdlen = EVP_MD_get_size(md);
if (mdlen <= 0) {
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH);
@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
#endif
}
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
+ return -1;
+ }
+#endif
+
if (mgf1md == NULL)
mgf1md = md;
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
+ return -1;
+ }
+#endif
+
mdlen = EVP_MD_get_size(md);
if (tlen <= 0 || flen <= 0)
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index bb46ec64c7..c0fdf232da 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
if (mgf1Hash == NULL)
mgf1Hash = Hash;
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
+ goto err;
+
+ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
+ goto err;
+#endif
+
hLen = EVP_MD_get_size(Hash);
if (hLen < 0)
goto err;
@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
if (mgf1Hash == NULL)
mgf1Hash = Hash;
+#ifdef FIPS_MODULE
+ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
+ goto err;
+
+ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
+ goto err;
+#endif
+
hLen = EVP_MD_get_size(Hash);
if (hLen < 0)
goto err;
--
2.41.0

47
openssl-FIPS-RSA-encapsulate.patch Normal file
View File

@ -0,0 +1,47 @@
From afab56d09edb525dd794fcb2ae2295ab7f39400a Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:01:48 +0200
Subject: [PATCH 42/48] 0091-FIPS-RSA-encapsulate.patch
Patch-name: 0091-FIPS-RSA-encapsulate.patch
Patch-id: 91
---
providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index 365ae3d7d6..8a6f585d0b 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -265,6 +265,14 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
*secretlen = nlen;
return 1;
}
+
+#ifdef FIPS_MODULE
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+#endif
+
/*
* Step (2): Generate a random byte string z of nlen bytes where
* 1 < z < n - 1
@@ -308,6 +316,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
return 1;
}
+#ifdef FIPS_MODULE
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
+#endif
+
/* Step (2): check the input ciphertext 'inlen' matches the nlen */
if (inlen != nlen) {
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
--
2.41.0

296
openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch Normal file
View File

@ -0,0 +1,296 @@
From 4de5fa26873297f5c2eeed53e5c988437f837f55 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 13:53:31 +0100
Subject: [PATCH] signature: Remove X9.31 padding from FIPS prov
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
information in Appendix E:
> ANSI X9.31 was withdrawn, so X9.31 RSA signatures were removed from
> this standard.
Since this situation is unlikely to change in future revisions of the
draft, and future FIPS 140-3 validations of the provider will require
X9.31 to be disabled or marked as not approved with an explicit
indicator, disallow this padding mode now.
Remove the X9.31 tests from the acvp test, since they will always fail
now.
[1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
providers/implementations/signature/rsa_sig.c | 6 +
test/acvp_test.inc | 214 ------------------
2 files changed, 6 insertions(+), 214 deletions(-)
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
@@ -1250,7 +1250,13 @@ static int rsa_set_ctx_params(void *vprs
err_extra_text = "No padding not allowed with RSA-PSS";
goto cont;
case RSA_X931_PADDING:
+#ifndef FIPS_MODULE
err_extra_text = "X.931 padding not allowed with RSA-PSS";
+#else /* !defined(FIPS_MODULE) */
+ err_extra_text = "X.931 padding no longer allowed in FIPS mode,"
+ " since it was removed from FIPS 186-5";
+ goto bad_pad;
+#endif /* !defined(FIPS_MODULE) */
cont:
if (RSA_test_flags(prsactx->rsa,
RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
Index: openssl-3.1.4/test/acvp_test.inc
===================================================================
--- openssl-3.1.4.orig/test/acvp_test.inc
+++ openssl-3.1.4/test/acvp_test.inc
@@ -1214,13 +1214,6 @@ static const struct rsa_siggen_st rsa_si
NO_PSS_SALT_LEN,
},
{
- "x931",
- 2048,
- "SHA384",
- ITM(rsa_siggen0_msg),
- NO_PSS_SALT_LEN,
- },
- {
"pss",
2048,
"SHA384",
@@ -1631,202 +1624,6 @@ static const unsigned char rsa_sigverpss
0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b,
};
-static const unsigned char rsa_sigverx931_0_n[] = {
- 0xa0, 0x16, 0x14, 0x80, 0x8b, 0x17, 0x2b, 0xad,
- 0xd7, 0x07, 0x31, 0x6d, 0xfc, 0xba, 0x25, 0x83,
- 0x09, 0xa0, 0xf7, 0x71, 0xc6, 0x06, 0x22, 0x87,
- 0xd6, 0xbd, 0x13, 0xd9, 0xfe, 0x7c, 0xf7, 0xe6,
- 0x48, 0xdb, 0x27, 0xd8, 0xa5, 0x49, 0x8e, 0x8c,
- 0xea, 0xbe, 0xe0, 0x04, 0x6f, 0x3d, 0x3b, 0x73,
- 0xdc, 0xc5, 0xd4, 0xdc, 0x85, 0xef, 0xea, 0x10,
- 0x46, 0xf3, 0x88, 0xb9, 0x93, 0xbc, 0xa0, 0xb6,
- 0x06, 0x02, 0x82, 0xb4, 0x2d, 0x54, 0xec, 0x79,
- 0x50, 0x8a, 0xfc, 0xfa, 0x62, 0x45, 0xbb, 0xd7,
- 0x26, 0xcd, 0x88, 0xfa, 0xe8, 0x0f, 0x26, 0x5b,
- 0x1f, 0x21, 0x3f, 0x3b, 0x5d, 0x98, 0x3f, 0x02,
- 0x8c, 0xa1, 0xbf, 0xc0, 0x70, 0x4d, 0xd1, 0x41,
- 0xfd, 0xb9, 0x55, 0x12, 0x90, 0xc8, 0x6e, 0x0f,
- 0x19, 0xa8, 0x5c, 0x31, 0xd6, 0x16, 0x0e, 0xdf,
- 0x08, 0x84, 0xcd, 0x4b, 0xfd, 0x28, 0x8d, 0x7d,
- 0x6e, 0xea, 0xc7, 0x95, 0x4a, 0xc3, 0x84, 0x54,
- 0x7f, 0xb0, 0x20, 0x29, 0x96, 0x39, 0x4c, 0x3e,
- 0x85, 0xec, 0x22, 0xdd, 0xb9, 0x14, 0xbb, 0x04,
- 0x2f, 0x4c, 0x0c, 0xe3, 0xfa, 0xae, 0x47, 0x79,
- 0x59, 0x8e, 0x4e, 0x7d, 0x4a, 0x17, 0xae, 0x16,
- 0x38, 0x66, 0x4e, 0xff, 0x45, 0x7f, 0xac, 0x5e,
- 0x75, 0x9f, 0x51, 0x18, 0xe6, 0xad, 0x6b, 0x8b,
- 0x3d, 0x08, 0x4d, 0x9a, 0xd2, 0x11, 0xba, 0xa8,
- 0xc3, 0xb5, 0x17, 0xb5, 0xdf, 0xe7, 0x39, 0x89,
- 0x27, 0x7b, 0xeb, 0xf4, 0xe5, 0x7e, 0xa9, 0x7b,
- 0x39, 0x40, 0x6f, 0xe4, 0x82, 0x14, 0x3d, 0x62,
- 0xb6, 0xd4, 0x43, 0xd0, 0x0a, 0x2f, 0xc1, 0x73,
- 0x3d, 0x99, 0x37, 0xbe, 0x62, 0x13, 0x6a, 0x8b,
- 0xeb, 0xc5, 0x64, 0xd5, 0x2a, 0x8b, 0x4f, 0x7f,
- 0x82, 0x48, 0x69, 0x3e, 0x08, 0x1b, 0xb5, 0x77,
- 0xd3, 0xdc, 0x1b, 0x2c, 0xe5, 0x59, 0xf6, 0x33,
- 0x47, 0xa0, 0x0f, 0xff, 0x8a, 0x6a, 0x1d, 0x66,
- 0x24, 0x67, 0x36, 0x7d, 0x21, 0xda, 0xc1, 0xd4,
- 0x11, 0x6c, 0xe8, 0x5f, 0xd7, 0x8a, 0x53, 0x5c,
- 0xb2, 0xe2, 0xf9, 0x14, 0x29, 0x0f, 0xcf, 0x28,
- 0x32, 0x4f, 0xc6, 0x17, 0xf6, 0xbc, 0x0e, 0xb8,
- 0x99, 0x7c, 0x14, 0xa3, 0x40, 0x3f, 0xf3, 0xe4,
- 0x31, 0xbe, 0x54, 0x64, 0x5a, 0xad, 0x1d, 0xb0,
- 0x37, 0xcc, 0xd9, 0x0b, 0xa4, 0xbc, 0xe0, 0x07,
- 0x37, 0xd1, 0xe1, 0x65, 0xc6, 0x53, 0xfe, 0x60,
- 0x6a, 0x64, 0xa4, 0x01, 0x00, 0xf3, 0x5b, 0x9a,
- 0x28, 0x61, 0xde, 0x7a, 0xd7, 0x0d, 0x56, 0x1e,
- 0x4d, 0xa8, 0x6a, 0xb5, 0xf2, 0x86, 0x2a, 0x4e,
- 0xaa, 0x37, 0x23, 0x5a, 0x3b, 0x69, 0x66, 0x81,
- 0xc8, 0x8e, 0x1b, 0x31, 0x0f, 0x28, 0x31, 0x9a,
- 0x2d, 0xe5, 0x79, 0xcc, 0xa4, 0xca, 0x60, 0x45,
- 0xf7, 0x83, 0x73, 0x5a, 0x01, 0x29, 0xda, 0xf7,
-
-};
-static const unsigned char rsa_sigverx931_0_e[] = {
- 0x01, 0x00, 0x01,
-};
-static const unsigned char rsa_sigverx931_0_msg[] = {
- 0x82, 0x2e, 0x41, 0x70, 0x9d, 0x1f, 0xe9, 0x47,
- 0xec, 0xf1, 0x79, 0xcc, 0x05, 0xef, 0xdb, 0xcd,
- 0xca, 0x8b, 0x8e, 0x61, 0x45, 0xad, 0xa6, 0xd9,
- 0xd7, 0x4b, 0x15, 0xf4, 0x92, 0x3a, 0x2a, 0x52,
- 0xe3, 0x44, 0x57, 0x2b, 0x74, 0x7a, 0x37, 0x41,
- 0x50, 0xcb, 0xcf, 0x13, 0x49, 0xd6, 0x15, 0x54,
- 0x97, 0xfd, 0xae, 0x9b, 0xc1, 0xbb, 0xfc, 0x5c,
- 0xc1, 0x37, 0x58, 0x17, 0x63, 0x19, 0x9c, 0xcf,
- 0xee, 0x9c, 0xe5, 0xbe, 0x06, 0xe4, 0x97, 0x47,
- 0xd1, 0x93, 0xa1, 0x2c, 0x59, 0x97, 0x02, 0x01,
- 0x31, 0x45, 0x8c, 0xe1, 0x5c, 0xac, 0xe7, 0x5f,
- 0x6a, 0x23, 0xda, 0xbf, 0xe4, 0x25, 0xc6, 0x67,
- 0xea, 0x5f, 0x73, 0x90, 0x1b, 0x06, 0x0f, 0x41,
- 0xb5, 0x6e, 0x74, 0x7e, 0xfd, 0xd9, 0xaa, 0xbd,
- 0xe2, 0x8d, 0xad, 0x99, 0xdd, 0x29, 0x70, 0xca,
- 0x1b, 0x38, 0x21, 0x55, 0xde, 0x07, 0xaf, 0x00,
-
-};
-static const unsigned char rsa_sigverx931_0_sig[] = {
- 0x29, 0xa9, 0x3a, 0x8e, 0x9e, 0x90, 0x1b, 0xdb,
- 0xaf, 0x0b, 0x47, 0x5b, 0xb5, 0xc3, 0x8c, 0xc3,
- 0x70, 0xbe, 0x73, 0xf9, 0x65, 0x8e, 0xc6, 0x1e,
- 0x95, 0x0b, 0xdb, 0x24, 0x76, 0x79, 0xf1, 0x00,
- 0x71, 0xcd, 0xc5, 0x6a, 0x7b, 0xd2, 0x8b, 0x18,
- 0xc4, 0xdd, 0xf1, 0x2a, 0x31, 0x04, 0x3f, 0xfc,
- 0x36, 0x06, 0x20, 0x71, 0x3d, 0x62, 0xf2, 0xb5,
- 0x79, 0x0a, 0xd5, 0xd2, 0x81, 0xf1, 0xb1, 0x4f,
- 0x9a, 0x17, 0xe8, 0x67, 0x64, 0x48, 0x09, 0x75,
- 0xff, 0x2d, 0xee, 0x36, 0xca, 0xca, 0x1d, 0x74,
- 0x99, 0xbe, 0x5c, 0x94, 0x31, 0xcc, 0x12, 0xf4,
- 0x59, 0x7e, 0x17, 0x00, 0x4f, 0x7b, 0xa4, 0xb1,
- 0xda, 0xdb, 0x3e, 0xa4, 0x34, 0x10, 0x4a, 0x19,
- 0x0a, 0xd2, 0xa7, 0xa0, 0xc5, 0xe6, 0xef, 0x82,
- 0xd4, 0x2e, 0x21, 0xbe, 0x15, 0x73, 0xac, 0xef,
- 0x05, 0xdb, 0x6a, 0x8a, 0x1a, 0xcb, 0x8e, 0xa5,
- 0xee, 0xfb, 0x28, 0xbf, 0x96, 0xa4, 0x2b, 0xd2,
- 0x85, 0x2b, 0x20, 0xc3, 0xaf, 0x9a, 0x32, 0x04,
- 0xa0, 0x49, 0x24, 0x47, 0xd0, 0x09, 0xf7, 0xcf,
- 0x73, 0xb6, 0xf6, 0x70, 0xda, 0x3b, 0xf8, 0x5a,
- 0x28, 0x2e, 0x14, 0x6c, 0x52, 0xbd, 0x2a, 0x7c,
- 0x8e, 0xc1, 0xa8, 0x0e, 0xb1, 0x1e, 0x6b, 0x8d,
- 0x76, 0xea, 0x70, 0x81, 0xa0, 0x02, 0x63, 0x74,
- 0xbc, 0x7e, 0xb9, 0xac, 0x0e, 0x7b, 0x1b, 0x75,
- 0x82, 0xe2, 0x98, 0x4e, 0x24, 0x55, 0xd4, 0xbd,
- 0x14, 0xde, 0x58, 0x56, 0x3a, 0x5d, 0x4e, 0x57,
- 0x0d, 0x54, 0x74, 0xe8, 0x86, 0x8c, 0xcb, 0x07,
- 0x9f, 0x0b, 0xfb, 0xc2, 0x08, 0x5c, 0xd7, 0x05,
- 0x3b, 0xc8, 0xd2, 0x15, 0x68, 0x8f, 0x3d, 0x3c,
- 0x4e, 0x85, 0xa9, 0x25, 0x6f, 0xf5, 0x2e, 0xca,
- 0xca, 0xa8, 0x27, 0x89, 0x61, 0x4e, 0x1f, 0x57,
- 0x2d, 0x99, 0x10, 0x3f, 0xbc, 0x9e, 0x96, 0x5e,
- 0x2f, 0x0a, 0x25, 0xa7, 0x5c, 0xea, 0x65, 0x2a,
- 0x22, 0x35, 0xa3, 0xf9, 0x13, 0x89, 0x05, 0x2e,
- 0x19, 0x73, 0x1d, 0x70, 0x74, 0x98, 0x15, 0x4b,
- 0xab, 0x56, 0x52, 0xe0, 0x01, 0x42, 0x95, 0x6a,
- 0x46, 0x2c, 0x78, 0xff, 0x26, 0xbc, 0x48, 0x10,
- 0x38, 0x25, 0xab, 0x32, 0x7c, 0x79, 0x7c, 0x5d,
- 0x6f, 0x45, 0x54, 0x74, 0x2d, 0x93, 0x56, 0x52,
- 0x11, 0x34, 0x1e, 0xe3, 0x4b, 0x6a, 0x17, 0x4f,
- 0x37, 0x14, 0x75, 0xac, 0xa3, 0xa1, 0xca, 0xda,
- 0x38, 0x06, 0xa9, 0x78, 0xb9, 0x5d, 0xd0, 0x59,
- 0x1b, 0x5d, 0x1e, 0xc2, 0x0b, 0xfb, 0x39, 0x37,
- 0x44, 0x85, 0xb6, 0x36, 0x06, 0x95, 0xbc, 0x15,
- 0x35, 0xb9, 0xe6, 0x27, 0x42, 0xe3, 0xc8, 0xec,
- 0x30, 0x37, 0x20, 0x26, 0x9a, 0x11, 0x61, 0xc0,
- 0xdb, 0xb2, 0x5a, 0x26, 0x78, 0x27, 0xb9, 0x13,
- 0xc9, 0x1a, 0xa7, 0x67, 0x93, 0xe8, 0xbe, 0xcb,
-};
-
-#define rsa_sigverx931_1_n rsa_sigverx931_0_n
-#define rsa_sigverx931_1_e rsa_sigverx931_0_e
-static const unsigned char rsa_sigverx931_1_msg[] = {
- 0x79, 0x02, 0xb9, 0xd2, 0x3e, 0x84, 0x02, 0xc8,
- 0x2a, 0x94, 0x92, 0x14, 0x8d, 0xd5, 0xd3, 0x8d,
- 0xb2, 0xf6, 0x00, 0x8b, 0x61, 0x2c, 0xd2, 0xf9,
- 0xa8, 0xe0, 0x5d, 0xac, 0xdc, 0xa5, 0x34, 0xf3,
- 0xda, 0x6c, 0xd4, 0x70, 0x92, 0xfb, 0x40, 0x26,
- 0xc7, 0x9b, 0xe8, 0xd2, 0x10, 0x11, 0xcf, 0x7f,
- 0x23, 0xd0, 0xed, 0x55, 0x52, 0x6d, 0xd3, 0xb2,
- 0x56, 0x53, 0x8d, 0x7c, 0x4c, 0xb8, 0xcc, 0xb5,
- 0xfd, 0xd0, 0x45, 0x4f, 0x62, 0x40, 0x54, 0x42,
- 0x68, 0xd5, 0xe5, 0xdd, 0xf0, 0x76, 0x94, 0x59,
- 0x1a, 0x57, 0x13, 0xb4, 0xc3, 0x70, 0xcc, 0xbd,
- 0x4c, 0x2e, 0xc8, 0x6b, 0x9d, 0x68, 0xd0, 0x72,
- 0x6a, 0x94, 0xd2, 0x18, 0xb5, 0x3b, 0x86, 0x45,
- 0x95, 0xaa, 0x50, 0xda, 0x35, 0xeb, 0x69, 0x44,
- 0x1f, 0xf3, 0x3a, 0x51, 0xbb, 0x1d, 0x08, 0x42,
- 0x12, 0xd7, 0xd6, 0x21, 0xd8, 0x9b, 0x87, 0x55,
-};
-
-static const unsigned char rsa_sigverx931_1_sig[] = {
- 0x3b, 0xba, 0xb3, 0xb1, 0xb2, 0x6a, 0x29, 0xb5,
- 0xf9, 0x94, 0xf1, 0x00, 0x5c, 0x16, 0x67, 0x67,
- 0x73, 0xd3, 0xde, 0x7e, 0x07, 0xfa, 0xaa, 0x95,
- 0xeb, 0x5a, 0x55, 0xdc, 0xb2, 0xa9, 0x70, 0x5a,
- 0xee, 0x8f, 0x8d, 0x69, 0x85, 0x2b, 0x00, 0xe3,
- 0xdc, 0xe2, 0x73, 0x9b, 0x68, 0xeb, 0x93, 0x69,
- 0x08, 0x03, 0x17, 0xd6, 0x50, 0x21, 0x14, 0x23,
- 0x8c, 0xe6, 0x54, 0x3a, 0xd9, 0xfc, 0x8b, 0x14,
- 0x81, 0xb1, 0x8b, 0x9d, 0xd2, 0xbe, 0x58, 0x75,
- 0x94, 0x74, 0x93, 0xc9, 0xbb, 0x4e, 0xf6, 0x1f,
- 0x73, 0x7d, 0x1a, 0x5f, 0xbd, 0xbf, 0x59, 0x37,
- 0x5b, 0x98, 0x54, 0xad, 0x3a, 0xef, 0xa0, 0xef,
- 0xcb, 0xc3, 0xe8, 0x84, 0xd8, 0x3d, 0xf5, 0x60,
- 0xb8, 0xc3, 0x8d, 0x1e, 0x78, 0xa0, 0x91, 0x94,
- 0xb7, 0xd7, 0xb1, 0xd4, 0xe2, 0xee, 0x81, 0x93,
- 0xfc, 0x41, 0xf0, 0x31, 0xbb, 0x03, 0x52, 0xde,
- 0x80, 0x20, 0x3a, 0x68, 0xe6, 0xc5, 0x50, 0x1b,
- 0x08, 0x3f, 0x40, 0xde, 0xb3, 0xe5, 0x81, 0x99,
- 0x7f, 0xdb, 0xb6, 0x5d, 0x61, 0x27, 0xd4, 0xfb,
- 0xcd, 0xc5, 0x7a, 0xea, 0xde, 0x7a, 0x66, 0xef,
- 0x55, 0x3f, 0x85, 0xea, 0x84, 0xc5, 0x0a, 0xf6,
- 0x3c, 0x40, 0x38, 0xf7, 0x6c, 0x66, 0xe5, 0xbe,
- 0x61, 0x41, 0xd3, 0xb1, 0x08, 0xe1, 0xb4, 0xf9,
- 0x6e, 0xf6, 0x0e, 0x4a, 0x72, 0x6c, 0x61, 0x63,
- 0x3e, 0x41, 0x33, 0x94, 0xd6, 0x27, 0xa4, 0xd9,
- 0x3a, 0x20, 0x2b, 0x39, 0xea, 0xe5, 0x82, 0x48,
- 0xd6, 0x5b, 0x58, 0x85, 0x44, 0xb0, 0xd2, 0xfd,
- 0xfb, 0x3e, 0xeb, 0x78, 0xac, 0xbc, 0xba, 0x16,
- 0x92, 0x0e, 0x20, 0xc1, 0xb2, 0xd1, 0x92, 0xa8,
- 0x00, 0x88, 0xc0, 0x41, 0x46, 0x38, 0xb6, 0x54,
- 0x70, 0x0c, 0x00, 0x62, 0x97, 0x6a, 0x8e, 0x66,
- 0x5a, 0xa1, 0x6c, 0xf7, 0x6d, 0xc2, 0x27, 0x56,
- 0x60, 0x5b, 0x0c, 0x52, 0xac, 0x5c, 0xae, 0x99,
- 0x55, 0x11, 0x62, 0x52, 0x09, 0x48, 0x53, 0x90,
- 0x3c, 0x0b, 0xd4, 0xdc, 0x7b, 0xe3, 0x4c, 0xe3,
- 0xa8, 0x6d, 0xc5, 0xdf, 0xc1, 0x5c, 0x59, 0x25,
- 0x99, 0x30, 0xde, 0x57, 0x6a, 0x84, 0x25, 0x34,
- 0x3e, 0x64, 0x11, 0xdb, 0x7a, 0x82, 0x8e, 0x70,
- 0xd2, 0x5c, 0x0e, 0x81, 0xa0, 0x24, 0x53, 0x75,
- 0x98, 0xd6, 0x10, 0x01, 0x6a, 0x14, 0xed, 0xc3,
- 0x6f, 0xc4, 0x18, 0xb8, 0xd2, 0x9f, 0x59, 0x53,
- 0x81, 0x3a, 0x86, 0x31, 0xfc, 0x9e, 0xbf, 0x6c,
- 0x52, 0x93, 0x86, 0x9c, 0xaa, 0x6c, 0x6f, 0x07,
- 0x8a, 0x40, 0x33, 0x64, 0xb2, 0x70, 0x48, 0x85,
- 0x05, 0x59, 0x65, 0x2d, 0x6b, 0x9a, 0xad, 0xab,
- 0x20, 0x7e, 0x02, 0x6d, 0xde, 0xcf, 0x22, 0x0b,
- 0xea, 0x6e, 0xbd, 0x1c, 0x39, 0x3a, 0xfd, 0xa4,
- 0xde, 0x54, 0xae, 0xde, 0x5e, 0xf7, 0xb0, 0x6d,
-};
-
static const struct rsa_sigver_st rsa_sigver_data[] = {
{
"pkcs1", /* pkcs1v1.5 */
@@ -1850,28 +1647,6 @@ static const struct rsa_sigver_st rsa_si
NO_PSS_SALT_LEN,
FAIL
},
- {
- "x931",
- 3072,
- "SHA1",
- ITM(rsa_sigverx931_0_msg),
- ITM(rsa_sigverx931_0_n),
- ITM(rsa_sigverx931_0_e),
- ITM(rsa_sigverx931_0_sig),
- NO_PSS_SALT_LEN,
- PASS
- },
- {
- "x931",
- 3072,
- "SHA256",
- ITM(rsa_sigverx931_1_msg),
- ITM(rsa_sigverx931_1_n),
- ITM(rsa_sigverx931_1_e),
- ITM(rsa_sigverx931_1_sig),
- NO_PSS_SALT_LEN,
- FAIL
- },
{
"pss",
4096,

378
openssl-FIPS-Use-FFDHE2048-in-self-test.patch Normal file
View File

@ -0,0 +1,378 @@
From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 22 Jul 2022 17:51:16 +0200
Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
providers/fips/self_test_data.inc | 342 +++++++++++++++---------------
1 file changed, 172 insertions(+), 170 deletions(-)
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index a29cc650b5..1b5623833f 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
#ifndef OPENSSL_NO_DH
/* DH KAT */
+/* RFC7919 FFDHE2048 p */
static const unsigned char dh_p[] = {
- 0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25,
- 0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0,
- 0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66,
- 0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b,
- 0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe,
- 0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce,
- 0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d,
- 0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d,
- 0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde,
- 0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb,
- 0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17,
- 0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0,
- 0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97,
- 0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9,
- 0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7,
- 0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1,
- 0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d,
- 0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82,
- 0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4,
- 0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c,
- 0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b,
- 0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50,
- 0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31,
- 0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44,
- 0xb9, 0x46, 0xfe, 0x9d, 0xf6, 0x77, 0xa0, 0xc5,
- 0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80,
- 0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12,
- 0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94,
- 0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7,
- 0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1,
- 0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d,
- 0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69
-};
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a,
+ 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95,
+ 0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb,
+ 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8,
+ 0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a,
+ 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0,
+ 0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3,
+ 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77,
+ 0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72,
+ 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a,
+ 0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61,
+ 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68,
+ 0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4,
+ 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70,
+ 0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec,
+ 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff,
+ 0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83,
+ 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05,
+ 0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2,
+ 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+/* RFC7919 FFDHE2048 q */
static const unsigned char dh_q[] = {
- 0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e,
- 0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83,
- 0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea,
- 0x11, 0xac, 0xb5, 0x7d
-};
+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d,
+ 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a,
+ 0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd,
+ 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec,
+ 0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd,
+ 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68,
+ 0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79,
+ 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb,
+ 0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39,
+ 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd,
+ 0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0,
+ 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34,
+ 0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa,
+ 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8,
+ 0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76,
+ 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff,
+ 0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1,
+ 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02,
+ 0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9,
+ 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+/* RFC7919 FFDHE2048 g */
static const unsigned char dh_g[] = {
- 0x5e, 0xf7, 0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39,
- 0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f,
- 0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0,
- 0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f,
- 0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f,
- 0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a,
- 0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4,
- 0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c,
- 0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20,
- 0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25,
- 0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53,
- 0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9,
- 0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc,
- 0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9,
- 0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43,
- 0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86,
- 0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16,
- 0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40,
- 0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23,
- 0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa,
- 0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6,
- 0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2,
- 0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61,
- 0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a,
- 0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef,
- 0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f,
- 0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3,
- 0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a,
- 0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4,
- 0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74,
- 0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4,
- 0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32
+ 0x02
};
static const unsigned char dh_priv[] = {
- 0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a,
- 0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70,
- 0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15,
- 0x40, 0xb8, 0xfc, 0xe6
+ 0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f,
+ 0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d,
+ 0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 0x8d,
+ 0x6c, 0xdc, 0x5d, 0x6e, 0x94
};
static const unsigned char dh_pub[] = {
- 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04,
- 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69,
- 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59,
- 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b,
- 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c,
- 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21,
- 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06,
- 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb,
- 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2,
- 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0,
- 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83,
- 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90,
- 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2,
- 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7,
- 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0,
- 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88,
- 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb,
- 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a,
- 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97,
- 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d,
- 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf,
- 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e,
- 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f,
- 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d,
- 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1,
- 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c,
- 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47,
- 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e,
- 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f,
- 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9,
- 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c,
- 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3
+ 0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05,
+ 0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f,
+ 0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43,
+ 0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23,
+ 0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a,
+ 0x1a, 0x03, 0x9e, 0x5f, 0xd1, 0x4e, 0xa0, 0x0b,
+ 0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c,
+ 0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63,
+ 0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38,
+ 0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6,
+ 0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a,
+ 0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94,
+ 0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92,
+ 0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44,
+ 0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53,
+ 0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13,
+ 0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30,
+ 0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b,
+ 0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01,
+ 0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d,
+ 0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18,
+ 0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81,
+ 0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f,
+ 0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7,
+ 0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39,
+ 0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed,
+ 0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71,
+ 0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce,
+ 0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04,
+ 0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69,
+ 0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed,
+ 0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2,
+ 0x32
};
static const unsigned char dh_peer_pub[] = {
- 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a,
- 0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d,
- 0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58,
- 0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32,
- 0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb,
- 0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0,
- 0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0,
- 0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc,
- 0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1,
- 0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e,
- 0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97,
- 0x70, 0x42, 0xc7, 0xe3, 0xd0, 0x44, 0x8f, 0x05,
- 0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3,
- 0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f,
- 0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7,
- 0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1,
- 0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96,
- 0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf,
- 0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22,
- 0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98,
- 0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42,
- 0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c,
- 0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde,
- 0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20,
- 0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22,
- 0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3,
- 0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3,
- 0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2,
- 0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00,
- 0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51,
- 0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f,
- 0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b
+ 0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79,
+ 0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda,
+ 0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29,
+ 0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84,
+ 0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57,
+ 0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5,
+ 0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68,
+ 0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c,
+ 0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6,
+ 0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20,
+ 0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d,
+ 0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3,
+ 0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a,
+ 0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77,
+ 0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73,
+ 0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53,
+ 0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1,
+ 0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05,
+ 0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 0x59, 0x7a,
+ 0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5,
+ 0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9,
+ 0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91,
+ 0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31,
+ 0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f,
+ 0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4,
+ 0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e,
+ 0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59,
+ 0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84,
+ 0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a,
+ 0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd,
+ 0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2,
+ 0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87,
+ 0x64
};
static const unsigned char dh_secret_expected[] = {
- 0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a,
- 0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a,
- 0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c,
- 0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe,
- 0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2,
- 0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21,
- 0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53,
- 0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd,
- 0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87,
- 0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4,
- 0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d,
- 0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd,
- 0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33,
- 0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe,
- 0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a,
- 0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73,
- 0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad,
- 0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0,
- 0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79,
- 0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9,
- 0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2,
- 0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6,
- 0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae,
- 0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57,
- 0x0f, 0x18, 0xc8, 0x1f, 0x2b, 0xe5, 0xd0, 0x1a,
- 0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63,
- 0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9,
- 0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86,
- 0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5,
- 0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00,
- 0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52,
- 0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6
+ 0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5,
+ 0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5,
+ 0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93,
+ 0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5,
+ 0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e,
+ 0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39,
+ 0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04,
+ 0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d,
+ 0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c,
+ 0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47,
+ 0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae,
+ 0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08,
+ 0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19,
+ 0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8,
+ 0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f,
+ 0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e,
+ 0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2,
+ 0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d,
+ 0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4,
+ 0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4,
+ 0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66,
+ 0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46,
+ 0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0,
+ 0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70,
+ 0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c,
+ 0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f,
+ 0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25,
+ 0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc,
+ 0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02,
+ 0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04,
+ 0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1,
+ 0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 0x0c, 0x89
};
static const ST_KAT_PARAM dh_group[] = {
--
2.35.3

350
openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch Normal file
View File

@ -0,0 +1,350 @@
From abeda0b0475adb0d4f89b0c97cfc349779915bbf Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 29/35]
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
Patch-id: 73
Patch-status: |
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/rsa/rsa_local.h | 8 ++
crypto/rsa/rsa_oaep.c | 34 ++++++--
include/openssl/core_names.h | 3 +
providers/fips/self_test_data.inc | 79 ++++++++++---------
providers/fips/self_test_kats.c | 7 ++
.../implementations/asymciphers/rsa_enc.c | 41 +++++++++-
6 files changed, 128 insertions(+), 44 deletions(-)
diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
index ea70da05ad..dde57a1a0e 100644
--- a/crypto/rsa/rsa_local.h
+++ b/crypto/rsa/rsa_local.h
@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to
int tlen, const unsigned char *from,
int flen);
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
+ unsigned char *to, int tlen,
+ const unsigned char *from, int flen,
+ const unsigned char *param,
+ int plen, const EVP_MD *md,
+ const EVP_MD *mgf1md,
+ const char *suse_st_seed);
+
#endif /* OSSL_CRYPTO_RSA_LOCAL_H */
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index d9be1a4f98..b2f7f7dc4b 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
param, plen, NULL, NULL);
}
+#ifdef FIPS_MODULE
+extern int SUSE_FIPS_asym_cipher_st;
+#endif /* FIPS_MODULE */
+
/*
* Perform the padding as per NIST 800-56B 7.2.2.3
* from (K) is the key material.
@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
* Step numbers are included here but not in the constant time inverse below
* to avoid complicating an already difficult enough function.
*/
-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
- unsigned char *to, int tlen,
- const unsigned char *from, int flen,
- const unsigned char *param,
- int plen, const EVP_MD *md,
- const EVP_MD *mgf1md)
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
+ unsigned char *to, int tlen,
+ const unsigned char *from, int flen,
+ const unsigned char *param,
+ int plen, const EVP_MD *md,
+ const EVP_MD *mgf1md,
+ const char *suse_st_seed)
{
int rv = 0;
int i, emlen = tlen - 1;
@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
db[emlen - flen - mdlen - 1] = 0x01;
memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
/* step 3d: generate random byte string */
+#ifdef FIPS_MODULE
+ if (suse_st_seed != NULL && SUSE_FIPS_asym_cipher_st) {
+ memcpy(seed, suse_st_seed, mdlen);
+ } else
+#endif
if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
goto err;
@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
return rv;
}
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+ unsigned char *to, int tlen,
+ const unsigned char *from, int flen,
+ const unsigned char *param,
+ int plen, const EVP_MD *md,
+ const EVP_MD *mgf1md)
+{
+ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from,
+ flen, param, plen, md,
+ mgf1md, NULL);
+}
+
int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
const unsigned char *from, int flen,
const unsigned char *param, int plen,
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 5e3c132f5b..c0cce14297 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -471,6 +471,9 @@ extern "C" {
#define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"
#define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"
#define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"
+#ifdef FIPS_MODULE
+#define OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED "suse-kat-oaep-seed"
+#endif
/*
* Encoder / decoder parameters
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index e0fdc0daa4..aa2012c04a 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
};
/*-
- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the
+ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the
* ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
* HP/UX PA-RISC compilers.
*/
-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
+static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP;
+static const char oaep_fixed_seed[] = {
+ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25,
+ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab,
+ 0x2e, 0x4b, 0x2c, 0xe6
+};
static const ST_KAT_PARAM rsa_enc_params[] = {
- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none),
+ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep),
+ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED,
+ oaep_fixed_seed),
ST_KAT_PARAM_END()
};
@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = {
0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6
};
-static const unsigned char rsa_asym_plaintext_encrypt[256] = {
+static const unsigned char rsa_asym_plaintext_encrypt[208] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
};
static const unsigned char rsa_asym_expected_encrypt[256] = {
- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b,
- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61,
- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c,
- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc,
- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0,
- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa,
- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a,
- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc,
- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35,
- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a,
- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd,
- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda,
- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18,
- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7,
- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39,
- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87,
- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21,
- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0,
- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8,
- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c,
- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa,
- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69,
- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52,
- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c,
- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6,
- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93,
- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d,
- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5,
- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9,
- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04,
- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa,
- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab,
+ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74,
+ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c,
+ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e,
+ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b,
+ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25,
+ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89,
+ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1,
+ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50,
+ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17,
+ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2,
+ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb,
+ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d,
+ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e,
+ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f,
+ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3,
+ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06,
+ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25,
+ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78,
+ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04,
+ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c,
+ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47,
+ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce,
+ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0,
+ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6,
+ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99,
+ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30,
+ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20,
+ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb,
+ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27,
+ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66,
+ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a,
+ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06
};
#ifndef OPENSSL_NO_EC
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 74ee25dcb6..a9bc8be7fa 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -641,14 +641,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
return ret;
}
+int SUSE_FIPS_asym_cipher_st = 0;
+
static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
{
int i, ret = 1;
+ SUSE_FIPS_asym_cipher_st = 1;
+
for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
ret = 0;
}
+
+ SUSE_FIPS_asym_cipher_st = 0;
+
return ret;
}
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 9cd8904131..40de5ce8fa 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -30,6 +30,9 @@
#include "prov/implementations.h"
#include "prov/providercommon.h"
#include "prov/securitycheck.h"
+#ifdef FIPS_MODULE
+# include "crypto/rsa/rsa_local.h"
+#endif
#include <stdlib.h>
@@ -75,6 +78,9 @@ typedef struct {
/* TLS padding */
unsigned int client_version;
unsigned int alt_version;
+#ifdef FIPS_MODULE
+ char *suse_st_oaep_seed;
+#endif /* FIPS_MODULE */
} PROV_RSA_CTX;
static void *rsa_newctx(void *provctx)
@@ -192,12 +198,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
}
}
ret =
- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,
+#ifdef FIPS_MODULE
+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(
+#else
+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(
+#endif
+ prsactx->libctx, tbuf,
rsasize, in, inlen,
prsactx->oaep_label,
prsactx->oaep_labellen,
prsactx->oaep_md,
- prsactx->mgf1_md);
+ prsactx->mgf1_md
+#ifdef FIPS_MODULE
+ , prsactx->suse_st_oaep_seed
+#endif
+ );
if (!ret) {
OPENSSL_free(tbuf);
@@ -328,6 +343,9 @@ static void rsa_freectx(void *vprsactx)
EVP_MD_free(prsactx->oaep_md);
EVP_MD_free(prsactx->mgf1_md);
OPENSSL_free(prsactx->oaep_label);
+#ifdef FIPS_MODULE
+ OPENSSL_free(prsactx->suse_st_oaep_seed);
+#endif /* FIPS_MODULE */
OPENSSL_free(prsactx);
}
@@ -447,6 +465,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
NULL, 0),
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED, NULL, 0),
+#endif /* FIPS_MODULE */
OSSL_PARAM_END
};
@@ -456,6 +477,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
return known_gettable_ctx_params;
}
+#ifdef FIPS_MODULE
+extern int SUSE_FIPS_asym_cipher_st;
+#endif /* FIPS_MODULE */
+
static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
@@ -567,6 +592,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
prsactx->oaep_labellen = tmp_labellen;
}
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED);
+ if (p != NULL && SUSE_FIPS_asym_cipher_st) {
+ void *tmp_oaep_seed = NULL;
+
+ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL))
+ return 0;
+ OPENSSL_free(prsactx->suse_st_oaep_seed);
+ prsactx->suse_st_oaep_seed = (char *)tmp_oaep_seed;
+ }
+#endif /* FIPS_MODULE */
+
p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
if (p != NULL) {
unsigned int client_version;
--
2.41.0

309
openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch Normal file
View File

@ -0,0 +1,309 @@
From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 15 Jul 2022 17:45:40 +0200
Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test
In review for FIPS 140-3, the lack of a self-test for the digest_sign
and digest_verify provider functions was highlighted as a problem. NIST
no longer provides ACVP tests for the RSA SigVer primitive (see
https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3
recommends the use of functions that compute the digest and signature
within the module, we have been advised in our module review that the
self tests should also use the combined digest and signature APIs, i.e.
the digest_sign and digest_verify provider functions.
Modify the signature self-test to use these instead by switching to
EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to
crypto/evp/m_sigver.c to make these functions usable in the FIPS module.
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------
providers/fips/self_test_kats.c | 37 +++++++++++++++-------------
2 files changed, 56 insertions(+), 24 deletions(-)
Index: openssl-3.1.4/crypto/evp/m_sigver.c
===================================================================
--- openssl-3.1.4.orig/crypto/evp/m_sigver.c
+++ openssl-3.1.4/crypto/evp/m_sigver.c
@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const
ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
return 0;
}
+#endif /* !defined(FIPS_MODULE) */
/*
* If we get the "NULL" md then the name comes back as "UNDEF". We want to use
@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
reinit = 0;
if (e == NULL)
ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
+#ifndef FIPS_MODULE
else
ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
+#endif /* !defined(FIPS_MODULE) */
}
if (ctx->pctx == NULL)
return 0;
@@ -134,8 +137,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
locpctx = ctx->pctx;
ERR_set_mark();
+#ifndef FIPS_MODULE
if (evp_pkey_ctx_is_legacy(locpctx))
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
/* do not reinitialize if pkey is set or operation is different */
if (reinit
@@ -220,8 +225,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
signature =
evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
supported_sig, locpctx->propquery);
+#ifndef FIPS_MODULE
if (signature == NULL)
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
break;
}
if (signature == NULL)
@@ -305,6 +312,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
if (ctx->fetched_digest != NULL) {
ctx->digest = ctx->reqdigest = ctx->fetched_digest;
+#ifndef FIPS_MODULE
} else {
/* legacy engine support : remove the mark when this is deleted */
ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
@@ -313,11 +321,13 @@ static int do_sigver_init(EVP_MD_CTX *ct
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
goto err;
}
+#endif /* !defined(FIPS_MODULE) */
}
(void)ERR_pop_to_mark();
}
}
+#ifndef FIPS_MODULE
if (ctx->reqdigest != NULL
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
@@ -329,6 +339,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
goto err;
}
}
+#endif /* !defined(FIPS_MODULE) */
if (ver) {
if (signature->digest_verify_init == NULL) {
@@ -361,6 +372,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
EVP_KEYMGMT_free(tmp_keymgmt);
return 0;
+#ifndef FIPS_MODULE
legacy:
/*
* If we don't have the full support we need with provided methods,
@@ -432,6 +444,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
ctx->pctx->flag_call_digest_custom = 1;
ret = 1;
+#endif /* !defined(FIPS_MODULE) */
end:
#ifndef FIPS_MODULE
@@ -474,7 +487,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
NULL);
}
-#endif /* FIPS_MDOE */
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
{
@@ -536,23 +548,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c
return EVP_DigestUpdate(ctx, data, dsize);
}
-#ifndef FIPS_MODULE
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
size_t *siglen)
{
- int sctx = 0, r = 0;
- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
+ int r = 0;
+#ifndef FIPS_MODULE
+ int sctx = 0;
+ EVP_PKEY_CTX *dctx;
+#endif /* !defined(FIPS_MODULE) */
+ EVP_PKEY_CTX *pctx = ctx->pctx;
+#ifndef FIPS_MODULE
if (pctx == NULL
|| pctx->operation != EVP_PKEY_OP_SIGNCTX
|| pctx->op.sig.algctx == NULL
|| pctx->op.sig.signature == NULL)
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
sigret, siglen,
sigret == NULL ? 0 : *siglen);
+#ifndef FIPS_MODULE
dctx = EVP_PKEY_CTX_dup(pctx);
if (dctx == NULL)
return 0;
@@ -561,8 +579,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
sigret, siglen,
*siglen);
EVP_PKEY_CTX_free(dctx);
+#endif /* defined(FIPS_MODULE) */
return r;
+#ifndef FIPS_MODULE
legacy:
if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -634,6 +654,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
}
}
return 1;
+#endif /* !defined(FIPS_MODULE) */
}
int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
@@ -664,21 +685,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
size_t siglen)
{
- unsigned char md[EVP_MAX_MD_SIZE];
int r = 0;
+#ifndef FIPS_MODULE
+ unsigned char md[EVP_MAX_MD_SIZE];
unsigned int mdlen = 0;
int vctx = 0;
- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
+ EVP_PKEY_CTX *dctx;
+#endif /* !defined(FIPS_MODULE) */
+ EVP_PKEY_CTX *pctx = ctx->pctx;
+#ifndef FIPS_MODULE
if (pctx == NULL
|| pctx->operation != EVP_PKEY_OP_VERIFYCTX
|| pctx->op.sig.algctx == NULL
|| pctx->op.sig.signature == NULL)
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
sig, siglen);
+#ifndef FIPS_MODULE
dctx = EVP_PKEY_CTX_dup(pctx);
if (dctx == NULL)
return 0;
@@ -686,8 +713,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx,
sig, siglen);
EVP_PKEY_CTX_free(dctx);
+#endif /* !defined(FIPS_MODULE) */
return r;
+#ifndef FIPS_MODULE
legacy:
if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -727,6 +756,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
if (vctx || !r)
return r;
return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
+#endif /* !defined(FIPS_MODULE) */
}
int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
@@ -752,4 +782,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, co
return -1;
return EVP_DigestVerifyFinal(ctx, sigret, siglen);
}
-#endif /* FIPS_MODULE */
Index: openssl-3.1.4/providers/fips/self_test_kats.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/self_test_kats.c
+++ openssl-3.1.4/providers/fips/self_test_kats.c
@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_S
int ret = 0;
OSSL_PARAM *params = NULL, *params_sig = NULL;
OSSL_PARAM_BLD *bld = NULL;
+ EVP_MD *md = NULL;
+ EVP_MD_CTX *ctx = NULL;
EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
EVP_PKEY *pkey = NULL;
- unsigned char sig[256];
BN_CTX *bnctx = NULL;
+ const char *msg = "Hello World!";
+ unsigned char sig[256];
size_t siglen = sizeof(sig);
static const unsigned char dgst[] = {
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_S
|| EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
goto err;
- /* Create a EVP_PKEY_CTX to use for the signing operation */
- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
- if (sctx == NULL
- || EVP_PKEY_sign_init(sctx) <= 0)
- goto err;
-
- /* set signature parameters */
- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
- t->mdalgorithm,
- strlen(t->mdalgorithm) + 1))
- goto err;
+ /* Create a EVP_MD_CTX to use for the signature operation, assign signature
+ * parameters and sign */
params_sig = OSSL_PARAM_BLD_to_param(bld);
- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
+ md = EVP_MD_fetch(libctx, "SHA256", NULL);
+ ctx = EVP_MD_CTX_new();
+ if (md == NULL || ctx == NULL)
+ goto err;
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
+ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
+ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
+ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
+ || EVP_MD_CTX_reset(ctx) <= 0)
goto err;
- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
- || EVP_PKEY_verify_init(sctx) <= 0
+ /* sctx is not freed automatically inside the FIPS module */
+ EVP_PKEY_CTX_free(sctx);
+ sctx = NULL;
+
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
+ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
|| EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
goto err;
@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_S
goto err;
OSSL_SELF_TEST_oncorrupt_byte(st, sig);
- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
+ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
goto err;
ret = 1;
err:
BN_CTX_free(bnctx);
EVP_PKEY_free(pkey);
- EVP_PKEY_CTX_free(kctx);
+ EVP_MD_free(md);
+ EVP_MD_CTX_free(ctx);
+ /* sctx is not freed automatically inside the FIPS module */
EVP_PKEY_CTX_free(sctx);
+ EVP_PKEY_CTX_free(kctx);
OSSL_PARAM_free(params);
OSSL_PARAM_free(params_sig);
OSSL_PARAM_BLD_free(bld);

40
openssl-FIPS-early-KATS.patch Normal file
View File

@ -0,0 +1,40 @@
Index: openssl-3.1.4/providers/fips/self_test.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/self_test.c
+++ openssl-3.1.4/providers/fips/self_test.c
@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
if (ev == NULL)
goto end;
+ /*
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
+ */
+ if (kats_already_passed == 0) {
+ if (!SELF_TEST_kats(ev, st->libctx)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+ goto end;
+ }
+ }
+
module_checksum = fips_hmac_container;
checksum_len = sizeof(fips_hmac_container);
@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
}
}
- /*
- * Only runs the KAT's during installation OR on_demand().
- * NOTE: If the installation option 'self_test_onload' is chosen then this
- * path will always be run, since kats_already_passed will always be 0.
- */
- if (on_demand_test || kats_already_passed == 0) {
- if (!SELF_TEST_kats(ev, st->libctx)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
- goto end;
- }
- }
-
/* Verify that the RNG has been restored properly */
rng = ossl_rand_get0_private_noncreating(st->libctx);
if (rng != NULL)

250
openssl-FIPS-embed-hmac.patch Normal file
View File

@ -0,0 +1,250 @@
From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 19 Oct 2023 13:12:40 +0200
Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch
Patch-name: 0033-FIPS-embed-hmac.patch
Patch-id: 33
Patch-status: |
# # Embed HMAC into the fips.so
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
---
providers/fips/self_test.c | 70 ++++++++++++++++++++++++---
test/fipsmodule.cnf | 2 +
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
test/recipes/03-test_fipsinstall.t | 2 +-
test/recipes/30-test_defltfips.t | 2 +-
test/recipes/80-test_ssl_new.t | 2 +-
test/recipes/90-test_sslapi.t | 2 +-
8 files changed, 71 insertions(+), 13 deletions(-)
create mode 100644 test/fipsmodule.cnf
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index b8dc9817b2..e3a629018a 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -230,11 +230,27 @@ err:
return ok;
}
+#define HMAC_LEN 32
+/*
+ * The __attribute__ ensures we've created the .rodata1 section
+ * static ensures it's zero filled
+*/
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
+
/*
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
* the result matches the expected value.
* Return 1 if verified, or 0 if it fails.
*/
+#ifndef __USE_GNU
+#define __USE_GNU
+#include <dlfcn.h>
+#undef __USE_GNU
+#else
+#include <dlfcn.h>
+#endif
+#include <link.h>
+
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
unsigned char *expected, size_t expected_len,
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
EVP_MAC *mac = NULL;
EVP_MAC_CTX *ctx = NULL;
OSSL_PARAM params[2], *p = params;
+ Dl_info info;
+ void *extra_info = NULL;
+ struct link_map *lm = NULL;
+ unsigned long paddr;
+ unsigned long off = 0;
if (!integrity_self_test(ev, libctx))
goto err;
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+ if (!dladdr1 ((const void *)fips_hmac_container,
+ &info, &extra_info, RTLD_DL_LINKMAP))
+ goto err;
+ lm = extra_info;
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
+
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
if (mac == NULL)
goto err;
@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
goto err;
- while (1) {
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
+ int delta = paddr - off;
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+ memset(buf, 0, HMAC_LEN);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ while (bytes_read > 0) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
if (status != 1)
break;
if (!EVP_MAC_update(ctx, buf, bytes_read))
goto err;
+ off += bytes_read;
}
+
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
goto err;
@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
goto err;
ret = 1;
err:
+ OPENSSL_cleanse(out, sizeof(out));
OSSL_SELF_TEST_onend(ev, ret);
EVP_MAC_CTX_free(ctx);
EVP_MAC_free(mac);
@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
return 0;
}
- if (st == NULL
- || st->module_checksum_data == NULL) {
+ if (st == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
}
@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
- &checksum_len);
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
+
if (module_checksum == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
goto end;
@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
end:
EVP_RAND_free(testrand);
OSSL_SELF_TEST_free(ev);
- OPENSSL_free(module_checksum);
OPENSSL_free(indicator_checksum);
if (st != NULL) {
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
new file mode 100644
index 0000000000..f05d0dedbe
--- /dev/null
+++ b/test/fipsmodule.cnf
@@ -0,0 +1,2 @@
+[fips_sect]
+activate = 1
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
index 4e3a6d85e8..e8255ba974 100644
--- a/test/recipes/00-prep_fipsmodule_cnf.t
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "FIPS module config file only supported in a fips build"
if $no_check;
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
index ce594817d5..00cebacff8 100644
--- a/test/recipes/01-test_fipsmodule_cnf.t
+++ b/test/recipes/01-test_fipsmodule_cnf.t
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-my $no_check = disabled("fips");
+my $no_check = 1;
plan skip_all => "Test only supported in a fips build"
if $no_check;
plan tests => 1;
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index b8b136d110..8242f4ebc3 100644
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
+plan skip_all => "Test only supported in a fips build" if 1;
# Compatible options for pedantic FIPS compliance
my @pedantic_okay =
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
index c8f145405b..56a2ec5dc4 100644
--- a/test/recipes/30-test_defltfips.t
+++ b/test/recipes/30-test_defltfips.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
plan skip_all => "Configuration loading is turned off"
if disabled("autoload-config");
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
plan tests =>
($no_fips ? 1 : 5);
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 0c6d6402d9..e45f9cb560 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -27,7 +27,7 @@ setup("test_ssl_new");
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index 9e9e32b51e..1a1a7159b5 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -17,7 +17,7 @@ setup("test_sslapi");
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
my $fipsmodcfg_filename = "fipsmodule.cnf";
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
--
2.41.0

227
openssl-FIPS-enforce-EMS-support.patch Normal file
View File

@ -0,0 +1,227 @@
From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:40:56 +0200
Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch
Patch-name: 0114-FIPS-enforce-EMS-support.patch
Patch-id: 114
Patch-status: |
# We believe that some changes present in CentOS are not necessary
# because ustream has a check for FIPS version
---
doc/man3/SSL_CONF_cmd.pod | 3 +++
doc/man5/fips_config.pod | 13 +++++++++++
include/openssl/fips_names.h | 8 +++++++
include/openssl/ssl.h.in | 1 +
providers/fips/fipsprov.c | 2 +-
providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++
ssl/ssl_conf.c | 1 +
ssl/statem/extensions_srvr.c | 8 ++++++-
ssl/t1_enc.c | 11 ++++++++--
.../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++
test/sslapitest.c | 2 +-
11 files changed, 76 insertions(+), 5 deletions(-)
Index: openssl-3.1.4/doc/man3/SSL_CONF_cmd.pod
===================================================================
--- openssl-3.1.4.orig/doc/man3/SSL_CONF_cmd.pod
+++ openssl-3.1.4/doc/man3/SSL_CONF_cmd.pod
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended ma
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
+B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
+This is a downstream specific option, and normally it should be set up via crypto-policies.
+
B<CANames>: use CA names extension, enabled by
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
Index: openssl-3.1.4/doc/man5/fips_config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/fips_config.pod
+++ openssl-3.1.4/doc/man5/fips_config.pod
@@ -15,6 +15,19 @@ See the documentation for more informati
This functionality was added in OpenSSL 3.0.
+SUSE Linux Enterprise uses a supplementary downstream config for FIPS module located
+in OpenSSL configuration directory and managed by crypto-policies. If present, it
+should have the following format:
+
+ [fips_sect]
+ tls1-prf-ems-check = 0
+ activate = 1
+
+The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
+presence of extended master secret or not.
+
+The B<activate> option enforces FIPS provider activation.
+
=head1 COPYRIGHT
Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
Index: openssl-3.1.4/include/openssl/fips_names.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/fips_names.h
+++ openssl-3.1.4/include/openssl/fips_names.h
@@ -70,6 +70,14 @@ extern "C" {
*/
# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md"
+/*
+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
+ * This is disabled by default.
+ *
+ * Type: OSSL_PARAM_UTF8_STRING
+ */
+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
+
# ifdef __cplusplus
}
# endif
Index: openssl-3.1.4/include/openssl/ssl.h.in
===================================================================
--- openssl-3.1.4.orig/include/openssl/ssl.h.in
+++ openssl-3.1.4/include/openssl/ssl.h.in
@@ -420,6 +420,7 @@ typedef int (*SSL_async_callback_fn)(SSL
* interoperability with CryptoPro CSP 3.x
*/
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
+# define SSL_OP_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
/*
* Option "collections."
Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L
if (fgbl == NULL)
return NULL;
init_fips_option(&fgbl->fips_security_checks, 1);
- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
+ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
return fgbl;
}
Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/tls1_prf.c
+++ openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c
@@ -222,6 +222,27 @@ static int kdf_tls1_prf_derive(void *vct
}
}
+ /*
+ * The seed buffer is prepended with a label.
+ * If EMS mode is enforced then the label "master secret" is not allowed,
+ * We do the check this way since the PRF is used for other purposes, as well
+ * as "extended master secret".
+ */
+#ifdef FIPS_MODULE
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+#endif /* defined(FIPS_MODULE) */
+ if (ossl_tls1_prf_ems_check_enabled(libctx)) {
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
+ return 0;
+ }
+ }
+
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
ctx->sec, ctx->seclen,
ctx->seed, ctx->seedlen,
Index: openssl-3.1.4/ssl/ssl_conf.c
===================================================================
--- openssl-3.1.4.orig/ssl/ssl_conf.c
+++ openssl-3.1.4/ssl/ssl_conf.c
@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cct
SSL_FLAG_TBL("ClientRenegotiation",
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_PERMIT_NOEMS_FIPS),
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
Index: openssl-3.1.4/ssl/statem/extensions_srvr.c
===================================================================
--- openssl-3.1.4.orig/ssl/statem/extensions_srvr.c
+++ openssl-3.1.4/ssl/statem/extensions_srvr.c
@@ -11,6 +11,7 @@
#include "../ssl_local.h"
#include "statem_local.h"
#include "internal/cryptlib.h"
+#include <openssl/fips.h>
#define COOKIE_STATE_FORMAT_VERSION 1
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s
EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx)
{
- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
+ if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_PERMIT_NOEMS_FIPS) ) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
+ return EXT_RETURN_FAIL;
+ }
return EXT_RETURN_NOT_SENT;
+ }
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|| !WPACKET_put_bytes_u16(pkt, 0)) {
Index: openssl-3.1.4/ssl/t1_enc.c
===================================================================
--- openssl-3.1.4.orig/ssl/t1_enc.c
+++ openssl-3.1.4/ssl/t1_enc.c
@@ -20,6 +20,7 @@
#include <openssl/obj_mac.h>
#include <openssl/core_names.h>
#include <openssl/trace.h>
+#include <openssl/fips.h>
/* seed1 through seed5 are concatenated */
static int tls1_PRF(SSL *s,
@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
}
err:
- if (fatal)
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ if (fatal) {
+ /* The calls to this function are local so it's safe to implement the check */
+ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
+ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
+ else
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ }
else
ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
EVP_KDF_CTX_free(kctx);
Index: openssl-3.1.4/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
===================================================================
--- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+++ openssl-3.1.4/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
+Availablein = fips
+KDF = TLS1-PRF
+Ctrl.digest = digest:SHA256
+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
+Ctrl.label = seed:master secret
+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
+Result = KDF_DERIVE_ERROR
+
FIPSversion = <=3.1.0
KDF = TLS1-PRF
Ctrl.digest = digest:SHA256

22
openssl-FIPS-enforce-security-checks-during-initialization.patch Normal file
View File

@ -0,0 +1,22 @@
Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -107,7 +107,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L
return NULL;
init_fips_option(&fgbl->fips_security_checks, 1);
init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
- init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
+ init_fips_option(&fgbl->fips_restricted_drgb_digests, 1); /* Enabled by default */
return fgbl;
}
@@ -820,8 +820,6 @@ int OSSL_provider_init_int(const OSSL_CO
if (fgbl->field.option != NULL) { \
if (strcmp(fgbl->field.option, "1") == 0) \
fgbl->field.enabled = 1; \
- else if (strcmp(fgbl->field.option, "0") == 0) \
- fgbl->field.enabled = 0; \
else \
goto err; \
}

568
openssl-FIPS-limit-rsa-encrypt.patch Normal file
View File

@ -0,0 +1,568 @@
From 56511d480823bedafce604374fa3b15d3b3ffd6b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 26/48] 0058-FIPS-limit-rsa-encrypt.patch
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
Patch-id: 58
Patch-status: |
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
providers/common/securitycheck.c | 1 +
.../implementations/asymciphers/rsa_enc.c | 35 +++++++++++
.../30-test_evp_data/evppkey_rsa_common.txt | 58 ++++++++++++++++++-
test/recipes/80-test_cms.t | 5 +-
test/recipes/80-test_ssl_old.t | 27 +++++++--
5 files changed, 118 insertions(+), 8 deletions(-)
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index e534ad0a5f..c017c658e5 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -27,6 +27,7 @@
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
*/
+/* SUSE build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */
int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
{
int protect = 0;
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index d865968058..872967bcb3 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa,
return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT);
}
+# ifdef FIPS_MODULE
+static int fips_padding_allowed(const PROV_RSA_CTX *prsactx)
+{
+ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING
+ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING)
+ return 0;
+
+ return 1;
+}
+# endif
+
static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
size_t outsize, const unsigned char *in, size_t inlen)
{
@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
if (!ossl_prov_is_running())
return 0;
+# ifdef FIPS_MODULE
+ if (fips_padding_allowed(prsactx) == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+ return 0;
+ }
+
+ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+# endif
+
if (out == NULL) {
size_t len = RSA_size(prsactx->rsa);
@@ -204,6 +227,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
if (!ossl_prov_is_running())
return 0;
+# ifdef FIPS_MODULE
+ if (fips_padding_allowed(prsactx) == 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
+ return 0;
+ }
+
+ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+# endif
+
if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
if (out == NULL) {
*outlen = SSL_MAX_MASTER_KEY_LENGTH;
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
index 8680797b90..95d5d51102 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377
Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# RSA decrypt
-
+Availablein = default
Decrypt = RSA-2048
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
Output = "Hello World"
# Corrupted ciphertext
-FIPSversion = <3.2.0
+Availablein = default
Decrypt = RSA-2048
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
Output = "Hello World"
@@ -619,36 +619,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2
h90qjKHS9PvY4Q==
-----END PRIVATE KEY-----
+Availablein = default
Decrypt=RSA-OAEP-1
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a
Output=6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34
+Availablein = default
Decrypt=RSA-OAEP-1
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44
Output=750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5
+Availablein = default
Decrypt=RSA-OAEP-1
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb
Output=d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051
+Availablein = default
Decrypt=RSA-OAEP-1
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755
Output=52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85
+Availablein = default
Decrypt=RSA-OAEP-1
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439
Output=8da89fd9e5f974a29feffb462b49180f6cf9e802
+Availablein = default
Decrypt=RSA-OAEP-1
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -673,36 +679,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8
eG2e4XlBcKjI6A==
-----END PRIVATE KEY-----
+Availablein = default
Decrypt=RSA-OAEP-2
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e
Output=8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7
+Availablein = default
Decrypt=RSA-OAEP-2
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245
Output=2d
+Availablein = default
Decrypt=RSA-OAEP-2
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053
Output=74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e
+Availablein = default
Decrypt=RSA-OAEP-2
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641
Output=a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a
+Availablein = default
Decrypt=RSA-OAEP-2
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec
Output=2ef2b066f854c33f3bdcbb5994a435e73d6c6c
+Availablein = default
Decrypt=RSA-OAEP-2
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -727,36 +739,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z
Ya4qnqZe1onjY5o=
-----END PRIVATE KEY-----
+Availablein = default
Decrypt=RSA-OAEP-3
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80
Output=087820b569e8fa8d
+Availablein = default
Decrypt=RSA-OAEP-3
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5
Output=4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04
+Availablein = default
Decrypt=RSA-OAEP-3
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a
Output=d94cd0e08fa404ed89
+Availablein = default
Decrypt=RSA-OAEP-3
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0
Output=6cc641b6b61e6f963974dad23a9013284ef1
+Availablein = default
Decrypt=RSA-OAEP-3
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60
Output=df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223
+Availablein = default
Decrypt=RSA-OAEP-3
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -781,36 +799,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq
aD0x7TDrmEvkEro=
-----END PRIVATE KEY-----
+Availablein = default
Decrypt=RSA-OAEP-4
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8
Output=4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2
+Availablein = default
Decrypt=RSA-OAEP-4
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e
Output=b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8
+Availablein = default
Decrypt=RSA-OAEP-4
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065
Output=bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99
+Availablein = default
Decrypt=RSA-OAEP-4
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4
Output=fb2ef112f5e766eb94019297934794f7be2f6fc1c58e
+Availablein = default
Decrypt=RSA-OAEP-4
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2
Output=28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284
+Availablein = default
Decrypt=RSA-OAEP-4
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -835,36 +859,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B
MSwGUGLx60i3nRyDyw==
-----END PRIVATE KEY-----
+Availablein = default
Decrypt=RSA-OAEP-5
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5
Output=af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8
+Availablein = default
Decrypt=RSA-OAEP-5
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad
Output=a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399
+Availablein = default
Decrypt=RSA-OAEP-5
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967
Output=308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7
+Availablein = default
Decrypt=RSA-OAEP-5
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf
Output=15c5b9ee1185
+Availablein = default
Decrypt=RSA-OAEP-5
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723
Output=21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a
+Availablein = default
Decrypt=RSA-OAEP-5
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -889,36 +919,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC
Yejn5Ly8mU2q+jBcRQ==
-----END PRIVATE KEY-----
+Availablein = default
Decrypt=RSA-OAEP-6
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3
Output=4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4
+Availablein = default
Decrypt=RSA-OAEP-6
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f
Output=5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7
+Availablein = default
Decrypt=RSA-OAEP-6
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65
Output=b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c
+Availablein = default
Decrypt=RSA-OAEP-6
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8
Output=684e3038c5c041f7
+Availablein = default
Decrypt=RSA-OAEP-6
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab
Output=32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693
+Availablein = default
Decrypt=RSA-OAEP-6
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -943,36 +979,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS
FMlxv0gq65dqc3DC
-----END PRIVATE KEY-----
+Availablein = default
Decrypt=RSA-OAEP-7
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1
Output=47aae909
+Availablein = default
Decrypt=RSA-OAEP-7
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6
Output=1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7
+Availablein = default
Decrypt=RSA-OAEP-7
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b
Output=d976fc
+Availablein = default
Decrypt=RSA-OAEP-7
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac
Output=d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb
+Availablein = default
Decrypt=RSA-OAEP-7
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478
Output=bb47231ca5ea1d3ad46c99345d9a8a61
+Availablein = default
Decrypt=RSA-OAEP-7
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -997,36 +1039,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM
2MiPa249Z+lh3Luj0A==
-----END PRIVATE KEY-----
+Availablein = default
Decrypt=RSA-OAEP-8
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61
Output=050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967
+Availablein = default
Decrypt=RSA-OAEP-8
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d
Output=4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc
+Availablein = default
Decrypt=RSA-OAEP-8
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f
Output=8604ac56328c1ab5ad917861
+Availablein = default
Decrypt=RSA-OAEP-8
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0
Output=fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc
+Availablein = default
Decrypt=RSA-OAEP-8
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2
Output=4a5f4914bee25de3c69341de07
+Availablein = default
Decrypt=RSA-OAEP-8
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1057,36 +1105,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo
tKo5Eb69iFQvBb4=
-----END PRIVATE KEY-----
+Availablein = default
Decrypt=RSA-OAEP-9
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72
Output=f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6
+Availablein = default
Decrypt=RSA-OAEP-9
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8
Output=81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659
+Availablein = default
Decrypt=RSA-OAEP-9
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3
Output=fd326429df9b890e09b54b18b8f34f1e24
+Availablein = default
Decrypt=RSA-OAEP-9
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858
Output=f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e
+Availablein = default
Decrypt=RSA-OAEP-9
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Input=232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e
Output=53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d
+Availablein = default
Decrypt=RSA-OAEP-9
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index cbec426137..9ba7fbeed2 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -233,7 +233,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no SUSE FIPS",
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
"-aes256", "-stream", "-out", "{output}.cms",
$smrsa1,
@@ -1022,6 +1022,9 @@ sub check_availability {
return "$tnam: skipped, DSA disabled\n"
if ($no_dsa && $tnam =~ / DSA/);
+ return "$tnam: skipped, SUSE FIPS\n"
+ if ($tnam =~ /no SUSE FIPS/);
+
return "";
}
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index e2dcb68fb5..0775112b40 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -493,6 +493,18 @@ sub testssl {
# the default choice if TLSv1.3 enabled
my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
my $ciphersuites = "";
+ my %suse_skip_cipher = map {$_ => 1} qw(
+AES256-GCM-SHA384:@SECLEVEL=0
+AES256-CCM8:@SECLEVEL=0
+AES256-CCM:@SECLEVEL=0
+AES128-GCM-SHA256:@SECLEVEL=0
+AES128-CCM8:@SECLEVEL=0
+AES128-CCM:@SECLEVEL=0
+AES256-SHA256:@SECLEVEL=0
+AES128-SHA256:@SECLEVEL=0
+AES256-SHA:@SECLEVEL=0
+AES128-SHA:@SECLEVEL=0
+ );
foreach my $cipher (@{$ciphersuites{$protocol}}) {
if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
note "*****SKIPPING $protocol $cipher";
@@ -504,11 +516,16 @@ sub testssl {
} else {
$cipher = $cipher.':@SECLEVEL=0';
}
- ok(run(test([@ssltest, @exkeys, "-cipher",
- $cipher,
- "-ciphersuites", $ciphersuites,
- $flag || ()])),
- "Testing $cipher");
+ if ($provider eq "fips" && exists $suse_skip_cipher{$cipher}) {
+ note "*****SKIPPING $cipher in SUSE FIPS mode";
+ ok(1);
+ } else {
+ ok(run(test([@ssltest, @exkeys, "-cipher",
+ $cipher,
+ "-ciphersuites", $ciphersuites,
+ $flag || ()])),
+ "Testing $cipher");
+ }
}
}
next if $protocol eq "-tls1_3";
--
2.41.0

27
openssl-FIPS-release_num_in_version_string.patch Normal file
View File

@ -0,0 +1,27 @@
Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p
static int fips_get_params(void *provctx, OSSL_PARAM params[])
{
+#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE
OSSL_PARAM *p;
FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider"))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))

744
openssl-FIPS-services-minimize.patch Normal file
View File

@ -0,0 +1,744 @@
From a9dc983f82cabe29d6b48f3af3e30e26074ce5cf Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 12:55:57 +0200
Subject: [PATCH 21/48] 0045-FIPS-services-minimize.patch
Patch-name: 0045-FIPS-services-minimize.patch
Patch-id: 45
Patch-status: |
# Minimize fips services
---
apps/ecparam.c | 7 +++
apps/req.c | 2 +-
providers/common/capabilities.c | 2 +-
providers/fips/fipsprov.c | 44 +++++++++++--------
providers/fips/self_test_data.inc | 9 +++-
providers/implementations/signature/rsa_sig.c | 26 +++++++++++
ssl/ssl_ciph.c | 3 ++
test/acvp_test.c | 2 +
test/endecode_test.c | 4 ++
test/evp_libctx_test.c | 9 +++-
test/recipes/15-test_gendsa.t | 2 +-
test/recipes/20-test_cli_fips.t | 3 +-
test/recipes/30-test_evp.t | 16 +++----
.../30-test_evp_data/evpmac_common.txt | 22 ++++++++++
test/recipes/80-test_cms.t | 22 +++++-----
test/recipes/80-test_ssl_old.t | 2 +-
16 files changed, 128 insertions(+), 47 deletions(-)
diff --git a/apps/ecparam.c b/apps/ecparam.c
index 9e9ad13683..9c66cf2434 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
const char *comment = curves[n].comment;
const char *sname = OBJ_nid2sn(curves[n].nid);
+ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
+ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
+ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
+ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
+ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
+ continue;
+
if (comment == NULL)
comment = "CURVE DESCRIPTION NOT AVAILABLE";
if (sname == NULL)
diff --git a/apps/req.c b/apps/req.c
index 23757044ab..5916914978 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -266,7 +266,7 @@ int req_main(int argc, char **argv)
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
#ifndef OPENSSL_NO_DES
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
#endif
prog = opt_init(argc, argv, req_options);
diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
index ed37e76969..eb836dfa6a 100644
--- a/providers/common/capabilities.c
+++ b/providers/common/capabilities.c
@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list[][10] = {
TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
-# endif
TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
+# endif
# endif /* OPENSSL_NO_EC */
# ifndef OPENSSL_NO_DH
/* Security bit values for FFDHE groups are as per RFC 7919 */
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 518226dfc6..29438faea8 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
* KMAC128 and KMAC256.
*/
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
+ /* We don't certify KECCAK in our FIPS provider */
+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
ossl_keccak_kmac_128_functions },
{ PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
- ossl_keccak_kmac_256_functions },
+ ossl_keccak_kmac_256_functions }, */
{ NULL, NULL, NULL }
};
@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
ossl_cipher_capable_aes_cbc_hmac_sha256),
#ifndef OPENSSL_NO_DES
- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
+ /* We don't certify 3DES in our FIPS provider */
+ /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
+ UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
#endif /* OPENSSL_NO_DES */
{ { NULL, NULL, NULL }, NULL }
};
@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
#endif
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
+ /* We don't certify KMAC in our FIPS provider */
+ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
+ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
{ NULL, NULL, NULL }
};
@@ -409,8 +412,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
#endif
#ifndef OPENSSL_NO_EC
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
+ /* We don't certify Edwards curves in our FIPS provider */
+ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
+ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
#endif
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
ossl_kdf_tls1_prf_keyexch_functions },
@@ -420,13 +424,15 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
static const OSSL_ALGORITHM fips_signature[] = {
#ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
+ /* We don't certify DSA in our FIPS provider */
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
#ifndef OPENSSL_NO_EC
- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
+ /* We don't certify Edwards curves in our FIPS provider */
+ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
ossl_ed25519_signature_functions },
- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, */
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
#endif
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
@@ -456,8 +462,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
PROV_DESCS_DHX },
#endif
#ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
- PROV_DESCS_DSA },
+ /* We don't certify DSA in our FIPS provider */
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
+ PROV_DESCS_DSA }, */
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
PROV_DESCS_RSA },
@@ -466,14 +473,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
#ifndef OPENSSL_NO_EC
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
PROV_DESCS_EC },
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
+ /* We don't certify Edwards curves in our FIPS provider */
+ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
PROV_DESCS_X25519 },
{ PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
PROV_DESCS_X448 },
{ PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
PROV_DESCS_ED25519 },
{ PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
- PROV_DESCS_ED448 },
+ PROV_DESCS_ED448 }, */
#endif
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
PROV_DESCS_TLS1_PRF_SIGN },
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 2057378d3d..4b80bb70b9 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
/*- CIPHER TEST DATA */
/* DES3 test data */
+#if 0
static const unsigned char des_ede3_cbc_pt[] = {
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
};
-
+#endif
/* AES-256 GCM test data */
static const unsigned char aes_256_gcm_key[] = {
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = {
# endif /* OPENSSL_NO_EC2M */
#endif /* OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_DSA
/* dsa 2048 */
+#if 0
+#ifndef OPENSSL_NO_DSA
static const unsigned char dsa_p[] = {
0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = {
ST_KAT_PARAM_END()
};
#endif /* OPENSSL_NO_DSA */
+#endif
/* Hash DRBG inputs for signature KATs */
static const unsigned char sig_kat_entropyin[] = {
@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
},
# endif
#endif /* OPENSSL_NO_EC */
+#if 0
#ifndef OPENSSL_NO_DSA
{
OSSL_SELF_TEST_DESC_SIGN_DSA,
@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
ITM(dsa_expected_sig)
},
#endif /* OPENSSL_NO_DSA */
+#endif
};
static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index d4261e8f7d..2a5504d104 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -689,6 +689,14 @@ static int rsa_verify_recover(void *vprsactx,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
+# ifdef FIPS_MODULE
+ size_t rsabits = RSA_bits(prsactx->rsa);
+
+ if (rsabits < 2048) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+# endif
if (!ossl_prov_is_running())
return 0;
@@ -777,6 +790,14 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
size_t rslen;
+# ifdef FIPS_MODULE
+ size_t rsabits = RSA_bits(prsactx->rsa);
+
+ if (rsabits < 2048) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+# endif
if (!ossl_prov_is_running())
return 0;
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index a5e60e8839..f9af07d12b 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
ctx->disabled_mkey_mask = 0;
ctx->disabled_auth_mask = 0;
+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
+
/*
* We ignore any errors from the fetches below. They are expected to fail
* if theose algorithms are not available.
diff --git a/test/acvp_test.c b/test/acvp_test.c
index fee880d441..13d7a0ea8b 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -1476,6 +1476,7 @@ int setup_tests(void)
OSSL_NELEM(dh_safe_prime_keyver_data));
#endif /* OPENSSL_NO_DH */
+#if 0 /* SUSE FIPS provider doesn't have fips=yes property on DSA */
#ifndef OPENSSL_NO_DSA
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
@@ -1483,6 +1484,7 @@ int setup_tests(void)
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
#endif /* OPENSSL_NO_DSA */
+#endif
#ifndef OPENSSL_NO_EC
ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 9a437d8c64..53385028fc 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -1407,6 +1407,7 @@ int setup_tests(void)
* so no legacy tests.
*/
#endif
+ if (is_fips == 0) {
#ifndef OPENSSL_NO_DSA
ADD_TEST_SUITE(DSA);
ADD_TEST_SUITE_PARAMS(DSA);
@@ -1417,6 +1418,7 @@ int setup_tests(void)
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
# endif
#endif
+ }
#ifndef OPENSSL_NO_EC
ADD_TEST_SUITE(EC);
ADD_TEST_SUITE_PARAMS(EC);
@@ -1431,10 +1433,12 @@ int setup_tests(void)
ADD_TEST_SUITE(ECExplicitTri2G);
ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
# endif
+ if (is_fips == 0) {
ADD_TEST_SUITE(ED25519);
ADD_TEST_SUITE(ED448);
ADD_TEST_SUITE(X25519);
ADD_TEST_SUITE(X448);
+ }
/*
* ED25519, ED448, X25519 and X448 have no support for
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index 2448c35a14..a7913cda4c 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -21,6 +21,7 @@
*/
#include "internal/deprecated.h"
#include <assert.h>
+#include <string.h>
#include <openssl/evp.h>
#include <openssl/provider.h>
#include <openssl/dsa.h>
@@ -726,7 +727,9 @@ int setup_tests(void)
return 0;
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
+ if (strcmp(prov_name, "fips") != 0) {
+ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
+ }
#endif
#ifndef OPENSSL_NO_DH
ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
@@ -746,7 +749,9 @@ int setup_tests(void)
ADD_TEST(kem_invalid_keytype);
#endif
#ifndef OPENSSL_NO_DES
- ADD_TEST(test_cipher_tdes_randkey);
+ if (strcmp(prov_name, "fips") != 0) {
+ ADD_TEST(test_cipher_tdes_randkey);
+ }
#endif
return 1;
}
diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t
index b495b08bda..69bd299521 100644
--- a/test/recipes/15-test_gendsa.t
+++ b/test/recipes/15-test_gendsa.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
plan skip_all => "This test is unsupported in a no-dsa build"
if disabled("dsa");
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1;
plan tests =>
($no_fips ? 0 : 2) # FIPS related tests
diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
index 6d3c5ba1bb..2ba47b5fca 100644
--- a/test/recipes/20-test_cli_fips.t
+++ b/test/recipes/20-test_cli_fips.t
@@ -273,8 +273,7 @@ SKIP: {
}
SKIP : {
- skip "FIPS DSA tests because of no dsa in this build", 1
- if disabled("dsa");
+ skip "FIPS DSA tests because of no dsa in this build", 1;
subtest DSA => sub {
my $testtext_prefix = 'DSA';
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 9d7040ced2..f8beb538d4 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -42,10 +42,8 @@ my @files = qw(
evpciph_aes_cts.txt
evpciph_aes_wrap.txt
evpciph_aes_stitched.txt
- evpciph_des3_common.txt
evpkdf_hkdf.txt
evpkdf_kbkdf_counter.txt
- evpkdf_kbkdf_kmac.txt
evpkdf_pbkdf1.txt
evpkdf_pbkdf2.txt
evpkdf_ss.txt
@@ -65,12 +63,6 @@ push @files, qw(
evppkey_ffdhe.txt
evppkey_dh.txt
) unless $no_dh;
-push @files, qw(
- evpkdf_x942_des.txt
- evpmac_cmac_des.txt
- ) unless $no_des;
-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
-push @files, qw(evppkey_ecx.txt) unless $no_ec;
push @files, qw(
evppkey_ecc.txt
evppkey_ecdh.txt
@@ -91,6 +83,7 @@ my @defltfiles = qw(
evpciph_cast5.txt
evpciph_chacha.txt
evpciph_des.txt
+ evpciph_des3_common.txt
evpciph_idea.txt
evpciph_rc2.txt
evpciph_rc4.txt
@@ -114,10 +107,17 @@ my @defltfiles = qw(
evpmd_whirlpool.txt
evppbe_scrypt.txt
evppbe_pkcs12.txt
+ evpkdf_kbkdf_kmac.txt
evppkey_kdf_scrypt.txt
evppkey_kdf_tls1_prf.txt
evppkey_rsa.txt
);
+push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
+push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
+push @defltfiles, qw(
+ evpkdf_x942_des.txt
+ evpmac_cmac_des.txt
+ ) unless $no_des;
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
index 93195df97c..315413cd9b 100644
--- a/test/recipes/30-test_evp_data/evpmac_common.txt
+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
@@ -340,6 +340,7 @@ IV = 7AE8E2CA4EC500012E58495C
Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
Result = MAC_INIT_ERROR
+Availablein = default
Title = KMAC Tests (From NIST)
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
@@ -350,12 +351,14 @@ Ctrl = xof:0
OutputSize = 32
BlockSize = 168
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
Custom = "My Tagged Application"
Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -363,6 +366,7 @@ Custom = "My Tagged Application"
Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
Ctrl = size:32
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -371,12 +375,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC
OutputSize = 64
BlockSize = 136
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
Custom = ""
Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -386,12 +392,14 @@ Ctrl = size:64
Title = KMAC XOF Tests (From NIST)
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
XOF = 1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -399,6 +407,7 @@ Custom = "My Tagged Application"
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
XOF = 1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -407,6 +416,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
XOF = 1
Ctrl = size:32
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -414,6 +424,7 @@ Custom = "My Tagged Application"
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
XOF = 1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -421,6 +432,7 @@ Custom = ""
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
XOF = 1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -431,6 +443,7 @@ XOF = 1
Title = KMAC long customisation string (from NIST ACVP)
+Availablein = default
MAC = KMAC256
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -441,12 +454,14 @@ XOF = 1
Title = KMAC XOF Tests via ctrl (From NIST)
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
Ctrl = xof:1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -454,6 +469,7 @@ Custom = "My Tagged Application"
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
Ctrl = xof:1
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -462,6 +478,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
Ctrl = xof:1
Ctrl = size:32
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -469,6 +486,7 @@ Custom = "My Tagged Application"
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
Ctrl = xof:1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -476,6 +494,7 @@ Custom = ""
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
Ctrl = xof:1
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -486,6 +505,7 @@ Ctrl = xof:1
Title = KMAC long customisation string via ctrl (from NIST ACVP)
+Availablein = default
MAC = KMAC256
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -496,6 +516,7 @@ Ctrl = xof:1
Title = KMAC long customisation string negative test
+Availablein = default
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -504,6 +525,7 @@ Result = MAC_INIT_ERROR
Title = KMAC output is too large
+Availablein = default
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 40dd585c18..cbec426137 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content DER format, DSA key",
+ [ "signed content DER format, DSA key, no SUSE FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed detached content DER format, DSA key",
+ [ "signed detached content DER format, DSA key, no SUSE FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed detached content DER format, add RSA signer (with DSA existing)",
+ [ "signed detached content DER format, add RSA signer (with DSA existing), no SUSE FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming BER format, DSA key",
+ [ "signed content test streaming BER format, DSA key, no SUSE FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-stream",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no SUSE FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-stream",
"-signer", $smrsa1,
@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no SUSE FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-noattr", "-nodetach", "-stream",
"-signer", $smrsa1,
@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = (
\&zero_compare
],
- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -248,7 +248,7 @@ my @smime_pkcs7_tests = (
my @smime_cms_tests = (
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no SUSE FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-keyid",
"-signer", $smrsa1,
@@ -261,7 +261,7 @@ my @smime_cms_tests = (
\&final_compare
],
- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no SUSE FIPS",
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -371,7 +371,7 @@ my @smime_cms_tests = (
\&final_compare
],
- [ "encrypted content test streaming PEM format, triple DES key",
+ [ "encrypted content test streaming PEM format, triple DES key, no SUSE FIPS",
[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-stream", "-out", "{output}.cms" ],
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 50b74a1e29..e2dcb68fb5 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -436,7 +436,7 @@ sub testssl {
my @exkeys = ();
my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
- if (!$no_dsa) {
+ if (!$no_dsa && $provider ne "fips") {
push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
}
--
2.41.0

149
openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch Normal file
View File

@ -0,0 +1,149 @@
From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 19:33:02 +0100
Subject: [PATCH] signature: Add indicator for PSS salt length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS [...] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."
It is not exactly clear from this text whether hLen refers to the
message digest or the hash function used for the mask generation
function MGF1. PKCS#1 v2.1 suggests it is the former:
| Typical salt lengths in octets are hLen (the length of the output of
| the hash function Hash) and 0. In both cases the security of
| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
| Bellare and Rogaway [4] give a tight lower bound for the security of
| the original RSA-PSS scheme, which corresponds roughly to the former
| case, while Coron [12] gives a lower bound for the related Full Domain
| Hashing scheme, which corresponds roughly to the latter case. In [13]
| Coron provides a general treatment with various salt lengths ranging
| from 0 to hLen; see [27] for discussion. See also [31], which adapts
| the security proofs in [4][13] to address the differences between the
| original and the present version of RSA-PSS as listed in Note 1 above.
Since OpenSSL defaults to creating signatures with the maximum salt
length, blocking the use of longer salts would probably lead to
significant problems in practice. Instead, introduce an explicit
indicator that can be obtained from the EVP_PKEY_CTX object using
EVP_PKEY_CTX_get_params() with the
OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR
parameter.
We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch.
Dmitry Belyavskiy <dbelyavs@redhat.com>
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
include/openssl/evp.h | 4 ++++
providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++
util/perl/OpenSSL/paramnames.pm | 23 ++++++++++---------
3 files changed, 37 insertions(+), 11 deletions(-)
Index: openssl-3.1.4/include/openssl/evp.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/evp.h
+++ openssl-3.1.4/include/openssl/evp.h
@@ -801,6 +801,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CT
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
int *outl);
+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED 1
+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
+
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
EVP_PKEY *pkey);
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
@@ -1167,6 +1167,24 @@ static int rsa_get_ctx_params(void *vprs
}
}
+#ifdef FIPS_MODULE
+ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR);
+ if (p != NULL) {
+ int fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED;
+ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
+ if (prsactx->md == NULL) {
+ fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED;
+ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
+ fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ } else if (prsactx->pad_mode == RSA_NO_PADDING) {
+ if (prsactx->md == NULL) /* Should always be the case */
+ fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED;
+ }
+ return OSSL_PARAM_set_int(p, fips_indicator);
+ }
+#endif
+
return 1;
}
@@ -1176,6 +1194,9 @@ static const OSSL_PARAM known_gettable_c
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR, NULL),
+#endif
OSSL_PARAM_END
};
Index: openssl-3.1.4/include/openssl/core_names.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/core_names.h
+++ openssl-3.1.4/include/openssl/core_names.h
@@ -458,6 +458,7 @@ extern "C" {
#define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \
OSSL_PKEY_PARAM_MGF1_PROPERTIES
#define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE
+#define OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator"
/* Asym cipher parameters */
#define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
@@ -696,8 +696,13 @@ static int rsa_verify_recover(void *vprs
size_t rsabits = RSA_bits(prsactx->rsa);
if (rsabits < 2048) {
- ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
- return 0;
+ if (rsabits != 1024
+ && rsabits != 1280
+ && rsabits != 1536
+ && rsabits != 1792) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
}
# endif
@@ -792,8 +797,13 @@ static int rsa_verify(void *vprsactx, co
size_t rsabits = RSA_bits(prsactx->rsa);
if (rsabits < 2048) {
- ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
- return 0;
+ if (rsabits != 1024
+ && rsabits != 1280
+ && rsabits != 1536
+ && rsabits != 1792) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
}
# endif

309
openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch Normal file
View File

@ -0,0 +1,309 @@
From 4580c303fa88f77a98461fee5fe26b5db725967c Mon Sep 17 00:00:00 2001
From: Todd Short <todd.short@me.com>
Date: Thu, 1 Feb 2024 23:09:38 -0500
Subject: [PATCH 1/2] Fix EVP_PKEY_CTX_add1_hkdf_info() behavior
Fix #23448
`EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function.
Fix the setting of the parameter in the params code.
Update the TLS_PRF code to also use the params code.
Add tests.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23456)
(cherry picked from commit 6b566687b58fde08b28e3331377f050768fad89b)
---
crypto/evp/pmeth_lib.c | 65 ++++++++++++++++++-
providers/implementations/exchange/kdf_exch.c | 42 ++++++++++++
providers/implementations/kdfs/hkdf.c | 8 +++
test/pkey_meth_kdf_test.c | 53 +++++++++++----
4 files changed, 156 insertions(+), 12 deletions(-)
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index ba1971c..d0eeaf7 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -1028,6 +1028,69 @@ static int evp_pkey_ctx_set1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
return EVP_PKEY_CTX_set_params(ctx, octet_string_params);
}
+static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+ const char *param, int op, int ctrl,
+ const unsigned char *data,
+ int datalen)
+{
+ OSSL_PARAM os_params[2];
+ unsigned char *info = NULL;
+ size_t info_len = 0;
+ size_t info_alloc = 0;
+ int ret = 0;
+
+ if (ctx == NULL || (ctx->operation & op) == 0) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+ /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+ return -2;
+ }
+
+ /* Code below to be removed when legacy support is dropped. */
+ if (fallback)
+ return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data));
+ /* end of legacy support */
+
+ if (datalen < 0) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
+ return 0;
+ }
+
+ /* Get the original value length */
+ os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
+ os_params[1] = OSSL_PARAM_construct_end();
+
+ if (!EVP_PKEY_CTX_get_params(ctx, os_params))
+ return 0;
+
+ /* Older provider that doesn't support getting this parameter */
+ if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
+
+ info_alloc = os_params[0].return_size + datalen;
+ if (info_alloc == 0)
+ return 0;
+ info = OPENSSL_zalloc(info_alloc);
+ if (info == NULL)
+ return 0;
+ info_len = os_params[0].return_size;
+
+ os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc);
+
+ /* if we have data, then go get it */
+ if (info_len > 0) {
+ if (!EVP_PKEY_CTX_get_params(ctx, os_params))
+ goto error;
+ }
+
+ /* Copy the input data */
+ memcpy(&info[info_len], data, datalen);
+ ret = EVP_PKEY_CTX_set_params(ctx, os_params);
+
+ error:
+ OPENSSL_clear_free(info, info_alloc);
+ return ret;
+}
+
int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx,
const unsigned char *sec, int seclen)
{
@@ -1078,7 +1141,7 @@ int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx,
int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx,
const unsigned char *info, int infolen)
{
- return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL,
+ return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL,
OSSL_KDF_PARAM_INFO,
EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_HKDF_INFO,
diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c
index 527a866..4bc8102 100644
--- a/providers/implementations/exchange/kdf_exch.c
+++ b/providers/implementations/exchange/kdf_exch.c
@@ -28,9 +28,13 @@ static OSSL_FUNC_keyexch_derive_fn kdf_derive;
static OSSL_FUNC_keyexch_freectx_fn kdf_freectx;
static OSSL_FUNC_keyexch_dupctx_fn kdf_dupctx;
static OSSL_FUNC_keyexch_set_ctx_params_fn kdf_set_ctx_params;
+static OSSL_FUNC_keyexch_get_ctx_params_fn kdf_get_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params;
+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
typedef struct {
void *provctx;
@@ -169,6 +173,13 @@ static int kdf_set_ctx_params(void *vpkdfctx, const OSSL_PARAM params[])
return EVP_KDF_CTX_set_params(pkdfctx->kdfctx, params);
}
+static int kdf_get_ctx_params(void *vpkdfctx, OSSL_PARAM params[])
+{
+ PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
+
+ return EVP_KDF_CTX_get_params(pkdfctx->kdfctx, params);
+}
+
static const OSSL_PARAM *kdf_settable_ctx_params(ossl_unused void *vpkdfctx,
void *provctx,
const char *kdfname)
@@ -197,6 +208,34 @@ KDF_SETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
KDF_SETTABLE_CTX_PARAMS(hkdf, "HKDF")
KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
+static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx,
+ void *provctx,
+ const char *kdfname)
+{
+ EVP_KDF *kdf = EVP_KDF_fetch(PROV_LIBCTX_OF(provctx), kdfname,
+ NULL);
+ const OSSL_PARAM *params;
+
+ if (kdf == NULL)
+ return NULL;
+
+ params = EVP_KDF_gettable_ctx_params(kdf);
+ EVP_KDF_free(kdf);
+
+ return params;
+}
+
+#define KDF_GETTABLE_CTX_PARAMS(funcname, kdfname) \
+ static const OSSL_PARAM *kdf_##funcname##_gettable_ctx_params(void *vpkdfctx, \
+ void *provctx) \
+ { \
+ return kdf_gettable_ctx_params(vpkdfctx, provctx, kdfname); \
+ }
+
+KDF_GETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
+KDF_GETTABLE_CTX_PARAMS(hkdf, "HKDF")
+KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
+
#define KDF_KEYEXCH_FUNCTIONS(funcname) \
const OSSL_DISPATCH ossl_kdf_##funcname##_keyexch_functions[] = { \
{ OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))kdf_##funcname##_newctx }, \
@@ -205,8 +244,11 @@ KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
{ OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))kdf_freectx }, \
{ OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))kdf_dupctx }, \
{ OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))kdf_set_ctx_params }, \
+ { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))kdf_get_ctx_params }, \
{ OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, \
(void (*)(void))kdf_##funcname##_settable_ctx_params }, \
+ { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, \
+ (void (*)(void))kdf_##funcname##_gettable_ctx_params }, \
{ 0, NULL } \
};
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index daa619b..dd65a2a 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -371,6 +371,13 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
return 0;
return OSSL_PARAM_set_size_t(p, sz);
}
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
+ if (ctx->info == NULL || ctx->info_len == 0) {
+ p->return_size = 0;
+ return 1;
+ }
+ return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
+ }
return -2;
}
@@ -379,6 +386,7 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
OSSL_PARAM_END
};
return known_gettable_ctx_params;
diff --git a/test/pkey_meth_kdf_test.c b/test/pkey_meth_kdf_test.c
index f816d24..c09e2f3 100644
--- a/test/pkey_meth_kdf_test.c
+++ b/test/pkey_meth_kdf_test.c
@@ -16,7 +16,7 @@
#include <openssl/kdf.h>
#include "testutil.h"
-static int test_kdf_tls1_prf(void)
+static int test_kdf_tls1_prf(int index)
{
int ret = 0;
EVP_PKEY_CTX *pctx;
@@ -40,10 +40,23 @@ static int test_kdf_tls1_prf(void)
TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret");
goto err;
}
- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
- (unsigned char *)"seed", 4) <= 0) {
- TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
- goto err;
+ if (index == 0) {
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+ (unsigned char *)"seed", 4) <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+ goto err;
+ }
+ } else {
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+ (unsigned char *)"se", 2) <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+ goto err;
+ }
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+ (unsigned char *)"ed", 2) <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+ goto err;
+ }
}
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
TEST_error("EVP_PKEY_derive");
@@ -65,7 +78,7 @@ err:
return ret;
}
-static int test_kdf_hkdf(void)
+static int test_kdf_hkdf(int index)
{
int ret = 0;
EVP_PKEY_CTX *pctx;
@@ -94,10 +107,23 @@ static int test_kdf_hkdf(void)
TEST_error("EVP_PKEY_CTX_set1_hkdf_key");
goto err;
}
- if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
+ if (index == 0) {
+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
<= 0) {
- TEST_error("EVP_PKEY_CTX_set1_hkdf_info");
- goto err;
+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+ goto err;
+ }
+ } else {
+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3)
+ <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+ goto err;
+ }
+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2)
+ <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+ goto err;
+ }
}
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
TEST_error("EVP_PKEY_derive");
@@ -195,8 +221,13 @@ err:
int setup_tests(void)
{
- ADD_TEST(test_kdf_tls1_prf);
- ADD_TEST(test_kdf_hkdf);
+ int tests = 1;
+
+ if (fips_provider_version_ge(NULL, 3, 3, 1))
+ tests = 2;
+
+ ADD_ALL_TESTS(test_kdf_tls1_prf, tests);
+ ADD_ALL_TESTS(test_kdf_hkdf, tests);
#ifndef OPENSSL_NO_SCRYPT
ADD_TEST(test_kdf_scrypt);
#endif
--
2.45.1

78
openssl-Force-FIPS.patch Normal file
View File

@ -0,0 +1,78 @@
From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 11:59:02 +0200
Subject: [PATCH 16/48] 0032-Force-fips.patch
Patch-name: 0032-Force-fips.patch
Patch-id: 32
Patch-status: |
# We load FIPS provider and set FIPS properties implicitly
---
crypto/provider_conf.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
Index: openssl-3.1.4/crypto/provider_conf.c
===================================================================
--- openssl-3.1.4.orig/crypto/provider_conf.c
+++ openssl-3.1.4/crypto/provider_conf.c
@@ -10,6 +10,8 @@
#include <string.h>
#include <openssl/trace.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <unistd.h>
#include <openssl/conf.h>
#include <openssl/safestack.h>
#include <openssl/provider.h>
@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_L
if (path != NULL)
ossl_provider_set_module_path(prov, path);
- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
if (ok) {
if (!ossl_provider_activate(prov, 1, 0)) {
@@ -197,6 +199,8 @@ static int provider_conf_activate(OSSL_L
}
if (!ok)
ossl_provider_free(prov);
+ } else {
+ ok = 1;
}
CRYPTO_THREAD_unlock(pcgbl->lock);
@@ -309,6 +313,33 @@ static int provider_conf_init(CONF_IMODU
return 0;
}
+ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
+ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
+# define FIPS_LOCAL_CONF OPENSSLDIR "/fips_local.cnf"
+
+ if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
+ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
+ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
+ return 0;
+
+ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
+ NCONF_free(fips_conf);
+ return 0;
+ }
+ NCONF_free(fips_conf);
+ } else {
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
+ return 0;
+ }
+ /* provider_conf_load can return 1 even when the test is failed so check explicitly */
+ if (OSSL_PROVIDER_available(libctx, "fips") != 1)
+ return 0;
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
+ return 0;
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
+ return 0;
+ }
+
return 1;
}

94
openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch Normal file
View File

@ -0,0 +1,94 @@
From d6a9c21302e01c33a9a919e7ba380ba3b0ed65b0 Mon Sep 17 00:00:00 2001
From: trinity-1686a <trinity@deuxfleurs.fr>
Date: Mon, 15 Apr 2024 11:13:14 +0200
Subject: [PATCH 2/2] Handle empty param in EVP_PKEY_CTX_add1_hkdf_info
Fixes #24130
The regression was introduced in PR #23456.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24141)
(cherry picked from commit 299996fb1fcd76eeadfd547958de2a1b822f37f5)
---
crypto/evp/pmeth_lib.c | 2 ++
test/evp_extra_test.c | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index d0eeaf7..bce1ebc 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -1053,6 +1053,8 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
if (datalen < 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
return 0;
+ } else if (datalen == 0) {
+ return 1;
}
/* Get the original value length */
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 9b3bee7..22121ce 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -2565,6 +2565,47 @@ static int test_emptyikm_HKDF(void)
return ret;
}
+static int test_empty_salt_info_HKDF(void)
+{
+ EVP_PKEY_CTX *pctx;
+ unsigned char out[20];
+ size_t outlen;
+ int ret = 0;
+ unsigned char salt[] = "";
+ unsigned char key[] = "012345678901234567890123456789";
+ unsigned char info[] = "";
+ const unsigned char expected[] = {
+ 0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a,
+ 0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06,
+ };
+ size_t expectedlen = sizeof(expected);
+
+ if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
+ goto done;
+
+ outlen = sizeof(out);
+ memset(out, 0, outlen);
+
+ if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
+ sizeof(salt) - 1), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
+ sizeof(key) - 1), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
+ sizeof(info) - 1), 0)
+ || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
+ || !TEST_mem_eq(out, outlen, expected, expectedlen))
+ goto done;
+
+ ret = 1;
+
+ done:
+ EVP_PKEY_CTX_free(pctx);
+
+ return ret;
+}
+
#ifndef OPENSSL_NO_EC
static int test_X509_PUBKEY_inplace(void)
{
@@ -5166,6 +5207,7 @@ int setup_tests(void)
#endif
ADD_TEST(test_HKDF);
ADD_TEST(test_emptyikm_HKDF);
+ ADD_TEST(test_empty_salt_info_HKDF);
#ifndef OPENSSL_NO_EC
ADD_TEST(test_X509_PUBKEY_inplace);
ADD_TEST(test_X509_PUBKEY_dup);
--
2.45.1

495
openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch Normal file
View File

@ -0,0 +1,495 @@
From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001
From: Danny Tsen <dtsen@linux.ibm.com>
Date: Tue, 22 Aug 2023 15:58:53 -0400
Subject: [PATCH] Improve performance for 6x unrolling with vpermxor
instruction
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21812)
---
crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++-------------
1 file changed, 95 insertions(+), 50 deletions(-)
diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl
index 60cf86f52aed2..38b9405a283b7 100755
--- a/crypto/aes/asm/aesp8-ppc.pl
+++ b/crypto/aes/asm/aesp8-ppc.pl
@@ -99,11 +99,12 @@
.long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
.long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
.long 0,0,0,0 ?asis
+.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe
Lconsts:
mflr r0
bcl 20,31,\$+4
mflr $ptr #vvvvv "distance between . and rcon
- addi $ptr,$ptr,-0x48
+ addi $ptr,$ptr,-0x58
mtlr r0
blr
.long 0
@@ -2405,7 +2406,7 @@ ()
my $key_=$key2;
my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
$x00=0 if ($flavour =~ /osx/);
-my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5));
+my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5));
my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
@@ -2460,6 +2461,18 @@ ()
li $x70,0x70
mtspr 256,r0
+ # Reverse eighty7 to 0x010101..87
+ xxlor 2, 32+$eighty7, 32+$eighty7
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
+ xxlor 1, 32+$eighty7, 32+$eighty7
+
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
+ mr $x70, r6
+ bl Lconsts
+ lxvw4x 0, $x40, r6 # load XOR contents
+ mr r6, $x70
+ li $x70,0x70
+
subi $rounds,$rounds,3 # -4 in total
lvx $rndkey0,$x00,$key1 # load key schedule
@@ -2502,69 +2515,77 @@ ()
?vperm v31,v31,$twk5,$keyperm
lvx v25,$x10,$key_ # pre-load round[2]
+ # Switch to use the following codes with 0x010101..87 to generate tweak.
+ # eighty7 = 0x010101..87
+ # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits
+ # vand tmp, tmp, eighty7 # last byte with carry
+ # vaddubm tweak, tweak, tweak # left shift 1 bit (x2)
+ # xxlor vsx, 0, 0
+ # vpermxor tweak, tweak, tmp, vsx
+
vperm $in0,$inout,$inptail,$inpperm
subi $inp,$inp,31 # undo "caller"
vxor $twk0,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vand $tmp,$tmp,$eighty7
vxor $out0,$in0,$twk0
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
lvx_u $in1,$x10,$inp
vxor $twk1,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in1,$in1,$in1,$leperm
vand $tmp,$tmp,$eighty7
vxor $out1,$in1,$twk1
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
lvx_u $in2,$x20,$inp
andi. $taillen,$len,15
vxor $twk2,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in2,$in2,$in2,$leperm
vand $tmp,$tmp,$eighty7
vxor $out2,$in2,$twk2
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
lvx_u $in3,$x30,$inp
sub $len,$len,$taillen
vxor $twk3,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in3,$in3,$in3,$leperm
vand $tmp,$tmp,$eighty7
vxor $out3,$in3,$twk3
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
lvx_u $in4,$x40,$inp
subi $len,$len,0x60
vxor $twk4,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in4,$in4,$in4,$leperm
vand $tmp,$tmp,$eighty7
vxor $out4,$in4,$twk4
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
lvx_u $in5,$x50,$inp
addi $inp,$inp,0x60
vxor $twk5,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in5,$in5,$in5,$leperm
vand $tmp,$tmp,$eighty7
vxor $out5,$in5,$twk5
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
vxor v31,v31,$rndkey0
mtctr $rounds
@@ -2590,6 +2611,8 @@ ()
lvx v25,$x10,$key_ # round[4]
bdnz Loop_xts_enc6x
+ xxlor 32+$eighty7, 1, 1 # 0x010101..87
+
subic $len,$len,96 # $len-=96
vxor $in0,$twk0,v31 # xor with last round key
vcipher $out0,$out0,v24
@@ -2599,7 +2622,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vcipher $out2,$out2,v24
vcipher $out3,$out3,v24
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out4,$out4,v24
vcipher $out5,$out5,v24
@@ -2607,7 +2629,8 @@ ()
vand $tmp,$tmp,$eighty7
vcipher $out0,$out0,v25
vcipher $out1,$out1,v25
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
vcipher $out2,$out2,v25
vcipher $out3,$out3,v25
vxor $in1,$twk1,v31
@@ -2618,13 +2641,13 @@ ()
and r0,r0,$len
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out0,$out0,v26
vcipher $out1,$out1,v26
vand $tmp,$tmp,$eighty7
vcipher $out2,$out2,v26
vcipher $out3,$out3,v26
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
vcipher $out4,$out4,v26
vcipher $out5,$out5,v26
@@ -2638,7 +2661,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vcipher $out0,$out0,v27
vcipher $out1,$out1,v27
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out2,$out2,v27
vcipher $out3,$out3,v27
vand $tmp,$tmp,$eighty7
@@ -2646,7 +2668,8 @@ ()
vcipher $out5,$out5,v27
addi $key_,$sp,$FRAME+15 # rewind $key_
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
vcipher $out0,$out0,v28
vcipher $out1,$out1,v28
vxor $in3,$twk3,v31
@@ -2655,7 +2678,6 @@ ()
vcipher $out2,$out2,v28
vcipher $out3,$out3,v28
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out4,$out4,v28
vcipher $out5,$out5,v28
lvx v24,$x00,$key_ # re-pre-load round[1]
@@ -2663,7 +2685,8 @@ ()
vcipher $out0,$out0,v29
vcipher $out1,$out1,v29
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
vcipher $out2,$out2,v29
vcipher $out3,$out3,v29
vxor $in4,$twk4,v31
@@ -2673,14 +2696,14 @@ ()
vcipher $out5,$out5,v29
lvx v25,$x10,$key_ # re-pre-load round[2]
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out0,$out0,v30
vcipher $out1,$out1,v30
vand $tmp,$tmp,$eighty7
vcipher $out2,$out2,v30
vcipher $out3,$out3,v30
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
vcipher $out4,$out4,v30
vcipher $out5,$out5,v30
vxor $in5,$twk5,v31
@@ -2690,7 +2713,6 @@ ()
vcipherlast $out0,$out0,$in0
lvx_u $in0,$x00,$inp # load next input block
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipherlast $out1,$out1,$in1
lvx_u $in1,$x10,$inp
vcipherlast $out2,$out2,$in2
@@ -2703,7 +2725,10 @@ ()
vcipherlast $out4,$out4,$in4
le?vperm $in2,$in2,$in2,$leperm
lvx_u $in4,$x40,$inp
- vxor $tweak,$tweak,$tmp
+ xxlor 10, 32+$in0, 32+$in0
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
+ xxlor 32+$in0, 10, 10
vcipherlast $tmp,$out5,$in5 # last block might be needed
# in stealing mode
le?vperm $in3,$in3,$in3,$leperm
@@ -2736,6 +2761,8 @@ ()
mtctr $rounds
beq Loop_xts_enc6x # did $len-=96 borrow?
+ xxlor 32+$eighty7, 2, 2 # 0x870101..01
+
addic. $len,$len,0x60
beq Lxts_enc6x_zero
cmpwi $len,0x20
@@ -3112,6 +3139,18 @@ ()
li $x70,0x70
mtspr 256,r0
+ # Reverse eighty7 to 0x010101..87
+ xxlor 2, 32+$eighty7, 32+$eighty7
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
+ xxlor 1, 32+$eighty7, 32+$eighty7
+
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
+ mr $x70, r6
+ bl Lconsts
+ lxvw4x 0, $x40, r6 # load XOR contents
+ mr r6, $x70
+ li $x70,0x70
+
subi $rounds,$rounds,3 # -4 in total
lvx $rndkey0,$x00,$key1 # load key schedule
@@ -3159,64 +3198,64 @@ ()
vxor $twk0,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vand $tmp,$tmp,$eighty7
vxor $out0,$in0,$twk0
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
lvx_u $in1,$x10,$inp
vxor $twk1,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in1,$in1,$in1,$leperm
vand $tmp,$tmp,$eighty7
vxor $out1,$in1,$twk1
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
lvx_u $in2,$x20,$inp
andi. $taillen,$len,15
vxor $twk2,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in2,$in2,$in2,$leperm
vand $tmp,$tmp,$eighty7
vxor $out2,$in2,$twk2
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
lvx_u $in3,$x30,$inp
sub $len,$len,$taillen
vxor $twk3,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in3,$in3,$in3,$leperm
vand $tmp,$tmp,$eighty7
vxor $out3,$in3,$twk3
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
lvx_u $in4,$x40,$inp
subi $len,$len,0x60
vxor $twk4,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in4,$in4,$in4,$leperm
vand $tmp,$tmp,$eighty7
vxor $out4,$in4,$twk4
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
lvx_u $in5,$x50,$inp
addi $inp,$inp,0x60
vxor $twk5,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in5,$in5,$in5,$leperm
vand $tmp,$tmp,$eighty7
vxor $out5,$in5,$twk5
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
vxor v31,v31,$rndkey0
mtctr $rounds
@@ -3242,6 +3281,8 @@ ()
lvx v25,$x10,$key_ # round[4]
bdnz Loop_xts_dec6x
+ xxlor 32+$eighty7, 1, 1
+
subic $len,$len,96 # $len-=96
vxor $in0,$twk0,v31 # xor with last round key
vncipher $out0,$out0,v24
@@ -3251,7 +3292,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vncipher $out2,$out2,v24
vncipher $out3,$out3,v24
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out4,$out4,v24
vncipher $out5,$out5,v24
@@ -3259,7 +3299,8 @@ ()
vand $tmp,$tmp,$eighty7
vncipher $out0,$out0,v25
vncipher $out1,$out1,v25
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
vncipher $out2,$out2,v25
vncipher $out3,$out3,v25
vxor $in1,$twk1,v31
@@ -3270,13 +3311,13 @@ ()
and r0,r0,$len
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out0,$out0,v26
vncipher $out1,$out1,v26
vand $tmp,$tmp,$eighty7
vncipher $out2,$out2,v26
vncipher $out3,$out3,v26
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
vncipher $out4,$out4,v26
vncipher $out5,$out5,v26
@@ -3290,7 +3331,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vncipher $out0,$out0,v27
vncipher $out1,$out1,v27
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out2,$out2,v27
vncipher $out3,$out3,v27
vand $tmp,$tmp,$eighty7
@@ -3298,7 +3338,8 @@ ()
vncipher $out5,$out5,v27
addi $key_,$sp,$FRAME+15 # rewind $key_
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
vncipher $out0,$out0,v28
vncipher $out1,$out1,v28
vxor $in3,$twk3,v31
@@ -3307,7 +3348,6 @@ ()
vncipher $out2,$out2,v28
vncipher $out3,$out3,v28
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out4,$out4,v28
vncipher $out5,$out5,v28
lvx v24,$x00,$key_ # re-pre-load round[1]
@@ -3315,7 +3355,8 @@ ()
vncipher $out0,$out0,v29
vncipher $out1,$out1,v29
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
vncipher $out2,$out2,v29
vncipher $out3,$out3,v29
vxor $in4,$twk4,v31
@@ -3325,14 +3366,14 @@ ()
vncipher $out5,$out5,v29
lvx v25,$x10,$key_ # re-pre-load round[2]
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out0,$out0,v30
vncipher $out1,$out1,v30
vand $tmp,$tmp,$eighty7
vncipher $out2,$out2,v30
vncipher $out3,$out3,v30
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
vncipher $out4,$out4,v30
vncipher $out5,$out5,v30
vxor $in5,$twk5,v31
@@ -3342,7 +3383,6 @@ ()
vncipherlast $out0,$out0,$in0
lvx_u $in0,$x00,$inp # load next input block
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipherlast $out1,$out1,$in1
lvx_u $in1,$x10,$inp
vncipherlast $out2,$out2,$in2
@@ -3355,7 +3395,10 @@ ()
vncipherlast $out4,$out4,$in4
le?vperm $in2,$in2,$in2,$leperm
lvx_u $in4,$x40,$inp
- vxor $tweak,$tweak,$tmp
+ xxlor 10, 32+$in0, 32+$in0
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
+ xxlor 32+$in0, 10, 10
vncipherlast $out5,$out5,$in5
le?vperm $in3,$in3,$in3,$leperm
lvx_u $in5,$x50,$inp
@@ -3386,6 +3429,8 @@ ()
mtctr $rounds
beq Loop_xts_dec6x # did $len-=96 borrow?
+ xxlor 32+$eighty7, 2, 2
+
addic. $len,$len,0x60
beq Lxts_dec6x_zero
cmpwi $len,0x20

270
openssl-Remove-EC-curves.patch Normal file
View File

@ -0,0 +1,270 @@
From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 11:46:40 +0200
Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
Patch-name: 0011-Remove-EC-curves.patch
Patch-id: 11
Patch-status: |
# remove unsupported EC curves
---
apps/speed.c | 8 +---
crypto/evp/ec_support.c | 87 ------------------------------------
test/acvp_test.inc | 9 ----
test/ecdsatest.h | 17 -------
test/recipes/15-test_genec.t | 27 -----------
5 files changed, 1 insertion(+), 147 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
index cace25eda1..d527f12f18 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
#endif /* OPENSSL_NO_DH */
enum ec_curves_t {
- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
+ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
#ifndef OPENSSL_NO_EC2M
R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
@@ -395,8 +395,6 @@ enum ec_curves_t {
};
/* list of ecdsa curves */
static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
- {"ecdsap160", R_EC_P160},
- {"ecdsap192", R_EC_P192},
{"ecdsap224", R_EC_P224},
{"ecdsap256", R_EC_P256},
{"ecdsap384", R_EC_P384},
@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM };
/* list of ecdh curves, extension of |ecdsa_choices| list above */
static const OPT_PAIR ecdh_choices[EC_NUM] = {
- {"ecdhp160", R_EC_P160},
- {"ecdhp192", R_EC_P192},
{"ecdhp224", R_EC_P224},
{"ecdhp256", R_EC_P256},
{"ecdhp384", R_EC_P384},
@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv)
*/
static const EC_CURVE ec_curves[EC_NUM] = {
/* Prime Curves */
- {"secp160r1", NID_secp160r1, 160},
- {"nistp192", NID_X9_62_prime192v1, 192},
{"nistp224", NID_secp224r1, 224},
{"nistp256", NID_X9_62_prime256v1, 256},
{"nistp384", NID_secp384r1, 384},
diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
index 1ec10143d2..82b95294b4 100644
--- a/crypto/evp/ec_support.c
+++ b/crypto/evp/ec_support.c
@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
static const EC_NAME2NID curve_list[] = {
/* prime field curves */
/* secg curves */
- {"secp112r1", NID_secp112r1 },
- {"secp112r2", NID_secp112r2 },
- {"secp128r1", NID_secp128r1 },
- {"secp128r2", NID_secp128r2 },
- {"secp160k1", NID_secp160k1 },
- {"secp160r1", NID_secp160r1 },
- {"secp160r2", NID_secp160r2 },
- {"secp192k1", NID_secp192k1 },
- {"secp224k1", NID_secp224k1 },
{"secp224r1", NID_secp224r1 },
{"secp256k1", NID_secp256k1 },
{"secp384r1", NID_secp384r1 },
{"secp521r1", NID_secp521r1 },
/* X9.62 curves */
- {"prime192v1", NID_X9_62_prime192v1 },
- {"prime192v2", NID_X9_62_prime192v2 },
- {"prime192v3", NID_X9_62_prime192v3 },
- {"prime239v1", NID_X9_62_prime239v1 },
- {"prime239v2", NID_X9_62_prime239v2 },
- {"prime239v3", NID_X9_62_prime239v3 },
{"prime256v1", NID_X9_62_prime256v1 },
/* characteristic two field curves */
/* NIST/SECG curves */
- {"sect113r1", NID_sect113r1 },
- {"sect113r2", NID_sect113r2 },
- {"sect131r1", NID_sect131r1 },
- {"sect131r2", NID_sect131r2 },
- {"sect163k1", NID_sect163k1 },
- {"sect163r1", NID_sect163r1 },
- {"sect163r2", NID_sect163r2 },
- {"sect193r1", NID_sect193r1 },
- {"sect193r2", NID_sect193r2 },
- {"sect233k1", NID_sect233k1 },
- {"sect233r1", NID_sect233r1 },
- {"sect239k1", NID_sect239k1 },
- {"sect283k1", NID_sect283k1 },
- {"sect283r1", NID_sect283r1 },
- {"sect409k1", NID_sect409k1 },
- {"sect409r1", NID_sect409r1 },
- {"sect571k1", NID_sect571k1 },
- {"sect571r1", NID_sect571r1 },
- /* X9.62 curves */
- {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
- {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
- {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
- {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
- {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
- {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
- {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
- {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
- {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
- {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
- {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
- {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
- {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
- {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
- {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
- {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
- /*
- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
- * from X9.62]
- */
- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
- /* IPSec curves */
- {"Oakley-EC2N-3", NID_ipsec3 },
- {"Oakley-EC2N-4", NID_ipsec4 },
/* brainpool curves */
- {"brainpoolP160r1", NID_brainpoolP160r1 },
- {"brainpoolP160t1", NID_brainpoolP160t1 },
- {"brainpoolP192r1", NID_brainpoolP192r1 },
- {"brainpoolP192t1", NID_brainpoolP192t1 },
- {"brainpoolP224r1", NID_brainpoolP224r1 },
- {"brainpoolP224t1", NID_brainpoolP224t1 },
{"brainpoolP256r1", NID_brainpoolP256r1 },
{"brainpoolP256t1", NID_brainpoolP256t1 },
{"brainpoolP320r1", NID_brainpoolP320r1 },
@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name)
/* Functions to translate between common NIST curve names and NIDs */
static const EC_NAME2NID nist_curves[] = {
- {"B-163", NID_sect163r2},
- {"B-233", NID_sect233r1},
- {"B-283", NID_sect283r1},
- {"B-409", NID_sect409r1},
- {"B-571", NID_sect571r1},
- {"K-163", NID_sect163k1},
- {"K-233", NID_sect233k1},
- {"K-283", NID_sect283k1},
- {"K-409", NID_sect409k1},
- {"K-571", NID_sect571k1},
- {"P-192", NID_X9_62_prime192v1},
{"P-224", NID_secp224r1},
{"P-256", NID_X9_62_prime256v1},
{"P-384", NID_secp384r1},
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
index ad11d3ae1e..894a0bff9d 100644
--- a/test/acvp_test.inc
+++ b/test/acvp_test.inc
@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = {
0xB1, 0xAC,
};
static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
- {
- "SHA-1",
- "P-192",
- ITM(ecdsa_sigver_msg0),
- ITM(ecdsa_sigver_pub0),
- ITM(ecdsa_sigver_r0),
- ITM(ecdsa_sigver_s0),
- PASS,
- },
{
"SHA2-512",
"P-521",
diff --git a/test/ecdsatest.h b/test/ecdsatest.h
index 63fe319025..06b5c0aac5 100644
--- a/test/ecdsatest.h
+++ b/test/ecdsatest.h
@@ -32,23 +32,6 @@ typedef struct {
} ecdsa_cavs_kat_t;
static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
- /* prime KATs from X9.62 */
- {NID_X9_62_prime192v1, NID_sha1,
- "616263", /* "abc" */
- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
- "5ca5c0d69716dfcb3474373902",
- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
- {NID_X9_62_prime239v1, NID_sha1,
- "616263", /* "abc" */
- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
/* prime KATs from NIST CAVP */
{NID_secp224r1, NID_sha224,
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t
index 2dfed387ca..c733b68f83 100644
--- a/test/recipes/15-test_genec.t
+++ b/test/recipes/15-test_genec.t
@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build"
if disabled("ec");
my @prime_curves = qw(
- secp112r1
- secp112r2
- secp128r1
- secp128r2
- secp160k1
- secp160r1
- secp160r2
- secp192k1
- secp224k1
secp224r1
secp256k1
secp384r1
secp521r1
- prime192v1
- prime192v2
- prime192v3
- prime239v1
- prime239v2
- prime239v3
prime256v1
- wap-wsg-idm-ecid-wtls6
- wap-wsg-idm-ecid-wtls7
- wap-wsg-idm-ecid-wtls8
- wap-wsg-idm-ecid-wtls9
- wap-wsg-idm-ecid-wtls12
- brainpoolP160r1
- brainpoolP160t1
- brainpoolP192r1
- brainpoolP192t1
- brainpoolP224r1
- brainpoolP224t1
brainpoolP256r1
brainpoolP256t1
brainpoolP320r1
@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
if !disabled("sm2");
my @curve_aliases = qw(
- P-192
P-224
P-256
P-384
--
2.41.0

171
openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch Normal file
View File

@ -0,0 +1,171 @@
Subject: [PATCH] Revert "Improve FIPS RSA keygen performance."
This reverts commit 3431dd4b3ee7933822586aab62972de4d8c0e9e5.
---
crypto/bn/bn_prime.c | 11 --------
crypto/bn/bn_rsa_fips186_4.c | 49 ++++++------------------------------
include/crypto/bn.h | 2 --
3 files changed, 8 insertions(+), 54 deletions(-)
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index 79776f1ce5..ddd31a0252 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -252,17 +252,6 @@ int ossl_bn_check_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
return bn_is_prime_int(w, checks, ctx, do_trial_division, cb);
}
-/*
- * Use this only for key generation.
- * It always uses trial division. The number of checks
- * (MR rounds) passed in is used without being clamped to a minimum value.
- */
-int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
- BN_GENCB *cb)
-{
- return bn_is_prime_int(w, checks, ctx, 1, cb);
-}
-
int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb)
{
return ossl_bn_check_prime(p, 0, ctx, 1, cb);
diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c
index e9f0d4038c..8a7b2ecf2f 100644
--- a/crypto/bn/bn_rsa_fips186_4.c
+++ b/crypto/bn/bn_rsa_fips186_4.c
@@ -48,34 +48,6 @@ const BIGNUM ossl_bn_inv_sqrt_2 = {
BN_FLG_STATIC_DATA
};
-/*
- * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin
- * required for generation of RSA aux primes (p1, p2, q1 and q2).
- */
-static int bn_rsa_fips186_5_aux_prime_MR_rounds(int nbits)
-{
- if (nbits >= 4096)
- return 44;
- if (nbits >= 3072)
- return 41;
- if (nbits >= 2048)
- return 38;
- return 0; /* Error */
-}
-
-/*
- * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin
- * required for generation of RSA primes (p and q)
- */
-static int bn_rsa_fips186_5_prime_MR_rounds(int nbits)
-{
- if (nbits >= 3072)
- return 4;
- if (nbits >= 2048)
- return 5;
- return 0; /* Error */
-}
-
/*
* FIPS 186-5 Table A.1. "Min length of auxiliary primes p1, p2, q1, q2".
* (FIPS 186-5 has an entry for >= 4096 bits).
@@ -125,13 +97,11 @@ static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits)
* Xp1 The passed in starting point to find a probably prime.
* p1 The returned probable prime (first odd integer >= Xp1)
* ctx A BN_CTX object.
- * rounds The number of Miller Rabin rounds
* cb An optional BIGNUM callback.
* Returns: 1 on success otherwise it returns 0.
*/
static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1,
BIGNUM *p1, BN_CTX *ctx,
- int rounds,
BN_GENCB *cb)
{
int ret = 0;
@@ -147,7 +117,7 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1,
i++;
BN_GENCB_call(cb, 0, i);
/* MR test with trial division */
- tmp = ossl_bn_check_generated_prime(p1, rounds, ctx, cb);
+ tmp = BN_check_prime(p1, ctx, cb);
if (tmp > 0)
break;
if (tmp < 0)
@@ -190,7 +160,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
{
int ret = 0;
BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL;
- int bitlen, rounds;
+ int bitlen;
if (p == NULL || Xpout == NULL)
return 0;
@@ -207,7 +177,6 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
bitlen = bn_rsa_fips186_5_aux_prime_min_size(nlen);
if (bitlen == 0)
goto err;
- rounds = bn_rsa_fips186_5_aux_prime_MR_rounds(nlen);
/* (Steps 4.1/5.1): Randomly generate Xp1 if it is not passed in */
if (Xp1 == NULL) {
@@ -225,8 +194,8 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
}
/* (Steps 4.2/5.2) - find first auxiliary probable primes */
- if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb)
- || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb))
+ if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, cb)
+ || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, cb))
goto err;
/* (Table B.1) auxiliary prime Max length check */
if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >=
@@ -274,11 +243,11 @@ err:
*/
int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
const BIGNUM *r1, const BIGNUM *r2,
- int nlen, const BIGNUM *e,
- BN_CTX *ctx, BN_GENCB *cb)
+ int nlen, const BIGNUM *e, BN_CTX *ctx,
+ BN_GENCB *cb)
{
int ret = 0;
- int i, imax, rounds;
+ int i, imax;
int bits = nlen >> 1;
BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2;
BIGNUM *base, *range;
@@ -348,7 +317,6 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
* The number has been updated to 20 * nlen/2 as used in
* FIPS186-5 Appendix B.9 Step 9.
*/
- rounds = bn_rsa_fips186_5_prime_MR_rounds(nlen);
imax = 20 * bits; /* max = 20/2 * nbits */
for (;;) {
if (Xin == NULL) {
@@ -378,9 +346,8 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
if (BN_copy(y1, Y) == NULL
|| !BN_sub_word(y1, 1))
goto err;
-
if (BN_are_coprime(y1, e, ctx)) {
- int rv = ossl_bn_check_generated_prime(Y, rounds, ctx, cb);
+ int rv = BN_check_prime(Y, ctx, cb);
if (rv > 0)
goto end;
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 4d11e0e4b1..cf69bea848 100644
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
@@ -95,8 +95,6 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx,
BN_GENCB *cb, int enhanced, int *status);
-int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
- BN_GENCB *cb);
const BIGNUM *ossl_bn_get0_small_factors(void);
--
2.44.0

35
openssl-crypto-policies-support.patch Normal file
View File

@ -0,0 +1,35 @@
Add default section to load crypto-policies configuration for TLS.
It needs to be reverted before running tests.
---
apps/openssl.cnf | 20 ++++++++++++++++++--
2 files changed, 19 insertions(+), 3 deletions(-)
Index: openssl-3.2.0/apps/openssl.cnf
===================================================================
--- openssl-3.2.0.orig/apps/openssl.cnf
+++ openssl-3.2.0/apps/openssl.cnf
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
+# Load default TLS policy configuration
+ssl_conf = ssl_module
# List of providers to load
[provider_sect]
@@ -71,6 +73,13 @@ default = default_sect
[default_sect]
# activate = 1
+[ ssl_module ]
+
+system_default = crypto_policy
+
+[ crypto_policy ]
+
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
####################################################################
[ ca ]

470
openssl-disable-fipsinstall.patch Normal file
View File

@ -0,0 +1,470 @@
From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch
Patch-name: 0034.fipsinstall_disable.patch
Patch-id: 34
Patch-status: |
# Comment out fipsinstall command-line utility
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
apps/fipsinstall.c | 3 +
doc/man1/openssl-fipsinstall.pod.in | 272 +---------------------------
doc/man1/openssl.pod | 4 -
doc/man5/config.pod | 1 -
doc/man5/fips_config.pod | 104 +----------
doc/man7/OSSL_PROVIDER-FIPS.pod | 1 -
6 files changed, 10 insertions(+), 375 deletions(-)
Index: openssl-3.1.4/apps/fipsinstall.c
===================================================================
--- openssl-3.1.4.orig/apps/fipsinstall.c
+++ openssl-3.1.4/apps/fipsinstall.c
@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **ar
EVP_MAC *mac = NULL;
CONF *conf = NULL;
+ BIO_printf(bio_err, "This command is not enabled in SUSE/openSUSE OpenSSL build, please see 'man 8 fips-mode-setup' to learn how to enable FIPS mode\n");
+ return 1;
+
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in
===================================================================
--- openssl-3.1.4.orig/doc/man1/openssl-fipsinstall.pod.in
+++ openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in
@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS confi
=head1 SYNOPSIS
B<openssl fipsinstall>
-[B<-help>]
-[B<-in> I<configfilename>]
-[B<-out> I<configfilename>]
-[B<-module> I<modulefilename>]
-[B<-provider_name> I<providername>]
-[B<-section_name> I<sectionname>]
-[B<-verify>]
-[B<-mac_name> I<macname>]
-[B<-macopt> I<nm>:I<v>]
-[B<-noout>]
-[B<-quiet>]
-[B<-pedantic>]
-[B<-no_conditional_errors>]
-[B<-no_security_checks>]
-[B<-ems_check>]
-[B<-no_drbg_truncated_digests>]
-[B<-self_test_onload>]
-[B<-self_test_oninstall>]
-[B<-corrupt_desc> I<selftest_description>]
-[B<-corrupt_type> I<selftest_type>]
-[B<-config> I<parent_config>]
-
-=head1 DESCRIPTION
-
-This command is used to generate a FIPS module configuration file.
-This configuration file can be used each time a FIPS module is loaded
-in order to pass data to the FIPS module self tests. The FIPS module always
-verifies its MAC, but optionally only needs to run the KAT's once,
-at installation.
-
-The generated configuration file consists of:
-
-=over 4
-
-=item - A MAC of the FIPS module file.
-
-=item - A test status indicator.
-
-This indicates if the Known Answer Self Tests (KAT's) have successfully run.
-
-=item - A MAC of the status indicator.
-
-=item - A control for conditional self tests errors.
-
-By default if a continuous test (e.g a key pair test) fails then the FIPS module
-will enter an error state, and no services or cryptographic algorithms will be
-able to be accessed after this point.
-The default value of '1' will cause the fips module error state to be entered.
-If the value is '0' then the module error state will not be entered.
-Regardless of whether the error state is entered or not, the current operation
-(e.g. key generation) will return an error. The user is responsible for retrying
-the operation if the module error state is not entered.
-
-=item - A control to indicate whether run-time security checks are done.
-
-This indicates if run-time checks related to enforcement of security parameters
-such as minimum security strength of keys and approved curve names are used.
-The default value of '1' will perform the checks.
-If the value is '0' the checks are not performed and FIPS compliance must
-be done by procedures documented in the relevant Security Policy.
-
-=back
-
-This file is described in L<fips_config(5)>.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-help>
-
-Print a usage message.
-
-=item B<-module> I<filename>
-
-Filename of the FIPS module to perform an integrity check on.
-The path provided in the filename is used to load the module when it is
-activated, and this overrides the environment variable B<OPENSSL_MODULES>.
-
-=item B<-out> I<configfilename>
-
-Filename to output the configuration data to; the default is standard output.
-
-=item B<-in> I<configfilename>
-
-Input filename to load configuration data from.
-Must be used if the B<-verify> option is specified.
-
-=item B<-verify>
-
-Verify that the input configuration file contains the correct information.
-
-=item B<-provider_name> I<providername>
-
-Name of the provider inside the configuration file.
-The default value is C<fips>.
-
-=item B<-section_name> I<sectionname>
-
-Name of the section inside the configuration file.
-The default value is C<fips_sect>.
-
-=item B<-mac_name> I<name>
-
-Specifies the name of a supported MAC algorithm which will be used.
-The MAC mechanisms that are available will depend on the options
-used when building OpenSSL.
-To see the list of supported MAC's use the command
-C<openssl list -mac-algorithms>. The default is B<HMAC>.
-
-=item B<-macopt> I<nm>:I<v>
-
-Passes options to the MAC algorithm.
-A comprehensive list of controls can be found in the EVP_MAC implementation
-documentation.
-Common control strings used for this command are:
-
-=over 4
-
-=item B<key>:I<string>
-
-Specifies the MAC key as an alphanumeric string (use if the key contains
-printable characters only).
-The string length must conform to any restrictions of the MAC algorithm.
-A key must be specified for every MAC algorithm.
-If no key is provided, the default that was specified when OpenSSL was
-configured is used.
-
-=item B<hexkey>:I<string>
-
-Specifies the MAC key in hexadecimal form (two hex digits per byte).
-The key length must conform to any restrictions of the MAC algorithm.
-A key must be specified for every MAC algorithm.
-If no key is provided, the default that was specified when OpenSSL was
-configured is used.
-
-=item B<digest>:I<string>
-
-Used by HMAC as an alphanumeric string (use if the key contains printable
-characters only).
-The string length must conform to any restrictions of the MAC algorithm.
-To see the list of supported digests, use the command
-C<openssl list -digest-commands>.
-The default digest is SHA-256.
-
-=back
-
-=item B<-noout>
-
-Disable logging of the self tests.
-
-=item B<-pedantic>
-
-Configure the module so that it is strictly FIPS compliant rather
-than being backwards compatible. This enables conditional errors,
-security checks etc. Note that any previous configuration options will
-be overwritten and any subsequent configuration options that violate
-FIPS compliance will result in an error.
-
-=item B<-no_conditional_errors>
-
-Configure the module to not enter an error state if a conditional self test
-fails as described above.
-
-=item B<-no_security_checks>
-
-Configure the module to not perform run-time security checks as described above.
-
-Enabling the configuration option "no-fips-securitychecks" provides another way to
-turn off the check at compile time.
-
-=item B<-ems_check>
-
-Configure the module to enable a run-time Extended Master Secret (EMS) check
-when using the TLS1_PRF KDF algorithm. This check is disabled by default.
-See RFC 7627 for information related to EMS.
-
-=item B<-no_drbg_truncated_digests>
-
-Configure the module to not allow truncated digests to be used with Hash and
-HMAC DRBGs. See FIPS 140-3 IG D.R for details.
-
-=item B<-self_test_onload>
-
-Do not write the two fields related to the "test status indicator" and
-"MAC status indicator" to the output configuration file. Without these fields
-the self tests KATS will run each time the module is loaded. This option could be
-used for cross compiling, since the self tests need to run at least once on each
-target machine. Once the self tests have run on the target machine the user
-could possibly then add the 2 fields into the configuration using some other
-mechanism.
-
-This is the default.
-
-=item B<-self_test_oninstall>
-
-The converse of B<-self_test_oninstall>. The two fields related to the
-"test status indicator" and "MAC status indicator" are written to the
-output configuration file.
-
-=item B<-quiet>
-
-Do not output pass/fail messages. Implies B<-noout>.
-
-=item B<-corrupt_desc> I<selftest_description>,
-B<-corrupt_type> I<selftest_type>
-
-The corrupt options can be used to test failure of one or more self tests by
-name.
-Either option or both may be used to select the tests to corrupt.
-Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
-values that can be used.
-
-=item B<-config> I<parent_config>
-
-Test that a FIPS provider can be loaded from the specified configuration file.
-A previous call to this application needs to generate the extra configuration
-data that is included by the base C<parent_config> configuration file.
-See L<config(5)> for further information on how to set up a provider section.
-All other options are ignored if '-config' is used.
-
-=back
-
-=head1 NOTES
-
-Self tests results are logged by default if the options B<-quiet> and B<-noout>
-are not specified, or if either of the options B<-corrupt_desc> or
-B<-corrupt_type> are used.
-If the base configuration file is set up to autoload the fips module, then the
-fips module will be loaded and self tested BEFORE the fipsinstall application
-has a chance to set up its own self test callback. As a result of this the self
-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
-For normal usage the base configuration file should use the default provider
-when generating the fips configuration file.
-
-The B<-self_test_oninstall> option was added and the
-B<-self_test_onload> option was made the default in OpenSSL 3.1.
-
-The command and all remaining options were added in OpenSSL 3.0.
-
-=head1 EXAMPLES
-
-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
-for the module, and save the F<fips.cnf> configuration file:
-
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
-
-Verify that the configuration file F<fips.cnf> contains the correct info:
-
- openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify
-
-Corrupt any self tests which have the description C<SHA1>:
-
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
- -corrupt_desc 'SHA1'
-
-Validate that the fips module can be loaded from a base configuration file:
-
- export OPENSSL_CONF_INCLUDE=<path of configuration files>
- export OPENSSL_MODULES=<provider-path>
- openssl fipsinstall -config' 'default.cnf'
-
-
-=head1 SEE ALSO
-
-L<config(5)>,
-L<fips_config(5)>,
-L<OSSL_PROVIDER-FIPS(7)>,
-L<EVP_MAC(3)>
+This command is disabled.
+Please consult the SUSE/openSUSE documentation to learn how to correctly
+enable FIPS mode.
=head1 COPYRIGHT
Index: openssl-3.1.4/doc/man1/openssl.pod
===================================================================
--- openssl-3.1.4.orig/doc/man1/openssl.pod
+++ openssl-3.1.4/doc/man1/openssl.pod
@@ -135,10 +135,6 @@ Engine (loadable module) information and
Error Number to Error String Conversion.
-=item B<fipsinstall>
-
-FIPS configuration installation.
-
=item B<gendsa>
Generation of DSA Private Key from Parameters. Superseded by
Index: openssl-3.1.4/doc/man5/config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/config.pod
+++ openssl-3.1.4/doc/man5/config.pod
@@ -565,7 +565,6 @@ configuration files using that syntax wi
=head1 SEE ALSO
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
-L<openssl-fipsinstall(1)>,
L<ASN1_generate_nconf(3)>,
L<EVP_set_default_properties(3)>,
L<CONF_modules_load(3)>,
Index: openssl-3.1.4/doc/man5/fips_config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/fips_config.pod
+++ openssl-3.1.4/doc/man5/fips_config.pod
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
=head1 DESCRIPTION
-A separate configuration file, using the OpenSSL L<config(5)> syntax,
-is used to hold information about the FIPS module. This includes a digest
-of the shared library file, and status about the self-testing.
-This data is used automatically by the module itself for two
-purposes:
-
-=over 4
-
-=item - Run the startup FIPS self-test known answer tests (KATS).
-
-This is normally done once, at installation time, but may also be set up to
-run each time the module is used.
-
-=item - Verify the module's checksum.
-
-This is done each time the module is used.
-
-=back
-
-This file is generated by the L<openssl-fipsinstall(1)> program, and
-used internally by the FIPS module during its initialization.
-
-The following options are supported. They should all appear in a section
-whose name is identified by the B<fips> option in the B<providers>
-section, as described in L<config(5)/Provider Configuration Module>.
-
-=over 4
-
-=item B<activate>
-
-If present, the module is activated. The value assigned to this name is not
-significant.
-
-=item B<install-version>
-
-A version number for the fips install process. Should be 1.
-
-=item B<conditional-errors>
-
-The FIPS module normally enters an internal error mode if any self test fails.
-Once this error mode is active, no services or cryptographic algorithms are
-accessible from this point on.
-Continuous tests are a subset of the self tests (e.g., a key pair test during key
-generation, or the CRNG output test).
-Setting this value to C<0> allows the error mode to not be triggered if any
-continuous test fails. The default value of C<1> will trigger the error mode.
-Regardless of the value, the operation (e.g., key generation) that called the
-continuous test will return an error code if its continuous test fails. The
-operation may then be retried if the error mode has not been triggered.
-
-=item B<security-checks>
-
-This indicates if run-time checks related to enforcement of security parameters
-such as minimum security strength of keys and approved curve names are used.
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
-are not performed and FIPS compliance must be done by procedures documented in
-the relevant Security Policy.
-
-=item B<module-mac>
-
-The calculated MAC of the FIPS provider file.
-
-=item B<install-status>
-
-An indicator that the self-tests were successfully run.
-This should only be written after the module has
-successfully passed its self tests during installation.
-If this field is not present, then the self tests will run when the module
-loads.
-
-=item B<install-mac>
-
-A MAC of the value of the B<install-status> option, to prevent accidental
-changes to that value.
-It is written-to at the same time as B<install-status> is updated.
-
-=back
-
-For example:
-
- [fips_sect]
- activate = 1
- install-version = 1
- conditional-errors = 1
- security-checks = 1
- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
- install-status = INSTALL_SELF_TEST_KATS_RUN
-
-=head1 NOTES
-
-When using the FIPS provider, it is recommended that the
-B<config_diagnostics> option is enabled to prevent accidental use of
-non-FIPS validated algorithms via broken or mistaken configuration.
-See L<config(5)>.
-
-=head1 SEE ALSO
-
-L<config(5)>
-L<openssl-fipsinstall(1)>
+This command is disabled in SUSE/openSUSE. The FIPS provider is
+automatically loaded when the system is booted in FIPS mode, or when the
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set.
+See the documentation for more information.
=head1 HISTORY
Index: openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod
===================================================================
--- openssl-3.1.4.orig/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -455,7 +455,6 @@ want to operate in a FIPS approved manne
=head1 SEE ALSO
-L<openssl-fipsinstall(1)>,
L<fips_config(5)>,
L<OSSL_SELF_TEST_set_callback(3)>,
L<OSSL_SELF_TEST_new(3)>,

2159
openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch Normal file
View File

File diff suppressed because it is too large Load Diff

65
openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch Normal file
View File

@ -0,0 +1,65 @@
From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Fri, 23 Jun 2023 16:41:48 +1000
Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul}
wrappers
Runtime selection of implementations for felem_{square,mul} depends on
felem_{square,mul}_wrapper functions, which overwrite function points in
a similar design to that of .plt.got sections used by program loaders
during dynamic linking.
There's no reason why these functions need to have external linkage.
Mark static.
Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21471)
---
crypto/ec/ecp_nistp521.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index 97815cac1f13..32a9268ecf17 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in)
}
#if defined(ECP_NISTP521_ASM)
-void felem_square_wrapper(largefelem out, const felem in);
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
+static void felem_square_wrapper(largefelem out, const felem in);
+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
static void (*felem_square_p)(largefelem out, const felem in) =
felem_square_wrapper;
@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2);
# include "crypto/ppc_arch.h"
# endif
-void felem_select(void)
+static void felem_select(void)
{
# if defined(_ARCH_PPC64)
if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
@@ -707,13 +707,13 @@ void felem_select(void)
felem_mul_p = felem_mul_ref;
}
-void felem_square_wrapper(largefelem out, const felem in)
+static void felem_square_wrapper(largefelem out, const felem in)
{
felem_select();
felem_square_p(out, in);
}
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
{
felem_select();
felem_mul_p(out, in1, in2);

428
openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch Normal file
View File

@ -0,0 +1,428 @@
From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Wed, 31 May 2023 14:32:26 +1000
Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul}
Add an assembly implementation of felem_{square,mul}, which will be
implemented whenever Altivec support is present and the core implements
ISA 3.0 (Power 9) or greater.
Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21471)
---
crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++
crypto/ec/build.info | 6 +-
crypto/ec/ecp_nistp384.c | 9 +
3 files changed, 368 insertions(+), 2 deletions(-)
create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl
diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
new file mode 100755
index 000000000000..3f86b391af69
--- /dev/null
+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
@@ -0,0 +1,355 @@
+#! /usr/bin/env perl
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# ====================================================================
+# Written by Rohan McLure <rmclure@linux.ibm.com> for the OpenSSL
+# project.
+# ====================================================================
+#
+# p384 lower-level primitives for PPC64 using vector instructions.
+#
+
+use strict;
+use warnings;
+
+my $flavour = shift;
+my $output = "";
+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
+if (!$output) {
+ $output = "-";
+}
+
+my ($xlate, $dir);
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
+die "can't locate ppc-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+
+my $code = "";
+
+my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12");
+
+my $vzero = "v32";
+
+sub startproc($)
+{
+ my ($name) = @_;
+
+ $code.=<<___;
+ .globl ${name}
+ .align 5
+${name}:
+
+___
+}
+
+sub endproc($)
+{
+ my ($name) = @_;
+
+ $code.=<<___;
+ blr
+ .size ${name},.-${name}
+
+___
+}
+
+
+sub push_vrs($$)
+{
+ my ($min, $max) = @_;
+
+ my $count = $max - $min + 1;
+
+ $code.=<<___;
+ mr $savesp,$sp
+ stdu $sp,-16*`$count+1`($sp)
+
+___
+ for (my $i = $min; $i <= $max; $i++) {
+ my $mult = $max - $i + 1;
+ $code.=<<___;
+ stxv $i,-16*$mult($savesp)
+___
+
+ }
+
+ $code.=<<___;
+
+___
+}
+
+sub pop_vrs($$)
+{
+ my ($min, $max) = @_;
+
+ $code.=<<___;
+ ld $savesp,0($sp)
+___
+ for (my $i = $min; $i <= $max; $i++) {
+ my $mult = $max - $i + 1;
+ $code.=<<___;
+ lxv $i,-16*$mult($savesp)
+___
+ }
+
+ $code.=<<___;
+ mr $sp,$savesp
+
+___
+}
+
+sub load_vrs($$)
+{
+ my ($pointer, $reg_list) = @_;
+
+ for (my $i = 0; $i <= 6; $i++) {
+ my $offset = $i * 8;
+ $code.=<<___;
+ lxsd $reg_list->[$i],$offset($pointer)
+___
+ }
+
+ $code.=<<___;
+
+___
+}
+
+sub store_vrs($$)
+{
+ my ($pointer, $reg_list) = @_;
+
+ for (my $i = 0; $i <= 12; $i++) {
+ my $offset = $i * 16;
+ $code.=<<___;
+ stxv $reg_list->[$i],$offset($pointer)
+___
+ }
+
+ $code.=<<___;
+
+___
+}
+
+$code.=<<___;
+.machine "any"
+.text
+
+___
+
+{
+ # mul/square common
+ my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v42", "v43");
+ my ($zero, $one) = ("r8", "r9");
+ my $out = "v51";
+
+ {
+ #
+ # p384_felem_mul
+ #
+
+ my ($in1p, $in2p) = ("r4", "r5");
+ my @in1 = map("v$_",(44..50));
+ my @in2 = map("v$_",(35..41));
+
+ startproc("p384_felem_mul");
+
+ push_vrs(52, 63);
+
+ $code.=<<___;
+ vspltisw $vzero,0
+
+___
+
+ load_vrs($in1p, \@in1);
+ load_vrs($in2p, \@in2);
+
+ $code.=<<___;
+ vmsumudm $out,$in1[0],$in2[0],$vzero
+ stxv $out,0($outp)
+
+ xxpermdi $t1,$in1[0],$in1[1],0b00
+ xxpermdi $t2,$in2[1],$in2[0],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,16($outp)
+
+ xxpermdi $t2,$in2[2],$in2[1],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in1[2],$in2[0],$out
+ stxv $out,32($outp)
+
+ xxpermdi $t2,$in2[1],$in2[0],0b00
+ xxpermdi $t3,$in1[2],$in1[3],0b00
+ xxpermdi $t4,$in2[3],$in2[2],0b00
+ vmsumudm $out,$t1,$t4,$vzero
+ vmsumudm $out,$t3,$t2,$out
+ stxv $out,48($outp)
+
+ xxpermdi $t2,$in2[4],$in2[3],0b00
+ xxpermdi $t4,$in2[2],$in2[1],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ vmsumudm $out,$in1[4],$in2[0],$out
+ stxv $out,64($outp)
+
+ xxpermdi $t2,$in2[5],$in2[4],0b00
+ xxpermdi $t4,$in2[3],$in2[2],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ xxpermdi $t4,$in2[1],$in2[0],0b00
+ xxpermdi $t1,$in1[4],$in1[5],0b00
+ vmsumudm $out,$t1,$t4,$out
+ stxv $out,80($outp)
+
+ xxpermdi $t1,$in1[0],$in1[1],0b00
+ xxpermdi $t2,$in2[6],$in2[5],0b00
+ xxpermdi $t4,$in2[4],$in2[3],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ xxpermdi $t2,$in2[2],$in2[1],0b00
+ xxpermdi $t1,$in1[4],$in1[5],0b00
+ vmsumudm $out,$t1,$t2,$out
+ vmsumudm $out,$in1[6],$in2[0],$out
+ stxv $out,96($outp)
+
+ xxpermdi $t1,$in1[1],$in1[2],0b00
+ xxpermdi $t2,$in2[6],$in2[5],0b00
+ xxpermdi $t3,$in1[3],$in1[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ xxpermdi $t3,$in2[2],$in2[1],0b00
+ xxpermdi $t1,$in1[5],$in1[6],0b00
+ vmsumudm $out,$t1,$t3,$out
+ stxv $out,112($outp)
+
+ xxpermdi $t1,$in1[2],$in1[3],0b00
+ xxpermdi $t3,$in1[4],$in1[5],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ vmsumudm $out,$in1[6],$in2[2],$out
+ stxv $out,128($outp)
+
+ xxpermdi $t1,$in1[3],$in1[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ xxpermdi $t1,$in1[5],$in1[6],0b00
+ vmsumudm $out,$t1,$t4,$out
+ stxv $out,144($outp)
+
+ vmsumudm $out,$t3,$t2,$vzero
+ vmsumudm $out,$in1[6],$in2[4],$out
+ stxv $out,160($outp)
+
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,176($outp)
+
+ vmsumudm $out,$in1[6],$in2[6],$vzero
+ stxv $out,192($outp)
+___
+
+ endproc("p384_felem_mul");
+ }
+
+ {
+ #
+ # p384_felem_square
+ #
+
+ my ($inp) = ("r4");
+ my @in = map("v$_",(44..50));
+ my @inx2 = map("v$_",(35..41));
+
+ startproc("p384_felem_square");
+
+ push_vrs(52, 63);
+
+ $code.=<<___;
+ vspltisw $vzero,0
+
+___
+
+ load_vrs($inp, \@in);
+
+ $code.=<<___;
+ li $zero,0
+ li $one,1
+ mtvsrdd $t1,$one,$zero
+___
+
+ for (my $i = 0; $i <= 6; $i++) {
+ $code.=<<___;
+ vsld $inx2[$i],$in[$i],$t1
+___
+ }
+
+ $code.=<<___;
+ vmsumudm $out,$in[0],$in[0],$vzero
+ stxv $out,0($outp)
+
+ vmsumudm $out,$in[0],$inx2[1],$vzero
+ stxv $out,16($outp)
+
+ vmsumudm $out,$in[0],$inx2[2],$vzero
+ vmsumudm $out,$in[1],$in[1],$out
+ stxv $out,32($outp)
+
+ xxpermdi $t1,$in[0],$in[1],0b00
+ xxpermdi $t2,$inx2[3],$inx2[2],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,48($outp)
+
+ xxpermdi $t4,$inx2[4],$inx2[3],0b00
+ vmsumudm $out,$t1,$t4,$vzero
+ vmsumudm $out,$in[2],$in[2],$out
+ stxv $out,64($outp)
+
+ xxpermdi $t2,$inx2[5],$inx2[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in[2],$inx2[3],$out
+ stxv $out,80($outp)
+
+ xxpermdi $t2,$inx2[6],$inx2[5],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in[2],$inx2[4],$out
+ vmsumudm $out,$in[3],$in[3],$out
+ stxv $out,96($outp)
+
+ xxpermdi $t3,$in[1],$in[2],0b00
+ vmsumudm $out,$t3,$t2,$vzero
+ vmsumudm $out,$in[3],$inx2[4],$out
+ stxv $out,112($outp)
+
+ xxpermdi $t1,$in[2],$in[3],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in[4],$in[4],$out
+ stxv $out,128($outp)
+
+ xxpermdi $t1,$in[3],$in[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,144($outp)
+
+ vmsumudm $out,$in[4],$inx2[6],$vzero
+ vmsumudm $out,$in[5],$in[5],$out
+ stxv $out,160($outp)
+
+ vmsumudm $out,$in[5],$inx2[6],$vzero
+ stxv $out,176($outp)
+
+ vmsumudm $out,$in[6],$in[6],$vzero
+ stxv $out,192($outp)
+___
+
+ endproc("p384_felem_square");
+ }
+}
+
+$code =~ s/\`([^\`]*)\`/eval $1/gem;
+print $code;
+close STDOUT or die "error closing STDOUT: $!";
diff --git a/crypto/ec/build.info b/crypto/ec/build.info
index 1fa60a1deddd..4077bead7bdb 100644
--- a/crypto/ec/build.info
+++ b/crypto/ec/build.info
@@ -39,8 +39,9 @@ IF[{- !$disabled{asm} -}]
$ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s
$ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM
IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}]
- $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s
- $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM
+ $ECASM_ppc64=$ECASM_ppc64 ecp_nistp384-ppc64.s ecp_nistp521-ppc64.s
+ $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP384_ASM ECP_NISTP521_ASM
+ INCLUDE[ecp_nistp384.o]=..
INCLUDE[ecp_nistp521.o]=..
ENDIF
@@ -119,6 +120,7 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl
INCLUDE[ecp_nistz256-armv8.o]=..
GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl
+GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl
GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl
GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl
diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
index a0559487ed4e..14f9530d07c6 100644
--- a/crypto/ec/ecp_nistp384.c
+++ b/crypto/ec/ecp_nistp384.c
@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const felem in1, const felem in2);
static void felem_select(void)
{
+# if defined(_ARCH_PPC64)
+ if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
+ felem_square_p = p384_felem_square;
+ felem_mul_p = p384_felem_mul;
+
+ return;
+ }
+# endif
+
/* Default */
felem_square_p = felem_square_ref;
felem_mul_p = felem_mul_ref;

76
openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch Normal file
View File

@ -0,0 +1,76 @@
From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Tue, 15 Aug 2023 15:20:20 +1000
Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1
Substitutions in the felem_reduce() method feature unecessary
parentheses, remove them.
Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21749)
---
crypto/ec/ecp_nistp384.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
index 14f9530d07c6..ff68f9cc7ad0 100644
--- a/crypto/ec/ecp_nistp384.c
+++ b/crypto/ec/ecp_nistp384.c
@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[7] += in[12] >> 8;
acc[6] += (in[12] & 0xff) << 48;
acc[6] -= in[12] >> 16;
- acc[5] -= ((in[12] & 0xffff) << 40);
+ acc[5] -= (in[12] & 0xffff) << 40;
acc[6] += in[12] >> 48;
acc[5] += (in[12] & 0xffffffffffff) << 8;
@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[6] += in[11] >> 8;
acc[5] += (in[11] & 0xff) << 48;
acc[5] -= in[11] >> 16;
- acc[4] -= ((in[11] & 0xffff) << 40);
+ acc[4] -= (in[11] & 0xffff) << 40;
acc[5] += in[11] >> 48;
acc[4] += (in[11] & 0xffffffffffff) << 8;
@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[5] += in[10] >> 8;
acc[4] += (in[10] & 0xff) << 48;
acc[4] -= in[10] >> 16;
- acc[3] -= ((in[10] & 0xffff) << 40);
+ acc[3] -= (in[10] & 0xffff) << 40;
acc[4] += in[10] >> 48;
acc[3] += (in[10] & 0xffffffffffff) << 8;
@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[4] += in[9] >> 8;
acc[3] += (in[9] & 0xff) << 48;
acc[3] -= in[9] >> 16;
- acc[2] -= ((in[9] & 0xffff) << 40);
+ acc[2] -= (in[9] & 0xffff) << 40;
acc[3] += in[9] >> 48;
acc[2] += (in[9] & 0xffffffffffff) << 8;
@@ -582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[3] += acc[8] >> 8;
acc[2] += (acc[8] & 0xff) << 48;
acc[2] -= acc[8] >> 16;
- acc[1] -= ((acc[8] & 0xffff) << 40);
+ acc[1] -= (acc[8] & 0xffff) << 40;
acc[2] += acc[8] >> 48;
acc[1] += (acc[8] & 0xffffffffffff) << 8;
@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[2] += acc[7] >> 8;
acc[1] += (acc[7] & 0xff) << 48;
acc[1] -= acc[7] >> 16;
- acc[0] -= ((acc[7] & 0xffff) << 40);
+ acc[0] -= (acc[7] & 0xffff) << 40;
acc[1] += acc[7] >> 48;
acc[0] += (acc[7] & 0xffffffffffff) << 8;

90
openssl-load-legacy-provider.patch Normal file
View File

@ -0,0 +1,90 @@
287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001
From: rpm-build &lt;rpm-build&gt;
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 14/35] 0024-load-legacy-prov.patch
Patch-name: 0024-load-legacy-prov.patch
Patch-id: 24
Patch-status: |
# Instructions to load legacy provider in openssl.cnf
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
apps/openssl.cnf | 37 +++++++++++++++----------------------
doc/man5/config.pod | 8 ++++++++
2 files changed, 23 insertions(+), 22 deletions(-)
Index: openssl-3.1.4/apps/openssl.cnf
===================================================================
--- openssl-3.1.4.orig/apps/openssl.cnf
+++ openssl-3.1.4/apps/openssl.cnf
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
-# For FIPS
-# Optionally include a file that is generated by the OpenSSL fipsinstall
-# application. This file contains configuration data required by the OpenSSL
-# fips provider. It contains a named section e.g. [fips_sect] which is
-# referenced from the [provider_sect] below.
-# Refer to the OpenSSL security policy for more information.
-# .include fipsmodule.cnf
-
[openssl_init]
providers = provider_sect
# Load default TLS policy configuration
ssl_conf = ssl_module
-# List of providers to load
+# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
+# Key Derivation Function (KDF): PBKDF1
+# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated.
+
[provider_sect]
default = default_sect
-# The fips section name should match the section name inside the
-# included fipsmodule.cnf.
-# fips = fips_sect
-
-# If no providers are activated explicitly, the default one is activated implicitly.
-# See man 7 OSSL_PROVIDER-default for more details.
-#
-# If you add a section explicitly activating any other provider(s), you most
-# probably need to explicitly activate the default provider, otherwise it
-# becomes unavailable in openssl. As a consequence applications depending on
-# OpenSSL may not work correctly which could lead to significant system
-# problems including inability to remotely access the system.
+##legacy = legacy_sect
+
[default_sect]
-# activate = 1
+activate = 1
+
+##[legacy_sect]
+##activate = 1
[ ssl_module ]
Index: openssl-3.1.4/doc/man5/config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/config.pod
+++ openssl-3.1.4/doc/man5/config.pod
@@ -273,6 +273,14 @@ significant.
All parameters in the section as well as sub-sections are made
available to the provider.
+=head3 Loading the legacy provider
+
+Uncomment the sections that start with ## in openssl.cnf
+to enable the legacy provider.
+Note: In general it is not recommended to use the above mentioned algorithms for
+security critical operations, as they are cryptographically weak or vulnerable
+to side-channel attacks and as such have been deprecated.
+
=head3 Default provider and its activation
If no providers are activated explicitly, the default one is activated implicitly.

13
openssl-no-date.patch Normal file
View File

@ -0,0 +1,13 @@
Index: openssl-1.1.1-pre1/util/mkbuildinf.pl
===================================================================
--- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl 2018-02-13 16:31:28.011389734 +0100
+++ openssl-1.1.1-pre1/util/mkbuildinf.pl 2018-02-13 16:31:51.539764582 +0100
@@ -28,7 +28,7 @@ print <<"END_OUTPUT";
*/
#define PLATFORM "platform: $platform"
-#define DATE "built on: $date"
+#define DATE ""
/*
* Generate compiler_flags as an array of individual characters. This is a

13
openssl-no-html-docs.patch Normal file
View File

@ -0,0 +1,13 @@
Index: openssl-3.1.4/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-3.1.4.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.1.4/Configurations/unix-Makefile.tmpl
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
-install_docs: install_man_docs install_html_docs
+install_docs: install_man_docs
uninstall_docs: uninstall_man_docs uninstall_html_docs
$(RM) -r "$(DESTDIR)$(DOCDIR)"

75
openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch Normal file
View File

@ -0,0 +1,75 @@
From 48c763ed9cc889806bc01222382ce6f918a408a2 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:12:33 +0200
Subject: [PATCH 46/48]
0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
Patch-name: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
Patch-id: 112
---
providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 11820d1e69..bae2238ab5 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -284,11 +284,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
+#ifdef FIPS_MODULE
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM *p;
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
+
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+ any_valid = 1;
+
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
+ return 0;
+ }
+
+#ifdef FIPS_MODULE
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR))
+ != NULL) {
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
+
+ /* The lower_bound_checks parameter enables checks required by FIPS. If
+ * those checks are disabled, the PBKDF2 implementation will also
+ * support non-approved parameters (e.g., salt lengths < 16 bytes, see
+ * NIST SP 800-132 section 5.1). */
+ if (!ctx->lower_bound_checks)
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
- return -2;
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
+ return 0;
+
+ any_valid = 1;
+ }
+#endif /* defined(FIPS_MODULE) */
+
+ if (!any_valid)
+ return -2;
+
+ return 1;
}
static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
@@ -296,6 +327,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
+#endif /* defined(FIPS_MODULE) */
OSSL_PARAM_END
};
return known_gettable_ctx_params;
--
2.41.0

69
openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch Normal file
View File

@ -0,0 +1,69 @@
From 915990e450e769e370fcacbfd8ed58ab6afaf2bf Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 15:47:55 +0200
Subject: [PATCH 39/48]
0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
Patch-name: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
Patch-id: 84
---
providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 349c3dd657..11820d1e69 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -35,6 +35,21 @@
#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
#define KDF_PBKDF2_MIN_ITERATIONS 1000
#define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
+/* The Implementation Guidance for FIPS 140-3 says in section D.N
+ * "Password-Based Key Derivation for Storage Applications" that "the vendor
+ * shall document in the modules Security Policy the length of
+ * a password/passphrase used in key derivation and establish an upper bound
+ * for the probability of having this parameter guessed at random. This
+ * probability shall take into account not only the length of the
+ * password/passphrase, but also the difficulty of guessing it. The decision on
+ * the minimum length of a password used for key derivation is the vendors,
+ * but the vendor shall at a minimum informally justify the decision."
+ *
+ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP
+ * testing uses passwords as short as 8 bytes, and requiring longer passwords
+ * combined with an implicit indicator (i.e., returning an error) would cause
+ * the module to fail ACVP testing. */
+#define KDF_PBKDF2_MIN_PASSWORD_LEN (20)
static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
@@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
ctx->lower_bound_checks = pkcs5 == 0;
}
- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) {
+ if (ctx->lower_bound_checks != 0
+ && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
return 0;
+ }
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
if (ctx->lower_bound_checks != 0
@@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
}
if (lower_bound_checks) {
+ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
return 0;
--
2.41.0

22
openssl-pkgconfig.patch Normal file
View File

@ -0,0 +1,22 @@
Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-1.1.1-pre3.orig/Configurations/unix-Makefile.tmpl 2018-03-20 15:20:03.037124698 +0100
+++ openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl 2018-03-20 15:21:04.206084731 +0100
@@ -843,7 +843,7 @@ libcrypto.pc:
echo 'Version: '$(VERSION); \
echo 'Libs: -L$${libdir} -lcrypto'; \
echo 'Libs.private: $(LIB_EX_LIBS)'; \
- echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libcrypto.pc
libssl.pc:
@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -860,7 +860,7 @@ libssl.pc:
echo 'Version: '$(VERSION); \
echo 'Requires.private: libcrypto'; \
echo 'Libs: -L$${libdir} -lssl'; \
- echo 'Cflags: -I$${includedir}' ) > libssl.pc
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libssl.pc
openssl.pc:
@ ( echo 'prefix=$(INSTALLTOP)'; \

96
openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch Normal file
View File

@ -0,0 +1,96 @@
From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Wed, 16 Aug 2023 16:52:47 +1000
Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm
Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as
VSX enabled systems make extensive use of renaming, and so writebacks in
felem_{mul,square}() can be reordered for best cache effects.
Remove stack allocations. This in turn fixes unmatched push/pops in
felem_{mul,square}().
Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21749)
---
crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 -----------------------------
1 file changed, 49 deletions(-)
diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
index 3f86b391af69..28f4168e5218 100755
--- a/crypto/ec/asm/ecp_nistp384-ppc64.pl
+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
@@ -62,51 +62,6 @@ ($)
___
}
-
-sub push_vrs($$)
-{
- my ($min, $max) = @_;
-
- my $count = $max - $min + 1;
-
- $code.=<<___;
- mr $savesp,$sp
- stdu $sp,-16*`$count+1`($sp)
-
-___
- for (my $i = $min; $i <= $max; $i++) {
- my $mult = $max - $i + 1;
- $code.=<<___;
- stxv $i,-16*$mult($savesp)
-___
-
- }
-
- $code.=<<___;
-
-___
-}
-
-sub pop_vrs($$)
-{
- my ($min, $max) = @_;
-
- $code.=<<___;
- ld $savesp,0($sp)
-___
- for (my $i = $min; $i <= $max; $i++) {
- my $mult = $max - $i + 1;
- $code.=<<___;
- lxv $i,-16*$mult($savesp)
-___
- }
-
- $code.=<<___;
- mr $sp,$savesp
-
-___
-}
-
sub load_vrs($$)
{
my ($pointer, $reg_list) = @_;
@@ -162,8 +117,6 @@ ($$)
startproc("p384_felem_mul");
- push_vrs(52, 63);
-
$code.=<<___;
vspltisw $vzero,0
@@ -268,8 +221,6 @@ ($$)
startproc("p384_felem_square");
- push_vrs(52, 63);
-
$code.=<<___;
vspltisw $vzero,0

32
openssl-ppc64-config.patch Normal file
View File

@ -0,0 +1,32 @@
Index: openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
===================================================================
--- openssl-3.0.0-alpha5.orig/util/perl/OpenSSL/config.pm
+++ openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
@@ -525,14 +525,19 @@ EOF
return { target => "linux-ppc64" } if $KERNEL_BITS eq '64';
my %config = ();
- if (!okrun('echo __LP64__',
- 'gcc -E -x c - 2>/dev/null',
- 'grep "^__LP64__" 2>&1 >/dev/null') ) {
- %config = ( cflags => [ '-m32' ],
- cxxflags => [ '-m32' ] );
- }
- return { target => "linux-ppc",
- %config };
+ # ##
+ # if (!okrun('echo __LP64__', 'gcc -E -x c - 2>/dev/null', 'grep "^__LP64__" 2>&1 >/dev/null') ) { %config = ( cflags => [ '-m32' ], cxxflags => [ '-m32' ] ); }
+ # return { target => "linux-ppc",
+ # %config };
+ # ##
+ if (okrun('echo __LP64__', 'gcc -E -x c - 2>/dev/null',
+ 'grep "^__LP64__" 2>&1 >/dev/null') )
+ {
+ return { target => "linux-ppc", %config };
+ } else {
+ return { target => "linux-ppc64", %config };
+ }
+ ##
}
],
[ 'ppc64le-.*-linux2', { target => "linux-ppc64le" } ],

1102
openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch Normal file
View File

File diff suppressed because it is too large Load Diff

58
openssl-skipped-tests-EC-curves.patch Normal file
View File

@ -0,0 +1,58 @@
From 9ede2b1e13f72db37718853faff74b4429084d59 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 13/35] 0013-skipped-tests-EC-curves.patch
Patch-name: 0013-skipped-tests-EC-curves.patch
Patch-id: 13
Patch-status: |
# Skipped tests from former 0011-Remove-EC-curves.patch
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
test/recipes/15-test_ec.t | 2 +-
test/recipes/65-test_cmp_protect.t | 2 +-
test/recipes/65-test_cmp_vfy.t | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
index 0638d626e7..c0efd77649 100644
--- a/test/recipes/15-test_ec.t
+++ b/test/recipes/15-test_ec.t
@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key' => sub {
subtest 'Check loading of fips and non-fips keys' => sub {
plan skip_all => "FIPS is disabled"
- if $no_fips;
+ if 1; #SUSE specific, original value is $no_fips;
plan tests => 2;
diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t
index 631603df7c..4cb2ffebbc 100644
--- a/test/recipes/65-test_cmp_protect.t
+++ b/test/recipes/65-test_cmp_protect.t
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
plan skip_all => "This test is not supported in a shared library build on Windows"
if $^O eq 'MSWin32' && !disabled("shared");
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
my @basic_cmd = ("cmp_protect_test",
data_file("server.pem"),
diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t
index f722800e27..26a01786bb 100644
--- a/test/recipes/65-test_cmp_vfy.t
+++ b/test/recipes/65-test_cmp_vfy.t
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
plan skip_all => "This test is not supported in a no-ec build"
if disabled("ec");
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
my @basic_cmd = ("cmp_vfy_test",
data_file("server.crt"), data_file("client.crt"),
--
2.41.0

17
openssl-truststore.patch Normal file
View File

@ -0,0 +1,17 @@
Don't use the legacy /etc/ssl/certs directory anymore but rather the
p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991)
Index: openssl-1.1.1-pre1/include/internal/cryptlib.h
===================================================================
--- openssl-1.1.1-pre1.orig/include/internal/cryptlib.h 2018-02-13 14:48:12.000000000 +0100
+++ openssl-1.1.1-pre1/include/internal/cryptlib.h 2018-02-13 16:30:11.738161984 +0100
@@ -59,8 +59,8 @@ DEFINE_LHASH_OF(MEM);
# ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR
-# define X509_CERT_DIR OPENSSLDIR "/certs"
-# define X509_CERT_FILE OPENSSLDIR "/cert.pem"
+# define X509_CERT_DIR "/var/lib/ca-certificates/openssl"
+# define X509_CERT_FILE "/var/lib/ca-certificates/ca-bundle.pem"
# define X509_PRIVATE_DIR OPENSSLDIR "/private"
# define CTLOG_FILE OPENSSLDIR "/ct_log_list.cnf"
# else

305
openssl.keyring Normal file
View File

@ -0,0 +1,305 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
Comment: Matt Caswell <matt@openssl.org>
Comment: Matt Caswell <frodo@baggins.org>
mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay
hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3
iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi
2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa
N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz
UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0H01hdHQgQ2Fzd2VsbCA8
bWF0dEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkK
CwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0zU0ARvUXH
jbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR
nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p
3tPbnQzANjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyH
sIvebMgKTI/bMG8Z7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0
hmHLqjWqYs5PzyXeoNnsPXJt69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rga0IE1h
dHQgQ2Fzd2VsbCA8ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsD
BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+
viob8935Uirei4FvnzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeA
RGwWTQYGmFmrNRWZ2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAj
eU8uSarmeZgGVMAInsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE
5Q7wnnoRXdLyNet0AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R
4gYFS/xGfTgocPUDZ4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO
5vISJkZvqE5UuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg
icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM
k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6
2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex
F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ
P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC
AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v
Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb
SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x
dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL
HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2
8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2g==
=Z0q9
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45
Comment: Paul Dale <pauli@openssl.org>
mQINBGApr7sBEACoyczHMNgWiVg4jMjtdkb5j7csKPdFx8B7FJNMFrL/Z/I1BjwM
TQ7fxKvDN6z3mjAMKhU+wCL9vUSSMUtyze/fox09n84jYDwN3n37ozkrhcDB01ia
iKCCeRNEW6meTs3/aJPGCznIOk/kMHlnZnQPcSphIexo/ZUyB59h6smz2LvoTZg0
aeZeJwe0cfaVnWYA1a9wr+QJDQwRkEqdy772cM03Phs/sRWd4+nBqP1XxWlX30Yj
VGjDsY3gH9AAy4oUnb7tOmk5S9FIKuMdkkWeU0Abm8/36OfZyMFbZDAMbO8i3un4
eIQOg5tjynSXYel3nlJ/fwoSHefPgavCkBdknk842LM9xr22t+IKmy99uW7FDqvj
wbPoMg6z2Jarl0Fqu3GhIjCmKMe6TBfkYwB4fp5KtzRwrSjDo16vkMoM69mXqA7w
f1JV+BKvE6QTePNt8ix4ib5c6mPOrFnYG1X3tkNOc4/q6KcGbvS1xMax12q2/zSZ
PmoJvzWTrSF8lQDZKjMnXnhrZMY8h7lu/QE4DQ1M9U1PFdf6vwLrNaHHfi/rWKTe
fsrGp2TIqU4lm45p0fDroYqDML+gp8RMUZBU8M4wGwhludEiCoOFjXu2ECvvgrB7
JHrh+FtMuuRPx4q2eRO75NepDfZqmp48PIqkt2b3VjisNceB70uYiUQ2eQARAQAB
tB1QYXVsIERhbGUgPHBhdWxpQG9wZW5zc2wub3JnPokCTgQTAQoAOBYhBLfBwUNg
81OjaGLk1SMchM3cxpxFBQJgKa+7AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
AAoJECMchM3cxpxFa0YQAIAnnNek3+UXZL/u4R6hs/lJopC9p/MFbCnL0b1zZnbz
Kbbva10PA3PEv+szhylDKeDIbDKF1yEjI4BTNCLS8sLKEZWSLTMW1MZhmxWm5TdF
ebhoj6Tjjfxme4ETyk3+v3hC3Ylm0jiqHHErutRAPIW1VDFQVxKZPasv1yj3YNiB
SktTSH1MjZZtlDYjp9z3VTczvrO3BBJJSxQ5CY749pEwtjwdLTqOVtoJL8thZ3J9
jSnSDsgFVp/pPNVxxV98Yd89JqM34MvOuD3jYSOEtMUCJgMFXNZ/c2+BpWrX+ssP
qrY9vBrq7o91K+OQHbb4Z1pjK/dzDq183E32uTOYbco7ga/JqE7c997zY0fgQsIz
hdEveC4oMydzwHQ9WzHUYR7AtTgF9kKsTHy8H6ye3uaJMIMSEdAvI4mxG/k/zG/Q
KrIt1nUJh/M7uu2IT9fM+AoR+2VV1u1vimxpCpOXpTB4mTIR5YfiaRfXnHm55iq/
odxVj/yVqFUcujy+YC9SAoKRGJRQV0KZur1xAOJsgwUJ1iXJZwypowkI59jpwl2q
WCfZIS1ZrpIebiVk4ZBaHDe1v178uLO3IasZR7HLvcD7ESX8U88ng8J1nXHq+Uc7
4j5Dc6CMTd5WYTkFvhjO33JiHncK8CLYOFsndIGXts/OEhp08N5JELHCeSuu4UIb
uQINBGApr7sBEADNQ6w6jQNqxWxHDjJzcXclQJFPB2qlT/5eMa7QeOYiJ5DmY2VQ
P0Mltkmrc8T/I9NfRFpaB7Z+8zE5lmjSi3N5fYWjhoZp9oP0WYfSLef4KpD7KfEE
TaBohn8cw0Kt+nmEN904w9kpLE+WAvD0qRKnilcCUWE5Es719W8dMh/8cB6FiCI5
8myIvV63yDV1DiNyEcKNeasIFF8n3FCd0gWPXXS9Fe7muQpIJ4Lb2p3ylqcY9UaU
8n+LQAb1LL1kC468MU0LBhhkCnZ2BacWnJu7JrzQ1Nihk+JRyXt0QARcgsITt8+3
rQdZDb6o6jTixClNXOJ2LGZMAI2NrQppfn3uBny06veyde9l3riwtOYwqEfETt6O
Ndy0gOd4zelPOnfMtzwDePC0m0b5ibNsMGVYGu5bmu4XFZrk8ivcAiEg4TJHcYtU
meONyuhmaCbcG8in0GZvUgb/YLcBpLBhFFUUd1ALBfi6cXlvFlSU0HHQoNRIAyFt
C1DQaAOWQ9v21KSF6zFG9Qg3yHKy+xBjXjfp0IZOqN5jrmXxbfl/+LWqUHD54tmS
iHrUf1CiW6no+4WBI9f6/+QCVLFBoStlNgoRt/OcIXmq1cTJ2pTSPl3S0+HobCEa
llEGEDXqsGxmV2kNmxsUks/knEGFElp/XtMrhykicIdQYntMaRebljrpiwARAQAB
iQI2BBgBCgAgFiEEt8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sCGwwACgkQIxyE
zdzGnEW2ew/+IzGVXgB34NeHnaLVDTtiUXgrNoOV4xFTS+kvZXrGC5i+mMhae9Pc
gvAyjssJ7dVP2RJBSNkfdxrRd2D4HFcf3dn/n646HNiTinirfvoUf4VIA1jdDp9q
ixi//tO7fsPyn35d672OA9AC3ccBgji6V9XA58REonF+ap2bE0JBJYTJZrET9Wny
BPEjefdpORSHaXqimfHN59QV5gXEFZ4Ci1jCt9n6WEb0oo+kQTkUb8z7F9P+7ojj
Q+4KrgtlXb9ijxCwMfGRPNInnumqyKJ0PhTVwhM1JNdi53nwVY98OGEZXWiKPFQ6
lAGyLLXwaOSztKGSdsFPK/tpyVihwoqHjJCU5St/PVlpvRKhbtq24FfDu7YyDO2Q
Dp2/F+QIdVnUFO2I1xeb2k+/Tx+3nfKYNui+AFaudOblrYQzPrlswJzCmmB/OTkt
wuOqr2nvQr2JUwmSaRvdCAe8EI/HAa/ujlA87T69L4T66KwBWuBkIYZQxFtCiC+B
mksPCYe9TBTZm2+8xk6UiSMKurwESTkDj/uUGmtGHi3cSJPSQ5x41COSEc+/yZ0k
eQTSnnkVrB71cMr2yVe9WWiUqUoHbkwiiy9YAHkp76jHbTRsCjs8O2otioAW06Yb
7r1iWp6twh/giBzsVJndeP5Ss/85TQfrl8x8yJjv1OQiIRrTTz6GdU0=
=AbiA
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C
Comment: Tomáš Mráz <tm@t8m.info>
Comment: Tomáš Mráz <tomas@arleto.cz>
Comment: Tomáš Mráz <tomas@openssl.org>
mQINBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr
55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH
F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi
UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag
pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K
/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv
MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8
laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB
HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3
zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06
YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB
tBtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz6JAlQEEwEIAD4WIQSiH6t0sAiK
o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe
AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy
U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE
KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W
nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh
1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I
m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj
kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD
IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M
8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6
z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41
xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM
MriPFbQfVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PokCVAQTAQgAPhYh
BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL
AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk
8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO
UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv
FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW
FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q
UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy
Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS
2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW
kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm
T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI
yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I
8tmXB4BcoHFB9N0AtCFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz6J
AlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL
CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh
KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo
2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ
+J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4
yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M
cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A
ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly
Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y
q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt
Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj
hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI
w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZbkCDQRg8UyoARAApiWRrHjdEu9Fp2yd7K93
VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27
1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp
djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50
IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK
bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn
gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w
NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh
D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H
a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB
HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc
nAaLOI/nw1ydegw8F+s1ALEAEQEAAYkEcgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv
Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy
Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+
otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5
SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358
cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0
8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ
vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV
yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A
HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg
K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs
aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh
uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE
cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk
RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F
9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/
JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g
muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN
86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr
HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S
DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE
ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro
uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY
YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl
JKbGoqC+wchHmOK5Ag0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u
aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq
oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7
FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM
ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL
vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+
i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb
PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum
ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE
N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH
eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs
LQ1kotFTABEBAAGJAjwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM
JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh
QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB
uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS
nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u
sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD
NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C
nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE
FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ
qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX
Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc
zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2
TIdjvGbJ/k4qxw==
=Ctij
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5
Comment: OpenSSL security team <openssl-security@openssl.org>
Comment: OpenSSL OMC <openssl-omc@openssl.org>
Comment: OpenSSL Security <openssl-security@openssl.org>
mQINBFQv6Z8BEACuJwJkw/Iniec6U1RzocYHBFKl1eE0WBu1vthYmcn0D/GJKvWM
kRhx9GSlWMqj9mgSFUOsFWrpPIm3Jzh4bLweUjH5I7R0Frh39dDFh1hhwHEholBy
yUGFTb8TppptXnzzDoNz4yUQcRP2oeG1vC/ePXPWHKgtp+0hmM3MQ3WIN+gSmpdt
4vMIoWKKCq+E1tYcsFk9URBWWEwBw+OJ37o7TrernyxwtXwdPOjYhA4mLtnKHs+5
QivuOvK7gNf5hggyv6fp6d2ixvJZ9CdUYFdlOwaHA97B694RcAMxaMtzUpfkiJ/Q
2zR83QG4az6COKK38W6Kp7bLveMF6Rb4Y+gOjV4KvHKpzNAP2sNkmCIohlmoPhT9
Ce9tWq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO
3GLcyTJW4enmTUFxy0d24Bfdgu7FpH1vHIisDkON3QO4TMwCJoLWGULqpJKP7kUf
5HCnafDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWc
zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK
eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB
tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz
bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck
Z9YTy4PH7W0w2JTizos9efUFAmPX/PkFCRGJRs4ACgkQ2JTizos9efWXgg/+Negn
a1HZIWs18LDktjV49a3IeKhjJV+UrTvQnFpSNXbwpnKa6iVX9PlE+3nLkIrkz6HJ
uBl1MZElcmrqIsVCKHcrbcJSgZM4fV0AgEEm5gNfK19gbJjs1qdbtwTYccDiHwGl
4EeTkPsOCo20QEC8jvkdHvMsvoD11c57NprQVVsOyuyz7B7LwV+6hZ2MAv6BZrNE
XBjzqxHGKcq4iyOKTGwRAufiXdq2+kV7GVjihH41YjV08f/b7O2uAm4k/IbULtvY
3Y/9rVvtU/Na044FQBGObH7/DbEOc8uFAH8Vy7M32rZmQet7pO8M5BrBMAaU2OAz
ZQ5CqauGvjTJ4GXi+pBoCVafPvsGkB1W6IxnPPJZsFw9kxOKSV1Md4jh90OdaIGe
HW4qagRaLDtDRtkFnIkbtc38HC/e30ANoNS3Enws7XSNvQ+O7HfeSsATsM/2cjL8
c281Nv9o+xaNI4TN3KsfRswcQtnsN2cCkPZWKgTJcjpdANkX9CK7mYNS8bu6YsAV
nRF2iAB25Vjcz/92Dd28/nPI2CkKkOMhDtnFty8B2LZ2tbfoU1DsNzg+b3ejaXLZ
jhnZdL3b3F4iKpyzDhTpDHo4P/yxrtV8LOmHJN63oc1JljqgkU+RcxndSZ/LDHqt
VH02VwVHMVt4no62mZj2UNT2+Ci5p+tze4Rhfl60JU9wZW5TU0wgT01DIDxvcGVu
c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID
AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f87QUJEYlGzgAKCRDY
lOLOiz159XBzD/9InUdyS1hdC7f2uEbD5A+5UFUwy9hqzy8sXLrGfUMtJC3Ur+CA
RqpHw6LC9oqFlAMhdSpIINzswLvpYqYKUllQWw0bStqWed6wuonC7nQk4fJhaWhT
MEyVNC7gpy1FcFQYZZ/rwVxftvV6EesOIL+cM9Tg2IKvdrJsuFtmhcrEmrAVrPuO
VkIBbOjylU5iHbs3hW15DqMXiu6s9wLlxSJtqWWcGT4Xp3SjUy2XRzsWwFPrdsnZ
cj1h1C1onglIpNuq7yQF6rrBmKUdy7FClXswEg+He6qV6zLhZo6bRAZO2b/g4aNX
NVOh5BS9ZpQds5FejHx3la6GzfPM/szC0WJR2r/6RqR/dizrPlhsJX3g5I+fRnNG
mOrUa7S/OrR3QlWyE5pvytKTno0UvPuITA7MGtQf3z4n4UbM7bYyLmCIVEkDQl9K
ax1vtEYLKKx7sVLmJUQVqo8RmmjottRZ6+B5UWOB+dXvt3Z+mJLHt92y6NLk4iOX
q3bgO9eMPgk+GdLXjgtgeu7S33BNE984/0B+jDLqhgEjK2spA50uPXBUtDm+Au+s
1zfePJVfQxdaoKY00iOltujRS6sqE1PtbebTHgDakxnr9MClzTmRz6ymAglxo72o
gk0OJCNELdckK0HHd5hGLEKBlSVGYSx2J985o7VE/raBr7/YULm4k0LXJbQvT3Bl
blNTTCBTZWN1cml0eSA8b3BlbnNzbC1zZWN1cml0eUBvcGVuc3NsLm9yZz6JAlUE
EwEKAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE78CkZ9YTy4PH7W0w
2JTizos9efUFAmIp6vAFCRdgAsUACgkQ2JTizos9efWbyA//cw5h9kzqjHNPrWyU
nqchSA/BAxGAfv8IW5vTXKIGou/vbF+2eV4pGe8cjYErfiEMI2XEqgW3NqtB8Ie1
JpvHb/JARDpXRAeO0nAz68UZiv0s+BYG1cL0MJgxSmwLEo1XIxx+NYQRPaIPhWId
gdJmhOylGHRbZPfUu0gsX3JvFYYJvqSbZYJx47JzLgvsaRtY06oOt89hqVOp9geS
4HtwcZiIohq1E4Fy8+TYR7iMv62lBAG0xOoLCy4UzM3pVbChzcfmLLtH4ZbDO2ks
vhafec6lUetxMJuvqClp4oYDp9ucrcZF3pJA0feSGF6EXOmYo3KMiVbG35DqfJrI
8gva6QPTFo8WRsTZ7hUrn/BioXx7Orrmtl5++IPAU7c/0JPHCVordxinD/XDdcFV
s2IIf5iL914/CaI8AXmeM4H0m9kuaS9N0UI8+3gIBhO19cP1VJBw/EWdwjwHtUlf
d6mOAbwuVAjPEWQmcf0jIxoUR9t+3ieZjPdcHus5d9/xH2iOLdEHYQRHRiLlKFtu
PhWgqy7UgpWRye/628at5C9m5TfGQBldSoOkUzPQGGpV3pUiHeJlQPBAYl1AAvAK
8+Y2T9iSZXUuMXiMp3lplDEzXKHjUaXXUkgFuGs/L8YB+BBNBSE/GS078kQrc6Wu
y7mmnE22aFf7G0N/hin+9QeIWJq0J09wZW5TU0wgdGVhbSA8b3BlbnNzbC10ZWFt
QG9wZW5zc2wub3JnPokCWQQwAQoAQxYhBO/ApGfWE8uDx+1tMNiU4s6LPXn1BQJZ
2fY1JR0gUmVwbGFjZWQgYnkgb3BlbnNzbC1vbWNAb3BlbnNzbC5vcmcACgkQ2JTi
zos9efVQIg/8C1c/ChPOM/ojwXA1yUeIa4rD6BXlLDetE3KIqD1MvR251xV8Ox21
3GYFHW+6CEfQ82xiy02CB+VsYh58tMi41NDWq6fkZOW4vFnJbFx/pYk8xFMl0ml3
LkGsh9cVoesSiEBAsF4vQ/bmCNfM68DsLtjAK7GQobcW5ArIqvgc3LlYXUspkgE9
yMcQcPqyMsNrEPgrFCcd3fWzXF1qsO8Rtd4bwyaJACkpQnZ832wY91uuMGzWcG2A
+SxkdOFPuDkWm5l8hbA6+DpdFp/YiDnfwAZqr6uoqdkcT0e8IRsGqJ2FJ7qHeGSv
kFjkGHaOPkJM69lJIEFMCrjvBQVN4b8HhcqbnJbnrWVGFDxgSdjNvXqzBDJgDqMh
GN5ZHJhGhiZDi02uzqJ0p+OUzK1CiEo0/Mc7Nb5sVfvYrP4LoqKRceNePgwZp8Jw
OnC5U84TWa6pHYm3rijfrBPPMFex9NDQQ/KEFINhAMQVMUtj2iy5ANPpqsftOIjs
RfWWn+7QIi4EuYRADcllRaHJaTBAzI56ngkDaA55oyaMnSUnu0fjgWTiD4CEVbsS
rR0nWJKhCg5DbVwq/dImoN1iK78ziR6cJdeQhe3GY+AdWe7Ci+75TiYy8Zlh9Sz4
mpl81xRz9eYcO/g0xG6wpPE/fqua8/AgeKArEKJWN1uvKCCFZzRB7uq5Ag0EVC/p
nwEQAMB3s+8dq5T8fW+b3OcGujEcbhyguc6D5shlNWsuCV3W7+izsVUe+0hD1YwD
30C6zj2+CJrMxPQ/BB3u3SbyHMDP5fKL7GQiA/n192hX2DuHxvQwnDNkHxYghtrF
KOlXAyte2awA0fC+e0o8lHa1Yd2ZZNqlDC23qJtLMJH8bX8CIr59KckNyv64bF+h
VPIN3evnh1Ajn4A85848EZMQcjedg72MsA3TW2D4omayY7eXE5uut7FYcY6SM4pT
hIB2X9DM39Rgy3qC4ObvEkEfaWnJfHxyXiA8XF+FZukXc/iM68P0VS/sMml9QPsY
MWnMHcGlOcuzQJRAalqZJwuK0ZIvobh/Y9rYLxrHtNCgSjaFuSN9K/YhpAxs80H6
lVa7GCSASTRrS3OvmY++fTsUPzSOvit0kqQfimziYx7QcJIagG92mvUmuf2PEfzv
Si6iaIqMhaTaJq5qxOR0q430KakQktNPX53HflWL7YenDPYw1rEyQFxGqjaBY1X8
NtuzZ0P4cahgsBFc8HgYu2u3Ysd5wmvSTsOXld8Qsns1KIUOpzgWw56AJ6dxS3lK
4QSUFwjzbZW9H0jJ49eBMAaA+hCjv8c/4BFuZq9Gvsafn425Lx1V/3PFJlPu55V+
7qWjeOkSzNctMlmCqPQVetbZ/pHLAJO5IUO3SoTs5kl6bARzABEBAAGJAjwEGAEK
ACYCGwwWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f9DQUJEYlG7gAKCRDYlOLO
iz159f5RD/9Dhv5+muyWX9U4wNH7Dt7KHOtFyQ6+YrlLGj6WgZlFQD3sz1hVabJs
HwFuiaIjnZmQwiUJm72jCMUncL3OsWrQXm6SU60aG20XeQl1oXWmSD9D/len23hO
Yo/3WsC3o1AIkLA9cJ3h/oo3I7RE30skw4MwQ4oCFlmidmOLvkz3TD22qxf+WaK7
KO0vJRVHQIVl1ZdsBSSULcr8BcupKXaKSBJQDya2TkEh6OUf1B/7EIk811oeNSaL
9eJXS9VGDytVyjGGXSbudBw2XAV0/oiPPDKYElbOZH66d6marGwCCdc29cNono/7
zf0+/hyunzY3m1PkYGyzUmfWq4WNulJ9GEAz0O1rss/4hxnGqn/m3gue+aQx4hji
/K/vAV+531YT9MEp6m6e3074a7Hvn2l/tsBoL1Xseb6J9ZGL8fnZiuG6RF4sP1Lz
sQXmyjgr1yTlCShgNQCYXAgprWXPCwv176kL0WxkGhcI+GmSe3kNWr3HYoeTfBQ/
G8GWaIZ2qJRY/d/P9bgWu3oztWcVqEDorK3Pbu5/VeIeEfIkc717EgvdZU4EB70v
E/jnY1V9GLFzdPcygy7bz5aA4IA/Y12VFdhQ9/E7HFvEv0KUa294rQiH86lRyCJI
aEUqeymypLjoU2oeR4Cujkne+5spQHBfn2/RWGqH28v+vqHysb/8GA==
=Q+Oa
-----END PGP PUBLIC KEY BLOCK-----

929
reproducible.patch Normal file
View File

@ -0,0 +1,929 @@
commit 0fbc50ef0cb8894973d4739af62e95be825b7ccf
Author: trigpolynom <trigpolynom@gmail.com>
Date: Tue Oct 17 22:44:45 2023 -0400
aes-gcm-avx512.pl: fix non-reproducibility issue
Replace the random suffix with a counter, to make the
build reproducible.
Fixes #20954
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22415)
diff --git a/crypto/modes/asm/aes-gcm-avx512.pl b/crypto/modes/asm/aes-gcm-avx512.pl
index afd2af941a..9f9124373b 100644
--- a/crypto/modes/asm/aes-gcm-avx512.pl
+++ b/crypto/modes/asm/aes-gcm-avx512.pl
@@ -155,6 +155,9 @@ my $STACK_LOCAL_OFFSET = ($STACK_HKEYS_OFFSET + $HKEYS_STORAGE);
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
my ($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9, $arg10, $arg11);
+# ; Counter used for assembly label generation
+my $label_count = 0;
+
# ; This implementation follows the convention: for non-leaf functions (they
# ; must call PROLOG) %rbp is used as a frame pointer, and has fixed offset from
# ; the function entry: $GP_STORAGE + [8 bytes alignment (Windows only)]. This
@@ -200,15 +203,6 @@ my $CTX_OFFSET_HTable = (16 * 6); # ; (Htable) Precomputed table (a
# ;;; Helper functions
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ; Generates "random" local labels
-sub random_string() {
- my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
- my $length = 15;
- my $str;
- map { $str .= $chars[rand(33)] } 1 .. $length;
- return $str;
-}
-
sub BYTE {
my ($reg) = @_;
if ($reg =~ /%r[abcd]x/i) {
@@ -417,7 +411,7 @@ ___
sub EPILOG {
my ($hkeys_storage_on_stack, $payload_len) = @_;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
if ($hkeys_storage_on_stack && $CLEAR_HKEYS_STORAGE_ON_EXIT) {
@@ -425,13 +419,13 @@ sub EPILOG {
# ; were stored in the local frame storage
$code .= <<___;
cmpq \$`16*16`,$payload_len
- jbe .Lskip_hkeys_cleanup_${rndsuffix}
+ jbe .Lskip_hkeys_cleanup_${label_suffix}
vpxor %xmm0,%xmm0,%xmm0
___
for (my $i = 0; $i < int($HKEYS_STORAGE / 64); $i++) {
$code .= "vmovdqa64 %zmm0,`$STACK_HKEYS_OFFSET + 64*$i`(%rsp)\n";
}
- $code .= ".Lskip_hkeys_cleanup_${rndsuffix}:\n";
+ $code .= ".Lskip_hkeys_cleanup_${label_suffix}:\n";
}
if ($CLEAR_SCRATCH_REGISTERS) {
@@ -537,11 +531,11 @@ sub precompute_hkeys_on_stack {
&& $HKEYS_RANGE ne "first32"
&& $HKEYS_RANGE ne "last32");
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
test $HKEYS_READY,$HKEYS_READY
- jnz .L_skip_hkeys_precomputation_${rndsuffix}
+ jnz .L_skip_hkeys_precomputation_${label_suffix}
___
if ($HKEYS_RANGE eq "first16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "all") {
@@ -615,7 +609,7 @@ ___
}
}
- $code .= ".L_skip_hkeys_precomputation_${rndsuffix}:\n";
+ $code .= ".L_skip_hkeys_precomputation_${label_suffix}:\n";
}
# ;; =============================================================================
@@ -1418,20 +1412,20 @@ sub CALC_AAD_HASH {
my $SHFMSK = $ZT13;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
mov $A_IN,$T1 # ; T1 = AAD
mov $A_LEN,$T2 # ; T2 = aadLen
or $T2,$T2
- jz .L_CALC_AAD_done_${rndsuffix}
+ jz .L_CALC_AAD_done_${label_suffix}
xor $HKEYS_READY,$HKEYS_READY
vmovdqa64 SHUF_MASK(%rip),$SHFMSK
-.L_get_AAD_loop48x16_${rndsuffix}:
+.L_get_AAD_loop48x16_${label_suffix}:
cmp \$`(48*16)`,$T2
- jl .L_exit_AAD_loop48x16_${rndsuffix}
+ jl .L_exit_AAD_loop48x16_${label_suffix}
___
$code .= <<___;
@@ -1499,15 +1493,15 @@ ___
$code .= <<___;
sub \$`(48*16)`,$T2
- je .L_CALC_AAD_done_${rndsuffix}
+ je .L_CALC_AAD_done_${label_suffix}
add \$`(48*16)`,$T1
- jmp .L_get_AAD_loop48x16_${rndsuffix}
+ jmp .L_get_AAD_loop48x16_${label_suffix}
-.L_exit_AAD_loop48x16_${rndsuffix}:
+.L_exit_AAD_loop48x16_${label_suffix}:
# ; Less than 48x16 bytes remaining
cmp \$`(32*16)`,$T2
- jl .L_less_than_32x16_${rndsuffix}
+ jl .L_less_than_32x16_${label_suffix}
___
$code .= <<___;
@@ -1556,14 +1550,14 @@ ___
$code .= <<___;
sub \$`(32*16)`,$T2
- je .L_CALC_AAD_done_${rndsuffix}
+ je .L_CALC_AAD_done_${label_suffix}
add \$`(32*16)`,$T1
- jmp .L_less_than_16x16_${rndsuffix}
+ jmp .L_less_than_16x16_${label_suffix}
-.L_less_than_32x16_${rndsuffix}:
+.L_less_than_32x16_${label_suffix}:
cmp \$`(16*16)`,$T2
- jl .L_less_than_16x16_${rndsuffix}
+ jl .L_less_than_16x16_${label_suffix}
# ; Get next 16 blocks
vmovdqu64 `64*0`($T1),$ZT1
vmovdqu64 `64*1`($T1),$ZT2
@@ -1588,11 +1582,11 @@ ___
$code .= <<___;
sub \$`(16*16)`,$T2
- je .L_CALC_AAD_done_${rndsuffix}
+ je .L_CALC_AAD_done_${label_suffix}
add \$`(16*16)`,$T1
# ; Less than 16x16 bytes remaining
-.L_less_than_16x16_${rndsuffix}:
+.L_less_than_16x16_${label_suffix}:
# ;; prep mask source address
lea byte64_len_to_mask_table(%rip),$T3
lea ($T3,$T2,8),$T3
@@ -1601,28 +1595,28 @@ ___
add \$15,@{[DWORD($T2)]}
shr \$4,@{[DWORD($T2)]}
cmp \$2,@{[DWORD($T2)]}
- jb .L_AAD_blocks_1_${rndsuffix}
- je .L_AAD_blocks_2_${rndsuffix}
+ jb .L_AAD_blocks_1_${label_suffix}
+ je .L_AAD_blocks_2_${label_suffix}
cmp \$4,@{[DWORD($T2)]}
- jb .L_AAD_blocks_3_${rndsuffix}
- je .L_AAD_blocks_4_${rndsuffix}
+ jb .L_AAD_blocks_3_${label_suffix}
+ je .L_AAD_blocks_4_${label_suffix}
cmp \$6,@{[DWORD($T2)]}
- jb .L_AAD_blocks_5_${rndsuffix}
- je .L_AAD_blocks_6_${rndsuffix}
+ jb .L_AAD_blocks_5_${label_suffix}
+ je .L_AAD_blocks_6_${label_suffix}
cmp \$8,@{[DWORD($T2)]}
- jb .L_AAD_blocks_7_${rndsuffix}
- je .L_AAD_blocks_8_${rndsuffix}
+ jb .L_AAD_blocks_7_${label_suffix}
+ je .L_AAD_blocks_8_${label_suffix}
cmp \$10,@{[DWORD($T2)]}
- jb .L_AAD_blocks_9_${rndsuffix}
- je .L_AAD_blocks_10_${rndsuffix}
+ jb .L_AAD_blocks_9_${label_suffix}
+ je .L_AAD_blocks_10_${label_suffix}
cmp \$12,@{[DWORD($T2)]}
- jb .L_AAD_blocks_11_${rndsuffix}
- je .L_AAD_blocks_12_${rndsuffix}
+ jb .L_AAD_blocks_11_${label_suffix}
+ je .L_AAD_blocks_12_${label_suffix}
cmp \$14,@{[DWORD($T2)]}
- jb .L_AAD_blocks_13_${rndsuffix}
- je .L_AAD_blocks_14_${rndsuffix}
+ jb .L_AAD_blocks_13_${label_suffix}
+ je .L_AAD_blocks_14_${label_suffix}
cmp \$15,@{[DWORD($T2)]}
- je .L_AAD_blocks_15_${rndsuffix}
+ je .L_AAD_blocks_15_${label_suffix}
___
# ;; fall through for 16 blocks
@@ -1635,7 +1629,7 @@ ___
# ;; - jump to reduction code
for (my $aad_blocks = 16; $aad_blocks > 0; $aad_blocks--) {
- $code .= ".L_AAD_blocks_${aad_blocks}_${rndsuffix}:\n";
+ $code .= ".L_AAD_blocks_${aad_blocks}_${label_suffix}:\n";
if ($aad_blocks > 12) {
$code .= "sub \$`12*16*8`, $T3\n";
} elsif ($aad_blocks > 8) {
@@ -1656,11 +1650,11 @@ ___
if ($aad_blocks > 1) {
# ;; fall through to CALC_AAD_done in 1 block case
- $code .= "jmp .L_CALC_AAD_done_${rndsuffix}\n";
+ $code .= "jmp .L_CALC_AAD_done_${label_suffix}\n";
}
}
- $code .= ".L_CALC_AAD_done_${rndsuffix}:\n";
+ $code .= ".L_CALC_AAD_done_${label_suffix}:\n";
# ;; result in AAD_HASH
}
@@ -1710,13 +1704,13 @@ sub PARTIAL_BLOCK {
my $IA1 = $GPTMP2;
my $IA2 = $GPTMP0;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
# ;; if no partial block present then LENGTH/DATA_OFFSET will be set to zero
mov ($PBLOCK_LEN),$LENGTH
or $LENGTH,$LENGTH
- je .L_partial_block_done_${rndsuffix} # ;Leave Macro if no partial blocks
+ je .L_partial_block_done_${label_suffix} # ;Leave Macro if no partial blocks
___
&READ_SMALL_DATA_INPUT($XTMP0, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $IA0, $IA2, $MASKREG);
@@ -1755,9 +1749,9 @@ ___
}
$code .= <<___;
sub \$16,$IA1
- jge .L_no_extra_mask_${rndsuffix}
+ jge .L_no_extra_mask_${label_suffix}
sub $IA1,$IA0
-.L_no_extra_mask_${rndsuffix}:
+.L_no_extra_mask_${label_suffix}:
# ;; get the appropriate mask to mask out bottom $LENGTH bytes of $XTMP1
# ;; - mask out bottom $LENGTH bytes of $XTMP1
# ;; sizeof(SHIFT_MASK) == 16 bytes
@@ -1781,7 +1775,7 @@ ___
}
$code .= <<___;
cmp \$0,$IA1
- jl .L_partial_incomplete_${rndsuffix}
+ jl .L_partial_incomplete_${label_suffix}
___
# ;; GHASH computation for the last <16 Byte block
@@ -1793,9 +1787,9 @@ ___
mov $LENGTH,$IA0
mov \$16,$LENGTH
sub $IA0,$LENGTH
- jmp .L_enc_dec_done_${rndsuffix}
+ jmp .L_enc_dec_done_${label_suffix}
-.L_partial_incomplete_${rndsuffix}:
+.L_partial_incomplete_${label_suffix}:
___
if ($win64) {
$code .= <<___;
@@ -1808,7 +1802,7 @@ ___
$code .= <<___;
mov $PLAIN_CIPH_LEN,$LENGTH
-.L_enc_dec_done_${rndsuffix}:
+.L_enc_dec_done_${label_suffix}:
# ;; output encrypted Bytes
lea byte_len_to_mask_table(%rip),$IA0
@@ -1826,7 +1820,7 @@ ___
$code .= <<___;
mov $CIPH_PLAIN_OUT,$IA0
vmovdqu8 $XTMP1,($IA0){$MASKREG}
-.L_partial_block_done_${rndsuffix}:
+.L_partial_block_done_${label_suffix}:
___
}
@@ -2016,7 +2010,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH {
my $GM = $_[23]; # [in] ZMM with mid prodcut part
my $GL = $_[24]; # [in] ZMM with lo product part
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;;; - Hash all but the last partial block of data
@@ -2034,7 +2028,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH {
# ;; NOTE: the 'jl' is always taken for num_initial_blocks = 16.
# ;; This is run in the context of GCM_ENC_DEC_SMALL for length < 256.
cmp \$16,$LENGTH
- jl .L_small_initial_partial_block_${rndsuffix}
+ jl .L_small_initial_partial_block_${label_suffix}
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;;; Handle a full length final block - encrypt and hash all blocks
@@ -2056,11 +2050,11 @@ ___
&GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
$ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $GH, $GM, $GL);
}
- $code .= "jmp .L_small_initial_compute_done_${rndsuffix}\n";
+ $code .= "jmp .L_small_initial_compute_done_${label_suffix}\n";
}
$code .= <<___;
-.L_small_initial_partial_block_${rndsuffix}:
+.L_small_initial_partial_block_${label_suffix}:
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;;; Handle ghash for a <16B final block
@@ -2125,7 +2119,7 @@ ___
# ;; a partial block of data, so xor that into the hash.
vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT
# ;; The result is in $HASH_IN_OUT
- jmp .L_after_reduction_${rndsuffix}
+ jmp .L_after_reduction_${label_suffix}
___
}
@@ -2133,7 +2127,7 @@ ___
# ;;; After GHASH reduction
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
- $code .= ".L_small_initial_compute_done_${rndsuffix}:\n";
+ $code .= ".L_small_initial_compute_done_${label_suffix}:\n";
# ;; If using init/update/finalize, we need to xor any partial block data
# ;; into the hash.
@@ -2144,13 +2138,13 @@ ___
$code .= <<___;
# ;; NOTE: for $NUM_BLOCKS = 16, $LENGTH, stored in [PBlockLen] is never zero
or $LENGTH,$LENGTH
- je .L_after_reduction_${rndsuffix}
+ je .L_after_reduction_${label_suffix}
___
}
$code .= "vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT\n";
}
- $code .= ".L_after_reduction_${rndsuffix}:\n";
+ $code .= ".L_after_reduction_${label_suffix}:\n";
# ;; Final hash is now in HASH_IN_OUT
}
@@ -2266,7 +2260,7 @@ sub GHASH_16_ENCRYPT_N_GHASH_N {
die "GHASH_16_ENCRYPT_N_GHASH_N: num_blocks is out of bounds = $NUM_BLOCKS\n"
if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0);
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
my $GH1H = $HASH_IN_OUT;
@@ -2326,16 +2320,16 @@ ___
$code .= <<___;
cmp \$`(256 - $NUM_BLOCKS)`,@{[DWORD($CTR_CHECK)]}
- jae .L_16_blocks_overflow_${rndsuffix}
+ jae .L_16_blocks_overflow_${label_suffix}
___
&ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
$NUM_BLOCKS, "vpaddd", $B00_03, $B04_07, $B08_11, $B12_15, $CTR_BE,
$B00_03, $B04_07, $B08_11, $ADDBE_1234, $ADDBE_4x4, $ADDBE_4x4, $ADDBE_4x4);
$code .= <<___;
- jmp .L_16_blocks_ok_${rndsuffix}
+ jmp .L_16_blocks_ok_${label_suffix}
-.L_16_blocks_overflow_${rndsuffix}:
+.L_16_blocks_overflow_${label_suffix}:
vpshufb $SHFMSK,$CTR_BE,$CTR_BE
vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03
___
@@ -2355,7 +2349,7 @@ ___
$NUM_BLOCKS, "vpshufb", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
$B04_07, $B08_11, $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
$code .= <<___;
-.L_16_blocks_ok_${rndsuffix}:
+.L_16_blocks_ok_${label_suffix}:
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;; - pre-load constants
@@ -2805,53 +2799,53 @@ sub GCM_ENC_DEC_LAST {
my $MASKREG = $_[44]; # [clobbered] mask register
my $PBLOCK_LEN = $_[45]; # [in] partial block length
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
mov @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}
add \$15,@{[DWORD($IA0)]}
shr \$4,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_0_${rndsuffix}
+ je .L_last_num_blocks_is_0_${label_suffix}
cmp \$8,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_8_${rndsuffix}
- jb .L_last_num_blocks_is_7_1_${rndsuffix}
+ je .L_last_num_blocks_is_8_${label_suffix}
+ jb .L_last_num_blocks_is_7_1_${label_suffix}
cmp \$12,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_12_${rndsuffix}
- jb .L_last_num_blocks_is_11_9_${rndsuffix}
+ je .L_last_num_blocks_is_12_${label_suffix}
+ jb .L_last_num_blocks_is_11_9_${label_suffix}
# ;; 16, 15, 14 or 13
cmp \$15,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_15_${rndsuffix}
- ja .L_last_num_blocks_is_16_${rndsuffix}
+ je .L_last_num_blocks_is_15_${label_suffix}
+ ja .L_last_num_blocks_is_16_${label_suffix}
cmp \$14,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_14_${rndsuffix}
- jmp .L_last_num_blocks_is_13_${rndsuffix}
+ je .L_last_num_blocks_is_14_${label_suffix}
+ jmp .L_last_num_blocks_is_13_${label_suffix}
-.L_last_num_blocks_is_11_9_${rndsuffix}:
+.L_last_num_blocks_is_11_9_${label_suffix}:
# ;; 11, 10 or 9
cmp \$10,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_10_${rndsuffix}
- ja .L_last_num_blocks_is_11_${rndsuffix}
- jmp .L_last_num_blocks_is_9_${rndsuffix}
+ je .L_last_num_blocks_is_10_${label_suffix}
+ ja .L_last_num_blocks_is_11_${label_suffix}
+ jmp .L_last_num_blocks_is_9_${label_suffix}
-.L_last_num_blocks_is_7_1_${rndsuffix}:
+.L_last_num_blocks_is_7_1_${label_suffix}:
cmp \$4,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_4_${rndsuffix}
- jb .L_last_num_blocks_is_3_1_${rndsuffix}
+ je .L_last_num_blocks_is_4_${label_suffix}
+ jb .L_last_num_blocks_is_3_1_${label_suffix}
# ;; 7, 6 or 5
cmp \$6,@{[DWORD($IA0)]}
- ja .L_last_num_blocks_is_7_${rndsuffix}
- je .L_last_num_blocks_is_6_${rndsuffix}
- jmp .L_last_num_blocks_is_5_${rndsuffix}
+ ja .L_last_num_blocks_is_7_${label_suffix}
+ je .L_last_num_blocks_is_6_${label_suffix}
+ jmp .L_last_num_blocks_is_5_${label_suffix}
-.L_last_num_blocks_is_3_1_${rndsuffix}:
+.L_last_num_blocks_is_3_1_${label_suffix}:
# ;; 3, 2 or 1
cmp \$2,@{[DWORD($IA0)]}
- ja .L_last_num_blocks_is_3_${rndsuffix}
- je .L_last_num_blocks_is_2_${rndsuffix}
+ ja .L_last_num_blocks_is_3_${label_suffix}
+ je .L_last_num_blocks_is_2_${label_suffix}
___
# ;; fall through for `jmp .L_last_num_blocks_is_1`
@@ -2859,7 +2853,7 @@ ___
# ;; Use rep to generate different block size variants
# ;; - one block size has to be the first one
for my $num_blocks (1 .. 16) {
- $code .= ".L_last_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
+ $code .= ".L_last_num_blocks_is_${num_blocks}_${label_suffix}:\n";
&GHASH_16_ENCRYPT_N_GHASH_N(
$AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET,
$LENGTH, $CTR_BE, $CTR_CHECK, $HASHKEY_OFFSET, $GHASHIN_BLK_OFFSET,
@@ -2872,10 +2866,10 @@ ___
$ENC_DEC, $HASH_IN_OUT, $IA0, $IA1, $MASKREG,
$num_blocks, $PBLOCK_LEN);
- $code .= "jmp .L_last_blocks_done_${rndsuffix}\n";
+ $code .= "jmp .L_last_blocks_done_${label_suffix}\n";
}
- $code .= ".L_last_num_blocks_is_0_${rndsuffix}:\n";
+ $code .= ".L_last_num_blocks_is_0_${label_suffix}:\n";
# ;; if there is 0 blocks to cipher then there are only 16 blocks for ghash and reduction
# ;; - convert mid into end_reduce
@@ -2891,7 +2885,7 @@ ___
$GHASHIN_BLK_OFFSET, 0, "%rsp", $HASHKEY_OFFSET, 0, $HASH_IN_OUT, $ZT00, $ZT01,
$ZT02, $ZT03, $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, $ZT09);
- $code .= ".L_last_blocks_done_${rndsuffix}:\n";
+ $code .= ".L_last_blocks_done_${label_suffix}:\n";
}
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -2985,20 +2979,20 @@ sub GHASH_16_ENCRYPT_16_PARALLEL {
my $GHDAT1 = $ZT21;
my $GHDAT2 = $ZT22;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;; prepare counter blocks
$code .= <<___;
cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
- jae .L_16_blocks_overflow_${rndsuffix}
+ jae .L_16_blocks_overflow_${label_suffix}
vpaddd $ADDBE_1234,$CTR_BE,$B00_03
vpaddd $ADDBE_4x4,$B00_03,$B04_07
vpaddd $ADDBE_4x4,$B04_07,$B08_11
vpaddd $ADDBE_4x4,$B08_11,$B12_15
- jmp .L_16_blocks_ok_${rndsuffix}
-.L_16_blocks_overflow_${rndsuffix}:
+ jmp .L_16_blocks_ok_${label_suffix}
+.L_16_blocks_overflow_${label_suffix}:
vpshufb $SHFMSK,$CTR_BE,$CTR_BE
vmovdqa64 ddq_add_4444(%rip),$B12_15
vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03
@@ -3009,7 +3003,7 @@ sub GHASH_16_ENCRYPT_16_PARALLEL {
vpshufb $SHFMSK,$B04_07,$B04_07
vpshufb $SHFMSK,$B08_11,$B08_11
vpshufb $SHFMSK,$B12_15,$B12_15
-.L_16_blocks_ok_${rndsuffix}:
+.L_16_blocks_ok_${label_suffix}:
___
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -3338,25 +3332,25 @@ sub ENCRYPT_SINGLE_BLOCK {
my $XMM0 = $_[1]; # ; [in/out]
my $GPR1 = $_[2]; # ; [clobbered]
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
# ; load number of rounds from AES_KEY structure (offset in bytes is
# ; size of the |rd_key| buffer)
mov `4*15*4`($AES_KEY),@{[DWORD($GPR1)]}
cmp \$9,@{[DWORD($GPR1)]}
- je .Laes_128_${rndsuffix}
+ je .Laes_128_${label_suffix}
cmp \$11,@{[DWORD($GPR1)]}
- je .Laes_192_${rndsuffix}
+ je .Laes_192_${label_suffix}
cmp \$13,@{[DWORD($GPR1)]}
- je .Laes_256_${rndsuffix}
- jmp .Lexit_aes_${rndsuffix}
+ je .Laes_256_${label_suffix}
+ jmp .Lexit_aes_${label_suffix}
___
for my $keylen (sort keys %aes_rounds) {
my $nr = $aes_rounds{$keylen};
$code .= <<___;
.align 32
-.Laes_${keylen}_${rndsuffix}:
+.Laes_${keylen}_${label_suffix}:
___
$code .= "vpxorq `16*0`($AES_KEY),$XMM0, $XMM0\n\n";
for (my $i = 1; $i <= $nr; $i++) {
@@ -3364,10 +3358,10 @@ ___
}
$code .= <<___;
vaesenclast `16*($nr+1)`($AES_KEY),$XMM0,$XMM0
- jmp .Lexit_aes_${rndsuffix}
+ jmp .Lexit_aes_${label_suffix}
___
}
- $code .= ".Lexit_aes_${rndsuffix}:\n\n";
+ $code .= ".Lexit_aes_${label_suffix}:\n\n";
}
sub CALC_J0 {
@@ -3562,52 +3556,52 @@ sub GCM_ENC_DEC_SMALL {
my $SHUFMASK = $_[29]; # [in] ZMM with BE/LE shuffle mask
my $PBLOCK_LEN = $_[30]; # [in] partial block length
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
cmp \$8,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_8_${rndsuffix}
- jl .L_small_initial_num_blocks_is_7_1_${rndsuffix}
+ je .L_small_initial_num_blocks_is_8_${label_suffix}
+ jl .L_small_initial_num_blocks_is_7_1_${label_suffix}
cmp \$12,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_12_${rndsuffix}
- jl .L_small_initial_num_blocks_is_11_9_${rndsuffix}
+ je .L_small_initial_num_blocks_is_12_${label_suffix}
+ jl .L_small_initial_num_blocks_is_11_9_${label_suffix}
# ;; 16, 15, 14 or 13
cmp \$16,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_16_${rndsuffix}
+ je .L_small_initial_num_blocks_is_16_${label_suffix}
cmp \$15,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_15_${rndsuffix}
+ je .L_small_initial_num_blocks_is_15_${label_suffix}
cmp \$14,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_14_${rndsuffix}
- jmp .L_small_initial_num_blocks_is_13_${rndsuffix}
+ je .L_small_initial_num_blocks_is_14_${label_suffix}
+ jmp .L_small_initial_num_blocks_is_13_${label_suffix}
-.L_small_initial_num_blocks_is_11_9_${rndsuffix}:
+.L_small_initial_num_blocks_is_11_9_${label_suffix}:
# ;; 11, 10 or 9
cmp \$11,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_11_${rndsuffix}
+ je .L_small_initial_num_blocks_is_11_${label_suffix}
cmp \$10,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_10_${rndsuffix}
- jmp .L_small_initial_num_blocks_is_9_${rndsuffix}
+ je .L_small_initial_num_blocks_is_10_${label_suffix}
+ jmp .L_small_initial_num_blocks_is_9_${label_suffix}
-.L_small_initial_num_blocks_is_7_1_${rndsuffix}:
+.L_small_initial_num_blocks_is_7_1_${label_suffix}:
cmp \$4,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_4_${rndsuffix}
- jl .L_small_initial_num_blocks_is_3_1_${rndsuffix}
+ je .L_small_initial_num_blocks_is_4_${label_suffix}
+ jl .L_small_initial_num_blocks_is_3_1_${label_suffix}
# ;; 7, 6 or 5
cmp \$7,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_7_${rndsuffix}
+ je .L_small_initial_num_blocks_is_7_${label_suffix}
cmp \$6,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_6_${rndsuffix}
- jmp .L_small_initial_num_blocks_is_5_${rndsuffix}
+ je .L_small_initial_num_blocks_is_6_${label_suffix}
+ jmp .L_small_initial_num_blocks_is_5_${label_suffix}
-.L_small_initial_num_blocks_is_3_1_${rndsuffix}:
+.L_small_initial_num_blocks_is_3_1_${label_suffix}:
# ;; 3, 2 or 1
cmp \$3,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_3_${rndsuffix}
+ je .L_small_initial_num_blocks_is_3_${label_suffix}
cmp \$2,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_2_${rndsuffix}
+ je .L_small_initial_num_blocks_is_2_${label_suffix}
# ;; for $NUM_BLOCKS == 1, just fall through and no 'jmp' needed
@@ -3616,7 +3610,7 @@ sub GCM_ENC_DEC_SMALL {
___
for (my $num_blocks = 1; $num_blocks <= 16; $num_blocks++) {
- $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
+ $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${label_suffix}:\n";
&INITIAL_BLOCKS_PARTIAL(
$AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $LENGTH, $DATA_OFFSET,
$num_blocks, $CTR, $HASH_IN_OUT, $ENC_DEC, $ZTMP0, $ZTMP1,
@@ -3625,11 +3619,11 @@ ___
$ZTMP14, $IA0, $IA1, $MASKREG, $SHUFMASK, $PBLOCK_LEN);
if ($num_blocks != 16) {
- $code .= "jmp .L_small_initial_blocks_encrypted_${rndsuffix}\n";
+ $code .= "jmp .L_small_initial_blocks_encrypted_${label_suffix}\n";
}
}
- $code .= ".L_small_initial_blocks_encrypted_${rndsuffix}:\n";
+ $code .= ".L_small_initial_blocks_encrypted_${label_suffix}:\n";
}
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -3710,7 +3704,7 @@ sub GCM_ENC_DEC {
my $MASKREG = "%k1";
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
# ;; reduction every 48 blocks, depth 32 blocks
# ;; @note 48 blocks is the maximum capacity of the stack frame
@@ -3751,7 +3745,7 @@ sub GCM_ENC_DEC {
} else {
$code .= "or $PLAIN_CIPH_LEN,$PLAIN_CIPH_LEN\n";
}
- $code .= "je .L_enc_dec_done_${rndsuffix}\n";
+ $code .= "je .L_enc_dec_done_${label_suffix}\n";
# Length value from context $CTX_OFFSET_InLen`($GCM128_CTX) is updated in
# 'providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc'
@@ -3778,12 +3772,12 @@ sub GCM_ENC_DEC {
# ;; There may be no more data if it was consumed in the partial block.
$code .= <<___;
sub $DATA_OFFSET,$LENGTH
- je .L_enc_dec_done_${rndsuffix}
+ je .L_enc_dec_done_${label_suffix}
___
$code .= <<___;
cmp \$`(16 * 16)`,$LENGTH
- jbe .L_message_below_equal_16_blocks_${rndsuffix}
+ jbe .L_message_below_equal_16_blocks_${label_suffix}
vmovdqa64 SHUF_MASK(%rip),$SHUF_MASK
vmovdqa64 ddq_addbe_4444(%rip),$ADDBE_4x4
@@ -3815,7 +3809,7 @@ ___
$code .= <<___;
cmp \$`(32 * 16)`,$LENGTH
- jb .L_message_below_32_blocks_${rndsuffix}
+ jb .L_message_below_32_blocks_${label_suffix}
___
# ;; ==== AES-CTR - next 16 blocks
@@ -3836,13 +3830,13 @@ ___
sub \$`(32 * 16)`,$LENGTH
cmp \$`($big_loop_nblocks * 16)`,$LENGTH
- jb .L_no_more_big_nblocks_${rndsuffix}
+ jb .L_no_more_big_nblocks_${label_suffix}
___
# ;; ====
# ;; ==== AES-CTR + GHASH - 48 blocks loop
# ;; ====
- $code .= ".L_encrypt_big_nblocks_${rndsuffix}:\n";
+ $code .= ".L_encrypt_big_nblocks_${label_suffix}:\n";
# ;; ==== AES-CTR + GHASH - 16 blocks, start
$aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -3893,15 +3887,15 @@ ___
add \$`($big_loop_nblocks * 16)`,$DATA_OFFSET
sub \$`($big_loop_nblocks * 16)`,$LENGTH
cmp \$`($big_loop_nblocks * 16)`,$LENGTH
- jae .L_encrypt_big_nblocks_${rndsuffix}
+ jae .L_encrypt_big_nblocks_${label_suffix}
-.L_no_more_big_nblocks_${rndsuffix}:
+.L_no_more_big_nblocks_${label_suffix}:
cmp \$`(32 * 16)`,$LENGTH
- jae .L_encrypt_32_blocks_${rndsuffix}
+ jae .L_encrypt_32_blocks_${label_suffix}
cmp \$`(16 * 16)`,$LENGTH
- jae .L_encrypt_16_blocks_${rndsuffix}
+ jae .L_encrypt_16_blocks_${label_suffix}
___
# ;; =====================================================
@@ -3909,7 +3903,7 @@ ___
# ;; ==== GHASH 1 x 16 blocks
# ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
# ;; ==== then GHASH N blocks
- $code .= ".L_encrypt_0_blocks_ghash_32_${rndsuffix}:\n";
+ $code .= ".L_encrypt_0_blocks_ghash_32_${label_suffix}:\n";
# ;; calculate offset to the right hash key
$code .= <<___;
@@ -3937,7 +3931,7 @@ ___
$IA0, $IA5, $MASKREG, $PBLOCK_LEN);
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
- $code .= "jmp .L_ghash_done_${rndsuffix}\n";
+ $code .= "jmp .L_ghash_done_${label_suffix}\n";
# ;; =====================================================
# ;; =====================================================
@@ -3946,7 +3940,7 @@ ___
# ;; ==== GHASH 1 x 16 blocks (reduction)
# ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
# ;; ==== then GHASH N blocks
- $code .= ".L_encrypt_32_blocks_${rndsuffix}:\n";
+ $code .= ".L_encrypt_32_blocks_${label_suffix}:\n";
# ;; ==== AES-CTR + GHASH - 16 blocks, start
$aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -4007,7 +4001,7 @@ ___
$IA0, $IA5, $MASKREG, $PBLOCK_LEN);
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
- $code .= "jmp .L_ghash_done_${rndsuffix}\n";
+ $code .= "jmp .L_ghash_done_${label_suffix}\n";
# ;; =====================================================
# ;; =====================================================
@@ -4015,7 +4009,7 @@ ___
# ;; ==== GHASH 1 x 16 blocks
# ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
# ;; ==== then GHASH N blocks
- $code .= ".L_encrypt_16_blocks_${rndsuffix}:\n";
+ $code .= ".L_encrypt_16_blocks_${label_suffix}:\n";
# ;; ==== AES-CTR + GHASH - 16 blocks, start
$aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -4059,9 +4053,9 @@ ___
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
$code .= <<___;
- jmp .L_ghash_done_${rndsuffix}
+ jmp .L_ghash_done_${label_suffix}
-.L_message_below_32_blocks_${rndsuffix}:
+.L_message_below_32_blocks_${label_suffix}:
# ;; 32 > number of blocks > 16
sub \$`(16 * 16)`,$LENGTH
@@ -4094,9 +4088,9 @@ ___
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
$code .= <<___;
- jmp .L_ghash_done_${rndsuffix}
+ jmp .L_ghash_done_${label_suffix}
-.L_message_below_equal_16_blocks_${rndsuffix}:
+.L_message_below_equal_16_blocks_${label_suffix}:
# ;; Determine how many blocks to process
# ;; - process one additional block if there is a partial block
mov @{[DWORD($LENGTH)]},@{[DWORD($IA1)]}
@@ -4113,13 +4107,13 @@ ___
# ;; fall through to exit
- $code .= ".L_ghash_done_${rndsuffix}:\n";
+ $code .= ".L_ghash_done_${label_suffix}:\n";
# ;; save the last counter block
$code .= "vmovdqu64 $CTR_BLOCKx,`$CTX_OFFSET_CurCount`($GCM128_CTX)\n";
$code .= <<___;
vmovdqu64 $AAD_HASHx,`$CTX_OFFSET_AadHash`($GCM128_CTX)
-.L_enc_dec_done_${rndsuffix}:
+.L_enc_dec_done_${label_suffix}:
___
}
@@ -4155,7 +4149,7 @@ sub INITIAL_BLOCKS_16 {
my $B08_11 = $T7;
my $B12_15 = $T8;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
my $stack_offset = $BLK_OFFSET;
$code .= <<___;
@@ -4163,13 +4157,13 @@ sub INITIAL_BLOCKS_16 {
# ;; prepare counter blocks
cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
- jae .L_next_16_overflow_${rndsuffix}
+ jae .L_next_16_overflow_${label_suffix}
vpaddd $ADDBE_1234,$CTR,$B00_03
vpaddd $ADDBE_4x4,$B00_03,$B04_07
vpaddd $ADDBE_4x4,$B04_07,$B08_11
vpaddd $ADDBE_4x4,$B08_11,$B12_15
- jmp .L_next_16_ok_${rndsuffix}
-.L_next_16_overflow_${rndsuffix}:
+ jmp .L_next_16_ok_${label_suffix}
+.L_next_16_overflow_${label_suffix}:
vpshufb $SHUF_MASK,$CTR,$CTR
vmovdqa64 ddq_add_4444(%rip),$B12_15
vpaddd ddq_add_1234(%rip),$CTR,$B00_03
@@ -4180,7 +4174,7 @@ sub INITIAL_BLOCKS_16 {
vpshufb $SHUF_MASK,$B04_07,$B04_07
vpshufb $SHUF_MASK,$B08_11,$B08_11
vpshufb $SHUF_MASK,$B12_15,$B12_15
-.L_next_16_ok_${rndsuffix}:
+.L_next_16_ok_${label_suffix}:
vshufi64x2 \$0b11111111,$B12_15,$B12_15,$CTR
addb \$16,@{[BYTE($CTR_CHECK)]}
# ;; === load 16 blocks of data
@@ -4264,7 +4258,7 @@ sub GCM_COMPLETE {
my $GCM128_CTX = $_[0];
my $PBLOCK_LEN = $_[1];
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
vmovdqu @{[HashKeyByIdx(1,$GCM128_CTX)]},%xmm2
@@ -4276,14 +4270,14 @@ ___
# ;; Process the final partial block.
cmp \$0,$PBLOCK_LEN
- je .L_partial_done_${rndsuffix}
+ je .L_partial_done_${label_suffix}
___
# ;GHASH computation for the last <16 Byte block
&GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17");
$code .= <<___;
-.L_partial_done_${rndsuffix}:
+.L_partial_done_${label_suffix}:
vmovq `$CTX_OFFSET_InLen`($GCM128_CTX), %xmm5
vpinsrq \$1, `$CTX_OFFSET_AadLen`($GCM128_CTX), %xmm5, %xmm5 # ; xmm5 = len(A)||len(C)
vpsllq \$3, %xmm5, %xmm5 # ; convert bytes into bits
@@ -4297,7 +4291,7 @@ ___
vpshufb SHUF_MASK(%rip),%xmm4,%xmm4 # ; perform a 16Byte swap
vpxor %xmm4,%xmm3,%xmm3
-.L_return_T_${rndsuffix}:
+.L_return_T_${label_suffix}:
vmovdqu %xmm3,`$CTX_OFFSET_AadHash`($GCM128_CTX)
___
}

27
showciphers.c Normal file
View File

@ -0,0 +1,27 @@
#include <openssl/err.h>
#include <openssl/ssl.h>
int main() {
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
STACK_OF(SSL_CIPHER) *sk = NULL;
const SSL_METHOD *meth = TLS_server_method();
int i;
const char *p;
ctx = SSL_CTX_new(meth);
if (ctx == NULL)
return 1;
ssl = SSL_new(ctx);
if (ssl == NULL)
return 1;
sk = SSL_get_ciphers(ssl);
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
p = SSL_CIPHER_get_name(c);
if (p == NULL)
break;
printf("%s\n", p);
}
return 0;
}