pool/openssl-3
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: pool:factory
Branches Tags
pool:factory
pool:devel
testing:factory
testing:main
..
compare: testing:main
Branches Tags
testing:factory
testing:main
pool:factory
pool:devel

No commits in common. "factory" and "main" have entirely different histories.
factory ... main

86 changed files with 8986 additions and 6185 deletions
Show Stats Expand all files Collapse all files

100
openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
View File

@ -49,11 +49,11 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
test/smime-certs/smrsa3.pem | 38 ++++++------
19 files changed, 286 insertions(+), 256 deletions(-)
Index: openssl-3.2.3/providers/implementations/signature/dsa_sig.c
Index: openssl-3.1.4/providers/implementations/signature/dsa_sig.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/signature/dsa_sig.c
+++ openssl-3.2.3/providers/implementations/signature/dsa_sig.c
@@ -129,11 +129,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
--- openssl-3.1.4.orig/providers/implementations/signature/dsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/dsa_sig.c
@@ -127,11 +127,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
int md_nid;
size_t mdname_len = strlen(mdname);
@ -65,11 +65,11 @@ Index: openssl-3.2.3/providers/implementations/signature/dsa_sig.c
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
Index: openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
Index: openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
@@ -247,11 +247,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
--- openssl-3.1.4.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c
@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
"%s could not be fetched", mdname);
return 0;
}
@ -81,11 +81,11 @@ Index: openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
if (md_nid < 0) {
Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
@@ -321,11 +321,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
@@ -306,11 +306,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
int md_nid;
size_t mdname_len = strlen(mdname);
@ -97,7 +97,7 @@ Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
sha1_allowed);
@@ -1416,8 +1412,10 @@ static int rsa_set_ctx_params(void *vprs
@@ -1414,8 +1410,10 @@ static int rsa_set_ctx_params(void *vprs
if (prsactx->md == NULL && pmdname == NULL
&& pad_mode == RSA_PKCS1_PSS_PADDING) {
@ -109,10 +109,10 @@ Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
}
Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
===================================================================
--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
--- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
Title = ECDSA tests
@ -167,10 +167,10 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
Verify = P-256-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
===================================================================
--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
--- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -96,6 +96,7 @@ NDL6WCBbets=
Title = RSA tests
@ -282,27 +282,27 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Verify = RSA-2048-PUBLIC
Ctrl = digest:SHA1
Input = "0123456789ABCDEF1234"
@@ -858,6 +873,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
@@ -371,6 +386,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
# Verify using salt length auto detect
+# In the FIPS provider on SUSE/openSUSE, the default digest for PSS signatures is SHA-256
+# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256
+Availablein = default
Verify = RSA-2048-PUBLIC
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:auto
@@ -892,6 +909,10 @@ Output=4DE433D5844043EF08D354DA03CB29068
@@ -405,6 +422,10 @@ Output=4DE433D5844043EF08D354DA03CB29068
Result = VERIFY_ERROR
# Verify using default parameters, explicitly setting parameters
+# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which
+# SUSE/openSUSE do not support in FIPS mode; all these tests are thus marked
+# RHEL-9 does not support in FIPS mode; all these tests are thus marked
+# Availablein = default.
+Availablein = default
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:20
@@ -900,6 +921,7 @@ Input="0123456789ABCDEF0123"
@@ -413,6 +434,7 @@ Input="0123456789ABCDEF0123"
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
# Verify explicitly setting parameters "digest" salt length
@ -310,7 +310,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_pss_saltlen:digest
@@ -908,18 +930,21 @@ Input="0123456789ABCDEF0123"
@@ -421,18 +443,21 @@ Input="0123456789ABCDEF0123"
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
# Verify using salt length larger than minimum
@ -332,7 +332,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Verify = RSA-PSS-DEFAULT
Ctrl = rsa_pss_saltlen:0
Result = PKEY_CTRL_ERROR
@@ -927,21 +952,25 @@ Result = PKEY_CTRL_ERROR
@@ -440,21 +465,25 @@ Result = PKEY_CTRL_ERROR
# Attempt to change padding mode
# Note this used to return PKEY_CTRL_INVALID
# but it is limited because setparams only returns 0 or 1.
@ -358,7 +358,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Verify = RSA-PSS-BAD2
Result = KEYOP_INIT_ERROR
Reason = invalid salt length
@@ -960,36 +989,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF
@@ -473,36 +502,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF
4fINDOjP+yJJvZohNwIDAQAB
-----END PUBLIC KEY-----
@ -401,7 +401,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Verify=RSA-PSS-1
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -1005,36 +1040,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E
@@ -518,36 +553,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E
0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
-----END PUBLIC KEY-----
@ -444,7 +444,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Verify=RSA-PSS-9
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -1052,36 +1093,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5
@@ -565,36 +606,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5
BQIDAQAB
-----END PUBLIC KEY-----
@ -487,12 +487,12 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Verify=RSA-PSS-10
Ctrl = rsa_padding_mode:pss
Ctrl = rsa_mgf1_md:sha1
@@ -1817,11 +1864,13 @@ Title = RSA FIPS tests
@@ -1384,11 +1431,13 @@ Title = RSA FIPS tests
# FIPS tests
-# Verifying with SHA1 is permitted in fips mode for older applications
+# Verifying with SHA1 is not permitted on SUSE/openSUSE in FIPS mode
+# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode
+Availablein = fips
DigestVerify = SHA1
Key = RSA-2048
@ -502,10 +502,10 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
# Verifying with a 1024 bit key is permitted in fips mode for older applications
DigestVerify = SHA256
Index: openssl-3.2.3/test/recipes/80-test_cms.t
Index: openssl-3.1.4/test/recipes/80-test_cms.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/80-test_cms.t
+++ openssl-3.2.3/test/recipes/80-test_cms.t
--- openssl-3.1.4.orig/test/recipes/80-test_cms.t
+++ openssl-3.1.4/test/recipes/80-test_cms.t
@@ -163,7 +163,7 @@ my @smime_pkcs7_tests = (
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
"-certfile", $smroot,
@ -524,11 +524,11 @@ Index: openssl-3.2.3/test/recipes/80-test_cms.t
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&zero_compare
],
Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
Index: openssl-3.1.4/test/recipes/80-test_ssl_old.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.2.3/test/recipes/80-test_ssl_old.t
@@ -394,6 +394,9 @@ sub testssl {
--- openssl-3.1.4.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.1.4/test/recipes/80-test_ssl_old.t
@@ -397,6 +397,9 @@ sub testssl {
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
@ -538,7 +538,7 @@ Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
'test sslv2/sslv3 with server authentication');
ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
@@ -402,6 +405,7 @@ sub testssl {
@@ -405,6 +408,7 @@ sub testssl {
'test sslv2/sslv3 with both client and server authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
@ -546,25 +546,3 @@ Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
SKIP: {
skip "No IPv4 available on this machine", 4
Index: openssl-3.2.3/test/acvp_test.inc
===================================================================
--- openssl-3.2.3.orig/test/acvp_test.inc
+++ openssl-3.2.3/test/acvp_test.inc
@@ -1844,17 +1844,6 @@ static const struct rsa_sigver_st rsa_si
{
"x931",
3072,
- "SHA1",
- ITM(rsa_sigverx931_0_msg),
- ITM(rsa_sigverx931_0_n),
- ITM(rsa_sigverx931_0_e),
- ITM(rsa_sigverx931_0_sig),
- NO_PSS_SALT_LEN,
- PASS
- },
- {
- "x931",
- 3072,
"SHA256",
ITM(rsa_sigverx931_1_msg),
ITM(rsa_sigverx931_1_n),

54
openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
View File

@ -18,11 +18,23 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
.../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++
4 files changed, 34 insertions(+)
Index: openssl-3.2.3/include/openssl/evp.h
Index: openssl-3.1.4/include/openssl/core_names.h
===================================================================
--- openssl-3.2.3.orig/include/openssl/evp.h
+++ openssl-3.2.3/include/openssl/evp.h
@@ -753,6 +753,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER
--- openssl-3.1.4.orig/include/openssl/core_names.h
+++ openssl-3.1.4/include/openssl/core_names.h
@@ -99,6 +99,7 @@ extern "C" {
#define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */
/* For passing the AlgorithmIdentifier parameter in DER form */
#define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */
+#define OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" /* int */
#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \
"tls1multi_maxsndfrag" /* uint */
Index: openssl-3.1.4/include/openssl/evp.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/evp.h
+++ openssl-3.1.4/include/openssl/evp.h
@@ -750,6 +750,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER
void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
@ -32,12 +44,12 @@ Index: openssl-3.2.3/include/openssl/evp.h
+
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
const unsigned char *key, const unsigned char *iv);
__owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c
/*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
Index: openssl-3.1.4/providers/implementations/ciphers/ciphercommon.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon.c
+++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c
@@ -152,6 +152,10 @@ static const OSSL_PARAM cipher_aead_know
--- openssl-3.1.4.orig/providers/implementations/ciphers/ciphercommon.c
+++ openssl-3.1.4/providers/implementations/ciphers/ciphercommon.c
@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_know
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
@ -48,13 +60,13 @@ Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c
OSSL_PARAM_END
};
const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c
Index: openssl-3.1.4/providers/implementations/ciphers/ciphercommon_gcm.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon_gcm.c
+++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c
@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx,
break;
}
--- openssl-3.1.4.orig/providers/implementations/ciphers/ciphercommon_gcm.c
+++ openssl-3.1.4/providers/implementations/ciphers/ciphercommon_gcm.c
@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx,
|| !getivgen(ctx, p->data, p->data_size))
return 0;
}
+
+ /* We would usually hide this under #ifdef FIPS_MODULE, but
@ -84,15 +96,3 @@ Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c
return 1;
}
Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
===================================================================
--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
+++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
@@ -102,6 +102,7 @@ my %params = (
'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string
# For passing the AlgorithmIdentifier parameter in DER form
'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
+ 'CIPHER_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator",# int
'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint

28
openssl-3-FIPS-PCT_rsa_keygen.patch Normal file
View File

@ -0,0 +1,28 @@
Index: openssl-3.1.4/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-3.1.4.orig/crypto/rsa/rsa_gen.c
+++ openssl-3.1.4/crypto/rsa/rsa_gen.c
@@ -428,7 +428,12 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
#ifdef FIPS_MODULE
ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
- pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */
+ /* FIPS MODE needs to always run the pairwise test. But, the
+ * rsa_keygen_pairwise_test() PCT as self-test requirements will be
+ * covered by do_rsa_pct() for both RSA-OAEP and RSA signatures and
+ * this PCT can be skipped here. See bsc#1221760 for more info.
+ */
+ pairwise_test = 0;
#else
/*
* Only multi-prime keys or insecure keys with a small key length or a
@@ -463,6 +468,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
rsa->dmp1 = NULL;
rsa->dmq1 = NULL;
rsa->iqmp = NULL;
+#ifdef FIPS_MODULE
+ abort();
+#endif /* FIPS_MODULE */
}
}
return ok;

82
openssl-3-add-defines-CPACF-funcs.patch
View File

@ -1,82 +0,0 @@
commit 518b53b139d7b4ac082ccedd401d2ee08fc66985
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jan 31 16:26:52 2024 +0100
s390x: Add defines for new CPACF functions
Add defines for new CPACF functions codes, its required MSA levels, and
document how to disable these functions via the OPENSSL_s390xcap environment
variable.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25161)
diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h
index fdc682af06..88ed866b0d 100644
--- a/crypto/s390x_arch.h
+++ b/crypto/s390x_arch.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -115,6 +115,7 @@ extern int OPENSSL_s390xcex;
# define S390X_MSA5 57 /* message-security-assist-ext. 5 */
# define S390X_MSA3 76 /* message-security-assist-ext. 3 */
# define S390X_MSA4 77 /* message-security-assist-ext. 4 */
+# define S390X_MSA12 86 /* message-security-assist-ext. 12 */
# define S390X_VX 129 /* vector */
# define S390X_VXD 134 /* vector packed decimal */
# define S390X_VXE 135 /* vector enhancements 1 */
@@ -150,6 +151,14 @@ extern int OPENSSL_s390xcex;
/* km */
# define S390X_XTS_AES_128 50
# define S390X_XTS_AES_256 52
+# define S390X_XTS_AES_128_MSA10 82
+# define S390X_XTS_AES_256_MSA10 84
+
+/* kmac */
+# define S390X_HMAC_SHA_224 112
+# define S390X_HMAC_SHA_256 113
+# define S390X_HMAC_SHA_384 114
+# define S390X_HMAC_SHA_512 115
/* prno */
# define S390X_SHA_512_DRNG 3
diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod
index d7185530ec..363003d8d3 100644
--- a/doc/man3/OPENSSL_s390xcap.pod
+++ b/doc/man3/OPENSSL_s390xcap.pod
@@ -74,6 +74,7 @@ the numbering is continuous across 64-bit mask boundaries.
:
# 76 1<<51 message-security assist extension 3
# 77 1<<50 message-security assist extension 4
+ # 86 1<<41 message-security-assist extension 12
:
#129 1<<62 vector facility
#134 1<<57 vector packed decimal facility
@@ -110,6 +111,8 @@ the numbering is continuous across 64-bit mask boundaries.
# 50 1<<13 KM-XTS-AES-128
# 52 1<<11 KM-XTS-AES-256
:
+ # 82 1<<45 KM-XTS-AES-128-MSA10
+ # 84 1<<43 KM-XTS-AES-256-MSA10
kmc :
# 18 1<<45 KMC-AES-128
@@ -122,6 +125,10 @@ the numbering is continuous across 64-bit mask boundaries.
# 19 1<<44 KMAC-AES-192
# 20 1<<43 KMAC-AES-256
:
+ # 112 1<<15 KMAC-SHA-224
+ # 113 1<<14 KMAC-SHA-256
+ # 114 1<<13 KMAC-SHA-384
+ # 115 1<<12 KMAC-SHA-512
kmctr:
:

506
openssl-3-add-hw-acceleration-hmac.patch
View File

@ -1,506 +0,0 @@
commit 0499de5adda26b1ef09660f70c12b4710b5f7c8a
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu Feb 1 15:15:27 2024 +0100
s390x: Add hardware acceleration for HMAC
The CPACF instruction KMAC provides support for accelerating the HMAC
algorithm on newer machines for HMAC with SHA-224, SHA-256, SHA-384, and
SHA-512.
Preliminary measurements showed performance improvements of up to a factor
of 2, dependent on the message size, whether chunking is used and the size
of the chunks.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25161)
Index: openssl-3.2.3/crypto/hmac/build.info
===================================================================
--- openssl-3.2.3.orig/crypto/hmac/build.info
+++ openssl-3.2.3/crypto/hmac/build.info
@@ -2,5 +2,22 @@ LIBS=../../libcrypto
$COMMON=hmac.c
-SOURCE[../../libcrypto]=$COMMON
-SOURCE[../../providers/libfips.a]=$COMMON
+IF[{- !$disabled{asm} -}]
+ IF[{- ($target{perlasm_scheme} // '') ne '31' -}]
+ $HMACASM_s390x=hmac_s390x.c
+ $HMACDEF_s390x=OPENSSL_HMAC_S390X
+ ENDIF
+
+ # Now that we have defined all the arch specific variables, use the
+ # appropriate ones, and define the appropriate macros
+ IF[$HMACASM_{- $target{asm_arch} -}]
+ $HMACASM=$HMACASM_{- $target{asm_arch} -}
+ $HMACDEF=$HMACDEF_{- $target{asm_arch} -}
+ ENDIF
+ENDIF
+
+DEFINE[../../libcrypto]=$HMACDEF
+DEFINE[../../providers/libfips.a]=$HMACDEF
+
+SOURCE[../../libcrypto]=$COMMON $HMACASM
+SOURCE[../../providers/libfips.a]=$COMMON $HMACASM
Index: openssl-3.2.3/crypto/hmac/hmac.c
===================================================================
--- openssl-3.2.3.orig/crypto/hmac/hmac.c
+++ openssl-3.2.3/crypto/hmac/hmac.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -49,6 +49,12 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0)
return 0;
+#ifdef OPENSSL_HMAC_S390X
+ rv = s390x_HMAC_init(ctx, key, len, impl);
+ if (rv >= 1)
+ return rv;
+#endif
+
if (key != NULL) {
reset = 1;
@@ -111,6 +117,12 @@ int HMAC_Update(HMAC_CTX *ctx, const uns
{
if (!ctx->md)
return 0;
+
+#ifdef OPENSSL_HMAC_S390X
+ if (ctx->plat.s390x.fc)
+ return s390x_HMAC_update(ctx, data, len);
+#endif
+
return EVP_DigestUpdate(ctx->md_ctx, data, len);
}
@@ -122,6 +134,11 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
if (!ctx->md)
goto err;
+#ifdef OPENSSL_HMAC_S390X
+ if (ctx->plat.s390x.fc)
+ return s390x_HMAC_final(ctx, md, len);
+#endif
+
if (!EVP_DigestFinal_ex(ctx->md_ctx, buf, &i))
goto err;
if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->o_ctx))
@@ -161,6 +178,10 @@ static void hmac_ctx_cleanup(HMAC_CTX *c
EVP_MD_CTX_reset(ctx->o_ctx);
EVP_MD_CTX_reset(ctx->md_ctx);
ctx->md = NULL;
+
+#ifdef OPENSSL_HMAC_S390X
+ s390x_HMAC_CTX_cleanup(ctx);
+#endif
}
void HMAC_CTX_free(HMAC_CTX *ctx)
@@ -212,6 +233,12 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
if (!EVP_MD_CTX_copy_ex(dctx->md_ctx, sctx->md_ctx))
goto err;
dctx->md = sctx->md;
+
+#ifdef OPENSSL_HMAC_S390X
+ if (s390x_HMAC_CTX_copy(dctx, sctx) == 0)
+ goto err;
+#endif
+
return 1;
err:
hmac_ctx_cleanup(dctx);
Index: openssl-3.2.3/crypto/hmac/hmac_local.h
===================================================================
--- openssl-3.2.3.orig/crypto/hmac/hmac_local.h
+++ openssl-3.2.3/crypto/hmac/hmac_local.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -10,6 +10,10 @@
#ifndef OSSL_CRYPTO_HMAC_LOCAL_H
# define OSSL_CRYPTO_HMAC_LOCAL_H
+# include "internal/common.h"
+# include "internal/numbers.h"
+# include "openssl/sha.h"
+
/* The current largest case is for SHA3-224 */
#define HMAC_MAX_MD_CBLOCK_SIZE 144
@@ -18,6 +22,45 @@ struct hmac_ctx_st {
EVP_MD_CTX *md_ctx;
EVP_MD_CTX *i_ctx;
EVP_MD_CTX *o_ctx;
+
+ /* Platform specific data */
+ union {
+ int dummy;
+# ifdef OPENSSL_HMAC_S390X
+ struct {
+ unsigned int fc; /* 0 if not supported by kmac instruction */
+ int blk_size;
+ int ikp;
+ int iimp;
+ unsigned char *buf;
+ size_t size; /* must be multiple of digest block size */
+ size_t num;
+ union {
+ OSSL_UNION_ALIGN;
+ struct {
+ uint32_t h[8];
+ uint64_t imbl;
+ unsigned char key[64];
+ } hmac_224_256;
+ struct {
+ uint64_t h[8];
+ uint128_t imbl;
+ unsigned char key[128];
+ } hmac_384_512;
+ } param;
+ } s390x;
+# endif /* OPENSSL_HMAC_S390X */
+ } plat;
};
+# ifdef OPENSSL_HMAC_S390X
+# define HMAC_S390X_BUF_NUM_BLOCKS 64
+
+int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl);
+int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
+int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
+int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx);
+int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx);
+# endif /* OPENSSL_HMAC_S390X */
+
#endif
Index: openssl-3.2.3/crypto/hmac/hmac_s390x.c
===================================================================
--- /dev/null
+++ openssl-3.2.3/crypto/hmac/hmac_s390x.c
@@ -0,0 +1,298 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "crypto/s390x_arch.h"
+#include "hmac_local.h"
+#include "openssl/obj_mac.h"
+#include "openssl/evp.h"
+
+#ifdef OPENSSL_HMAC_S390X
+
+static int s390x_fc_from_md(const EVP_MD *md)
+{
+ int fc;
+
+ switch (EVP_MD_get_type(md)) {
+ case NID_sha224:
+ fc = S390X_HMAC_SHA_224;
+ break;
+ case NID_sha256:
+ fc = S390X_HMAC_SHA_256;
+ break;
+ case NID_sha384:
+ fc = S390X_HMAC_SHA_384;
+ break;
+ case NID_sha512:
+ fc = S390X_HMAC_SHA_512;
+ break;
+ default:
+ return 0;
+ }
+
+ if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0)
+ return 0;
+
+ return fc;
+}
+
+static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len)
+{
+ unsigned int fc = ctx->plat.s390x.fc;
+
+ if (ctx->plat.s390x.ikp)
+ fc |= S390X_KMAC_IKP;
+
+ if (ctx->plat.s390x.iimp)
+ fc |= S390X_KMAC_IIMP;
+
+ switch (ctx->plat.s390x.fc) {
+ case S390X_HMAC_SHA_224:
+ case S390X_HMAC_SHA_256:
+ ctx->plat.s390x.param.hmac_224_256.imbl += ((uint64_t)len * 8);
+ break;
+ case S390X_HMAC_SHA_384:
+ case S390X_HMAC_SHA_512:
+ ctx->plat.s390x.param.hmac_384_512.imbl += ((uint128_t)len * 8);
+ break;
+ default:
+ break;
+ }
+
+ s390x_kmac(in, len, fc, &ctx->plat.s390x.param);
+
+ ctx->plat.s390x.ikp = 1;
+}
+
+int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
+{
+ unsigned char *key_param;
+ unsigned int key_param_len;
+
+ ctx->plat.s390x.fc = s390x_fc_from_md(ctx->md);
+ if (ctx->plat.s390x.fc == 0)
+ return -1; /* Not supported by kmac instruction */
+
+ ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md);
+ if (ctx->plat.s390x.blk_size < 0)
+ return 0;
+
+ if (ctx->plat.s390x.size !=
+ (size_t)(ctx->plat.s390x.blk_size * HMAC_S390X_BUF_NUM_BLOCKS)) {
+ OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size);
+ ctx->plat.s390x.size = 0;
+ ctx->plat.s390x.buf = OPENSSL_zalloc(ctx->plat.s390x.blk_size *
+ HMAC_S390X_BUF_NUM_BLOCKS);
+ if (ctx->plat.s390x.buf == NULL)
+ return 0;
+ ctx->plat.s390x.size = ctx->plat.s390x.blk_size *
+ HMAC_S390X_BUF_NUM_BLOCKS;
+ }
+ ctx->plat.s390x.num = 0;
+
+ ctx->plat.s390x.ikp = 0;
+ ctx->plat.s390x.iimp = 1;
+
+ switch (ctx->plat.s390x.fc) {
+ case S390X_HMAC_SHA_224:
+ case S390X_HMAC_SHA_256:
+ ctx->plat.s390x.param.hmac_224_256.imbl = 0;
+ OPENSSL_cleanse(ctx->plat.s390x.param.hmac_224_256.h,
+ sizeof(ctx->plat.s390x.param.hmac_224_256.h));
+ break;
+ case S390X_HMAC_SHA_384:
+ case S390X_HMAC_SHA_512:
+ ctx->plat.s390x.param.hmac_384_512.imbl = 0;
+ OPENSSL_cleanse(ctx->plat.s390x.param.hmac_384_512.h,
+ sizeof(ctx->plat.s390x.param.hmac_384_512.h));
+ break;
+ default:
+ return 0;
+ }
+
+ if (key != NULL) {
+ switch (ctx->plat.s390x.fc) {
+ case S390X_HMAC_SHA_224:
+ case S390X_HMAC_SHA_256:
+ OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_224_256.key,
+ sizeof(ctx->plat.s390x.param.hmac_224_256.key));
+ key_param = ctx->plat.s390x.param.hmac_224_256.key;
+ key_param_len = sizeof(ctx->plat.s390x.param.hmac_224_256.key);
+ break;
+ case S390X_HMAC_SHA_384:
+ case S390X_HMAC_SHA_512:
+ OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_384_512.key,
+ sizeof(ctx->plat.s390x.param.hmac_384_512.key));
+ key_param = ctx->plat.s390x.param.hmac_384_512.key;
+ key_param_len = sizeof(ctx->plat.s390x.param.hmac_384_512.key);
+ break;
+ default:
+ return 0;
+ }
+
+ if (!ossl_assert(ctx->plat.s390x.blk_size <= (int)key_param_len))
+ return 0;
+
+ if (key_len > ctx->plat.s390x.blk_size) {
+ if (!EVP_DigestInit_ex(ctx->md_ctx, ctx->md, impl)
+ || !EVP_DigestUpdate(ctx->md_ctx, key, key_len)
+ || !EVP_DigestFinal_ex(ctx->md_ctx, key_param,
+ &key_param_len))
+ return 0;
+ } else {
+ if (key_len < 0 || key_len > (int)key_param_len)
+ return 0;
+ memcpy(key_param, key, key_len);
+ /* remaining key bytes already zeroed out above */
+ }
+ }
+
+ return 1;
+}
+
+int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
+{
+ size_t remain, num;
+
+ if (len == 0)
+ return 1;
+
+ /* buffer is full, process it now */
+ if (ctx->plat.s390x.num == ctx->plat.s390x.size) {
+ s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
+
+ ctx->plat.s390x.num = 0;
+ }
+
+ remain = ctx->plat.s390x.size - ctx->plat.s390x.num;
+ if (len > remain) {
+ /* data does not fit into buffer */
+ if (ctx->plat.s390x.num > 0) {
+ /* first fill buffer and process it */
+ memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, remain);
+ ctx->plat.s390x.num += remain;
+
+ s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
+
+ ctx->plat.s390x.num = 0;
+
+ data += remain;
+ len -= remain;
+ }
+
+ if (!ossl_assert(ctx->plat.s390x.num == 0))
+ return 0;
+
+ if (len > ctx->plat.s390x.size) {
+ /*
+ * remaining data is still larger than buffer, process remaining
+ * full blocks of input directly
+ */
+ remain = len % ctx->plat.s390x.blk_size;
+ num = len - remain;
+
+ s390x_call_kmac(ctx, data, num);
+
+ data += num;
+ len -= num;
+ }
+ }
+
+ /* add remaining input data (which is < buffer size) to buffer */
+ if (!ossl_assert(len <= ctx->plat.s390x.size))
+ return 0;
+
+ if (len > 0) {
+ memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, len);
+ ctx->plat.s390x.num += len;
+ }
+
+ return 1;
+}
+
+int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
+{
+ void *result;
+ unsigned int res_len;
+
+ ctx->plat.s390x.iimp = 0; /* last block */
+ s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
+
+ ctx->plat.s390x.num = 0;
+
+ switch (ctx->plat.s390x.fc) {
+ case S390X_HMAC_SHA_224:
+ result = &ctx->plat.s390x.param.hmac_224_256.h[0];
+ res_len = SHA224_DIGEST_LENGTH;
+ break;
+ case S390X_HMAC_SHA_256:
+ result = &ctx->plat.s390x.param.hmac_224_256.h[0];
+ res_len = SHA256_DIGEST_LENGTH;
+ break;
+ case S390X_HMAC_SHA_384:
+ result = &ctx->plat.s390x.param.hmac_384_512.h[0];
+ res_len = SHA384_DIGEST_LENGTH;
+ break;
+ case S390X_HMAC_SHA_512:
+ result = &ctx->plat.s390x.param.hmac_384_512.h[0];
+ res_len = SHA512_DIGEST_LENGTH;
+ break;
+ default:
+ return 0;
+ }
+
+ memcpy(md, result, res_len);
+ if (len != NULL)
+ *len = res_len;
+
+ return 1;
+}
+
+int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
+{
+ dctx->plat.s390x.fc = sctx->plat.s390x.fc;
+ dctx->plat.s390x.blk_size = sctx->plat.s390x.blk_size;
+ dctx->plat.s390x.ikp = sctx->plat.s390x.ikp;
+ dctx->plat.s390x.iimp = sctx->plat.s390x.iimp;
+
+ memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param,
+ sizeof(dctx->plat.s390x.param));
+
+ dctx->plat.s390x.buf = NULL;
+ if (sctx->plat.s390x.buf != NULL) {
+ dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf,
+ sctx->plat.s390x.size);
+ if (dctx->plat.s390x.buf == NULL)
+ return 0;
+ }
+
+ dctx->plat.s390x.size = sctx->plat.s390x.size;
+ dctx->plat.s390x.num = sctx->plat.s390x.num;
+
+ return 1;
+}
+
+int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx)
+{
+ OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size);
+ ctx->plat.s390x.buf = NULL;
+ ctx->plat.s390x.size = 0;
+ ctx->plat.s390x.num = 0;
+
+ OPENSSL_cleanse(&ctx->plat.s390x.param, sizeof(ctx->plat.s390x.param));
+
+ ctx->plat.s390x.blk_size = 0;
+ ctx->plat.s390x.ikp = 0;
+ ctx->plat.s390x.iimp = 1;
+
+ ctx->plat.s390x.fc = 0;
+
+ return 1;
+}
+
+#endif
Index: openssl-3.2.3/crypto/s390x_arch.h
===================================================================
--- openssl-3.2.3.orig/crypto/s390x_arch.h
+++ openssl-3.2.3/crypto/s390x_arch.h
@@ -192,5 +192,8 @@ extern int OPENSSL_s390xcex;
# define S390X_KMA_HS 0x400
# define S390X_KDSA_D 0x80
# define S390X_KLMD_PS 0x100
+# define S390X_KMAC_IKP 0x8000
+# define S390X_KMAC_IIMP 0x4000
+# define S390X_KMAC_CCUP 0x2000
#endif

32
openssl-3-add-xof-state-handling-s3_absorb.patch
View File

@ -1,32 +0,0 @@
commit 1337b50936ed190a98af1ee6601d857b42a3d296
Author: Holger Dengler <dengler@linux.ibm.com>
Date: Wed Sep 27 21:54:34 2023 +0200
Add xof state handing for generic sha3 absorb.
The digest life-cycle diagram specifies state transitions to `updated`
(aka XOF_STATE_ABSORB) only from `initialised` and `updated`. Add this
checking to the generic sha3 absorb implementation.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)
Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -143,6 +143,10 @@ static size_t generic_sha3_absorb(void *
{
KECCAK1600_CTX *ctx = vctx;
+ if (!(ctx->xof_state == XOF_STATE_INIT ||
+ ctx->xof_state == XOF_STATE_ABSORB))
+ return 0;
+ ctx->xof_state = XOF_STATE_ABSORB;
return SHA3_absorb(ctx->A, inp, len, ctx->block_size);
}

1781
openssl-3-add_EVP_DigestSqueeze_api.patch
View File

File diff suppressed because it is too large Load Diff

90
openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
View File

@ -1,90 +0,0 @@
commit a75d62637aa165a7f37e39a3a36e2a8b089913bc
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Aug 26 11:26:03 2024 +0200
s390x: Disable HMAC hardware acceleration when an engine is used for the digest
The TLSProxy uses the 'ossltest' engine to produce known output for digests
and HMAC calls. However, when running on a s390x system that supports
hardware acceleration of HMAC, the engine is not used for calculating HMACs,
but the s390x specific HMAC implementation is used, which does produce correct
output, but not the known output that the engine would produce. This causes
some tests (i.e. test_key_share, test_sslextension, test_sslrecords,
test_sslvertol, and test_tlsextms) to fail.
Disable the s390x HMAC hardware acceleration if an engine is used for the
digest of the HMAC calculation. This provides compatibility for engines that
provide digest implementations, and assume that these implementations are also
used when calculating an HMAC.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25287)
diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
index 5db7e9a221..02e1cd1dd6 100644
--- a/crypto/hmac/hmac_s390x.c
+++ b/crypto/hmac/hmac_s390x.c
@@ -7,10 +7,16 @@
* https://www.openssl.org/source/license.html
*/
+/* We need to use some engine deprecated APIs */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
#include "crypto/s390x_arch.h"
#include "hmac_local.h"
#include "openssl/obj_mac.h"
#include "openssl/evp.h"
+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
+# include <openssl/engine.h>
+#endif
#ifdef OPENSSL_HMAC_S390X
@@ -63,6 +69,31 @@ static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len)
ctx->plat.s390x.ikp = 1;
}
+static int s390x_check_engine_used(const EVP_MD *md, ENGINE *impl)
+{
+# if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
+ const EVP_MD *d;
+
+ if (impl != NULL) {
+ if (!ENGINE_init(impl))
+ return 0;
+ } else {
+ impl = ENGINE_get_digest_engine(EVP_MD_get_type(md));
+ }
+
+ if (impl == NULL)
+ return 0;
+
+ d = ENGINE_get_digest(impl, EVP_MD_get_type(md));
+ ENGINE_finish(impl);
+
+ if (d != NULL)
+ return 1;
+# endif
+
+ return 0;
+}
+
int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
{
unsigned char *key_param;
@@ -72,6 +103,11 @@ int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
if (ctx->plat.s390x.fc == 0)
return -1; /* Not supported by kmac instruction */
+ if (s390x_check_engine_used(ctx->md, impl)) {
+ ctx->plat.s390x.fc = 0;
+ return -1; /* An engine handles the digest, disable acceleration */
+ }
+
ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md);
if (ctx->plat.s390x.blk_size < 0)
return 0;

49
openssl-3-fix-hmac-digest-detection-s390x.patch
View File

@ -1,49 +0,0 @@
commit d5b3c0e24bc56614e92ffafdd705622beaef420a
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Aug 28 14:56:33 2024 +0200
s390x: Fix HMAC digest detection
Use EVP_MD_is_a() instead of EVP_MD_get_type() to detect the digest
type. EVP_MD_get_type() does not always return the expected NID, e.g.
when running in the FIPS provider, EVP_MD_get_type() returns zero,
causing to skip the HMAC acceleration path.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25304)
diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
index 8b0da0d59d..5db7e9a221 100644
--- a/crypto/hmac/hmac_s390x.c
+++ b/crypto/hmac/hmac_s390x.c
@@ -18,22 +18,16 @@ static int s390x_fc_from_md(const EVP_MD *md)
{
int fc;
- switch (EVP_MD_get_type(md)) {
- case NID_sha224:
+ if (EVP_MD_is_a(md, "SHA2-224"))
fc = S390X_HMAC_SHA_224;
- break;
- case NID_sha256:
+ else if (EVP_MD_is_a(md, "SHA2-256"))
fc = S390X_HMAC_SHA_256;
- break;
- case NID_sha384:
+ else if (EVP_MD_is_a(md, "SHA2-384"))
fc = S390X_HMAC_SHA_384;
- break;
- case NID_sha512:
+ else if (EVP_MD_is_a(md, "SHA2-512"))
fc = S390X_HMAC_SHA_512;
- break;
- default:
+ else
return 0;
- }
if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0)
return 0;

28
openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
View File

@ -1,28 +0,0 @@
commit 19b87d2d2b022c20dd9043c3b6d021315011b45f
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Aug 20 11:35:20 2024 +0200
s390x: Fix memory leak in s390x_HMAC_CTX_copy()
When s390x_HMAC_CTX_copy() is called, but the destination context already
has a buffer allocated, it is not freed before duplicating the buffer from
the source context.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25238)
diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
index 1124d9bc5d..8b0da0d59d 100644
--- a/crypto/hmac/hmac_s390x.c
+++ b/crypto/hmac/hmac_s390x.c
@@ -263,6 +263,7 @@ int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param,
sizeof(dctx->plat.s390x.param));
+ OPENSSL_clear_free(dctx->plat.s390x.buf, dctx->plat.s390x.size);
dctx->plat.s390x.buf = NULL;
if (sctx->plat.s390x.buf != NULL) {
dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf,

25
openssl-3-fix-quic_multistream_test.patch
View File

@ -1,25 +0,0 @@
From b5795e3ed3ec38ef4686a5b7ff03bfd60183cb71 Mon Sep 17 00:00:00 2001
From: "Randall S. Becker" <randall.becker@nexbridge.ca>
Date: Mon, 20 May 2024 22:23:04 +0000
Subject: [PATCH] Added an explicit yield (OP_SLEEP) to QUIC testing for
cooperative threading.
Fixes: #24442
Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
---
test/quic_multistream_test.c | 1 +
1 file changed, 1 insertion(+)
Index: openssl-3.2.3/test/quic_multistream_test.c
===================================================================
--- openssl-3.2.3.orig/test/quic_multistream_test.c
+++ openssl-3.2.3/test/quic_multistream_test.c
@@ -2397,6 +2397,7 @@ static const struct script_op script_13_
OP_C_ACCEPT_STREAM_WAIT (a)
OP_C_READ_EXPECT (a, "foo", 3)
+ OP_SLEEP (10)
OP_C_EXPECT_FIN (a)
OP_C_FREE_STREAM (a)

50
openssl-3-fix-s390x_sha3_absorb.patch
View File

@ -1,50 +0,0 @@
From 979dc530010e3c0f045edf6e38c7ab894ffba7f2 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 5 Sep 2024 08:45:29 +0200
Subject: [PATCH] s390x: Fix s390x_sha3_absorb() when no data is processed by
KIMD
If the data to absorb is less than a block, then the KIMD instruction is
called with zero bytes. This is superfluous, and causes incorrect hash
output later on if this is the very first absorb call, i.e. when the
xof_state is still XOF_STATE_INIT and MSA 12 is available. In this case
the NIP flag is set in the function code for KIMD, but KIMD ignores the
NIP flag when it is called with zero bytes to process.
Skip any KIMD calls for zero length data. Also do not set the xof_state
to XOF_STATE_ABSORB until the first call to KIMD with data. That way,
the next KIMD (with non-zero length data) or KLMD call will get the NIP
flag set and will then honor it to produce correct output.
Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25388)
---
providers/implementations/digests/sha3_prov.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -192,10 +192,12 @@ static size_t s390x_sha3_absorb(void *vc
if (!(ctx->xof_state == XOF_STATE_INIT ||
ctx->xof_state == XOF_STATE_ABSORB))
return 0;
- fc = ctx->pad;
- fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
- ctx->xof_state = XOF_STATE_ABSORB;
- s390x_kimd(inp, len - rem, fc, ctx->A);
+ if (len - rem > 0) {
+ fc = ctx->pad;
+ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
+ ctx->xof_state = XOF_STATE_ABSORB;
+ s390x_kimd(inp, len - rem, fc, ctx->A);
+ }
return rem;
}

98
openssl-3-fix-s390x_shake_squeeze.patch
View File

@ -1,98 +0,0 @@
From dc5afb7e87ee448f4fecad0dc624c643505ba7f1 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 4 Sep 2024 13:42:09 +0200
Subject: [PATCH] s390x: Fix s390x_shake_squeeze() when MSA 12 is available
On the first squeeze call, when finishing the absorb process, also set
the NIP flag, if we are still in XOF_STATE_INIT state. When MSA 12 is
available, the state buffer A has not been zeroed during initialization,
thus we must also pass the NIP flag here. This situation can happen
when a squeeze is performed without a preceding absorb (i.e. a SHAKE
of the empty message).
Add a test that performs a squeeze without a preceding absorb and check
if the result is correct.
Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25388)
---
providers/implementations/digests/sha3_prov.c | 5 +++-
test/evp_xof_test.c | 29 +++++++++++++++++++
2 files changed, 33 insertions(+), 1 deletion(-)
Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -239,6 +239,7 @@ static int s390x_shake_final(void *vctx,
static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen)
{
KECCAK1600_CTX *ctx = vctx;
+ unsigned int fc;
size_t len;
if (!ossl_prov_is_running())
@@ -249,8 +250,10 @@ static int s390x_shake_squeeze(void *vct
* On the first squeeze call, finish the absorb process (incl. padding).
*/
if (ctx->xof_state != XOF_STATE_SQUEEZE) {
+ fc = ctx->pad;
+ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
ctx->xof_state = XOF_STATE_SQUEEZE;
- s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
+ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A);
ctx->bufsz = outlen % ctx->block_size;
/* reuse ctx->bufsz to count bytes squeezed from current sponge */
return 1;
Index: openssl-3.2.3/test/evp_xof_test.c
===================================================================
--- openssl-3.2.3.orig/test/evp_xof_test.c
+++ openssl-3.2.3/test/evp_xof_test.c
@@ -479,6 +479,34 @@ err:
return ret;
}
+/* Test that a squeeze without a preceding absorb works */
+static int shake_squeeze_no_absorb_test(void)
+{
+ int ret = 0;
+ EVP_MD_CTX *ctx = NULL;
+ unsigned char out[1000];
+ unsigned char out2[1000];
+ const char *alg = "SHAKE128";
+
+ if (!TEST_ptr(ctx = shake_setup(alg))
+ || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out))))
+ goto err;
+
+ if (!TEST_true(EVP_DigestInit_ex2(ctx, NULL, NULL))
+ || !TEST_true(EVP_DigestSqueeze(ctx, out2, sizeof(out2) / 2))
+ || !TEST_true(EVP_DigestSqueeze(ctx, out2 + sizeof(out2) / 2,
+ sizeof(out2) / 2)))
+ goto err;
+
+ if (!TEST_mem_eq(out2, sizeof(out2), out, sizeof(out)))
+ goto err;
+ ret = 1;
+
+err:
+ EVP_MD_CTX_free(ctx);
+ return ret;
+}
+
int setup_tests(void)
{
ADD_TEST(shake_kat_test);
@@ -488,5 +516,7 @@ int setup_tests(void)
ADD_ALL_TESTS(shake_squeeze_kat_test, OSSL_NELEM(stride_tests));
ADD_ALL_TESTS(shake_squeeze_large_test, OSSL_NELEM(stride_tests));
ADD_ALL_TESTS(shake_squeeze_dup_test, OSSL_NELEM(dupoffset_tests));
+ ADD_TEST(shake_squeeze_no_absorb_test);
+
return 1;
}

31
openssl-3-fix-sha3-squeeze-ppc64.patch
View File

@ -1,31 +0,0 @@
commit ed5e478261127cafe9c3f86c4992eab1e5c7ebb1
Author: Rohan McLure <rmclure@linux.ibm.com>
Date: Tue Nov 14 14:14:33 2023 +1100
ppc64: Fix SHA3_squeeze
Fix the conditional on the 'next' parameter passed into SHA3_squeeze.
Reported-by: David Benjamin <davidben@davidben.net>
Signed-off-by: Rohan McLure <rmclure@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22722)
diff --git a/crypto/sha/asm/keccak1600-ppc64.pl b/crypto/sha/asm/keccak1600-ppc64.pl
index 3f8ba817f8..fe7d6db20e 100755
--- a/crypto/sha/asm/keccak1600-ppc64.pl
+++ b/crypto/sha/asm/keccak1600-ppc64.pl
@@ -668,8 +668,8 @@ SHA3_squeeze:
subi $out,r4,1 ; prepare for stbu
mr $len,r5
mr $bsz,r6
- ${UCMP}i r7,1 ; r7 = 'next' argument
- blt .Lnext_block
+ ${UCMP}i r7,0 ; r7 = 'next' argument
+ bne .Lnext_block
b .Loop_squeeze
.align 4

32
openssl-3-fix-state-handling-keccak_final_s390x.patch
View File

@ -1,32 +0,0 @@
commit 1022131d16e30cfbf896e02419019de48e8e1149
Author: Holger Dengler <dengler@linux.ibm.com>
Date: Wed Sep 27 15:43:18 2023 +0200
Fix state handling of keccak_final for s390x.
The digest life-cycle state diagram has been updated for XOF. Fix the
state handling in s390x_keccac_final() according to the updated state
diagram.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)
diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
index 34620cf95a..f691273baf 100644
--- a/providers/implementations/digests/sha3_prov.c
+++ b/providers/implementations/digests/sha3_prov.c
@@ -235,6 +235,10 @@ static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen,
if (!ossl_prov_is_running())
return 0;
+ if (!(ctx->xof_state == XOF_STATE_INIT ||
+ ctx->xof_state == XOF_STATE_ABSORB))
+ return 0;
+ ctx->xof_state = XOF_STATE_FINAL;
if (outlen == 0)
return 1;
memset(ctx->buf + num, 0, bsz - num);

32
openssl-3-fix-state-handling-sha3_absorb_s390x.patch
View File

@ -1,32 +0,0 @@
commit 7aa45b8bb3269e881d0378aa785ff344efdd2897
Author: Holger Dengler <dengler@linux.ibm.com>
Date: Wed Sep 27 15:36:23 2023 +0200
Fix state handling of sha3_absorb for s390x.
The digest life-cycle state diagram has been updated for XOF. Fix the
state handling in s390x_sha3_aborb() according to the updated state
diagram.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)
Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -188,6 +188,10 @@ static size_t s390x_sha3_absorb(void *vc
KECCAK1600_CTX *ctx = vctx;
size_t rem = len % ctx->block_size;
+ if (!(ctx->xof_state == XOF_STATE_INIT ||
+ ctx->xof_state == XOF_STATE_ABSORB))
+ return 0;
+ ctx->xof_state = XOF_STATE_ABSORB;
s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
return rem;
}

32
openssl-3-fix-state-handling-sha3_final_s390x.patch
View File

@ -1,32 +0,0 @@
commit 017acc58f6b67d5b347db411a7a1c4e890434f42
Author: Holger Dengler <dengler@linux.ibm.com>
Date: Wed Sep 27 15:36:59 2023 +0200
Fix state handling of sha3_final for s390x.
The digest life-cycle state diagram has been updated for XOF. Fix the
state handling in s390x_sha3_final() according to the updated state
diagram.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)
Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -202,6 +202,10 @@ static int s390x_sha3_final(void *vctx,
if (!ossl_prov_is_running())
return 0;
+ if (!(ctx->xof_state == XOF_STATE_INIT ||
+ ctx->xof_state == XOF_STATE_ABSORB))
+ return 0;
+ ctx->xof_state = XOF_STATE_FINAL;
s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
memcpy(out, ctx->A, outlen);
return 1;

32
openssl-3-fix-state-handling-shake_final_s390x.patch
View File

@ -1,32 +0,0 @@
commit 288fbb4b71343516cee6f6a44b9ec55d82fb1532
Author: Holger Dengler <dengler@linux.ibm.com>
Date: Wed Sep 27 15:37:29 2023 +0200
Fix state handling of shake_final for s390x.
The digest life-cycle state diagram has been updated for XOF. Fix the
state handling in s390x_shake_final() according to the updated state
diagram.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)
Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -217,6 +217,10 @@ static int s390x_shake_final(void *vctx,
if (!ossl_prov_is_running())
return 0;
+ if (!(ctx->xof_state == XOF_STATE_INIT ||
+ ctx->xof_state == XOF_STATE_ABSORB))
+ return 0;
+ ctx->xof_state = XOF_STATE_FINAL;
s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
return 1;
}

327
openssl-3-hw-acceleration-aes-xts-s390x.patch
View File

@ -1,327 +0,0 @@
commit 9cd4051e47c8da8398f93f42f0f56750552965f4
Author: Holger Dengler <dengler@linux.ibm.com>
Date: Tue Aug 6 14:00:49 2024 +0200
s390x: Add hardware acceleration for full AES-XTS
The CPACF instruction KM provides support for accelerating the full
AES-XTS algorithm on newer machines for AES_XTS_128 and AES_XTS_256.
Preliminary measurements showed performance improvements of up to 50%,
dependent on the message size.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25414)
diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info
index 5eb705969f..1837070c21 100644
--- a/providers/implementations/ciphers/build.info
+++ b/providers/implementations/ciphers/build.info
@@ -71,6 +71,19 @@ IF[{- !$disabled{asm} -}]
ENDIF
ENDIF
+IF[{- !$disabled{asm} -}]
+ IF[{- ($target{perlasm_scheme} // '') ne '31' -}]
+ $AESXTSDEF_s390x=AES_XTS_S390X
+ ENDIF
+
+ # Now that we have defined all the arch specific variables, use the
+ # appropriate one, and define the appropriate macros
+
+ IF[$AESXTSDEF_{- $target{asm_arch} -}]
+ $AESXTSDEF=$AESXTSDEF_{- $target{asm_arch} -}
+ ENDIF
+ENDIF
+
# This source is common building blocks for all ciphers in all our providers.
SOURCE[$COMMON_GOAL]=\
ciphercommon.c ciphercommon_hw.c ciphercommon_block.c \
@@ -93,6 +106,7 @@ SOURCE[$AES_GOAL]=\
cipher_aes_cbc_hmac_sha.c \
cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \
cipher_cts.c
+DEFINE[$AES_GOAL]=$AESXTSDEF
# Extra code to satisfy the FIPS and non-FIPS separation.
# When the AES-xxx-XTS moves to legacy, cipher_aes_xts_fips.c can be removed.
diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c
index cce2537ea7..2287834d62 100644
--- a/providers/implementations/ciphers/cipher_aes_xts.c
+++ b/providers/implementations/ciphers/cipher_aes_xts.c
@@ -62,6 +62,10 @@ static int aes_xts_check_keys_differ(const unsigned char *key, size_t bytes,
return 1;
}
+#ifdef AES_XTS_S390X
+# include "cipher_aes_xts_s390x.inc"
+#endif
+
/*-
* Provider dispatch functions
*/
@@ -98,6 +102,10 @@ static int aes_xts_einit(void *vctx, const unsigned char *key, size_t keylen,
const unsigned char *iv, size_t ivlen,
const OSSL_PARAM params[])
{
+#ifdef AES_XTS_S390X
+ if (s390x_aes_xts_einit(vctx, key, keylen, iv, ivlen, params) == 1)
+ return 1;
+#endif
return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 1);
}
@@ -105,6 +113,10 @@ static int aes_xts_dinit(void *vctx, const unsigned char *key, size_t keylen,
const unsigned char *iv, size_t ivlen,
const OSSL_PARAM params[])
{
+#ifdef AES_XTS_S390X
+ if (s390x_aes_xts_dinit(vctx, key, keylen, iv, ivlen, params) == 1)
+ return 1;
+#endif
return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0);
}
@@ -137,6 +149,11 @@ static void *aes_xts_dupctx(void *vctx)
if (!ossl_prov_is_running())
return NULL;
+#ifdef AES_XTS_S390X
+ if (in->plat.s390x.fc)
+ return s390x_aes_xts_dupctx(vctx);
+#endif
+
if (in->xts.key1 != NULL) {
if (in->xts.key1 != &in->ks1)
return NULL;
@@ -157,6 +174,11 @@ static int aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl,
{
PROV_AES_XTS_CTX *ctx = (PROV_AES_XTS_CTX *)vctx;
+#ifdef AES_XTS_S390X
+ if (ctx->plat.s390x.fc)
+ return s390x_aes_xts_cipher(vctx, out, outl, outsize, in, inl);
+#endif
+
if (!ossl_prov_is_running()
|| ctx->xts.key1 == NULL
|| ctx->xts.key2 == NULL
diff --git a/providers/implementations/ciphers/cipher_aes_xts.h b/providers/implementations/ciphers/cipher_aes_xts.h
index afc42ef444..56891ca98c 100644
--- a/providers/implementations/ciphers/cipher_aes_xts.h
+++ b/providers/implementations/ciphers/cipher_aes_xts.h
@@ -22,6 +22,14 @@ PROV_CIPHER_FUNC(void, xts_stream,
const AES_KEY *key1, const AES_KEY *key2,
const unsigned char iv[16]));
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+typedef struct S390X_km_xts_params_st {
+ unsigned char key[64];
+ unsigned char tweak[16];
+ unsigned char nap[16];
+} S390X_KM_XTS_PARAMS;
+#endif
+
typedef struct prov_aes_xts_ctx_st {
PROV_CIPHER_CTX base; /* Must be first */
union {
@@ -30,6 +38,23 @@ typedef struct prov_aes_xts_ctx_st {
} ks1, ks2; /* AES key schedules to use */
XTS128_CONTEXT xts;
OSSL_xts_stream_fn stream;
+
+ /* Platform specific data */
+ union {
+ int dummy;
+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+ struct {
+ union {
+ OSSL_UNION_ALIGN;
+ S390X_KM_XTS_PARAMS km;
+ } param;
+ size_t offset;
+ unsigned int fc;
+ unsigned int iv_set : 1;
+ unsigned int key_set : 1;
+ } s390x;
+#endif
+ } plat;
} PROV_AES_XTS_CTX;
const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_xts(size_t keybits);
diff --git a/providers/implementations/ciphers/cipher_aes_xts_s390x.inc b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc
new file mode 100644
index 0000000000..77341b3bbd
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc
@@ -0,0 +1,167 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "crypto/s390x_arch.h"
+
+static OSSL_FUNC_cipher_encrypt_init_fn s390x_aes_xts_einit;
+static OSSL_FUNC_cipher_decrypt_init_fn s390x_aes_xts_dinit;
+static OSSL_FUNC_cipher_cipher_fn s390x_aes_xts_cipher;
+static OSSL_FUNC_cipher_dupctx_fn s390x_aes_xts_dupctx;
+
+static int s390x_aes_xts_init(void *vctx, const unsigned char *key,
+ size_t keylen, const unsigned char *iv,
+ size_t ivlen, const OSSL_PARAM params[],
+ unsigned int dec)
+{
+ PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx;
+ S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km;
+ unsigned int fc, offs;
+
+ switch (xctx->base.keylen) {
+ case 128 / 8 * 2:
+ fc = S390X_XTS_AES_128_MSA10;
+ offs = 32;
+ break;
+ case 256 / 8 * 2:
+ fc = S390X_XTS_AES_256_MSA10;
+ offs = 0;
+ break;
+ default:
+ goto not_supported;
+ }
+
+ if (!(OPENSSL_s390xcap_P.km[1] && S390X_CAPBIT(fc)))
+ goto not_supported;
+
+ if (iv != NULL) {
+ if (ivlen != xctx->base.ivlen
+ || ivlen > sizeof(km->tweak)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
+ return 0;
+ }
+ memcpy(km->tweak, iv, ivlen);
+ xctx->plat.s390x.iv_set = 1;
+ }
+
+ if (key != NULL) {
+ if (keylen != xctx->base.keylen) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ if (!aes_xts_check_keys_differ(key, keylen / 2, !dec))
+ return 0;
+
+ memcpy(km->key + offs, key, keylen);
+ xctx->plat.s390x.key_set = 1;
+ }
+
+ xctx->plat.s390x.fc = fc | dec;
+ xctx->plat.s390x.offset = offs;
+
+ memset(km->nap, 0, sizeof(km->nap));
+ km->nap[0] = 0x1;
+
+ return aes_xts_set_ctx_params(xctx, params);
+
+not_supported:
+ xctx->plat.s390x.fc = 0;
+ xctx->plat.s390x.offset = 0;
+ return 0;
+}
+
+static int s390x_aes_xts_einit(void *vctx, const unsigned char *key,
+ size_t keylen, const unsigned char *iv,
+ size_t ivlen, const OSSL_PARAM params[])
+{
+ return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0);
+}
+
+static int s390x_aes_xts_dinit(void *vctx, const unsigned char *key,
+ size_t keylen, const unsigned char *iv,
+ size_t ivlen, const OSSL_PARAM params[])
+{
+ return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params,
+ S390X_DECRYPT);
+}
+
+static void *s390x_aes_xts_dupctx(void *vctx)
+{
+ PROV_AES_XTS_CTX *in = (PROV_AES_XTS_CTX *)vctx;
+ PROV_AES_XTS_CTX *ret = OPENSSL_zalloc(sizeof(*in));
+
+ if (ret != NULL)
+ *ret = *in;
+
+ return ret;
+}
+
+static int s390x_aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl,
+ size_t outsize, const unsigned char *in,
+ size_t inl)
+{
+ PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx;
+ S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km;
+ unsigned char *param = (unsigned char *)km + xctx->plat.s390x.offset;
+ unsigned int fc = xctx->plat.s390x.fc;
+ unsigned char tmp[2][AES_BLOCK_SIZE];
+ unsigned char nap_n1[AES_BLOCK_SIZE];
+ unsigned char drop[AES_BLOCK_SIZE];
+ size_t len_incomplete, len_complete;
+
+ if (!ossl_prov_is_running()
+ || inl < AES_BLOCK_SIZE
+ || in == NULL
+ || out == NULL
+ || !xctx->plat.s390x.iv_set
+ || !xctx->plat.s390x.key_set)
+ return 0;
+
+ /*
+ * Impose a limit of 2^20 blocks per data unit as specified by
+ * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007
+ * indicated that this was a SHOULD NOT rather than a MUST NOT.
+ * NIST SP 800-38E mandates the same limit.
+ */
+ if (inl > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_XTS_DATA_UNIT_IS_TOO_LARGE);
+ return 0;
+ }
+
+ len_incomplete = inl % AES_BLOCK_SIZE;
+ len_complete = (len_incomplete == 0) ? inl :
+ (inl / AES_BLOCK_SIZE - 1) * AES_BLOCK_SIZE;
+
+ if (len_complete > 0)
+ s390x_km(in, len_complete, out, fc, param);
+ if (len_incomplete == 0)
+ goto out;
+
+ memcpy(tmp, in + len_complete, AES_BLOCK_SIZE + len_incomplete);
+ /* swap NAP for decrypt */
+ if (fc & S390X_DECRYPT) {
+ memcpy(nap_n1, km->nap, AES_BLOCK_SIZE);
+ s390x_km(tmp[0], AES_BLOCK_SIZE, drop, fc, param);
+ }
+ s390x_km(tmp[0], AES_BLOCK_SIZE, tmp[0], fc, param);
+ if (fc & S390X_DECRYPT)
+ memcpy(km->nap, nap_n1, AES_BLOCK_SIZE);
+
+ memcpy(tmp[1] + len_incomplete, tmp[0] + len_incomplete,
+ AES_BLOCK_SIZE - len_incomplete);
+ s390x_km(tmp[1], AES_BLOCK_SIZE, out + len_complete, fc, param);
+ memcpy(out + len_complete + AES_BLOCK_SIZE, tmp[0], len_incomplete);
+
+ /* do not expose temporary data */
+ OPENSSL_cleanse(tmp, sizeof(tmp));
+out:
+ memcpy(xctx->base.iv, km->tweak, AES_BLOCK_SIZE);
+ *outl = inl;
+
+ return 1;
+}

124
openssl-3-jitterentropy-3.4.0.patch
View File

@ -1,19 +1,27 @@
Index: openssl-3.2.3/Configurations/00-base-templates.conf
Index: openssl-3.1.4/Configurations/00-base-templates.conf
===================================================================
--- openssl-3.2.3.orig/Configurations/00-base-templates.conf
+++ openssl-3.2.3/Configurations/00-base-templates.conf
@@ -88,6 +88,7 @@ my %targets=(
sub {
my @libs = ();
push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"});
+ push(@libs, "-ljitterentropy") if !defined($disabled{jitterentropy});
if (!defined($disabled{brotli}) && defined($disabled{"brotli-dynamic"})) {
push(@libs, "-lbrotlienc");
push(@libs, "-lbrotlidec");
Index: openssl-3.2.3/crypto/rand/rand_jitter_entropy.c
--- openssl-3.1.4.orig/Configurations/00-base-templates.conf
+++ openssl-3.1.4/Configurations/00-base-templates.conf
@@ -71,9 +71,12 @@ my %targets=(
lflags =>
sub { $withargs{zlib_lib} ? "-L".$withargs{zlib_lib} : () },
ex_libs =>
- sub { !defined($disabled{zlib})
- && defined($disabled{"zlib-dynamic"})
- ? "-lz" : () },
+ sub {
+ my @libs = ();
+ push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"});
+ push(@libs, "-ljitterentropy") if !defined($disabled{jitterentropy});
+ return join(" ", @libs);
+ },
HASHBANGPERL => "/usr/bin/env perl", # Only Unix actually cares
RANLIB => sub { which("$config{cross_compile_prefix}ranlib")
? "ranlib" : "" },
Index: openssl-3.1.4/crypto/rand/rand_jitter_entropy.c
===================================================================
--- /dev/null
+++ openssl-3.2.3/crypto/rand/rand_jitter_entropy.c
+++ openssl-3.1.4/crypto/rand/rand_jitter_entropy.c
@@ -0,0 +1,97 @@
+# include "jitterentropy.h"
+# include "prov/jitter_entropy.h"
@ -112,10 +120,10 @@ Index: openssl-3.2.3/crypto/rand/rand_jitter_entropy.c
+ CRYPTO_THREAD_lock_free(jent_lock);
+ jent_lock = NULL;
+}
Index: openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c
Index: openssl-3.1.4/providers/implementations/rands/seeding/rand_unix.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/rands/seeding/rand_unix.c
+++ openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c
--- openssl-3.1.4.orig/providers/implementations/rands/seeding/rand_unix.c
+++ openssl-3.1.4/providers/implementations/rands/seeding/rand_unix.c
@@ -20,6 +20,7 @@
#include "internal/dso.h"
#include "internal/nelem.h"
@ -124,7 +132,7 @@ Index: openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c
#ifdef __linux
# include <sys/syscall.h>
@@ -633,6 +634,31 @@ size_t ossl_pool_acquire_entropy(RAND_PO
@@ -631,6 +632,31 @@ size_t ossl_pool_acquire_entropy(RAND_PO
(void)entropy_available; /* avoid compiler warning */
@ -156,10 +164,10 @@ Index: openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
{
size_t bytes_needed;
Index: openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h
Index: openssl-3.1.4/providers/implementations/include/prov/jitter_entropy.h
===================================================================
--- /dev/null
+++ openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h
+++ openssl-3.1.4/providers/implementations/include/prov/jitter_entropy.h
@@ -0,0 +1,17 @@
+#ifndef OSSL_PROVIDERS_JITTER_ENTROPY_H
+# define OSSL_PROVIDERS_JITTER_ENTROPY_H
@ -178,10 +186,10 @@ Index: openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h
+void FIPS_entropy_cleanup(void);
+
+#endif
Index: openssl-3.2.3/providers/fips/self_test.c
Index: openssl-3.1.4/providers/fips/self_test.c
===================================================================
--- openssl-3.2.3.orig/providers/fips/self_test.c
+++ openssl-3.2.3/providers/fips/self_test.c
--- openssl-3.1.4.orig/providers/fips/self_test.c
+++ openssl-3.1.4/providers/fips/self_test.c
@@ -20,6 +20,7 @@
#include "internal/tsan_assist.h"
#include "prov/providercommon.h"
@ -190,7 +198,7 @@ Index: openssl-3.2.3/providers/fips/self_test.c
/*
* We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS
@@ -498,6 +499,11 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
@@ -392,6 +393,11 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
return 0;
}
@ -202,10 +210,10 @@ Index: openssl-3.2.3/providers/fips/self_test.c
if (st == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
Index: openssl-3.2.3/include/openssl/proverr.h
Index: openssl-3.1.4/include/openssl/proverr.h
===================================================================
--- openssl-3.2.3.orig/include/openssl/proverr.h
+++ openssl-3.2.3/include/openssl/proverr.h
--- openssl-3.1.4.orig/include/openssl/proverr.h
+++ openssl-3.1.4/include/openssl/proverr.h
@@ -44,6 +44,7 @@
# define PROV_R_FAILED_TO_GET_PARAMETER 103
# define PROV_R_FAILED_TO_SET_PARAMETER 104
@ -214,10 +222,10 @@ Index: openssl-3.2.3/include/openssl/proverr.h
# define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR 227
# define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE 224
# define PROV_R_FIPS_MODULE_IN_ERROR_STATE 225
Index: openssl-3.2.3/providers/common/provider_err.c
Index: openssl-3.1.4/providers/common/provider_err.c
===================================================================
--- openssl-3.2.3.orig/providers/common/provider_err.c
+++ openssl-3.2.3/providers/common/provider_err.c
--- openssl-3.1.4.orig/providers/common/provider_err.c
+++ openssl-3.1.4/providers/common/provider_err.c
@@ -54,6 +54,8 @@ static const ERR_STRING_DATA PROV_str_re
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER),
"failed to set parameter"},
@ -227,22 +235,22 @@ Index: openssl-3.2.3/providers/common/provider_err.c
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR),
"fips module conditional error"},
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
Index: openssl-3.2.3/crypto/rand/build.info
Index: openssl-3.1.4/crypto/rand/build.info
===================================================================
--- openssl-3.2.3.orig/crypto/rand/build.info
+++ openssl-3.2.3/crypto/rand/build.info
--- openssl-3.1.4.orig/crypto/rand/build.info
+++ openssl-3.1.4/crypto/rand/build.info
@@ -1,6 +1,6 @@
LIBS=../../libcrypto
-$COMMON=rand_lib.c
+$COMMON=rand_lib.c rand_jitter_entropy.c
$CRYPTO=randfile.c rand_err.c rand_deprecated.c prov_seed.c rand_pool.c \
rand_uniform.c
$CRYPTO=randfile.c rand_err.c rand_deprecated.c prov_seed.c rand_pool.c
Index: openssl-3.2.3/providers/fips/fipsprov.c
IF[{- !$disabled{'egd'} -}]
Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.2.3.orig/providers/fips/fipsprov.c
+++ openssl-3.2.3/providers/fips/fipsprov.c
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -27,6 +27,7 @@
#include "crypto/context.h"
#include "internal/core.h"
@ -251,7 +259,7 @@ Index: openssl-3.2.3/providers/fips/fipsprov.c
static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
@@ -609,6 +610,7 @@ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM
@@ -603,6 +604,7 @@ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM
static void fips_teardown(void *provctx)
{
@ -259,29 +267,29 @@ Index: openssl-3.2.3/providers/fips/fipsprov.c
OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
ossl_prov_ctx_free(provctx);
}
Index: openssl-3.2.3/util/libcrypto.num
Index: openssl-3.1.4/util/libcrypto.num
===================================================================
--- openssl-3.2.3.orig/util/libcrypto.num
+++ openssl-3.2.3/util/libcrypto.num
@@ -5539,3 +5539,5 @@ BIO_ADDR_copy
ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION:
--- openssl-3.1.4.orig/util/libcrypto.num
+++ openssl-3.1.4/util/libcrypto.num
@@ -5441,3 +5441,5 @@ X509_get_default_cert_path_env
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
+FIPS_entropy_init ? 3_1_4 EXIST::FUNCTION:
+FIPS_entropy_cleanup ? 3_1_4 EXIST::FUNCTION:
Index: openssl-3.2.3/Configure
Index: openssl-3.1.4/Configure
===================================================================
--- openssl-3.2.3.orig/Configure
+++ openssl-3.2.3/Configure
@@ -469,6 +469,7 @@ my @disablables = (
--- openssl-3.1.4.orig/Configure
+++ openssl-3.1.4/Configure
@@ -454,6 +454,7 @@ my @disablables = (
"fuzz-libfuzzer",
"gost",
"http",
"idea",
+ "jitterentropy",
"ktls",
"legacy",
"loadereng",
@@ -573,6 +574,7 @@ our %disabled = ( # "what" => "c
@@ -550,6 +551,7 @@ our %disabled = ( # "what" => "c
"external-tests" => "default",
"fuzz-afl" => "default",
"fuzz-libfuzzer" => "default",
@ -289,7 +297,7 @@ Index: openssl-3.2.3/Configure
"ktls" => "default",
"md2" => "default",
"msan" => "default",
@@ -801,7 +803,7 @@ my %cmdvars = (); # Stores
@@ -763,7 +765,7 @@ my %cmdvars = (); # Stores
my %unsupported_options = ();
my %deprecated_options = ();
# If you change this, update apps/version.c
@ -298,7 +306,7 @@ Index: openssl-3.2.3/Configure
my @seed_sources = ();
while (@argvcopy)
{
@@ -1291,6 +1293,9 @@ if (scalar(@seed_sources) == 0) {
@@ -1231,6 +1233,9 @@ if (scalar(@seed_sources) == 0) {
if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) {
delete $disabled{'egd'};
}
@ -308,10 +316,10 @@ Index: openssl-3.2.3/Configure
if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
warn <<_____ if scalar(@seed_sources) == 1;
Index: openssl-3.2.3/crypto/info.c
Index: openssl-3.1.4/crypto/info.c
===================================================================
--- openssl-3.2.3.orig/crypto/info.c
+++ openssl-3.2.3/crypto/info.c
--- openssl-3.1.4.orig/crypto/info.c
+++ openssl-3.1.4/crypto/info.c
@@ -15,6 +15,9 @@
#include "internal/e_os.h"
#include "buildinf.h"
@ -345,11 +353,11 @@ Index: openssl-3.2.3/crypto/info.c
seed_sources = seeds;
}
return 1;
Index: openssl-3.2.3/INSTALL.md
Index: openssl-3.1.4/INSTALL.md
===================================================================
--- openssl-3.2.3.orig/INSTALL.md
+++ openssl-3.2.3/INSTALL.md
@@ -511,6 +511,12 @@ if provided by the CPU.
--- openssl-3.1.4.orig/INSTALL.md
+++ openssl-3.1.4/INSTALL.md
@@ -463,6 +463,12 @@ if provided by the CPU.
Use librandom (not implemented yet).
This source is ignored by the FIPS provider.

196
openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
View File

@ -1,196 +0,0 @@
From 25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Thu, 29 Feb 2024 12:50:05 +0100
Subject: [PATCH] s390x: support CPACF sha3/shake performance improvements
On newer machines the SHA3/SHAKE performance of CPACF instructions KIMD and KLMD
can be enhanced by using additional modifier bits. This allows the application
to omit initializing the ICV, but also affects the internal processing of the
instructions. Performance is mostly gained when processing short messages.
The new CPACF feature is backwards compatible with older machines, i.e. the new
modifier bits are ignored on older machines. However, to save the ICV
initialization, the application must detect the MSA level and omit the ICV
initialization only if this feature is supported.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25235)
---
crypto/s390x_arch.h | 3 ++
crypto/s390xcpuid.pl | 4 +--
crypto/sha/sha3.c | 8 +++++-
providers/implementations/digests/sha3_prov.c | 28 +++++++++++++++----
4 files changed, 34 insertions(+), 9 deletions(-)
Index: openssl-3.2.3/crypto/s390x_arch.h
===================================================================
--- openssl-3.2.3.orig/crypto/s390x_arch.h
+++ openssl-3.2.3/crypto/s390x_arch.h
@@ -191,6 +191,9 @@ extern int OPENSSL_s390xcex;
# define S390X_KMA_LAAD 0x200
# define S390X_KMA_HS 0x400
# define S390X_KDSA_D 0x80
+# define S390X_KIMD_NIP 0x8000
+# define S390X_KLMD_DUFOP 0x4000
+# define S390X_KLMD_NIP 0x8000
# define S390X_KLMD_PS 0x100
# define S390X_KMAC_IKP 0x8000
# define S390X_KMAC_IIMP 0x4000
Index: openssl-3.2.3/crypto/s390xcpuid.pl
===================================================================
--- openssl-3.2.3.orig/crypto/s390xcpuid.pl
+++ openssl-3.2.3/crypto/s390xcpuid.pl
@@ -308,7 +308,7 @@ s390x_kimd:
llgfr %r0,$fc
lgr %r1,$param
- .long 0xb93e0002 # kimd %r0,%r2
+ .long 0xb93e8002 # kimd %r0,%r2[,M3]
brc 1,.-4 # pay attention to "partial completion"
br $ra
@@ -329,7 +329,7 @@ s390x_klmd:
llgfr %r0,$fc
l${g} %r1,$stdframe($sp)
- .long 0xb93f0042 # klmd %r4,%r2
+ .long 0xb93f8042 # klmd %r4,%r2[,M3]
brc 1,.-4 # pay attention to "partial completion"
br $ra
Index: openssl-3.2.3/crypto/sha/sha3.c
===================================================================
--- openssl-3.2.3.orig/crypto/sha/sha3.c
+++ openssl-3.2.3/crypto/sha/sha3.c
@@ -8,13 +8,19 @@
*/
#include <string.h>
+#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ)
+# include "crypto/s390x_arch.h"
+#endif
#include "internal/sha3.h"
void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next);
void ossl_sha3_reset(KECCAK1600_CTX *ctx)
{
- memset(ctx->A, 0, sizeof(ctx->A));
+#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ)
+ if (!(OPENSSL_s390xcap_P.stfle[1] & S390X_CAPBIT(S390X_MSA12)))
+#endif
+ memset(ctx->A, 0, sizeof(ctx->A));
ctx->bufsz = 0;
ctx->xof_state = XOF_STATE_INIT;
}
Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -187,26 +187,32 @@ static size_t s390x_sha3_absorb(void *vc
{
KECCAK1600_CTX *ctx = vctx;
size_t rem = len % ctx->block_size;
+ unsigned int fc;
if (!(ctx->xof_state == XOF_STATE_INIT ||
ctx->xof_state == XOF_STATE_ABSORB))
return 0;
+ fc = ctx->pad;
+ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
ctx->xof_state = XOF_STATE_ABSORB;
- s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
+ s390x_kimd(inp, len - rem, fc, ctx->A);
return rem;
}
static int s390x_sha3_final(void *vctx, unsigned char *out, size_t outlen)
{
KECCAK1600_CTX *ctx = vctx;
+ unsigned int fc;
if (!ossl_prov_is_running())
return 0;
if (!(ctx->xof_state == XOF_STATE_INIT ||
ctx->xof_state == XOF_STATE_ABSORB))
return 0;
+ fc = ctx->pad | S390X_KLMD_DUFOP;
+ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
ctx->xof_state = XOF_STATE_FINAL;
- s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
+ s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, fc, ctx->A);
memcpy(out, ctx->A, outlen);
return 1;
}
@@ -214,14 +220,17 @@ static int s390x_sha3_final(void *vctx,
static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen)
{
KECCAK1600_CTX *ctx = vctx;
+ unsigned int fc;
if (!ossl_prov_is_running())
return 0;
if (!(ctx->xof_state == XOF_STATE_INIT ||
ctx->xof_state == XOF_STATE_ABSORB))
return 0;
+ fc = ctx->pad | S390X_KLMD_DUFOP;
+ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
ctx->xof_state = XOF_STATE_FINAL;
- s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
+ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A);
return 1;
}
@@ -271,24 +280,28 @@ static int s390x_keccakc_final(void *vct
size_t bsz = ctx->block_size;
size_t num = ctx->bufsz;
size_t needed = outlen;
+ unsigned int fc;
if (!ossl_prov_is_running())
return 0;
if (!(ctx->xof_state == XOF_STATE_INIT ||
ctx->xof_state == XOF_STATE_ABSORB))
return 0;
+ fc = ctx->pad;
+ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
ctx->xof_state = XOF_STATE_FINAL;
if (outlen == 0)
return 1;
memset(ctx->buf + num, 0, bsz - num);
ctx->buf[num] = padding;
ctx->buf[bsz - 1] |= 0x80;
- s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A);
+ s390x_kimd(ctx->buf, bsz, fc, ctx->A);
num = needed > bsz ? bsz : needed;
memcpy(out, ctx->A, num);
needed -= num;
if (needed > 0)
- s390x_klmd(NULL, 0, out + bsz, needed, ctx->pad | S390X_KLMD_PS, ctx->A);
+ s390x_klmd(NULL, 0, out + bsz, needed,
+ ctx->pad | S390X_KLMD_PS | S390X_KLMD_DUFOP, ctx->A);
return 1;
}
@@ -308,6 +321,7 @@ static int s390x_keccakc_squeeze(void *v
{
KECCAK1600_CTX *ctx = vctx;
size_t len;
+ unsigned int fc;
if (!ossl_prov_is_running())
return 0;
@@ -323,7 +337,9 @@ static int s390x_keccakc_squeeze(void *v
memset(ctx->buf + ctx->bufsz, 0, len);
ctx->buf[ctx->bufsz] = padding;
ctx->buf[ctx->block_size - 1] |= 0x80;
- s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A);
+ fc = ctx->pad;
+ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
+ s390x_kimd(ctx->buf, ctx->block_size, fc, ctx->A);
ctx->bufsz = 0;
/* reuse ctx->bufsz to count bytes squeezed from current sponge */
}

160
openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
View File

@ -1,160 +0,0 @@
commit 94898923538f686b74b6ddef34571f804d9b3811
Author: Holger Dengler <dengler@linux.ibm.com>
Date: Wed Sep 27 15:40:47 2023 +0200
Support EVP_DigestSqueeze() for in the digest provider for s390x.
The new EVP_DigestSqueeze() API requires changes to all keccak-based
digest provider implementations. Update the s390x-part of the SHA3
digest provider.
Squeeze for SHA3 is not supported, so add an empty function pointer
(NULL).
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)
diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
index f691273baf..2fd0f928e7 100644
--- a/providers/implementations/digests/sha3_prov.c
+++ b/providers/implementations/digests/sha3_prov.c
@@ -225,6 +225,45 @@ static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen)
return 1;
}
+static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen)
+{
+ KECCAK1600_CTX *ctx = vctx;
+ size_t len;
+
+ if (!ossl_prov_is_running())
+ return 0;
+ if (ctx->xof_state == XOF_STATE_FINAL)
+ return 0;
+ /*
+ * On the first squeeze call, finish the absorb process (incl. padding).
+ */
+ if (ctx->xof_state != XOF_STATE_SQUEEZE) {
+ ctx->xof_state = XOF_STATE_SQUEEZE;
+ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
+ ctx->bufsz = outlen % ctx->block_size;
+ /* reuse ctx->bufsz to count bytes squeezed from current sponge */
+ return 1;
+ }
+ ctx->xof_state = XOF_STATE_SQUEEZE;
+ if (ctx->bufsz != 0) {
+ len = ctx->block_size - ctx->bufsz;
+ if (outlen < len)
+ len = outlen;
+ memcpy(out, (char *)ctx->A + ctx->bufsz, len);
+ out += len;
+ outlen -= len;
+ ctx->bufsz += len;
+ if (ctx->bufsz == ctx->block_size)
+ ctx->bufsz = 0;
+ }
+ if (outlen == 0)
+ return 1;
+ s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A);
+ ctx->bufsz = outlen % ctx->block_size;
+
+ return 1;
+}
+
static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen,
int padding)
{
@@ -264,28 +303,86 @@ static int s390x_kmac_final(void *vctx, unsigned char *out, size_t outlen)
return s390x_keccakc_final(vctx, out, outlen, 0x04);
}
+static int s390x_keccakc_squeeze(void *vctx, unsigned char *out, size_t outlen,
+ int padding)
+{
+ KECCAK1600_CTX *ctx = vctx;
+ size_t len;
+
+ if (!ossl_prov_is_running())
+ return 0;
+ if (ctx->xof_state == XOF_STATE_FINAL)
+ return 0;
+ /*
+ * On the first squeeze call, finish the absorb process
+ * by adding the trailing padding and then doing
+ * a final absorb.
+ */
+ if (ctx->xof_state != XOF_STATE_SQUEEZE) {
+ len = ctx->block_size - ctx->bufsz;
+ memset(ctx->buf + ctx->bufsz, 0, len);
+ ctx->buf[ctx->bufsz] = padding;
+ ctx->buf[ctx->block_size - 1] |= 0x80;
+ s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A);
+ ctx->bufsz = 0;
+ /* reuse ctx->bufsz to count bytes squeezed from current sponge */
+ }
+ if (ctx->bufsz != 0 || ctx->xof_state != XOF_STATE_SQUEEZE) {
+ len = ctx->block_size - ctx->bufsz;
+ if (outlen < len)
+ len = outlen;
+ memcpy(out, (char *)ctx->A + ctx->bufsz, len);
+ out += len;
+ outlen -= len;
+ ctx->bufsz += len;
+ if (ctx->bufsz == ctx->block_size)
+ ctx->bufsz = 0;
+ }
+ ctx->xof_state = XOF_STATE_SQUEEZE;
+ if (outlen == 0)
+ return 1;
+ s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A);
+ ctx->bufsz = outlen % ctx->block_size;
+
+ return 1;
+}
+
+static int s390x_keccak_squeeze(void *vctx, unsigned char *out, size_t outlen)
+{
+ return s390x_keccakc_squeeze(vctx, out, outlen, 0x01);
+}
+
+static int s390x_kmac_squeeze(void *vctx, unsigned char *out, size_t outlen)
+{
+ return s390x_keccakc_squeeze(vctx, out, outlen, 0x04);
+}
+
static PROV_SHA3_METHOD sha3_s390x_md =
{
s390x_sha3_absorb,
- s390x_sha3_final
+ s390x_sha3_final,
+ NULL,
};
static PROV_SHA3_METHOD keccak_s390x_md =
{
s390x_sha3_absorb,
s390x_keccak_final,
+ s390x_keccak_squeeze,
};
static PROV_SHA3_METHOD shake_s390x_md =
{
s390x_sha3_absorb,
- s390x_shake_final
+ s390x_shake_final,
+ s390x_shake_squeeze,
};
static PROV_SHA3_METHOD kmac_s390x_md =
{
s390x_sha3_absorb,
- s390x_kmac_final
+ s390x_kmac_final,
+ s390x_kmac_squeeze,
};
# define SHAKE_SET_MD(uname, typ) \

46
openssl-3-support-multiple-sha3_squeeze_s390x.patch
View File

@ -1,46 +0,0 @@
commit bff62480333680463c82e88fdc67ed5ec14a0017
Author: Holger Dengler <dengler@linux.ibm.com>
Date: Wed Sep 27 11:18:18 2023 +0200
Support multiple calls of low level SHA3_squeeze() for s390x.
The low level SHA3_Squeeze() function needed to change slightly so
that it can handle multiple squeezes. Support this on s390x
architecture as well.
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22221)
diff --git a/crypto/sha/asm/keccak1600-s390x.pl b/crypto/sha/asm/keccak1600-s390x.pl
index 86233c7e38..7d5ebde117 100755
--- a/crypto/sha/asm/keccak1600-s390x.pl
+++ b/crypto/sha/asm/keccak1600-s390x.pl
@@ -472,7 +472,7 @@ SHA3_absorb:
.size SHA3_absorb,.-SHA3_absorb
___
}
-{ my ($A_flat,$out,$len,$bsz) = map("%r$_",(2..5));
+{ my ($A_flat,$out,$len,$bsz,$next) = map("%r$_",(2..6));
$code.=<<___;
.globl SHA3_squeeze
@@ -484,6 +484,7 @@ SHA3_squeeze:
lghi %r14,8
st${g} $bsz,5*$SIZE_T($sp)
la %r1,0($A_flat)
+ cijne $next,0,.Lnext_block
j .Loop_squeeze
@@ -501,6 +502,7 @@ SHA3_squeeze:
brct $bsz,.Loop_squeeze # bsz--
+.Lnext_block:
stm${g} $out,$len,3*$SIZE_T($sp)
bras %r14,.LKeccakF1600
lm${g} $out,$bsz,3*$SIZE_T($sp)

35
openssl-3-use-include-directive.patch Normal file
View File

@ -0,0 +1,35 @@
---
apps/openssl.cnf | 13 +++++++++++++
1 file changed, 13 insertions(+)
Index: openssl-3.1.4/apps/openssl.cnf
===================================================================
--- openssl-3.1.4.orig/apps/openssl.cnf
+++ openssl-3.1.4/apps/openssl.cnf
@@ -19,6 +19,7 @@ openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
+[ oid_section ]
# Extra OBJECT IDENTIFIER info:
# oid_file = $ENV::HOME/.oid
oid_section = new_oids
@@ -47,6 +48,18 @@ providers = provider_sect
# Load default TLS policy configuration
ssl_conf = ssl_module
+engines = engine_section
+
+[ engine_section ]
+
+# This include will look through the directory that will contain the
+# engine declarations for any engines provided by other packages.
+.include /etc/ssl/engines3.d
+
+# This include will look through the directory that will contain the
+# definitions of the engines declared in the engine section.
+.include /etc/ssl/engdef3.d
+
# Uncomment the sections that start with ## below to enable the legacy provider.
# Loading the legacy provider enables support for the following algorithms:
# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160

BIN
openssl-3.1.4.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
openssl-3.1.4.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU3yaoACgkQ2JTizos9
efXt8BAAqcF9RBzduklMCXSfG4Rzs2KcWmR1+BB0izxG3KwPr+r54qBbSRCCImHA
U22An//xsDsQZ0K4rrkkkumpJCxLV/4F3TlEBdoCS4wzDXz/LfONzTuZ8Z3QP/Si
ElHTKdqPo2tp6LrDIUSGa9BmK1AsxkhOoC/uJlGpLP0mLJGI3PGo5ordyERAjL/C
hTumE16ErrXY3kHVPAeD6tJlxtV3M9UxsZAOK6LVfnhXLzz8hWMu2H5ZigXZWCDx
NG6ylV4xxfqO9eLxT2wUrJzg24w0VZzmbD+ZeZ24v9aAxGsbl3ZHLgMKkDehNNuP
0ADh3aGq9FkIg5n53UQu0pbOc6aBPgWwVuaNfxOheG2GqBCoca42ikW20QZyJAec
h3uLQ76vnWOjUIjeRCjpw0+OCUaWr0wx5WzzfdgYc813VwN6FaC9ZmB46oaLfIeD
MBAyuUxdTif/7SXmGgUIQDIf4Vxr2H7I0NyyDxD+y+C2gwn+zVvuVcBBc2cNq4QN
UINxZvm75CwaCsys+MDjSneDhpcSlAPqTJqM3DvKf/r3+27buz+sFw463fTHnv0F
FpyBPgvvusY4Z4h/jqLcfkl2MBOxlo+lpZJdPpQoEvGz751GsKmmtb0YgZ7BjrYs
5vFvo0EJ066J9bWLbp6VZd825B9P2Uy7u3sUz+E5nuavT4eHv7o=
=EH33
-----END PGP SIGNATURE-----

BIN
openssl-3.2.3.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

16
openssl-3.2.3.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmbXBpkACgkQIWCU39DL
ge81Ww//d6tE9XznGxx/+xfBFADDTALPDaO8yogJtECMMxixXn1zuWYheH40z5zO
MTmIeHVLowXlfBl4YO8I+SDGbZy4CKFix3j+r/dojvteiPXrBKd83e67e0mDotAD
w3NYar1Gh8kXnq63zEV8JRBjRhLb2b7uJhi1UUtaCgOfK/wvRVWiBDWyVAkVjR0V
NGCQg6FXCjxXY9G01wyqBlZt4T/h/SxN+iZUWRRPrekTxVNAQxFsMLYupuULpeaz
uHvXXJ1Os/Mh4zD8a/SHrbdw3ncHb7JmCNZu4cPUkNVw0Dc0y64SP+Wviet1oOio
/pTnfq6ptUTpzkSFiI9ZmTS1eiqQ24BLdwu3J/6ss9hZUlFZPUozsH6HTVpRxWhI
edp5fa8rpQ5wX+ftGNxA1tRhWjCrR1VgFhdZX5T4rS5fU3OX5TXPwHKqaFyGlxQd
GV467+BgxixgEU5xMirkJ/WbYrcSEFS1i9EbL6HwJ2vO02jHNfK7Biy+krOZKnx1
Oniv4DoPR1s2De+OinDI30Zo9STizpiFiv27vw+l8Wj6+SnCFoyAZMVYcdYXSAws
Im054SFCpw1cqhhHMBMOodqUv2CEMyBLuUyjjOF6oFteUp/VEe8JUrkQBA+LhDgX
kPNzpSTnX9lB/ALvaedOUyIQf8sV3IEGn7zWGOTBp1QLu6hiId8=
=1Xgs
-----END PGP SIGNATURE-----

400
openssl-3.changes
View File

@ -1,403 +1,3 @@
-------------------------------------------------------------------
Mon Dec 23 20:14:08 UTC 2024 - Giuliano Belinassi <giuliano.belinassi@suse.com>
- Add support for userspace livepatching on ppc64le (jsc#PED-11850).
- Use gcc-13 for ppc64le.
-------------------------------------------------------------------
Tue Dec 17 12:42:19 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Fix evp_properties section in the openssl.cnf file [bsc#1234647]
* Rebase patches:
- openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
- openssl-TESTS-Disable-default-provider-crypto-policies.patch
-------------------------------------------------------------------
Tue Nov 12 15:46:20 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Do not use HASHBANGPERL to avoid introducing a dependency on the
perl-base package. [bsc#1233235]
-------------------------------------------------------------------
Thu Nov 7 16:43:15 UTC 2024 - Angel Yankov <angel.yankov@suse.com>
- Add missing fixes for SHA3_squeeze and quic_multistream_test on
pcc64 arch. [jsc#PED-10280]
* Added openssl-3-fix-sha3-squeeze-ppc64.patch
* Added openssl-3-fix-quic_multistream_test.patch
-------------------------------------------------------------------
Tue Nov 5 15:11:46 UTC 2024 - Angel Yankov <angel.yankov@suse.com>
- Support MSA 11 HMAC on s390x [jsc#PED-10274]
* Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
* Add openssl-3-fix-hmac-digest-detection-s390x.patch
* Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
-------------------------------------------------------------------
Tue Nov 5 10:39:14 UTC 2024 - Angel Yankov <angel.yankov@suse.com>
- Add hardware acceleration for full AES-XTS [jsc#PED-10273]
* Add openssl-3-hw-acceleration-aes-xts-s390x.patch
-------------------------------------------------------------------
Fri Nov 1 14:32:50 UTC 2024 - Angel Yankov <angel.yankov@suse.com>
- Support MSA 12 SHA3 on s390x [jsc#PED-10280]
* Add openssl-3-add_EVP_DigestSqueeze_api.patch
* Add openssl-3-support-multiple-sha3_squeeze_s390x.patch
* Add openssl-3-add-xof-state-handling-s3_absorb.patch
* Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch
* Add openssl-3-fix-state-handling-sha3_final_s390x.patch
* Add openssl-3-fix-state-handling-shake_final_s390x.patch
* Add openssl-3-fix-state-handling-keccak_final_s390x.patch
* Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
* Add openssl-3-add-defines-CPACF-funcs.patch
* Add openssl-3-add-hw-acceleration-hmac.patch
* Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
* Add openssl-3-fix-s390x_sha3_absorb.patch
* Add openssl-3-fix-s390x_shake_squeeze.patch
-------------------------------------------------------------------
Mon Oct 28 09:38:20 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.2.3:
* Changes between 3.2.2 and 3.2.3:
- Fixed possible denial of service in X.509 name checks. [CVE-2024-6119]
- Fixed possible buffer overread in SSL_select_next_proto(). [CVE-2024-5535]
* Changes between 3.2.1 and 3.2.2:
- Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741]
- Fixed an issue where checking excessively long DSA keys or parameters may
be very slow. [CVE-2024-4603]
- Improved EC/DSA nonce generation routines to avoid bias and timing
side channel leaks.
- Fixed an issue where some non-default TLS server configurations can cause
unbounded memory growth when processing TLSv1.3 sessions. [CVE-2024-2511]
- New atexit configuration switch, which controls whether the OPENSSL_cleanup
is registered when libcrypto is unloaded. This can be used on platforms
where using atexit() from shared libraries causes crashes on exit.
- Fixed bug where SSL_export_keying_material() could not be used with QUIC
connections.
* Add openssl-skip-quic-pairwise.patch to adapt the pairwise tests.
* Merge openssl-FIPS-release_num_in_version_string.patch into
openssl-FIPS-services-minimize.patch
* Rebase patches:
- openssl-Add-changes-to-ectest-and-eccurve.patch
- openssl-FIPS-140-3-keychecks.patch
- openssl-FIPS-embed-hmac.patch
- openssl-Remove-EC-curves.patch
- openssl-skipped-tests-EC-curves.patch
- openssl-FIPS-early-KATS.patch
- openssl-Allow-disabling-of-SHA1-signatures.patch
- openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
- openssl-FIPS-limit-rsa-encrypt.patch
- openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
- openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
- openssl-FIPS-140-3-DRBG.patch
- openssl-FIPS-140-3-zeroization.patch
- openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
- openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
- openssl-FIPS-Add-explicit-indicator-for-key-length.patch
- openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
- openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
- openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
- openssl-FIPS-enforce-EMS-support.patch
- openssl-3-jitterentropy-3.4.0.patch
* Remove not needed patches:
- openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
- openssl-3-FIPS-PCT_rsa_keygen.patch
-------------------------------------------------------------------
Mon Oct 28 09:22:33 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Remove the engines' directories and symlinks that were added to
allow parallel installations with openssl-1_1.
* Remove openssl-3-use-include-directive.patch
-------------------------------------------------------------------
Mon Oct 28 08:43:34 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Remove the hardcoded DEFAULT_SUSE cipherlist selection.
* Remove openssl-DEFAULT_SUSE_cipher.patch
-------------------------------------------------------------------
Fri Oct 25 09:32:01 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.2.1:
* Changes between 3.2.0 and 3.2.1:
- A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. [CVE-2024-0727]
- When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time. [CVE-2023-6237]
- Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
rather than SM2.
- The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. [CVE-2023-6129]
- Disable building QUIC server utility when OpenSSL is configured with 'no-apps'.
* The openssl-crypto-policies-support.patch has been merged into
openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
* Rename openssl-Disable-default-provider-for-test-suite.patch and rebase to
openssl-TESTS-Disable-default-provider-crypto-policies.patch
* Patches removed in the update:
- openssl-Add_support_for_Windows_CA_certificate_store.patch
- openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
- openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
- openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
- openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
- openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
- openssl-CVE-2024-41996.patch
- openssl-CVE-2023-50782.patch
- openssl-CVE-2024-9143.patch
* Patches rebased:
- openssl-3-use-include-directive.patch
- openssl-Add-Kernel-FIPS-mode-flag-support.patch
- openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
- openssl-DEFAULT_SUSE_cipher.patch
- openssl-FIPS-embed-hmac.patch
- openssl-Force-FIPS.patch
- openssl-load-legacy-provider.patch
- openssl-no-html-docs.patch
- openssl-pkgconfig.patch
- openssl-ppc64-config.patch
- openssl-truststore.patch
-------------------------------------------------------------------
Fri Oct 25 09:14:20 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.2.0:
* Changes between 3.1.x and 3.2.0:
- Fix excessive time spent in DH check/ generation with large Q parameter
value. [CVE-2023-5678]
- The BLAKE2b hash algorithm supports a configurable output length
by setting the "size" parameter.
- Added a function to delete objects from store by URI - OSSL_STORE_delete()
and the corresponding provider-storemgmt API function OSSL_FUNC_store_delete().
- Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass
a passphrase callback when opening a store.
- Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt)
from 8 bytes to 16 bytes.
- Changed the default value of the 'ess_cert_id_alg' configuration
option which is used to calculate the TSA's public key certificate
identifier. The default algorithm is updated to be sha256 instead of sha1.
- Added optimization for SM2 algorithm on aarch64. A new configure option
'no-sm2-precomp' has been added to disable the precomputed table.
- Added client side support for QUIC
- Added secp384r1 implementation using Solinas' reduction to improve
speed of the NIST P-384 elliptic curve. To enable the implementation
the build option 'enable-ec_nistp_64_gcc_128' must be used.
- Improved RFC7468 compliance of the asn1parse command.
- Added SHA256/192 algorithm support.
- Added support for securely getting root CA certificate update in CMP.
- Improved contention on global write locks by using more read locks where
appropriate.
- Improved performance of OSSL_PARAM lookups in performance critical
provider functions.
- Added the SSL_get0_group_name() function to provide access to the
name of the group used for the TLS key exchange.
- Provide a new configure option 'no-http' that can be used to disable the
HTTP support. Provide new configure options 'no-apps' and 'no-docs' to
disable building the openssl command line application and the documentation.
- Provide a new configure option 'no-ecx' that can be used to disable the
X25519, X448, and EdDSA support.
- When multiple OSSL_KDF_PARAM_INFO parameters are passed to
the EVP_KDF_CTX_set_params() function they are now concatenated not just
for the HKDF algorithm but also for SSKDF and X9.63 KDF algorithms.
- Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions that get
the provider context as a parameter.
- TLS round-trip time calculation was added by a Brigham Young University
Capstone team partnering with Sandia National Laboratories. A new function
in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this
value.
- Added the "-quic" option to s_client to enable connectivity to QUIC servers.
QUIC requires the use of ALPN, so this must be specified via the "-alpn"
option. Use of the "advanced" s_client command command via the "-adv" option
is recommended.
- Added an "advanced" command mode to s_client. Use this with the "-adv" option.
- Add Raw Public Key (RFC7250) support.
- Added support for modular exponentiation and CRT offloading for the
S390x architecture.
- Added further assembler code for the RISC-V architecture.
- Added EC_GROUP_to_params() which creates an OSSL_PARAM array
from a given EC_GROUP.
- Improved support for non-default library contexts and property queries
when parsing PKCS#12 files.
- Implemented support for all five instances of EdDSA from RFC8032:
Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph.
The streaming is not yet supported for the HashEdDSA variants
(Ed25519ph and Ed448ph).
- Added SM4 optimization for ARM processors using ASIMD and AES HW instructions.
- Implemented SM4-XTS support.
- Added platform-agnostic OSSL_sleep() function.
- Implemented deterministic ECDSA signatures (RFC6979) support.
- Implemented AES-GCM-SIV (RFC8452) support.
- Added support for pluggable (provider-based) TLS signature algorithms.
This enables TLS 1.3 authentication operations with algorithms embedded
in providers not included by default in OpenSSL. In combination with
the already available pluggable KEM and X.509 support, this enables
for example suitable providers to deliver post-quantum or quantum-safe
cryptography to OpenSSL users.
- Added support for pluggable (provider-based) CMS signature algorithms.
This enables CMS sign and verify operations with algorithms embedded
in providers not included by default in OpenSSL.
- Implemented HPKE DHKEM support in providers used by HPKE (RFC9180) API.
- Add support for certificate compression (RFC8879), including
library support for Brotli and Zstandard compression.
- Add the ability to add custom attributes to PKCS12 files. Add a new API
PKCS12_create_ex2, identical to the existing PKCS12_create_ex but allows
for a user specified callback and optional argument.
Added a new PKCS12_SAFEBAG_set0_attr, which allows for a new attr to be
added to the existing STACK_OF attrs.
- Major refactor of the libssl record layer.
- Add a mac salt length option for the pkcs12 command.
- Add more SRTP protection profiles from RFC8723 and RFC8269.
- Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload.
- Add support for TCP Fast Open (RFC7413) to macOS, Linux, and FreeBSD where
supported and enabled.
- Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
to the list of ciphersuites providing Perfect Forward Secrecy as
required by SECLEVEL >= 3.
- Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting.
The SSL_CTRL_GET_IANA_GROUPS control code, exposed as the
SSL_get0_iana_groups() function-like macro, retrieves the list of
supported groups sent by the peer.
- Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid()
to make it possible to use empty passphrase strings.
- The PKCS12_parse() function now supports MAC-less PKCS12 files.
- Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions() calls to be able
to change functions used for allocating the memory of asynchronous call stack.
- Added support for signed BIGNUMs in the OSSL_PARAM APIs.
- A failure exit code is returned when using the openssl x509 command to check
certificate attributes and the checks fail.
- The default SSL/TLS security level has been changed from 1 to 2. RSA,
DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
of 160 bits and above and less than 224 bits were previously accepted by
default but are now no longer allowed. By default TLS compression was
already disabled in previous OpenSSL versions. At security level 2 it cannot
be enabled.
- The SSL_CTX_set_cipher_list family functions now accept ciphers using their
IANA standard names.
- The PVK key derivation function has been moved from b2i_PVK_bio_ex() into
the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
will need to load the legacy crypto provider.
- CCM8 cipher suites in TLS have been downgraded to security level zero
because they use a short authentication tag which lowers their strength.
- Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
by default. Also spaces surrounding '=' in DN output are removed.
- Add X.509 certificate codeSigning purpose and related checks on key usage and
extended key usage of the leaf certificate according to the CA/Browser Forum.
- The 'x509', 'ca', and 'req' apps now produce X.509 v3 certificates.
The '-x509v1' option of 'req' prefers generation of X.509 v1 certificates.
'X509_sign()' and 'X509_sign_ctx()' make sure that the certificate has
X.509 version 3 if the certificate information includes X.509 extensions.
- Fix and extend certificate handling and the apps 'x509', 'verify' etc.
such as adding a trace facility for debugging certificate chain building.
- Various fixes and extensions to the CMP+CRMF implementation and the 'cmp' app
in particular supporting requests for central key generation, generalized
polling, and various types of genm/genp exchanges defined in CMP Updates.
- Fixes and extensions to the HTTP client and to the HTTP server in 'apps/'
like correcting the TLS and proxy support and adding tracing for debugging.
- Extended the CMS API for handling 'CMS_SignedData' and 'CMS_EnvelopedData'.
- 'CMS_add0_cert()' and 'CMS_add1_cert()' no longer throw an error if
a certificate to be added is already present. 'CMS_sign_ex()' and
'CMS_sign()' now ignore any duplicate certificates in their 'certs' argument
and no longer throw an error for them.
- Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based
BIOs with datagram semantics and support for BIO_sendmmsg() and BIO_recvmmsg()
calls. They can be used as the transport BIOs for QUIC.
- Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow
sending and receiving multiple messages in a single call. An implementation
is provided for BIO_dgram. For further details, see BIO_sendmmsg(3).
- Support for loading root certificates from the Windows certificate store
has been added.
- Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some linux
kernel versions that support KTLS have a known bug in CCM processing. That
has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7,
and all releases since 5.16. KTLS with CCM ciphersuites should be only used
on these releases.
- Added '-ktls' option to 's_server' and 's_client' commands to enable the
KTLS support.
- Zerocopy KTLS sendfile() support on Linux.
- The OBJ_ calls are now thread safe using a global lock.
- New parameter '-digest' for openssl cms command allowing signing
pre-computed digests and new CMS API functions supporting that
functionality.
- OPENSSL_malloc() and other allocation functions now raise errors on
allocation failures. The callers do not need to explicitly raise errors
unless they want to for tracing purposes.
- Added support for Brainpool curves in TLS-1.3.
- Support for Argon2d, Argon2i, Argon2id KDFs has been added along with
a basic thread pool implementation for select platforms.
-------------------------------------------------------------------
Mon Oct 21 11:01:59 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.1.7:
* Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024]
- Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
- Fixed possible buffer overread in SSL_select_next_proto()
(CVE-2024-5535)
* Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024]
- Fixed potential use after free after SSL_free_buffers() is
called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or
parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3
(CVE-2024-2511)
* Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024]
- Fixed PKCS12 Decoding crashes (CVE-2024-0727)
- Fixed Excessive time spent checking invalid RSA public keys
[CVE-2023-6237)
- Fixed POLY1305 MAC implementation corrupting vector registers
on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129)
- Fix excessive time spent in DH check / generation with large
Q parameter value (CVE-2023-5678)
* Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
* Rebase patches:
- openssl-Force-FIPS.patch
- openssl-FIPS-embed-hmac.patch
- openssl-FIPS-services-minimize.patch
- openssl-FIPS-RSA-disable-shake.patch
- openssl-CVE-2023-50782.patch
* Remove patches fixed in the update:
- openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
- openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch
- openssl-CVE-2024-4741.patch openssl-CVE-2024-4603.patch
- openssl-CVE-2024-2511.patch openssl-CVE-2024-0727.patch
- openssl-CVE-2023-6237.patch openssl-CVE-2023-6129.patch
- openssl-CVE-2023-5678.patch
- openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
- openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
- openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
- reproducible.patch
-------------------------------------------------------------------
Thu Oct 17 12:32:21 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1231741, CVE-2024-9143]
* Low-level invalid GF(2^m) parameters lead to OOB memory access
* Add openssl-CVE-2024-9143.patch
-------------------------------------------------------------------
Thu Oct 17 12:21:14 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1220262, CVE-2023-50782]
* Implicit rejection in PKCS#1 v1.5
* Add openssl-CVE-2023-50782.patch
-------------------------------------------------------------------
Thu Sep 19 08:05:52 UTC 2024 - Angel Yankov <angel.yankov@suse.com>
- Security fix: [bsc#1230698, CVE-2024-41996]
* Validating the order of the public keys in the Diffie-Hellman
Key Agreement Protocol, when an approved safe prime is used.
* Added openssl-CVE-2024-41996.patch
-------------------------------------------------------------------
Thu Aug 22 15:18:03 UTC 2024 - Alexander Bergmann <abergmann@suse.com>

256
openssl-3.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package openssl-3
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -20,146 +20,161 @@
%define sover 3
%define _rname openssl
%define man_suffix 3ssl
%global sslengcnf %{ssletcdir}/engines%{sover}.d
%global sslengdef %{ssletcdir}/engdef%{sover}.d
# Enable userspace livepatching.
%define livepatchable 1
Name: openssl-3
Version: 3.2.3
# Don't forget to update the version in the "openssl" meta-package!
Version: 3.1.4
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: Apache-2.0
URL: https://www.openssl.org/
Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
Source1: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
# https://keys.openpgp.org/search?q=openssl@openssl.org
# BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF
Source2: %{_rname}.keyring
# to get mtime of file:
Source3: %{name}.changes
Source4: baselibs.conf
Source1: %{name}.changes
Source2: baselibs.conf
Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
# https://www.openssl.org/about/
# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
Source4: %{_rname}.keyring
Source5: showciphers.c
Source6: openssl-TESTS-Disable-default-provider-crypto-policies.patch
Source6: openssl-Disable-default-provider-for-test-suite.patch
# PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages
Patch1: openssl-no-html-docs.patch
Patch2: openssl-truststore.patch
Patch3: openssl-pkgconfig.patch
Patch4: openssl-ppc64-config.patch
Patch5: openssl-no-date.patch
Patch4: openssl-DEFAULT_SUSE_cipher.patch
Patch5: openssl-ppc64-config.patch
Patch6: openssl-no-date.patch
# Add crypto-policies support
Patch6: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch8: openssl-crypto-policies-support.patch
# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW
Patch9: openssl-Add_support_for_Windows_CA_certificate_store.patch
# PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support
Patch7: openssl-Add-FIPS_mode-compatibility-macro.patch
Patch8: openssl-Add-Kernel-FIPS-mode-flag-support.patch
Patch10: openssl-Add-FIPS_mode-compatibility-macro.patch
Patch11: openssl-Add-Kernel-FIPS-mode-flag-support.patch
# PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514
# POWER10 performance enhancements for cryptography
Patch12: openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
Patch13: openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
Patch14: openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
Patch15: openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
Patch16: openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
Patch17: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
# checking excessively long X9.42 DH keys or parameters may be very slow
Patch18: openssl-CVE-2023-5678.patch
# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/22971
Patch19: openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
# PATCH-FIX-UPSTREAM: bsc#1218690 CVE-2023-6129 - POLY1305 MAC implementation corrupts vector registers on PowerPC
Patch20: openssl-CVE-2023-6129.patch
# PATCH-FIX-FEDORA Load FIPS the provider and set FIPS properties implicitly
Patch9: openssl-Force-FIPS.patch
Patch21: openssl-Force-FIPS.patch
# PATCH-FIX-FEDORA Disable the fipsinstall command-line utility
Patch10: openssl-disable-fipsinstall.patch
Patch22: openssl-disable-fipsinstall.patch
# PATCH-FIX-FEDORA Instructions to load legacy provider in openssl.cnf
Patch11: openssl-load-legacy-provider.patch
Patch23: openssl-load-legacy-provider.patch
# PATCH-FIX-FEDORA Embed the FIPS hmac
Patch12: openssl-FIPS-embed-hmac.patch
Patch24: openssl-FIPS-embed-hmac.patch
# PATCH-FIX-UPSTREAM: bsc#1218810 CVE-2023-6237: Excessive time spent checking invalid RSA public keys
Patch25: openssl-CVE-2023-6237.patch
# PATCH-FIX-SUSE bsc#1194187, bsc#1207472, bsc#1218933 - Add engines section in openssl.cnf
Patch26: openssl-3-use-include-directive.patch
# PATCH-FIX-UPSTREAM: bsc#1219243 CVE-2024-0727: denial of service via null dereference
Patch27: openssl-CVE-2024-0727.patch
# PATCH-FIX-UPSTREAM: bsc#1222548 CVE-2024-2511: Unbounded memory growth with session handling in TLSv1.3
Patch28: openssl-CVE-2024-2511.patch
# PATCH-FIX-UPSTREAM: bsc#1224388 CVE-2024-4603: excessive time spent checking DSA keys and parameters
Patch29: openssl-CVE-2024-4603.patch
# PATCH-FIX-UPSTREAM: bsc#1225291 NVMe/TCP TLS connection fails due to handshake failure
Patch30: openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
Patch31: openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
# PATCH-FIX-UPSTREAM bsc#1225551 CVE-2024-4741: use After Free with SSL_free_buffers
Patch32: openssl-CVE-2024-4741.patch
# PATCH-FIX-UPSTREAM: bsc#1223336 aes-gcm-avx512.pl: fix non-reproducibility issue
Patch33: reproducible.patch
# PATCH-FIX-UPSTREAM: bsc#1227138 CVE-2024-5535: SSL_select_next_proto buffer overread
Patch34: openssl-CVE-2024-5535.patch
# PATCH-FIX-FEDORA bsc#1221786 FIPS: Use of non-Approved Elliptic Curves
Patch13: openssl-Add-changes-to-ectest-and-eccurve.patch
Patch14: openssl-Remove-EC-curves.patch
Patch15: openssl-Disable-explicit-ec.patch
Patch16: openssl-skipped-tests-EC-curves.patch
Patch35: openssl-Add-changes-to-ectest-and-eccurve.patch
Patch36: openssl-Remove-EC-curves.patch
Patch37: openssl-Disable-explicit-ec.patch
Patch38: openssl-skipped-tests-EC-curves.patch
# PATCH-FIX-FEDORA bsc#1221753 bsc#1221760 bsc#1221822 FIPS: Extra public/private key checks required by FIPS-140-3
Patch17: openssl-FIPS-140-3-keychecks.patch
Patch39: openssl-FIPS-140-3-keychecks.patch
# PATCH-FIX-FEDORA bsc#1221365 bsc#1221786 bsc#1221787 FIPS: Minimize fips services
Patch18: openssl-FIPS-services-minimize.patch
Patch40: openssl-FIPS-services-minimize.patch
# PATCH-FIX-SUSE bsc#1221751 FIPS: Add release number to version string
Patch41: openssl-FIPS-release_num_in_version_string.patch
# PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification
Patch19: openssl-FIPS-early-KATS.patch
Patch42: openssl-FIPS-early-KATS.patch
# PATCH-FIX-SUSE bsc#1221787 FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4
Patch20: openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
Patch43: openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
# PATCH-FIX-FEDORA bsc#1221787 FIPS: Selectively disallow SHA1 signatures
Patch21: openssl-Allow-disabling-of-SHA1-signatures.patch
# # PATCH-FIX-FEDORA bsc#1221365 FIPS: Deny SHA-1 signature verification in FIPS provider
Patch22: openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
Patch44: openssl-Allow-disabling-of-SHA1-signatures.patch
Patch45: openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
# PATCH-FIX-FEDORA bsc#1221365 bsc#1221824 FIPS: Service Level Indicator is needed
Patch23: openssl-FIPS-limit-rsa-encrypt.patch
Patch24: openssl-FIPS-Expose-a-FIPS-indicator.patch
Patch46: openssl-FIPS-limit-rsa-encrypt.patch
Patch47: openssl-FIPS-Expose-a-FIPS-indicator.patch
# PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification
Patch25: openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
Patch48: openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
# PATCH-FIX-FEDORA bsc#1221365 bsc#1221760 FIPS: Selftests are required
Patch26: openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
Patch49: openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
# PATCH-FIX-FEDORA bsc#1221760 FIPS: Selftests are required
Patch27: openssl-FIPS-Use-FFDHE2048-in-self-test.patch
Patch50: openssl-FIPS-Use-FFDHE2048-in-self-test.patch
# PATCH-FIX-FEDORA bsc#1220690 bsc#1220693 bsc#1220696 FIPS: Reseed DRBG
Patch28: openssl-FIPS-140-3-DRBG.patch
Patch51: openssl-FIPS-140-3-DRBG.patch
# PATCH-FIX-FEDORA bsc#1221752 FIPS: Zeroisation is required
Patch29: openssl-FIPS-140-3-zeroization.patch
Patch52: openssl-FIPS-140-3-zeroization.patch
# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
Patch30: openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
Patch31: openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
Patch53: openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
Patch54: openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
# PATCH-FIX-FEDORA bsc#1221365 bsc#1221365 FIPS: Service Level Indicator is needed
Patch32: openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
Patch55: openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
Patch33: openssl-FIPS-Add-explicit-indicator-for-key-length.patch
Patch56: openssl-FIPS-Add-explicit-indicator-for-key-length.patch
# PATCH-FIX-FEDORA bsc#1221827 FIPS: Recommendation for Password-Based Key Derivation
Patch34: openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
Patch57: openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
Patch35: openssl-FIPS-RSA-disable-shake.patch
Patch36: openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
Patch58: openssl-FIPS-RSA-disable-shake.patch
Patch59: openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
# PATCH-FIX-FEDORA bsc#1221824 FIPS: NIST SP 800-56Brev2 Section 6.4.1.2.1
Patch37: openssl-FIPS-RSA-encapsulate.patch
Patch60: openssl-FIPS-RSA-encapsulate.patch
# PATCH-FIX-FEDORA bsc#1221821 FIPS: Disable FIPS 186-4 Domain Parameters
Patch38: openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
Patch61: openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
# PATCH-FIX-SUSE bsc#1221365 FIPS: Service Level Indicator is needed
Patch39: openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
Patch62: openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
# PATCH-FIX-FEDORA bsc#1221827 FIPS: Recommendation for Password-Based Key Derivation
Patch40: openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
Patch63: openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
Patch41: openssl-FIPS-enforce-EMS-support.patch
Patch64: openssl-FIPS-enforce-EMS-support.patch
# PATCH-FIX-SUSE bsc#1221824 FIPS: Add check for SP 800-56Brev2 Section 6.4.1.2.1
Patch42: openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
Patch65: openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
# PATCH-FIX-SUSE bsc#1220523 FIPS: Port openssl to use jitterentropy
Patch43: openssl-3-jitterentropy-3.4.0.patch
Patch66: openssl-3-jitterentropy-3.4.0.patch
# PATCH-FIX-SUSE bsc#1221753 FIPS: Enforce error state
Patch44: openssl-FIPS-Enforce-error-state.patch
Patch67: openssl-FIPS-Enforce-error-state.patch
# PATCH-FIX-SUSE bsc#1221365 FIPS: Service Level Indicator is needed
Patch45: openssl-FIPS-enforce-security-checks-during-initialization.patch
# PATCH-FIX-FEDORA Adapt pairwise tests
Patch46: openssl-skip-quic-pairwise.patch
# PATCH-FIX-UPSTREAM support MSA 12 (SHA3) jsc#PED-10280
Patch48: openssl-3-add_EVP_DigestSqueeze_api.patch
Patch49: openssl-3-support-multiple-sha3_squeeze_s390x.patch
Patch50: openssl-3-add-xof-state-handling-s3_absorb.patch
Patch51: openssl-3-fix-state-handling-sha3_absorb_s390x.patch
Patch52: openssl-3-fix-state-handling-sha3_final_s390x.patch
Patch53: openssl-3-fix-state-handling-shake_final_s390x.patch
Patch54: openssl-3-fix-state-handling-keccak_final_s390x.patch
Patch55: openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
Patch56: openssl-3-add-defines-CPACF-funcs.patch
Patch57: openssl-3-add-hw-acceleration-hmac.patch
Patch58: openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
Patch59: openssl-3-fix-s390x_sha3_absorb.patch
Patch60: openssl-3-fix-s390x_shake_squeeze.patch
# PATCH-FIX-UPSTREAM: support MSA 10 XTS jsc#PED-10273
Patch61: openssl-3-hw-acceleration-aes-xts-s390x.patch
# PATCH-FIX-UPSTREAM: support MSA 11 HMAC jsc#PED-10274
Patch62: openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
Patch63: openssl-3-fix-hmac-digest-detection-s390x.patch
Patch64: openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
# PATCH-FIX-UPSTREAM: Fix failing tests on ppc64 jsc#PED-10280
Patch65: openssl-3-fix-sha3-squeeze-ppc64.patch
Patch66: openssl-3-fix-quic_multistream_test.patch
Patch68: openssl-FIPS-enforce-security-checks-during-initialization.patch
# PATCH-FIX-SUSE bsc#1221753 bsc#1221760 FIPS: RSA keygen PCT requirements
Patch69: openssl-3-FIPS-PCT_rsa_keygen.patch
# PATCH-FIX-FEDORA bsc#1221365 FIPS: Deny SHA-1 signature verification in FIPS provider
Patch70: openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
# PATCH-FIX-UPSTREAM bsc#1229465 CVE-2024-6119: possible denial of service in X.509 name checks
Patch71: openssl-CVE-2024-6119.patch
BuildRequires: pkgconfig
# ulp-macros is available according to SUSE version.
%ifarch x86_64
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1540
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
BuildRequires: ulp-macros
%else
# Define ulp-macros macros as empty
%define cflags_livepatching ""
%define pack_ipa_dumps echo "Livepatching is disabled in this build"
%endif
%endif
%ifarch ppc64le
%if 0%{?sle_version} >= 150700 || 0%{?suse_version} >= 1570
BuildRequires: gcc13
BuildRequires: ulp-macros
%endif
%endif
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
Requires: libopenssl3 = %{version}-%{release}
@ -253,33 +268,22 @@ export MACHINE=armv5el
export MACHINE=armv6l
%endif
# In ppc64le we need gcc-13 for userspace livepatching until we have the
# required -fpatchable-functions-entry patch merged into the mainline
%ifarch ppc64le
%if 0%{?sle_version} >= 150700 || 0%{?suse_version} >= 1570
export CC=gcc-13
export CXX=g++-13
%endif
%endif
./Configure \
enable-camellia \
no-mdc2 no-ec2m \
no-afalgeng \
enable-rfc3779 enable-camellia enable-seed \
%ifarch x86_64 aarch64 ppc64le
enable-ec_nistp_64_gcc_128 \
%endif
enable-fips \
enable-jitterentropy \
enable-ktls \
enable-rfc3779 \
enable-seed \
no-afalgeng \
no-ec2m \
no-mdc2 \
zlib \
--prefix=%{_prefix} \
--libdir=%{_lib} \
--openssldir=%{ssletcdir} \
%{optflags} \
%{?cflags_livepatching} \
%{cflags_livepatching} \
-Wa,--noexecstack \
-Wl,-z,relro,-z,now \
-fno-common \
@ -303,8 +307,14 @@ perl configdata.pm --dump
%make_build all
%check
# Relax the crypto-policies requirements and disable the default
# provider for the test suite regression tests
# Relax the crypto-policies requirements for the regression tests
# Revert patch8 before running tests
patch -p1 -R < %{PATCH8}
# Revert openssl-3-use-include-directive.patch because these directories
# exists only in buildroot but not in build system and some tests are failing
# because of it.
patch -p1 -R < %{PATCH26}
# Disable the default provider for the test suite.
patch -p1 < %{SOURCE6}
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export MALLOC_CHECK_=3
@ -339,7 +349,7 @@ gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{build
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
%install
%{?pack_ipa_dumps}
%{pack_ipa_dumps}
%make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix}
rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover}
@ -350,7 +360,7 @@ for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do
done
# Remove static libraries
rm -f %{buildroot}%{_libdir}/*.a
rm -f %{buildroot}%{_libdir}/lib*.a
# Remove the cnf.dist
rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist
@ -363,13 +373,21 @@ cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cn
mkdir -p %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl
install -d -m 555 %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl
# Remove the fipsmodule.cnf because FIPS module is loaded automatically in FIPS mode
# Remove the fipsmodule.cnf because FIPS module is loaded automatically
rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
mkdir %{buildroot}/%{_datadir}/ssl
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
# Create the two directories into which packages will drop their configuration
# files.
mkdir %{buildroot}/%{sslengcnf}
mkdir %{buildroot}/%{sslengdef}
# Create unversioned symbolic links to above directories
ln -s %{sslengcnf} %{buildroot}/%{ssletcdir}/engines.d
ln -s %{sslengdef} %{buildroot}/%{ssletcdir}/engdef.d
# Add the FIPS module configuration from crypto-policies since SP6
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
ln -s %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config %{buildroot}%{ssletcdir}/fips_local.cnf
@ -404,6 +422,17 @@ if [ "$1" -gt 1 ] ; then
fi
%pre
# Migrate old engines.d to engines1.1.d.rpmsave
if [ ! -L %{ssletcdir}/engines.d ] && [ -d %{ssletcdir}/engines.d ]; then
mkdir %{ssletcdir}/engines1.1.d.rpmsave ||:
mv %{ssletcdir}/engines.d %{ssletcdir}/engines1.1.d.rpmsave ||:
fi
# Migrate old engdef.d to engdef1.1.d.rpmsave
if [ ! -L %{ssletcdir}/engdef.d ] && [ -d %{ssletcdir}/engdef.d ]; then
mkdir %{ssletcdir}/engdef1.1.d.rpmsave ||:
mv %{ssletcdir}/engdef.d %{ssletcdir}/engdef1.1.d.rpmsave ||:
fi
%post -n libopenssl3 -p /sbin/ldconfig
%postun -n libopenssl3 -p /sbin/ldconfig
@ -438,7 +467,7 @@ fi
%files
%license LICENSE.txt
%doc CHANGES.md NEWS.md README.md
%doc CHANGES.md NEWS.md FAQ.md README.md
%dir %{ssletcdir}
%config %{ssletcdir}/openssl-orig.cnf
%config (noreplace) %{ssletcdir}/openssl.cnf
@ -447,6 +476,11 @@ fi
%config %{ssletcdir}/fips_local.cnf
%endif
%attr(700,root,root) %{ssletcdir}/private
%dir %{sslengcnf}
%dir %{sslengdef}
# symbolic link to above directories
%{ssletcdir}/engines.d
%{ssletcdir}/engdef.d
%dir %{_datadir}/ssl
%{_datadir}/ssl/misc
%dir %{_localstatedir}/lib/ca-certificates/

224
openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
View File

@ -1,47 +1,16 @@
From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 11 Aug 2022 09:27:12 +0200
Subject: KDF: Add FIPS indicators
From 2000eaead63732669283e6b54c8ef02e268eaeb8 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:29 +0200
Subject: [PATCH 34/48] 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
FIPS requires a number of restrictions on the parameters of the various
key derivation functions implemented in OpenSSL. The KDFs that use
digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
C.C). Additionally, some application-specific KDFs have further
restrictions defined in SP 800-135r1.
Generally, all KDFs shall use a key-derivation key length of at least
112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
to generate and output length of less than 112 bits will also set the
indicator to unapproved.
Add explicit indicators to all KDFs usable in FIPS mode except for
PBKDF2 (which has its specific FIPS limits already implemented). The
indicator can be queried using EVP_KDF_CTX_get_params() after setting
the required parameters and keys for the KDF.
Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
truncated variants -224 and -384) and SHA3 (-256 and -512, and the
truncated versions -224 and -384), as well as SHAKE-128 and -256.
The SHAKE functions are generally not allowed in KDFs. For the rest, the
support matrix is:
KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated
==========================================================================
KBKDF | x | x | x | x | x
HKDF | x | x | x | x | x
TLS1PRF | | SHA-{256,384,512} only | |
SSHKDF | x | x | x | |
SSKDF | x | x | x | x | x
X9.63KDF | | x | x | x | x
X9.42-ASN1 | x | x | x | x | x
TLS1.3PRF | | SHA-{256,384} only | |
Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2160733 rhbz#2164763
Related: rhbz#2114772 rhbz#2141695
Patch-name: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
Patch-id: 78
Patch-status: |
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
include/crypto/evp.h | 7 ++
include/openssl/core_names.h | 1 +
include/openssl/kdf.h | 4 +
providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++-
providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++--
@ -49,13 +18,12 @@ Related: rhbz#2114772 rhbz#2141695
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
util/perl/OpenSSL/paramnames.pm | 1 +
9 files changed, 487 insertions(+), 22 deletions(-)
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index e70d8e9e84..76fb990de4 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
Index: openssl-3.1.4/include/crypto/evp.h
===================================================================
--- openssl-3.1.4.orig/include/crypto/evp.h
+++ openssl-3.1.4/include/crypto/evp.h
@@ -219,6 +219,13 @@ struct evp_mac_st {
OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
};
@ -70,11 +38,23 @@ index e70d8e9e84..76fb990de4 100644
struct evp_kdf_st {
OSSL_PROVIDER *prov;
int name_id;
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
index 0983230a48..86171635ea 100644
--- a/include/openssl/kdf.h
+++ b/include/openssl/kdf.h
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
Index: openssl-3.1.4/include/openssl/core_names.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/core_names.h
+++ openssl-3.1.4/include/openssl/core_names.h
@@ -226,6 +226,7 @@ extern "C" {
#define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo"
#define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo"
#define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits"
+#define OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator"
/* Known KDF names */
#define OSSL_KDF_NAME_HKDF "HKDF"
Index: openssl-3.1.4/include/openssl/kdf.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/kdf.h
+++ openssl-3.1.4/include/openssl/kdf.h
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *
# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
@ -85,11 +65,11 @@ index 0983230a48..86171635ea 100644
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index dfa7786bde..f01e40ff5a 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/hkdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/hkdf.c
@@ -43,6 +43,7 @@ static OSSL_FUNC_kdf_settable_ctx_params
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
@ -97,7 +77,7 @@ index dfa7786bde..f01e40ff5a 100644
static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
@@ -85,6 +86,10 @@ typedef struct {
@@ -86,6 +87,10 @@ typedef struct {
size_t data_len;
unsigned char *info;
size_t info_len;
@ -108,7 +88,7 @@ index dfa7786bde..f01e40ff5a 100644
} KDF_HKDF;
static void *kdf_hkdf_new(void *provctx)
@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
@@ -201,6 +206,11 @@ static int kdf_hkdf_derive(void *vctx, u
return 0;
}
@ -120,7 +100,7 @@ index dfa7786bde..f01e40ff5a 100644
switch (ctx->mode) {
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
default:
@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
@@ -363,13 +373,15 @@ static int kdf_hkdf_get_ctx_params(void
{
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
OSSL_PARAM *p;
@ -129,20 +109,21 @@ index dfa7786bde..f01e40ff5a 100644
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
size_t sz = kdf_hkdf_size(ctx);
- if (sz == 0)
+ any_valid = 1;
if (sz == 0)
+
+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
return 0;
return OSSL_PARAM_set_size_t(p, sz);
- return OSSL_PARAM_set_size_t(p, sz);
}
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
+ any_valid = 1;
if (ctx->info == NULL || ctx->info_len == 0) {
p->return_size = 0;
return 1;
@@ -378,7 +390,68 @@ static int kdf_hkdf_get_ctx_params(void
}
return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
}
- return -2;
+
+#ifdef FIPS_MODULE
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR))
+ != NULL) {
@ -207,7 +188,7 @@ index dfa7786bde..f01e40ff5a 100644
}
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -387,6 +460,9 @@ static const OSSL_PARAM *kdf_hkdf_gettab
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
@ -217,7 +198,7 @@ index dfa7786bde..f01e40ff5a 100644
OSSL_PARAM_END
};
return known_gettable_ctx_params;
@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
@@ -717,6 +793,17 @@ static int prov_tls13_hkdf_generate_secr
return ret;
}
@ -235,7 +216,7 @@ index dfa7786bde..f01e40ff5a 100644
static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
const OSSL_PARAM params[])
{
@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
@@ -732,6 +819,11 @@ static int kdf_tls1_3_derive(void *vctx,
return 0;
}
@ -247,7 +228,7 @@ index dfa7786bde..f01e40ff5a 100644
switch (ctx->mode) {
default:
return 0;
@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
@@ -809,7 +901,7 @@ static const OSSL_PARAM *kdf_tls1_3_sett
}
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
@ -256,10 +237,10 @@ index dfa7786bde..f01e40ff5a 100644
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
index a542f84dfa..6b6dfb94ac 100644
--- a/providers/implementations/kdfs/kbkdf.c
+++ b/providers/implementations/kdfs/kbkdf.c
Index: openssl-3.1.4/providers/implementations/kdfs/kbkdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/kbkdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/kbkdf.c
@@ -59,6 +59,9 @@ typedef struct {
kbkdf_mode mode;
EVP_MAC_CTX *ctx_init;
@ -270,7 +251,7 @@ index a542f84dfa..6b6dfb94ac 100644
/* Names are lowercased versions of those found in SP800-108. */
int r;
unsigned char *ki;
@@ -73,6 +76,9 @@ typedef struct {
@@ -72,6 +75,9 @@ typedef struct {
int use_l;
int is_kmac;
int use_separator;
@ -280,7 +261,7 @@ index a542f84dfa..6b6dfb94ac 100644
} KBKDF;
/* Definitions needed for typechecking. */
@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
@@ -143,6 +149,7 @@ static void kbkdf_reset(void *vctx)
void *provctx = ctx->provctx;
EVP_MAC_CTX_free(ctx->ctx_init);
@ -288,7 +269,7 @@ index a542f84dfa..6b6dfb94ac 100644
OPENSSL_clear_free(ctx->context, ctx->context_len);
OPENSSL_clear_free(ctx->label, ctx->label_len);
OPENSSL_clear_free(ctx->ki, ctx->ki_len);
@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
@@ -308,6 +315,11 @@ static int kbkdf_derive(void *vctx, unsi
goto done;
}
@ -300,7 +281,7 @@ index a542f84dfa..6b6dfb94ac 100644
h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
if (h == 0)
goto done;
@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
@@ -381,6 +393,9 @@ static int kbkdf_set_ctx_params(void *vc
}
}
@ -310,7 +291,7 @@ index a542f84dfa..6b6dfb94ac 100644
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
if (p != NULL
&& OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
@@ -461,20 +476,77 @@ static const OSSL_PARAM *kbkdf_settable_
static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
OSSL_PARAM *p;
@ -393,11 +374,11 @@ index a542f84dfa..6b6dfb94ac 100644
return known_gettable_ctx_params;
}
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
index c592ba72f1..4a52b38266 100644
--- a/providers/implementations/kdfs/sshkdf.c
+++ b/providers/implementations/kdfs/sshkdf.c
@@ -48,6 +48,9 @@ typedef struct {
Index: openssl-3.1.4/providers/implementations/kdfs/sshkdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/sshkdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/sshkdf.c
@@ -49,6 +49,9 @@ typedef struct {
char type; /* X */
unsigned char *session_id;
size_t session_id_len;
@ -407,7 +388,7 @@ index c592ba72f1..4a52b38266 100644
} KDF_SSHKDF;
static void *kdf_sshkdf_new(void *provctx)
@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
@@ -151,6 +154,12 @@ static int kdf_sshkdf_derive(void *vctx,
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
return 0;
}
@ -420,7 +401,7 @@ index c592ba72f1..4a52b38266 100644
return SSHKDF(md, ctx->key, ctx->key_len,
ctx->xcghash, ctx->xcghash_len,
ctx->session_id, ctx->session_id_len,
@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
@@ -219,10 +228,67 @@ static const OSSL_PARAM *kdf_sshkdf_sett
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
OSSL_PARAM *p;
@ -491,7 +472,7 @@ index c592ba72f1..4a52b38266 100644
}
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -230,6 +296,9 @@ static const OSSL_PARAM *kdf_sshkdf_gett
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
@ -501,11 +482,11 @@ index c592ba72f1..4a52b38266 100644
OSSL_PARAM_END
};
return known_gettable_ctx_params;
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
index eb54972e1c..23865cd70f 100644
--- a/providers/implementations/kdfs/sskdf.c
+++ b/providers/implementations/kdfs/sskdf.c
@@ -64,6 +64,10 @@ typedef struct {
Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/sskdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/sskdf.c
@@ -63,6 +63,10 @@ typedef struct {
size_t salt_len;
size_t out_len; /* optional KMAC parameter */
int is_kmac;
@ -524,7 +505,7 @@ index eb54972e1c..23865cd70f 100644
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
@@ -297,6 +302,16 @@ static void *sskdf_new(void *provctx)
return ctx;
}
@ -541,7 +522,7 @@ index eb54972e1c..23865cd70f 100644
static void sskdf_reset(void *vctx)
{
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
@@ -392,6 +407,11 @@ static int sskdf_derive(void *vctx, unsi
}
md = ossl_prov_digest_md(&ctx->digest);
@ -553,7 +534,7 @@ index eb54972e1c..23865cd70f 100644
if (ctx->macctx != NULL) {
/* H(x) = KMAC or H(x) = HMAC */
int ret;
@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
@@ -473,6 +493,11 @@ static int x963kdf_derive(void *vctx, un
return 0;
}
@ -565,7 +546,7 @@ index eb54972e1c..23865cd70f 100644
return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
ctx->info, ctx->info_len, 1, key, keylen);
}
@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
@@ -545,10 +570,74 @@ static int sskdf_get_ctx_params(void *vc
{
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
OSSL_PARAM *p;
@ -643,7 +624,7 @@ index eb54972e1c..23865cd70f 100644
}
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -556,6 +645,9 @@ static const OSSL_PARAM *sskdf_gettable_
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
@ -653,7 +634,7 @@ index eb54972e1c..23865cd70f 100644
OSSL_PARAM_END
};
return known_gettable_ctx_params;
@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
@@ -577,7 +669,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_funct
};
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
@ -662,11 +643,11 @@ index eb54972e1c..23865cd70f 100644
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
index a4d64b9352..f6782a6ca2 100644
--- a/providers/implementations/kdfs/tls1_prf.c
+++ b/providers/implementations/kdfs/tls1_prf.c
@@ -93,6 +93,13 @@ typedef struct {
Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/tls1_prf.c
+++ openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c
@@ -104,6 +104,13 @@ typedef struct {
/* Buffer of concatenated seed data */
unsigned char seed[TLS1_PRF_MAXBUF];
size_t seedlen;
@ -680,7 +661,7 @@ index a4d64b9352..f6782a6ca2 100644
} TLS1_PRF;
static void *kdf_tls1_prf_new(void *provctx)
@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
@@ -140,6 +147,7 @@ static void kdf_tls1_prf_reset(void *vct
EVP_MAC_CTX_free(ctx->P_sha1);
OPENSSL_clear_free(ctx->sec, ctx->seclen);
OPENSSL_cleanse(ctx->seed, ctx->seedlen);
@ -688,7 +669,7 @@ index a4d64b9352..f6782a6ca2 100644
memset(ctx, 0, sizeof(*ctx));
ctx->provctx = provctx;
}
@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
@@ -194,6 +202,10 @@ static int kdf_tls1_prf_derive(void *vct
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
@ -699,7 +680,7 @@ index a4d64b9352..f6782a6ca2 100644
/*
* The seed buffer is prepended with a label.
@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
@@ -243,6 +255,9 @@ static int kdf_tls1_prf_set_ctx_params(v
}
}
@ -709,7 +690,7 @@ index a4d64b9352..f6782a6ca2 100644
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
OPENSSL_clear_free(ctx->sec, ctx->seclen);
ctx->sec = NULL;
@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
@@ -284,10 +299,60 @@ static const OSSL_PARAM *kdf_tls1_prf_se
static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
OSSL_PARAM *p;
@ -773,7 +754,7 @@ index a4d64b9352..f6782a6ca2 100644
}
static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
@@ -295,6 +360,9 @@ static const OSSL_PARAM *kdf_tls1_prf_ge
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
@ -783,10 +764,10 @@ index a4d64b9352..f6782a6ca2 100644
OSSL_PARAM_END
};
return known_gettable_ctx_params;
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
index b1bc6f7e1b..8173fc2cc7 100644
--- a/providers/implementations/kdfs/x942kdf.c
+++ b/providers/implementations/kdfs/x942kdf.c
Index: openssl-3.1.4/providers/implementations/kdfs/x942kdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/x942kdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/x942kdf.c
@@ -13,11 +13,13 @@
#include <openssl/core_dispatch.h>
#include <openssl/err.h>
@ -801,7 +782,7 @@ index b1bc6f7e1b..8173fc2cc7 100644
#include "prov/provider_ctx.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
@@ -47,6 +50,9 @@ typedef struct {
@@ -49,6 +51,9 @@ typedef struct {
const unsigned char *cek_oid;
size_t cek_oid_len;
int use_keybits;
@ -811,7 +792,7 @@ index b1bc6f7e1b..8173fc2cc7 100644
} KDF_X942;
/*
@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
@@ -497,6 +502,10 @@ static int x942kdf_derive(void *vctx, un
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
return 0;
}
@ -822,7 +803,7 @@ index b1bc6f7e1b..8173fc2cc7 100644
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
der, der_len, ctr, key, keylen);
OPENSSL_free(der);
@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
@@ -600,10 +609,58 @@ static int x942kdf_get_ctx_params(void *
{
KDF_X942 *ctx = (KDF_X942 *)vctx;
OSSL_PARAM *p;
@ -884,7 +865,7 @@ index b1bc6f7e1b..8173fc2cc7 100644
}
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -611,6 +668,9 @@ static const OSSL_PARAM *x942kdf_gettabl
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
@ -894,18 +875,3 @@ index b1bc6f7e1b..8173fc2cc7 100644
OSSL_PARAM_END
};
return known_gettable_ctx_params;
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index 70f7c50fe4..6618122417 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -183,6 +183,7 @@ my %params = (
'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
+ 'KDF_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator",
'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
'KDF_PARAM_THREADS' => "threads", # uint32_t
--
2.39.2

54
openssl-Add-Kernel-FIPS-mode-flag-support.patch
View File

@ -13,12 +13,12 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
include/internal/provider.h | 3 +++
2 files changed, 39 insertions(+)
Index: openssl-3.2.3/crypto/context.c
===================================================================
--- openssl-3.2.3.orig/crypto/context.c
+++ openssl-3.2.3/crypto/context.c
@@ -17,6 +17,40 @@
#include "crypto/decoder.h"
diff --git a/crypto/context.c b/crypto/context.c
index e294ea1512..51002ba79a 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -16,6 +16,41 @@
#include "internal/provider.h"
#include "crypto/context.h"
+# include <sys/types.h>
@ -33,32 +33,33 @@ Index: openssl-3.2.3/crypto/context.c
+
+static void read_kernel_fips_flag(void)
+{
+ char buf[2] = "0";
+ int fd;
+ char buf[2] = "0";
+ int fd;
+
+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+ close(fd);
+ }
+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+ close(fd);
+ }
+
+ if (buf[0] == '1') {
+ kernel_fips_flag = 1;
+ }
+ if (buf[0] == '1') {
+ kernel_fips_flag = 1;
+ }
+
+ return;
+ return;
+}
+
+int ossl_get_kernel_fips_flag()
+{
+ return kernel_fips_flag;
+ return kernel_fips_flag;
+}
+
+
struct ossl_lib_ctx_st {
CRYPTO_RWLOCK *lock, *rand_crngt_lock;
OSSL_EX_DATA_GLOBAL global;
@@ -368,6 +402,7 @@ static int default_context_inited = 0;
@@ -336,6 +371,7 @@ static int default_context_inited = 0;
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
{
@ -66,11 +67,11 @@ Index: openssl-3.2.3/crypto/context.c
if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
goto err;
Index: openssl-3.2.3/include/internal/provider.h
===================================================================
--- openssl-3.2.3.orig/include/internal/provider.h
+++ openssl-3.2.3/include/internal/provider.h
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB
diff --git a/include/internal/provider.h b/include/internal/provider.h
index 18937f84c7..1446bf7afb 100644
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
const OSSL_DISPATCH *in);
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
@ -80,3 +81,6 @@ Index: openssl-3.2.3/include/internal/provider.h
# ifdef __cplusplus
}
# endif
--
2.41.0

3
openssl-Add-changes-to-ectest-and-eccurve.patch
View File

@ -1135,9 +1135,9 @@ index afef85b0e6..4890b0555e 100644
|| !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
@@ -3015,7 +2857,7 @@ int setup_tests(void)
return 0;
ADD_TEST(parameter_test);
ADD_TEST(ossl_parameter_test);
- ADD_TEST(cofactor_range_test);
+ /* ADD_TEST(cofactor_range_test); */
ADD_ALL_TESTS(cardinality_test, crv_len);
@ -1145,3 +1145,4 @@ index afef85b0e6..4890b0555e 100644
#ifndef OPENSSL_NO_EC2M
--
2.41.0

140
openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
View File

@ -15,11 +15,9 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
util/libcrypto.num | 1
8 files changed, 110 insertions(+), 14 deletions(-)
Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-3.2.3.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.2.3/Configurations/unix-Makefile.tmpl
@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
@ -30,7 +28,7 @@ Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
CPPFLAGS={- our $cppflags1 = join(" ",
(map { "-D".$_} @{$config{CPPDEFINES}}),
@ -38,16 +36,14 @@ Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl
(map { "-I".$_} @{$config{CPPINCLUDES}}),
@{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
Index: openssl-3.2.3/Configure
===================================================================
--- openssl-3.2.3.orig/Configure
+++ openssl-3.2.3/Configure
--- a/Configure
+++ b/Configure
@@ -27,7 +27,7 @@ use OpenSSL::config;
my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler;
-my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
my $banner = <<"EOF";
@ -62,7 +58,7 @@ Index: openssl-3.2.3/Configure
# --banner=".." Output specified text instead of default completion banner
#
# -w Don't wait after showing a Configure warning
@@ -393,6 +397,7 @@ $config{prefix}="";
@@ -387,6 +391,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
@ -70,7 +66,7 @@ Index: openssl-3.2.3/Configure
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
@@ -1047,6 +1052,10 @@ while (@argvcopy)
@@ -989,6 +994,10 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
@ -81,11 +77,9 @@ Index: openssl-3.2.3/Configure
elsif (/^--banner=(.*)$/)
{
$banner = $1 . "\n";
Index: openssl-3.2.3/doc/man1/openssl-ciphers.pod.in
===================================================================
--- openssl-3.2.3.orig/doc/man1/openssl-ciphers.pod.in
+++ openssl-3.2.3/doc/man1/openssl-ciphers.pod.in
@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@ -101,11 +95,9 @@ Index: openssl-3.2.3/doc/man1/openssl-ciphers.pod.in
=item B<HIGH>
"High" encryption cipher suites. This currently means those with key lengths
Index: openssl-3.2.3/include/openssl/ssl.h.in
===================================================================
--- openssl-3.2.3.orig/include/openssl/ssl.h.in
+++ openssl-3.2.3/include/openssl/ssl.h.in
@@ -214,6 +214,11 @@ extern "C" {
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -213,6 +213,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
*/
@ -117,11 +109,9 @@ Index: openssl-3.2.3/include/openssl/ssl.h.in
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
Index: openssl-3.2.3/ssl/ssl_ciph.c
===================================================================
--- openssl-3.2.3.orig/ssl/ssl_ciph.c
+++ openssl-3.2.3/ssl/ssl_ciph.c
@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const c
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const c
return ret;
}
@ -175,7 +165,7 @@ Index: openssl-3.2.3/ssl/ssl_ciph.c
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1469,15 +1516,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method;
@ -203,16 +193,16 @@ Index: openssl-3.2.3/ssl/ssl_ciph.c
/*
* To reduce the work to do we only want to process the compiled
@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
if (num_of_ciphers > 0) {
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL)
- return NULL; /* Failure */
+ goto err;
@@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1565,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -222,17 +212,18 @@ Index: openssl-3.2.3/ssl/ssl_ciph.c
}
/*
@@ -1610,8 +1666,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
- OPENSSL_free(co_list);
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1644,8 +1699,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1633,8 +1688,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */
@ -242,7 +233,7 @@ Index: openssl-3.2.3/ssl/ssl_ciph.c
}
/*
@@ -1653,10 +1707,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1642,10 +1696,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -258,7 +249,7 @@ Index: openssl-3.2.3/ssl/ssl_ciph.c
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1708,6 +1765,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1697,6 +1754,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*cipher_list = cipherstack;
return cipherstack;
@ -273,11 +264,9 @@ Index: openssl-3.2.3/ssl/ssl_ciph.c
}
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
Index: openssl-3.2.3/ssl/ssl_lib.c
===================================================================
--- openssl-3.2.3.orig/ssl/ssl_lib.c
+++ openssl-3.2.3/ssl/ssl_lib.c
@@ -670,7 +670,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
@ -286,7 +275,7 @@ Index: openssl-3.2.3/ssl/ssl_lib.c
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
@@ -3955,7 +3955,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
@ -294,12 +283,10 @@ Index: openssl-3.2.3/ssl/ssl_lib.c
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err;
Index: openssl-3.2.3/test/cipherlist_test.c
===================================================================
--- openssl-3.2.3.orig/test/cipherlist_test.c
+++ openssl-3.2.3/test/cipherlist_test.c
@@ -261,7 +261,9 @@ end:
goto err2;
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@@ -246,7 +246,9 @@ end:
int setup_tests(void)
{
@ -308,42 +295,11 @@ Index: openssl-3.2.3/test/cipherlist_test.c
+#endif
ADD_TEST(test_default_cipherlist_explicit);
ADD_TEST(test_default_cipherlist_clear);
ADD_TEST(test_stdname_cipherlist);
Index: openssl-3.2.3/util/libcrypto.num
===================================================================
--- openssl-3.2.3.orig/util/libcrypto.num
+++ openssl-3.2.3/util/libcrypto.num
@@ -5536,3 +5536,4 @@ X509_STORE_CTX_set_get_crl
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
+ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION:
Index: openssl-3.2.3/apps/openssl.cnf
===================================================================
--- openssl-3.2.3.orig/apps/openssl.cnf
+++ openssl-3.2.3/apps/openssl.cnf
@@ -52,6 +52,12 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
+# Load default TLS policy configuration
+ssl_conf = ssl_module
+alg_section = evp_properties
+
+[ evp_properties ]
+# This section is intentionally added empty here to be tuned on particular systems
# List of providers to load
[provider_sect]
@@ -71,6 +76,11 @@ default = default_sect
[default_sect]
# activate = 1
+[ ssl_module ]
+system_default = crypto_policy
+
+[ crypto_policy ]
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
####################################################################
[ ca ]
return 1;
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:

743
openssl-Add_support_for_Windows_CA_certificate_store.patch Normal file
View File

@ -0,0 +1,743 @@
From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Fri, 8 Apr 2022 13:10:52 +0100
Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI
env
Fixes #18068.
---
CHANGES.md | 21
Configure | 7
crypto/x509/by_dir.c | 17
crypto/x509/by_store.c | 14
crypto/x509/x509_def.c | 15
doc/build.info | 6
doc/man3/X509_get_default_cert_file.pod | 113 +++++
include/internal/cryptlib.h | 11
include/internal/e_os.h | 2
include/openssl/x509.h.in | 3
providers/implementations/include/prov/implementations.h | 1
providers/implementations/storemgmt/build.info | 3
providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++
providers/stores.inc | 3
util/libcrypto.num | 3
util/missingcrypto.txt | 4
16 files changed, 536 insertions(+), 14 deletions(-)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,27 @@ OpenSSL 3.1
### Changes between 3.1.0 and 3.1.1 [30 May 2023]
+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced.
+ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The
+ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of
+ paths which are searched for root certificates.
+
+ The existing `SSL_CERT_DIR` environment variable is deprecated.
+ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated
+ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes
+ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate
+ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored
+ for the purposes of determining root certificate stores.
+
+ *Hugo Landau*
+
+ * Support for loading root certificates from the Windows certificate store
+ has been added. The support is in the form of a store which recognises the
+ URI string of `org.openssl.winstore://`. This store is enabled by default and
+ can be disabled using the new compile-time option `no-winstore`.
+
+ *Hugo Landau*
+
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
--- a/Configure
+++ b/Configure
@@ -420,6 +420,7 @@ my @disablables = (
"cached-fetch",
"camellia",
"capieng",
+ "winstore",
"cast",
"chacha",
"cmac",
@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) {
}
}
+unless ($disabled{winstore}) {
+ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) {
+ disable('not-windows', 'winstore');
+ }
+}
+
push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
# Get the extra flags used when building shared libraries and modules. We
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
switch (cmd) {
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT) {
- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
+ /* If SSL_CERT_PATH is provided and non-empty, use that. */
+ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
- if (dir)
- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
- else
- ret = add_cert_dir(ld, X509_get_default_cert_dir(),
- X509_FILETYPE_PEM);
+ /* Fallback to SSL_CERT_DIR. */
+ if (dir == NULL)
+ dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
+
+ /* Fallback to built-in default. */
+ if (dir == NULL)
+ dir = X509_get_default_cert_dir();
+
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
if (!ret) {
ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
}
--- a/crypto/x509/by_store.c
+++ b/crypto/x509/by_store.c
@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP
{
switch (cmd) {
case X509_L_ADD_STORE:
- /* If no URI is given, use the default cert dir as default URI */
+ /* First try the newer default cert URI envvar. */
+ if (argp == NULL)
+ argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
+
+ /* If not set, see if we have a URI in the older cert dir envvar. */
if (argp == NULL)
argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
+
+ /* Fallback to default store URI. */
if (argp == NULL)
- argp = X509_get_default_cert_dir();
+ argp = X509_get_default_cert_uri();
+
+ /* No point adding an empty URI. */
+ if (!*argp)
+ return 1;
{
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
--- a/crypto/x509/x509_def.c
+++ b/crypto/x509/x509_def.c
@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v
return X509_CERT_AREA;
}
+const char *X509_get_default_cert_uri(void)
+{
+ return X509_CERT_URI;
+}
+
const char *X509_get_default_cert_dir(void)
{
return X509_CERT_DIR;
@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v
return X509_CERT_FILE;
}
+const char *X509_get_default_cert_uri_env(void)
+{
+ return X509_CERT_URI_EVP;
+}
+
+const char *X509_get_default_cert_path_env(void)
+{
+ return X509_CERT_PATH_EVP;
+}
+
const char *X509_get_default_cert_dir_env(void)
{
return X509_CERT_DIR_EVP;
--- a/doc/build.info
+++ b/doc/build.info
@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma
GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod
DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
+DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
+GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
+DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
+GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod
@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht
html/man3/X509_get0_notBefore.html \
html/man3/X509_get0_signature.html \
html/man3/X509_get0_uids.html \
+html/man3/X509_get_default_cert_file.html \
html/man3/X509_get_extension_flags.html \
html/man3/X509_get_pubkey.html \
html/man3/X509_get_serialNumber.html \
@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \
man/man3/X509_get0_notBefore.3 \
man/man3/X509_get0_signature.3 \
man/man3/X509_get0_uids.3 \
+man/man3/X509_get_default_cert_file.3 \
man/man3/X509_get_extension_flags.3 \
man/man3/X509_get_pubkey.3 \
man/man3/X509_get_serialNumber.3 \
--- /dev/null
+++ b/doc/man3/X509_get_default_cert_file.pod
@@ -0,0 +1,113 @@
+=pod
+
+=head1 NAME
+
+X509_get_default_cert_file, X509_get_default_cert_file_env,
+X509_get_default_cert_path_env,
+X509_get_default_cert_dir, X509_get_default_cert_dir_env,
+X509_get_default_cert_uri, X509_get_default_cert_uri_env -
+retrieve default locations for trusted CA certificates
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ const char *X509_get_default_cert_file(void);
+ const char *X509_get_default_cert_dir(void);
+ const char *X509_get_default_cert_uri(void);
+
+ const char *X509_get_default_cert_file_env(void);
+ const char *X509_get_default_cert_path_env(void);
+ const char *X509_get_default_cert_dir_env(void);
+ const char *X509_get_default_cert_uri_env(void);
+
+=head1 DESCRIPTION
+
+The X509_get_default_cert_file() function returns the default path
+to a file containing trusted CA certificates. OpenSSL will use this as
+the default path when it is asked to load trusted CA certificates
+from a file and no other path is specified. If the file exists, CA certificates
+are loaded from the file.
+
+The X509_get_default_cert_dir() function returns a default delimeter-separated
+list of paths to a directories containing trusted CA certificates named in the
+hashed format. OpenSSL will use this as the default list of paths when it is
+asked to load trusted CA certificates from a directory and no other path is
+specified. If a given directory in the list exists, OpenSSL attempts to lookup
+CA certificates in this directory by calculating a filename based on a hash of
+the certificate's subject name.
+
+The X509_get_default_cert_uri() function returns the default URI for a
+certificate store accessed programmatically via an OpenSSL provider. If there is
+no default store applicable to the system for which OpenSSL was compiled, this
+returns an empty string.
+
+X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return
+environment variable names which are recommended to specify nondefault values to
+be used instead of the values returned by X509_get_default_cert_file() and
+X509_get_default_cert_uri() respectively. The values returned by the latter
+functions are not affected by these environment variables; you must check for
+these environment variables yourself, using these functions to retrieve the
+correct environment variable names. If an environment variable is not set, the
+value returned by the corresponding function above should be used.
+
+X509_get_default_cert_path_env() returns the environment variable name which is
+recommended to specify a nondefault value to be used instead of the value
+returned by X509_get_default_cert_dir(). This environment variable supercedes
+the deprecated environment variable whose name is returned by
+X509_get_default_cert_dir_env(). This environment variable was deprecated as its
+contents can be interpreted ambiguously; see NOTES.
+
+By default, OpenSSL uses the path list specified in the environment variable
+whose name is returned by X509_get_default_cert_path_env() if it is set;
+otherwise, it uses the path list specified in the environment variable whose
+name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it
+uses the value returned by X509_get_default_cert_dir()).
+
+=head1 NOTES
+
+X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and
+X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this
+release, store URIs were expressed via the environment variable returned by
+X509_get_default_cert_dir_env(); this environment variable could be used to
+specify either a list of directories or a store URI. This creates an ambiguity
+in which the environment variable returned by X509_get_default_cert_dir_env() is
+interpreted both as a list of directories and as a store URI.
+
+This usage and the environment variable returned by
+X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use
+the environment variable returned by X509_get_default_cert_uri_env(), and to
+specify a list of directories, use the environment variable returned by
+X509_get_default_cert_path_env().
+
+=head1 RETURN VALUES
+
+These functions return pointers to constant strings with static storage
+duration.
+
+=head1 SEE ALSO
+
+L<X509_LOOKUP(3)>,
+L<SSL_CTX_set_default_verify_file(3)>,
+L<SSL_CTX_set_default_verify_dir(3)>,
+L<SSL_CTX_set_default_verify_store(3)>,
+L<SSL_CTX_load_verify_file(3)>,
+L<SSL_CTX_load_verify_dir(3)>,
+L<SSL_CTX_load_verify_store(3)>,
+L<SSL_CTX_load_verify_locations(3)>
+
+=head1 HISTORY
+
+X509_get_default_cert_uri(), X509_get_default_cert_path_env() and
+X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1.
+
+=head1 COPYRIGHT
+
+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -13,6 +13,8 @@
# include <stdlib.h>
# include <string.h>
+# include "openssl/configuration.h"
+# include "internal/e_os.h" /* ossl_inline in many files */
# ifdef OPENSSL_USE_APPLINK
# define BIO_FLAGS_UPLINK_INTERNAL 0x8000
@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM);
# define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf"
# endif
+#ifndef OPENSSL_NO_WINSTORE
+# define X509_CERT_URI "org.openssl.winstore://"
+#else
+# define X509_CERT_URI ""
+#endif
+
+# define X509_CERT_URI_EVP "SSL_CERT_URI"
+# define X509_CERT_PATH_EVP "SSL_CERT_PATH"
# define X509_CERT_DIR_EVP "SSL_CERT_DIR"
# define X509_CERT_FILE_EVP "SSL_CERT_FILE"
# define CTLOG_FILE_EVP "CTLOG_FILE"
@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_
# endif
return path[0] == '/';
}
-
#endif
--- a/include/internal/e_os.h
+++ b/include/internal/e_os.h
@@ -249,7 +249,7 @@ FILE *__iob_func();
/***********************************************/
# if defined(OPENSSL_SYS_WINDOWS)
-# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
+# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
# define open _open
# define fdopen _fdopen
# define close _close
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
const char *X509_get_default_cert_area(void);
+const char *X509_get_default_cert_uri(void);
const char *X509_get_default_cert_dir(void);
const char *X509_get_default_cert_file(void);
+const char *X509_get_default_cert_uri_env(void);
+const char *X509_get_default_cert_path_env(void);
const char *X509_get_default_cert_dir_env(void);
const char *X509_get_default_cert_file_env(void);
const char *X509_get_default_private_dir(void);
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP
extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[];
extern const OSSL_DISPATCH ossl_file_store_functions[];
+extern const OSSL_DISPATCH ossl_winstore_store_functions[];
--- a/providers/implementations/storemgmt/build.info
+++ b/providers/implementations/storemgmt/build.info
@@ -4,3 +4,6 @@
$STORE_GOAL=../../libdefault.a
SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c
+IF[{- !$disabled{winstore} -}]
+ SOURCE[$STORE_GOAL]=winstore_store.c
+ENDIF
--- /dev/null
+++ b/providers/implementations/storemgmt/winstore_store.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include <openssl/store.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/core_names.h>
+#include <openssl/core_object.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/params.h>
+#include <openssl/decoder.h>
+#include <openssl/proverr.h>
+#include <openssl/store.h> /* The OSSL_STORE_INFO type numbers */
+#include "internal/cryptlib.h"
+#include "internal/o_dir.h"
+#include "crypto/decoder.h"
+#include "crypto/ctype.h" /* ossl_isdigit() */
+#include "prov/implementations.h"
+#include "prov/bio.h"
+#include "file_store_local.h"
+
+#include <wincrypt.h>
+
+enum {
+ STATE_IDLE,
+ STATE_READ,
+ STATE_EOF,
+};
+
+struct winstore_ctx_st {
+ void *provctx;
+ char *propq;
+ unsigned char *subject;
+ size_t subject_len;
+
+ HCERTSTORE win_store;
+ const CERT_CONTEXT *win_ctx;
+ int state;
+
+ OSSL_DECODER_CTX *dctx;
+};
+
+static void winstore_win_reset(struct winstore_ctx_st *ctx)
+{
+ if (ctx->win_ctx != NULL) {
+ CertFreeCertificateContext(ctx->win_ctx);
+ ctx->win_ctx = NULL;
+ }
+
+ ctx->state = STATE_IDLE;
+}
+
+static void winstore_win_advance(struct winstore_ctx_st *ctx)
+{
+ CERT_NAME_BLOB name = {0};
+
+ if (ctx->state == STATE_EOF)
+ return;
+
+ name.cbData = ctx->subject_len;
+ name.pbData = ctx->subject;
+
+ ctx->win_ctx = (name.cbData == 0 ? NULL :
+ CertFindCertificateInStore(ctx->win_store,
+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+ 0, CERT_FIND_SUBJECT_NAME,
+ &name, ctx->win_ctx));
+
+ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ;
+}
+
+static void *winstore_open(void *provctx, const char *uri)
+{
+ struct winstore_ctx_st *ctx = NULL;
+
+ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:"))
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx == NULL)
+ return NULL;
+
+ ctx->provctx = provctx;
+ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT");
+ if (ctx->win_store == NULL) {
+ OPENSSL_free(ctx);
+ return NULL;
+ }
+
+ winstore_win_reset(ctx);
+ return ctx;
+}
+
+static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin)
+{
+ return NULL; /* not supported */
+}
+
+static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[])
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+ const OSSL_PARAM *p;
+ int do_reset = 0;
+
+ if (params == NULL)
+ return 1;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
+ if (p != NULL) {
+ do_reset = 1;
+ OPENSSL_free(ctx->propq);
+ ctx->propq = NULL;
+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0))
+ return 0;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
+ if (p != NULL) {
+ const unsigned char *der = NULL;
+ size_t der_len = 0;
+
+ if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len))
+ return 0;
+
+ do_reset = 1;
+
+ OPENSSL_free(ctx->subject);
+
+ ctx->subject = OPENSSL_malloc(der_len);
+ if (ctx->subject == NULL) {
+ ctx->subject_len = 0;
+ return 0;
+ }
+
+ ctx->subject_len = der_len;
+ memcpy(ctx->subject, der, der_len);
+ }
+
+ if (do_reset) {
+ winstore_win_reset(ctx);
+ winstore_win_advance(ctx);
+ }
+
+ return 1;
+}
+
+struct load_data_st {
+ OSSL_CALLBACK *object_cb;
+ void *object_cbarg;
+};
+
+static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst,
+ const OSSL_PARAM *params, void *construct_data)
+{
+ struct load_data_st *data = construct_data;
+ return data->object_cb(params, data->object_cbarg);
+}
+
+static void load_cleanup(void *construct_data)
+{
+ /* No-op. */
+}
+
+static int setup_decoder(struct winstore_ctx_st *ctx)
+{
+ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx);
+ const OSSL_ALGORITHM *to_algo = NULL;
+
+ if (ctx->dctx != NULL)
+ return 1;
+
+ ctx->dctx = OSSL_DECODER_CTX_new();
+ if (ctx->dctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ for (to_algo = ossl_any_to_obj_algorithm;
+ to_algo->algorithm_names != NULL;
+ to_algo++) {
+ OSSL_DECODER *to_obj = NULL;
+ OSSL_DECODER_INSTANCE *to_obj_inst = NULL;
+
+ /*
+ * Create the internal last resort decoder implementation
+ * together with a "decoder instance".
+ * The decoder doesn't need any identification or to be
+ * attached to any provider, since it's only used locally.
+ */
+ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL);
+ if (to_obj != NULL)
+ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx);
+
+ OSSL_DECODER_free(to_obj);
+ if (to_obj_inst == NULL)
+ goto err;
+
+ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx,
+ to_obj_inst)) {
+ ossl_decoder_instance_free(to_obj_inst);
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+ }
+
+ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ return 1;
+
+err:
+ OSSL_DECODER_CTX_free(ctx->dctx);
+ ctx->dctx = NULL;
+ return 0;
+}
+
+static int winstore_load_using(struct winstore_ctx_st *ctx,
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg,
+ const void *der, size_t der_len)
+{
+ struct load_data_st data;
+ const unsigned char *der_ = der;
+ size_t der_len_ = der_len;
+
+ if (setup_decoder(ctx) == 0)
+ return 0;
+
+ data.object_cb = object_cb;
+ data.object_cbarg = object_cbarg;
+
+ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data);
+ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg);
+
+ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0)
+ return 0;
+
+ return 1;
+}
+
+static int winstore_load(void *loaderctx,
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
+{
+ int ret = 0;
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ if (ctx->state != STATE_READ)
+ return 0;
+
+ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg,
+ ctx->win_ctx->pbCertEncoded,
+ ctx->win_ctx->cbCertEncoded);
+
+ if (ret == 1)
+ winstore_win_advance(ctx);
+
+ return ret;
+}
+
+static int winstore_eof(void *loaderctx)
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ return ctx->state != STATE_READ;
+}
+
+static int winstore_close(void *loaderctx)
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ winstore_win_reset(ctx);
+ CertCloseStore(ctx->win_store, 0);
+ OSSL_DECODER_CTX_free(ctx->dctx);
+ OPENSSL_free(ctx->propq);
+ OPENSSL_free(ctx->subject);
+ OPENSSL_free(ctx);
+ return 1;
+}
+
+const OSSL_DISPATCH ossl_winstore_store_functions[] = {
+ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open },
+ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach },
+ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params },
+ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params },
+ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load },
+ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof },
+ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close },
+ { 0, NULL },
+};
--- a/providers/stores.inc
+++ b/providers/stores.inc
@@ -12,3 +12,6 @@
#endif
STORE("file", "yes", ossl_file_store_functions)
+#ifndef OPENSSL_NO_WINSTORE
+STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions)
+#endif
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
+X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION:
+X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION:
+X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION:
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3)
X509_get1_email(3)
X509_get1_ocsp(3)
X509_get_default_cert_area(3)
-X509_get_default_cert_dir(3)
-X509_get_default_cert_dir_env(3)
-X509_get_default_cert_file(3)
-X509_get_default_cert_file_env(3)
X509_get_default_private_dir(3)
X509_get_pubkey_parameters(3)
X509_get_signature_type(3)

217
openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch Normal file
View File

@ -0,0 +1,217 @@
From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Tue, 1 Mar 2022 15:44:18 +0100
Subject: Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = yes
NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1
in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because
on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level
to 2.
On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security
level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and
we want the legacy crypto policy to allow SHA-1 in TLS, the only option
to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is
SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to
allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which
will allow SHA-1 in OpenSSL 3).
The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because
rh-allow-sha1-signatures will default to yes in Fedora (according to our
current plans including until F38), and the security level in the
DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the
default configuration.
Related: rhbz#2055796
Related: rhbz#2070977
---
crypto/x509/x509_vfy.c | 20 ++++++++++-
doc/man5/config.pod | 7 ++++
ssl/t1_lib.c | 67 ++++++++++++++++++++++++++++-------
test/recipes/25-test_verify.t | 4 +--
4 files changed, 82 insertions(+), 16 deletions(-)
Index: openssl-3.1.4/crypto/x509/x509_vfy.c
===================================================================
--- openssl-3.1.4.orig/crypto/x509/x509_vfy.c
+++ openssl-3.1.4/crypto/x509/x509_vfy.c
@@ -25,6 +25,7 @@
#include <openssl/objects.h>
#include <openssl/core_names.h>
#include "internal/dane.h"
+#include "internal/sslconf.h"
#include "crypto/x509.h"
#include "x509_local.h"
@@ -3438,14 +3439,31 @@ static int check_sig_level(X509_STORE_CT
{
int secbits = -1;
int level = ctx->param->auth_level;
+ int nid;
+ OSSL_LIB_CTX *libctx = NULL;
if (level <= 0)
return 1;
if (level > NUM_AUTH_LEVELS)
level = NUM_AUTH_LEVELS;
- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
+ if (ctx->libctx)
+ libctx = ctx->libctx;
+ else if (cert->libctx)
+ libctx = cert->libctx;
+ else
+ libctx = OSSL_LIB_CTX_get0_global_default();
+
+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
return 0;
+ if ((nid == NID_sha1 || nid == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+ && ctx->param->auth_level < 2)
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+
return secbits >= minbits_table[level - 1];
}
Index: openssl-3.1.4/doc/man5/config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/config.pod
+++ openssl-3.1.4/doc/man5/config.pod
@@ -317,6 +317,13 @@ this option is set to B<no>. Because TL
pseudorandom function (PRF) to derive key material, disabling
B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
+Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
+algorithms that use SHA1 in security level 1, despite the definition of
+security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.
+This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on
+Fedora without requiring to set the security level to 0, which would include
+further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.
+
This is a downstream specific option, and normally it should be set up via crypto-policies.
=item B<fips_mode> (deprecated)
Index: openssl-3.1.4/ssl/t1_lib.c
===================================================================
--- openssl-3.1.4.orig/ssl/t1_lib.c
+++ openssl-3.1.4/ssl/t1_lib.c
@@ -20,6 +20,7 @@
#include <openssl/bn.h>
#include <openssl/provider.h>
#include <openssl/param_build.h>
+#include "crypto/x509.h"
#include "internal/sslconf.h"
#include "internal/nelem.h"
#include "internal/sizes.h"
@@ -1588,19 +1589,28 @@ int tls12_check_peer_sigalg(SSL *s, uint
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
return 0;
}
- /*
- * Make sure security callback allows algorithm. For historical
- * reasons we have to pass the sigalg as a two byte char array.
- */
- sigalgstr[0] = (sig >> 8) & 0xff;
- sigalgstr[1] = sig & 0xff;
- secbits = sigalg_security_bits(s->ctx, lu);
- if (secbits == 0 ||
- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
- md != NULL ? EVP_MD_get_type(md) : NID_undef,
- (void *)sigalgstr)) {
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
- return 0;
+
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
+ && SSL_get_security_level(s) < 2) {
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ } else {
+ /*
+ * Make sure security callback allows algorithm. For historical
+ * reasons we have to pass the sigalg as a two byte char array.
+ */
+ sigalgstr[0] = (sig >> 8) & 0xff;
+ sigalgstr[1] = sig & 0xff;
+ secbits = sigalg_security_bits(s->ctx, lu);
+ if (secbits == 0 ||
+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+ md != NULL ? EVP_MD_get_type(md) : NID_undef,
+ (void *)sigalgstr)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
+ return 0;
+ }
}
/* Store the sigalg the peer uses */
s->s3.tmp.peer_sigalg = lu;
@@ -2138,6 +2148,15 @@ static int tls12_sigalg_allowed(const SS
}
}
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
+ && SSL_get_security_level(s) < 2) {
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+ }
+
/* Finally see if security callback allows it */
secbits = sigalg_security_bits(s->ctx, lu);
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
@@ -3007,6 +3026,8 @@ static int ssl_security_cert_sig(SSL *s,
{
/* Lookup signature algorithm digest */
int secbits, nid, pknid;
+ OSSL_LIB_CTX *libctx = NULL;
+
/* Don't check signature if self signed */
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
return 1;
@@ -3015,6 +3036,26 @@ static int ssl_security_cert_sig(SSL *s,
/* If digest NID not defined use signature NID */
if (nid == NID_undef)
nid = pknid;
+
+ if (x && x->libctx)
+ libctx = x->libctx;
+ else if (ctx && ctx->libctx)
+ libctx = ctx->libctx;
+ else if (s && s->ctx && s->ctx->libctx)
+ libctx = s->ctx->libctx;
+ else
+ libctx = OSSL_LIB_CTX_get0_global_default();
+
+ if ((nid == NID_sha1 || nid == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+ && ((s != NULL && SSL_get_security_level(s) < 2)
+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)
+ ))
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+
if (s)
return ssl_security(s, op, secbits, nid, x);
else
Index: openssl-3.1.4/test/recipes/25-test_verify.t
===================================================================
--- openssl-3.1.4.orig/test/recipes/25-test_verify.t
+++ openssl-3.1.4/test/recipes/25-test_verify.t
@@ -439,8 +439,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");
-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
- "Reject PSS signature using SHA1 and auth level 1");
+ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+ "Reject PSS signature using SHA1 and auth level 2");
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
"PSS signature using SHA256 and auth level 2");

150
openssl-Allow-disabling-of-SHA1-signatures.patch
View File

@ -26,11 +26,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
util/libcrypto.num | 2 +
15 files changed, 209 insertions(+), 9 deletions(-)
Index: openssl-3.2.3/crypto/context.c
Index: openssl-3.1.4/crypto/context.c
===================================================================
--- openssl-3.2.3.orig/crypto/context.c
+++ openssl-3.2.3/crypto/context.c
@@ -82,6 +82,8 @@ struct ossl_lib_ctx_st {
--- openssl-3.1.4.orig/crypto/context.c
+++ openssl-3.1.4/crypto/context.c
@@ -78,6 +78,8 @@ struct ossl_lib_ctx_st {
void *fips_prov;
#endif
@ -39,7 +39,7 @@ Index: openssl-3.2.3/crypto/context.c
unsigned int ischild:1;
};
@@ -222,6 +224,10 @@ static int context_init(OSSL_LIB_CTX *ct
@@ -206,6 +208,10 @@ static int context_init(OSSL_LIB_CTX *ct
goto err;
#endif
@ -50,7 +50,7 @@ Index: openssl-3.2.3/crypto/context.c
/* Low priority. */
#ifndef FIPS_MODULE
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
@@ -365,6 +371,11 @@ static void context_deinit_objs(OSSL_LIB
@@ -334,6 +340,11 @@ static void context_deinit_objs(OSSL_LIB
}
#endif
@ -62,7 +62,7 @@ Index: openssl-3.2.3/crypto/context.c
/* Low priority. */
#ifndef FIPS_MODULE
if (ctx->child_provider != NULL) {
@@ -662,6 +673,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX
@@ -625,6 +636,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX
return ctx->fips_prov;
#endif
@ -72,10 +72,10 @@ Index: openssl-3.2.3/crypto/context.c
default:
return NULL;
}
Index: openssl-3.2.3/crypto/evp/evp_cnf.c
Index: openssl-3.1.4/crypto/evp/evp_cnf.c
===================================================================
--- openssl-3.2.3.orig/crypto/evp/evp_cnf.c
+++ openssl-3.2.3/crypto/evp/evp_cnf.c
--- openssl-3.1.4.orig/crypto/evp/evp_cnf.c
+++ openssl-3.1.4/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <openssl/crypto.h>
@ -103,10 +103,10 @@ Index: openssl-3.2.3/crypto/evp/evp_cnf.c
} else {
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value);
Index: openssl-3.2.3/crypto/evp/m_sigver.c
Index: openssl-3.1.4/crypto/evp/m_sigver.c
===================================================================
--- openssl-3.2.3.orig/crypto/evp/m_sigver.c
+++ openssl-3.2.3/crypto/evp/m_sigver.c
--- openssl-3.1.4.orig/crypto/evp/m_sigver.c
+++ openssl-3.1.4/crypto/evp/m_sigver.c
@@ -15,6 +15,69 @@
#include "internal/provider.h"
#include "internal/numbers.h" /* includes SIZE_MAX */
@ -177,7 +177,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
#ifndef FIPS_MODULE
@@ -253,6 +316,18 @@ static int do_sigver_init(EVP_MD_CTX *ct
@@ -251,6 +314,18 @@ static int do_sigver_init(EVP_MD_CTX *ct
}
}
@ -196,10 +196,10 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
if (ver) {
if (signature->digest_verify_init == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
Index: openssl-3.2.3/crypto/evp/pmeth_lib.c
Index: openssl-3.1.4/crypto/evp/pmeth_lib.c
===================================================================
--- openssl-3.2.3.orig/crypto/evp/pmeth_lib.c
+++ openssl-3.2.3/crypto/evp/pmeth_lib.c
--- openssl-3.1.4.orig/crypto/evp/pmeth_lib.c
+++ openssl-3.1.4/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
#include "internal/ffc.h"
#include "internal/numbers.h"
@ -208,7 +208,7 @@ Index: openssl-3.2.3/crypto/evp/pmeth_lib.c
#include "evp_local.h"
#ifndef FIPS_MODULE
@@ -951,6 +952,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_
@@ -959,6 +960,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_
return -2;
}
@ -229,10 +229,10 @@ Index: openssl-3.2.3/crypto/evp/pmeth_lib.c
if (fallback)
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
Index: openssl-3.2.3/doc/man5/config.pod
Index: openssl-3.1.4/doc/man5/config.pod
===================================================================
--- openssl-3.2.3.orig/doc/man5/config.pod
+++ openssl-3.2.3/doc/man5/config.pod
--- openssl-3.1.4.orig/doc/man5/config.pod
+++ openssl-3.1.4/doc/man5/config.pod
@@ -304,6 +304,21 @@ Within the algorithm properties section,
The value may be anything that is acceptable as a property query
string for EVP_set_default_properties().
@ -255,35 +255,35 @@ Index: openssl-3.2.3/doc/man5/config.pod
=item B<fips_mode> (deprecated)
The value is a boolean that can be B<yes> or B<no>. If the value is
Index: openssl-3.2.3/include/crypto/context.h
Index: openssl-3.1.4/include/crypto/context.h
===================================================================
--- openssl-3.2.3.orig/include/crypto/context.h
+++ openssl-3.2.3/include/crypto/context.h
@@ -46,3 +46,6 @@ void ossl_release_default_drbg_ctx(void)
#if defined(OPENSSL_THREADS)
void ossl_threads_ctx_free(void *);
#endif
--- openssl-3.1.4.orig/include/crypto/context.h
+++ openssl-3.1.4/include/crypto/context.h
@@ -40,3 +40,6 @@ void ossl_rand_crng_ctx_free(void *);
void ossl_thread_event_ctx_free(void *);
void ossl_fips_prov_ossl_ctx_free(void *);
void ossl_release_default_drbg_ctx(void);
+
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *);
+void ossl_ctx_legacy_digest_signatures_free(void *);
Index: openssl-3.2.3/include/internal/cryptlib.h
Index: openssl-3.1.4/include/internal/cryptlib.h
===================================================================
--- openssl-3.2.3.orig/include/internal/cryptlib.h
+++ openssl-3.2.3/include/internal/cryptlib.h
@@ -117,7 +117,8 @@ typedef struct ossl_ex_data_global_st {
--- openssl-3.1.4.orig/include/internal/cryptlib.h
+++ openssl-3.1.4/include/internal/cryptlib.h
@@ -178,7 +178,8 @@ typedef struct ossl_ex_data_global_st {
# define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16
# define OSSL_LIB_CTX_BIO_CORE_INDEX 17
# define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
# define OSSL_LIB_CTX_THREAD_INDEX 19
# define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
-# define OSSL_LIB_CTX_MAX_INDEXES 20
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21
+# define OSSL_LIB_CTX_MAX_INDEXES 21
-# define OSSL_LIB_CTX_MAX_INDEXES 19
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 19
+# define OSSL_LIB_CTX_MAX_INDEXES 20
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
Index: openssl-3.2.3/include/internal/sslconf.h
Index: openssl-3.1.4/include/internal/sslconf.h
===================================================================
--- openssl-3.2.3.orig/include/internal/sslconf.h
+++ openssl-3.2.3/include/internal/sslconf.h
--- openssl-3.1.4.orig/include/internal/sslconf.h
+++ openssl-3.1.4/include/internal/sslconf.h
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name,
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
char **arg);
@ -293,10 +293,10 @@ Index: openssl-3.2.3/include/internal/sslconf.h
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
+ int loadconfig);
#endif
Index: openssl-3.2.3/providers/common/securitycheck.c
Index: openssl-3.1.4/providers/common/securitycheck.c
===================================================================
--- openssl-3.2.3.orig/providers/common/securitycheck.c
+++ openssl-3.2.3/providers/common/securitycheck.c
--- openssl-3.1.4.orig/providers/common/securitycheck.c
+++ openssl-3.1.4/providers/common/securitycheck.c
@@ -19,6 +19,7 @@
#include <openssl/core_names.h>
#include <openssl/obj_mac.h>
@ -336,10 +336,10 @@ Index: openssl-3.2.3/providers/common/securitycheck.c
+
return 1;
}
Index: openssl-3.2.3/providers/common/securitycheck_default.c
Index: openssl-3.1.4/providers/common/securitycheck_default.c
===================================================================
--- openssl-3.2.3.orig/providers/common/securitycheck_default.c
+++ openssl-3.2.3/providers/common/securitycheck_default.c
--- openssl-3.1.4.orig/providers/common/securitycheck_default.c
+++ openssl-3.1.4/providers/common/securitycheck_default.c
@@ -15,6 +15,7 @@
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
@ -373,11 +373,11 @@ Index: openssl-3.2.3/providers/common/securitycheck_default.c
+ mdnid = -1;
return mdnid;
}
Index: openssl-3.2.3/providers/implementations/signature/dsa_sig.c
Index: openssl-3.1.4/providers/implementations/signature/dsa_sig.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/signature/dsa_sig.c
+++ openssl-3.2.3/providers/implementations/signature/dsa_sig.c
@@ -125,12 +125,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
--- openssl-3.1.4.orig/providers/implementations/signature/dsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/dsa_sig.c
@@ -123,12 +123,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
mdprops = ctx->propq;
if (mdname != NULL) {
@ -398,11 +398,11 @@ Index: openssl-3.2.3/providers/implementations/signature/dsa_sig.c
if (md == NULL || md_nid < 0) {
if (md == NULL)
Index: openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
Index: openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
@@ -247,7 +247,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
--- openssl-3.1.4.orig/providers/implementations/signature/ecdsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
"%s could not be fetched", mdname);
return 0;
}
@ -414,10 +414,10 @@ Index: openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
if (md_nid < 0) {
Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
@@ -25,6 +25,7 @@
#include "internal/cryptlib.h"
#include "internal/nelem.h"
@ -434,7 +434,7 @@ Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
OSSL_FUNC_signature_newctx_fn rsa_newctx;
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
@@ -317,10 +319,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
@@ -302,10 +304,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
if (mdname != NULL) {
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
@ -452,7 +452,7 @@ Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
if (md == NULL
|| md_nid <= 0
@@ -1408,8 +1415,15 @@ static int rsa_set_ctx_params(void *vprs
@@ -1386,8 +1393,15 @@ static int rsa_set_ctx_params(void *vprs
prsactx->pad_mode = pad_mode;
if (prsactx->md == NULL && pmdname == NULL
@ -469,10 +469,10 @@ Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
if (pmgf1mdname != NULL
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
Index: openssl-3.2.3/ssl/t1_lib.c
Index: openssl-3.1.4/ssl/t1_lib.c
===================================================================
--- openssl-3.2.3.orig/ssl/t1_lib.c
+++ openssl-3.2.3/ssl/t1_lib.c
--- openssl-3.1.4.orig/ssl/t1_lib.c
+++ openssl-3.1.4/ssl/t1_lib.c
@@ -20,6 +20,7 @@
#include <openssl/bn.h>
#include <openssl/provider.h>
@ -481,23 +481,21 @@ Index: openssl-3.2.3/ssl/t1_lib.c
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
@@ -1508,6 +1509,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
uint16_t *tls12_sigalgs_list = NULL;
@@ -1172,11 +1173,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
= OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
EVP_PKEY *tmpkey = EVP_PKEY_new();
int ret = 0;
+ int ldsigs_allowed;
if (ctx == NULL)
goto err;
@@ -1523,6 +1525,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
if (cache == NULL || tmpkey == NULL)
goto err;
ERR_set_mark();
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
/* First fill cache and tls12_sigalgs list from legacy algorithm list */
for (i = 0, lu = sigalg_lookup_tbl;
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
@@ -1544,6 +1547,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
EVP_PKEY_CTX *pctx;
@@ -1196,6 +1199,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
cache[i].enabled = 0;
continue;
}
@ -509,13 +507,13 @@ Index: openssl-3.2.3/ssl/t1_lib.c
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
cache[i].enabled = 0;
Index: openssl-3.2.3/util/libcrypto.num
Index: openssl-3.1.4/util/libcrypto.num
===================================================================
--- openssl-3.2.3.orig/util/libcrypto.num
+++ openssl-3.2.3/util/libcrypto.num
@@ -5537,3 +5537,5 @@ X509_STORE_CTX_set_current_reasons
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION:
--- openssl-3.1.4.orig/util/libcrypto.num
+++ openssl-3.1.4/util/libcrypto.num
@@ -5439,3 +5439,5 @@ X509_get_default_cert_uri
X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION:
X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION:
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:

172
openssl-CVE-2023-5678.patch Normal file
View File

@ -0,0 +1,172 @@
From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Fri, 20 Oct 2023 09:18:19 +0200
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
We already check for an excessively large P in DH_generate_key(), but not in
DH_check_pub_key(), and none of them check for an excessively large Q.
This change adds all the missing excessive size checks of P and Q.
It's to be noted that behaviours surrounding excessively sized P and Q
differ. DH_check() raises an error on the excessively sized P, but only
sets a flag for the excessively sized Q. This behaviour is mimicked in
DH_check_pub_key().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22518)
---
crypto/dh/dh_check.c | 12 ++++++++++++
crypto/dh/dh_err.c | 3 ++-
crypto/dh/dh_key.c | 12 ++++++++++++
crypto/err/openssl.txt | 1 +
include/crypto/dherr.h | 2 +-
include/openssl/dh.h | 6 +++---
include/openssl/dherr.h | 3 ++-
7 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 7ba2beae7fd6b..e20eb62081c5e 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
*/
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
{
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+ return 0;
+ }
+
+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+ return 1;
+ }
+
return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
}
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index 4152397426cc9..f76ac0dd1463f 100644
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
"unable to check generator"},
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index d84ea99241b9e..afc49f5cdc87d 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
goto err;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ goto err;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
return 0;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ return 0;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index a1e6bbb617fcb..69e4f61aa1801 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
DH_R_NO_PRIVATE_VALUE:100:no private value
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
DH_R_SHARED_INFO_ERROR:113:shared info error
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
index bb24d131eb887..519327f795742 100644
--- a/include/crypto/dherr.h
+++ b/include/crypto/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 8bc17448a0817..f1c0ed06b375a 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams)
# define DH_GENERATOR_3 3
# define DH_GENERATOR_5 5
-/* DH_check error codes */
+/* DH_check error codes, some of them shared with DH_check_pub_key */
/*
* NB: These values must align with the equivalently named macros in
* internal/ffc.h.
@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams)
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
# define DH_NOT_SUITABLE_GENERATOR 0x08
# define DH_CHECK_Q_NOT_PRIME 0x10
-# define DH_CHECK_INVALID_Q_VALUE 0x20
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
# define DH_CHECK_INVALID_J_VALUE 0x40
# define DH_MODULUS_TOO_SMALL 0x80
-# define DH_MODULUS_TOO_LARGE 0x100
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
/* DH_check_pub_key error codes */
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
index 5d2a762a96f8c..074a70145f9f5 100644
--- a/include/openssl/dherr.h
+++ b/include/openssl/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -50,6 +50,7 @@
# define DH_R_NO_PRIVATE_VALUE 100
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
+# define DH_R_Q_TOO_LARGE 130
# define DH_R_SHARED_INFO_ERROR 113
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121

109
openssl-CVE-2023-6129.patch Normal file
View File

@ -0,0 +1,109 @@
From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001
From: Rohan McLure <rmclure@linux.ibm.com>
Date: Thu, 4 Jan 2024 10:25:50 +0100
Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
Fixes CVE-2023-6129
The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs saves the the contents of vector registers in different order
than they are restored. Thus the contents of some of these vector registers
is corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)
(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
---
crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
index 9f86134d923fb..2e601bb9c24be 100755
--- a/crypto/poly1305/asm/poly1305-ppc.pl
+++ b/crypto/poly1305/asm/poly1305-ppc.pl
@@ -744,7 +744,7 @@
my $LOCALS= 6*$SIZE_T;
my $VSXFRAME = $LOCALS + 6*$SIZE_T;
$VSXFRAME += 128; # local variables
- $VSXFRAME += 13*16; # v20-v31 offload
+ $VSXFRAME += 12*16; # v20-v31 offload
my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
@@ -919,12 +919,12 @@
addi r11,r11,32
stvx v22,r10,$sp
addi r10,r10,32
- stvx v23,r10,$sp
- addi r10,r10,32
- stvx v24,r11,$sp
+ stvx v23,r11,$sp
addi r11,r11,32
- stvx v25,r10,$sp
+ stvx v24,r10,$sp
addi r10,r10,32
+ stvx v25,r11,$sp
+ addi r11,r11,32
stvx v26,r10,$sp
addi r10,r10,32
stvx v27,r11,$sp
@@ -1153,12 +1153,12 @@
addi r11,r11,32
stvx v22,r10,$sp
addi r10,r10,32
- stvx v23,r10,$sp
- addi r10,r10,32
- stvx v24,r11,$sp
+ stvx v23,r11,$sp
addi r11,r11,32
- stvx v25,r10,$sp
+ stvx v24,r10,$sp
addi r10,r10,32
+ stvx v25,r11,$sp
+ addi r11,r11,32
stvx v26,r10,$sp
addi r10,r10,32
stvx v27,r11,$sp
@@ -1899,26 +1899,26 @@
mtspr 256,r12 # restore vrsave
lvx v20,r10,$sp
addi r10,r10,32
- lvx v21,r10,$sp
- addi r10,r10,32
- lvx v22,r11,$sp
+ lvx v21,r11,$sp
addi r11,r11,32
- lvx v23,r10,$sp
+ lvx v22,r10,$sp
addi r10,r10,32
- lvx v24,r11,$sp
+ lvx v23,r11,$sp
addi r11,r11,32
- lvx v25,r10,$sp
+ lvx v24,r10,$sp
addi r10,r10,32
- lvx v26,r11,$sp
+ lvx v25,r11,$sp
addi r11,r11,32
- lvx v27,r10,$sp
+ lvx v26,r10,$sp
addi r10,r10,32
- lvx v28,r11,$sp
+ lvx v27,r11,$sp
addi r11,r11,32
- lvx v29,r10,$sp
+ lvx v28,r10,$sp
addi r10,r10,32
- lvx v30,r11,$sp
- lvx v31,r10,$sp
+ lvx v29,r11,$sp
+ addi r11,r11,32
+ lvx v30,r10,$sp
+ lvx v31,r11,$sp
$POP r27,`$VSXFRAME-$SIZE_T*5`($sp)
$POP r28,`$VSXFRAME-$SIZE_T*4`($sp)
$POP r29,`$VSXFRAME-$SIZE_T*3`($sp)

122
openssl-CVE-2023-6237.patch Normal file
View File

@ -0,0 +1,122 @@
From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 22 Dec 2023 16:25:56 +0100
Subject: [PATCH] Limit the execution time of RSA public key check
Fixes CVE-2023-6237
If a large and incorrect RSA public key is checked with
EVP_PKEY_public_check() the computation could take very long time
due to no limit being applied to the RSA public key size and
unnecessarily high number of Miller-Rabin algorithm rounds
used for non-primality check of the modulus.
Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
Also the number of Miller-Rabin rounds was set to 5.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)
(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)
---
crypto/rsa/rsa_sp800_56b_check.c | 8 +++-
test/recipes/91-test_pkey_check.t | 2 +-
.../91-test_pkey_check_data/rsapub_17k.pem | 48 +++++++++++++++++++
3 files changed, 56 insertions(+), 2 deletions(-)
create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
index fc8f19b48770b..bcbdd24fb8199 100644
--- a/crypto/rsa/rsa_sp800_56b_check.c
+++ b/crypto/rsa/rsa_sp800_56b_check.c
@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
return 0;
nbits = BN_num_bits(rsa->n);
+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
#ifdef FIPS_MODULE
/*
* (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
goto err;
}
- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
+ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
#ifdef FIPS_MODULE
if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
#else
diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
index dc7cc64533af2..f8088df14d36c 100644
--- a/test/recipes/91-test_pkey_check.t
+++ b/test/recipes/91-test_pkey_check.t
@@ -70,7 +70,7 @@ push(@positive_tests, (
"dhpkey.pem"
)) unless disabled("dh");
-my @negative_pubtests = ();
+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key
push(@negative_pubtests, (
"dsapub_noparam.der"
diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
new file mode 100644
index 0000000000000..9a2eaedaf1b22
--- /dev/null
+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
@@ -0,0 +1,48 @@
+-----BEGIN PUBLIC KEY-----
+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
+AQAB
+-----END PUBLIC KEY-----

120
openssl-CVE-2024-0727.patch Normal file
View File

@ -0,0 +1,120 @@
From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 19 Jan 2024 11:28:58 +0000
Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
optional and can be NULL even if the "type" is a valid value. OpenSSL
was not properly accounting for this and a NULL dereference can occur
causing a crash.
CVE-2024-0727
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23362)
(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
---
crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++
crypto/pkcs12/p12_mutl.c | 5 +++++
crypto/pkcs12/p12_npas.c | 5 +++--
crypto/pkcs7/pk7_mime.c | 7 +++++--
4 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
index 6fd4184af5a52..80ce31b3bca66 100644
--- a/crypto/pkcs12/p12_add.c
+++ b/crypto/pkcs12/p12_add.c
@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+
+ if (p7->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
}
@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
{
if (!PKCS7_type_is_encrypted(p7))
return NULL;
+
+ if (p7->d.encrypted == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
pass, passlen,
@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+
+ if (p12->authsafes->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
p7s = ASN1_item_unpack(p12->authsafes->d.data,
ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
if (p7s != NULL) {
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index 67a885a45f89e..68ff54d0e90ee 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
return 0;
}
+ if (p12->authsafes->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return 0;
+ }
+
salt = p12->mac->salt->data;
saltlen = p12->mac->salt->length;
if (p12->mac->iter == NULL)
diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
index 62230bc6187ff..1e5b5495991a4 100644
--- a/crypto/pkcs12/p12_npas.c
+++ b/crypto/pkcs12/p12_npas.c
@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
bags = PKCS12_unpack_p7data(p7);
} else if (bagnid == NID_pkcs7_encrypted) {
bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
- &pbe_nid, &pbe_iter, &pbe_saltlen))
+ if (p7->d.encrypted == NULL
+ || !alg_get(p7->d.encrypted->enc_data->algorithm,
+ &pbe_nid, &pbe_iter, &pbe_saltlen))
goto err;
} else {
continue;
diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
index 49a0da5f819c4..8228315eeaa3a 100644
--- a/crypto/pkcs7/pk7_mime.c
+++ b/crypto/pkcs7/pk7_mime.c
@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
int ctype_nid = OBJ_obj2nid(p7->type);
const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
- if (ctype_nid == NID_pkcs7_signed)
+ if (ctype_nid == NID_pkcs7_signed) {
+ if (p7->d.sign == NULL)
+ return 0;
mdalgs = p7->d.sign->md_algs;
- else
+ } else {
mdalgs = NULL;
+ }
flags ^= SMIME_OLDMIME;

116
openssl-CVE-2024-2511.patch Normal file
View File

@ -0,0 +1,116 @@
From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 5 Mar 2024 15:43:53 +0000
Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
In TLSv1.3 we create a new session object for each ticket that we send.
We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
use then the new session will be added to the session cache. However, if
early data is not in use (and therefore anti-replay protection is being
used), then multiple threads could be resuming from the same session
simultaneously. If this happens and a problem occurs on one of the threads,
then the original session object could be marked as not_resumable. When we
duplicate the session object this not_resumable status gets copied into the
new session object. The new session object is then added to the session
cache even though it is not_resumable.
Subsequently, another bug means that the session_id_length is set to 0 for
sessions that are marked as not_resumable - even though that session is
still in the cache. Once this happens the session can never be removed from
the cache. When that object gets to be the session cache tail object the
cache never shrinks again and grows indefinitely.
CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
---
ssl/ssl_lib.c | 5 +++--
ssl/ssl_sess.c | 28 ++++++++++++++++++++++------
ssl/statem/statem_srvr.c | 5 ++---
3 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b5cc4af2f0302..e747b7f90aa71 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode)
/*
* If the session_id_length is 0, we are not supposed to cache it, and it
- * would be rather hard to do anyway :-)
+ * would be rather hard to do anyway :-). Also if the session has already
+ * been marked as not_resumable we should not cache it for later reuse.
*/
- if (s->session->session_id_length == 0)
+ if (s->session->session_id_length == 0 || s->session->not_resumable)
return;
/*
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index bf84e792251b8..241cf43c46296 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void)
return ss;
}
-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-{
- return ssl_session_dup(src, 1);
-}
-
/*
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
* ticket == 0 then no ticket information is duplicated, otherwise it is.
*/
-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
{
SSL_SESSION *dest;
@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
return NULL;
}
+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+{
+ return ssl_session_dup_intern(src, 1);
+}
+
+/*
+ * Used internally when duplicating a session which might be already shared.
+ * We will have resumed the original session. Subsequently we might have marked
+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
+ * resume from.
+ */
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+{
+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
+
+ if (sess != NULL)
+ sess->not_resumable = 0;
+
+ return sess;
+}
+
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
{
if (len)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 5d59d53563ed8..8e493176f658e 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
* so the following won't overwrite an ID that we're supposed
* to send back.
*/
- if (s->session->not_resumable ||
- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
- && !s->hit))
+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+ && !s->hit)
s->session->session_id_length = 0;
if (usetls13) {

199
openssl-CVE-2024-4603.patch Normal file
View File

@ -0,0 +1,199 @@
From 9c39b3858091c152f52513c066ff2c5a47969f0d Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Wed, 8 May 2024 15:23:45 +0200
Subject: [PATCH] Check DSA parameters for excessive sizes before validating
This avoids overly long computation of various validation
checks.
Fixes CVE-2024-4603
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24346)
(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
---
CHANGES.md | 17 ++++++
crypto/dsa/dsa_check.c | 44 ++++++++++++--
.../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++
3 files changed, 114 insertions(+), 4 deletions(-)
create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
Index: openssl-3.1.4/crypto/dsa/dsa_check.c
===================================================================
--- openssl-3.1.4.orig/crypto/dsa/dsa_check.c
+++ openssl-3.1.4/crypto/dsa/dsa_check.c
@@ -19,8 +19,34 @@
#include "dsa_local.h"
#include "crypto/dsa.h"
+static int dsa_precheck_params(const DSA *dsa, int *ret)
+{
+ if (dsa->params.p == NULL || dsa->params.q == NULL) {
+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
+ *ret = FFC_CHECK_INVALID_PQ;
+ return 0;
+ }
+
+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
+ *ret = FFC_CHECK_INVALID_PQ;
+ return 0;
+ }
+
+ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
+ *ret = FFC_CHECK_INVALID_PQ;
+ return 0;
+ }
+
+ return 1;
+}
+
int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
{
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
FFC_PARAM_TYPE_DSA, ret);
@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa
*/
int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
{
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
&& *ret == 0;
}
@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *ds
*/
int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
{
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
&& *ret == 0;
}
@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *d
{
*ret = 0;
- return (dsa->params.q != NULL
- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
+ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
}
/*
@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *d
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL;
- if (dsa->params.p == NULL
- || dsa->params.g == NULL
+ if (!dsa_precheck_params(dsa, &ret))
+ return 0;
+
+ if (dsa->params.g == NULL
|| dsa->priv_key == NULL
|| dsa->pub_key == NULL)
return 0;
Index: openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
===================================================================
--- /dev/null
+++ openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
@@ -0,0 +1,57 @@
+-----BEGIN DSA PARAMETERS-----
+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
+vKuje86bePD6kD/LH3wmkA==
+-----END DSA PARAMETERS-----
Index: openssl-3.1.4/CHANGES.md
===================================================================
--- openssl-3.1.4.orig/CHANGES.md
+++ openssl-3.1.4/CHANGES.md
@@ -22,6 +22,23 @@ OpenSSL Releases
OpenSSL 3.1
-----------
+ * Fixed an issue where checking excessively long DSA keys or parameters may
+ be very slow.
+
+ Applications that use the functions EVP_PKEY_param_check() or
+ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
+ experience long delays. Where the key or parameters that are being checked
+ have been obtained from an untrusted source this may lead to a Denial of
+ Service.
+
+ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
+ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
+ reason.
+
+ ([CVE-2024-4603])
+
+ *Tomáš Mráz*
+
### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
* Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),

28
openssl-CVE-2024-4741.patch Normal file
View File

@ -0,0 +1,28 @@
@@ -, +, @@
---
ssl/record/methods/tls_common.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- openssl-3.0.8/ssl/record/ssl3_buffer.c
+++ openssl-3.0.8/ssl/record/ssl3_buffer.c
@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s)
OPENSSL_cleanse(b->buf, b->len);
OPENSSL_free(b->buf);
b->buf = NULL;
+ s->rlayer.packet = NULL;
+ s->rlayer.packet_length = 0;
return 1;
}
--- openssl-3.0.8/ssl/record/rec_layer_s3.c
+++ openssl-3.0.8/ssl/record/rec_layer_s3.c
@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t
s->rlayer.packet_length = 0;
/* ... now we can act as if 'extend' was set */
}
+ if (!ossl_assert(s->rlayer.packet != NULL)) {
+ /* does not happen */
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
len = s->rlayer.packet_length;
pkt = rb->buf + align;

326
openssl-CVE-2024-5535.patch Normal file
View File

@ -0,0 +1,326 @@
From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:14:33 +0100
Subject: [PATCH] Fix SSL_select_next_proto
Ensure that the provided client list is non-NULL and starts with a valid
entry. When called from the ALPN callback the client list should already
have been validated by OpenSSL so this should not cause a problem. When
called from the NPN callback the client list is locally configured and
will not have already been validated. Therefore SSL_select_next_proto
should not assume that it is correctly formatted.
We implement stricter checking of the client protocol list. We also do the
same for the server list while we are about it.
CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
1 file changed, 40 insertions(+), 23 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5493d9b9c7..f218dcf1db 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2953,37 +2953,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
unsigned int server_len,
const unsigned char *client, unsigned int client_len)
{
- unsigned int i, j;
- const unsigned char *result;
- int status = OPENSSL_NPN_UNSUPPORTED;
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
+
+ if (!PACKET_buf_init(&cpkt, client, client_len)
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
+ || PACKET_remaining(&csubpkt) == 0) {
+ *out = NULL;
+ *outlen = 0;
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ /*
+ * Set the default opportunistic protocol. Will be overwritten if we find
+ * a match.
+ */
+ *out = (unsigned char *)PACKET_data(&csubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
/*
* For each protocol in server preference order, see if we support it.
*/
- for (i = 0; i < server_len;) {
- for (j = 0; j < client_len;) {
- if (server[i] == client[j] &&
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
- /* We found a match */
- result = &server[i];
- status = OPENSSL_NPN_NEGOTIATED;
- goto found;
+ if (PACKET_buf_init(&spkt, server, server_len)) {
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
+ if (PACKET_remaining(&ssubpkt) == 0)
+ continue; /* Invalid - ignore it */
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
+ PACKET_remaining(&ssubpkt))) {
+ /* We found a match */
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
+ return OPENSSL_NPN_NEGOTIATED;
+ }
+ }
+ /* Ignore spurious trailing bytes in the client list */
+ } else {
+ /* This should never happen */
+ return OPENSSL_NPN_NO_OVERLAP;
}
- j += client[j];
- j++;
}
- i += server[i];
- i++;
+ /* Ignore spurious trailing bytes in the server list */
}
- /* There's no overlap between our protocols and the server's list. */
- result = client;
- status = OPENSSL_NPN_NO_OVERLAP;
-
- found:
- *out = (unsigned char *)result + 1;
- *outlen = result[0];
- return status;
+ /*
+ * There's no overlap between our protocols and the server's list. We use
+ * the default opportunistic protocol selected earlier
+ */
+ return OPENSSL_NPN_NO_OVERLAP;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
--
2.45.2
From 4279c89a726025c758db3dafb263b17e52211304 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:18:27 +0100
Subject: [PATCH] More correctly handle a selected_len of 0 when
processing NPN
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
the selected_len is 0 we should fail. Previously this would fail with an
internal_error alert because calling OPENSSL_malloc(selected_len) will
return NULL when selected_len is 0. We make this error detection more
explicit and return a handshake failure alert.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/statem/extensions_clnt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 842be0722b..a07dc62e9a 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
PACKET_data(pkt),
PACKET_remaining(pkt),
s->ctx->ext.npn_select_cb_arg) !=
- SSL_TLSEXT_ERR_OK) {
+ SSL_TLSEXT_ERR_OK
+ || selected_len == 0) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
return 0;
}
--
2.45.2
From 889ed19ba25abebd2690997acd6d4791cbe5c493 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:46:38 +0100
Subject: [PATCH] Clarify the SSL_select_next_proto() documentation
We clarify the input preconditions and the expected behaviour in the event
of no overlap.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
index 102e657851..a29557dd91 100644
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
set the list of protocols available to be negotiated. The B<protos> must be in
protocol-list format, described below. The length of B<protos> is specified in
-B<protos_len>.
+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
+protocols and no ALPN extension will be sent to the server.
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
server to select which protocol to use for the incoming connection. When B<cb>
@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
described below. The first item in the B<server>, B<server_len> list that
matches an item in the B<client>, B<client_len> list is selected, and returned
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
-B<client>, so it should be copied immediately. If no match is found, the first
-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
-function can also be used in the NPN callback.
+B<client>, so it should be copied immediately. The client list must include at
+least one valid (nonempty) protocol entry in the list.
+
+The SSL_select_next_proto() helper function can be useful from either the ALPN
+callback or the NPN callback (described below). If no match is found, the first
+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
+SSL_select_next_proto().
SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
client needs to select a protocol from the server's provided list, and a
@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
The length of the protocol name must be written into B<outlen>. The
server's advertised protocols are provided in B<in> and B<inlen>. The
callback can assume that B<in> is syntactically valid. The client must
-select a protocol. It is fatal to the connection if this callback returns
-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
-set via SSL_CTX_set_next_proto_select_cb().
+select a protocol (although it may be an empty, zero length protocol). It is
+fatal to the connection if this callback returns a value other than
+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
when a TLS server needs a list of supported protocols for Next Protocol
@@ -149,7 +158,8 @@ A match was found and is returned in B<out>, B<outlen>.
=item OPENSSL_NPN_NO_OVERLAP
No match was found. The first item in B<client>, B<client_len> is returned in
-B<out>, B<outlen>.
+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
+B<client> is invalid).
=back
--
2.45.2
From 087501b4f572825e27ca8cc2c5874fcf6fd47cf7 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 10:41:55 +0100
Subject: [PATCH] Correct return values for
tls_construct_stoc_next_proto_neg
Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
rather than EXT_RETURN_SENT. This actually makes no difference at all to
the current control flow since this return value is ignored in this case
anyway. But lets make it correct anyway.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/statem/extensions_srvr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 4ea085e1a1..2da880450f 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1476,9 +1476,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
return EXT_RETURN_FAIL;
}
s->s3.npn_seen = 1;
+ return EXT_RETURN_SENT;
}
- return EXT_RETURN_SENT;
+ return EXT_RETURN_NOT_SENT;
}
#endif
--
2.45.2
From 017e54183b95617825fb9316d618c154a34c634e Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 11:51:54 +0100
Subject: [PATCH] Add ALPN validation in the client
The ALPN protocol selected by the server must be one that we originally
advertised. We should verify that it is.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index a07dc62e9a..b21ccf9273 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1566,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx)
{
size_t len;
+ PACKET confpkt, protpkt;
+ int valid = 0;
/* We must have requested it. */
if (!s->s3.alpn_sent) {
@@ -1584,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
return 0;
}
+
+ /* It must be a protocol that we sent */
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
+ if (PACKET_remaining(&protpkt) != len)
+ continue;
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
+ /* Valid protocol found */
+ valid = 1;
+ break;
+ }
+ }
+
+ if (!valid) {
+ /* The protocol sent from the server does not match one we advertised */
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+ return 0;
+ }
+
OPENSSL_free(s->s3.alpn_selected);
s->s3.alpn_selected = OPENSSL_malloc(len);
if (s->s3.alpn_selected == NULL) {
--
2.45.2

255
openssl-CVE-2024-6119.patch Normal file
View File

@ -0,0 +1,255 @@
commit 97ebe37033e8884f4cca5544a74376633c665e11
Author: Viktor Dukhovni <viktor@openssl.org>
Date: Wed Jun 19 21:04:11 2024 +1000
Avoid type errors in EAI-related name check logic.
The incorrectly typed data is read only, used in a compare operation, so
neither remote code execution, nor memory content disclosure were possible.
However, applications performing certificate name checks were vulnerable to
denial of service.
The GENERAL_TYPE data type is a union, and we must take care to access the
correct member, based on `gen->type`, not all the member fields have the same
structure, and a segfault is possible if the wrong member field is read.
The code in question was lightly refactored with the intent to make it more
obviously correct.
CVE-2024-6119
(cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1)
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 1a18174995..a09414c972 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
ASN1_STRING *cstr;
gen = sk_GENERAL_NAME_value(gens, i);
- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
- if (OBJ_obj2nid(gen->d.otherName->type_id) ==
- NID_id_on_SmtpUTF8Mailbox) {
- san_present = 1;
-
- /*
- * If it is not a UTF8String then that is unexpected and we
- * treat it as no match
- */
- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
- cstr = gen->d.otherName->value->value.utf8string;
-
- /* Positive on success, negative on error! */
- if ((rv = do_check_string(cstr, 0, equal, flags,
- chk, chklen, peername)) != 0)
- break;
- }
- } else
+ switch (gen->type) {
+ default:
+ continue;
+ case GEN_OTHERNAME:
+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
+ default:
continue;
- } else {
- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
+ case NID_id_on_SmtpUTF8Mailbox:
+ /*-
+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3
+ *
+ * Due to name constraint compatibility reasons described
+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
+ * be used unless the local-part of the email address
+ * contains non-ASCII characters. When the local-part is
+ * ASCII, rfc822Name subjectAltName MUST be used instead
+ * of SmtpUTF8Mailbox. This is compatible with legacy
+ * software that supports only rfc822Name (and not
+ * SmtpUTF8Mailbox). [...]
+ *
+ * SmtpUTF8Mailbox is encoded as UTF8String.
+ *
+ * If it is not a UTF8String then that is unexpected, and
+ * we ignore the invalid SAN (neither set san_present nor
+ * consider it a candidate for equality). This does mean
+ * that the subject CN may be considered, as would be the
+ * case when the malformed SmtpUtf8Mailbox SAN is instead
+ * simply absent.
+ *
+ * When CN-ID matching is not desirable, applications can
+ * choose to turn it off, doing so is at this time a best
+ * practice.
+ */
+ if (check_type != GEN_EMAIL
+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
+ continue;
+ alt_type = 0;
+ cstr = gen->d.otherName->value->value.utf8string;
+ break;
+ }
+ break;
+ case GEN_EMAIL:
+ if (check_type != GEN_EMAIL)
continue;
- }
- san_present = 1;
- if (check_type == GEN_EMAIL)
cstr = gen->d.rfc822Name;
- else if (check_type == GEN_DNS)
+ break;
+ case GEN_DNS:
+ if (check_type != GEN_DNS)
+ continue;
cstr = gen->d.dNSName;
- else
+ break;
+ case GEN_IPADD:
+ if (check_type != GEN_IPADD)
+ continue;
cstr = gen->d.iPAddress;
+ break;
+ }
+ san_present = 1;
/* Positive on success, negative on error! */
if ((rv = do_check_string(cstr, alt_type, equal, flags,
chk, chklen, peername)) != 0)
diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
index 522982ddfb..e18735d89a 100644
--- a/test/recipes/25-test_eai_data.t
+++ b/test/recipes/25-test_eai_data.t
@@ -21,16 +21,18 @@ setup("test_eai_data");
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
-plan tests => 12;
+plan tests => 16;
require_ok(srctop_file('test','recipes','tconversion.pl'));
my $folder = "test/recipes/25-test_eai_data";
my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
my $utf8_pem = srctop_file($folder, "utf8_leaf.pem");
+my $kdc_pem = srctop_file($folder, "kdc-cert.pem");
my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem");
+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem");
my $out;
my $outcnt = 0;
@@ -56,10 +58,18 @@ SKIP: {
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem])));
+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+
#Check that we get the expected failure return code
with({ exit_checker => sub { return shift == 2; } },
sub {
diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
new file mode 100644
index 0000000000..e8a2c6f55d
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
+oDQ9fKfUOAmUFth2/R/eGA==
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
new file mode 100644
index 0000000000..a74c96bf31
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
new file mode 100755
index 0000000000..7a8dbc719f
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc.sh
@@ -0,0 +1,41 @@
+#! /usr/bin/env bash
+
+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should
+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
+# should likewise lead to ASAN issues with email name checks.
+
+rm -f root-key.pem root-cert.pem
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
+
+exts=$(
+ printf "%s\n%s\n%s\n%s = " \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid" \
+ "basicConstraints = CA:false" \
+ "subjectAltName"
+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
+ printf "%s, " "email:joe@example.com"
+ printf "%s\n" "DNS:mx1.example.com"
+ printf "[kdc_princ_name]\n"
+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
+ printf "[kdc_principal_seq]\n"
+ printf "name_type = EXP:0, INTEGER:1\n"
+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
+ printf "[kdc_principal_components]\n"
+ printf "princ1 = GeneralString:krbtgt\n"
+ printf "princ2 = GeneralString:TEST.EXAMPLE\n"
+ )
+
+printf "%s\n" "$exts"
+
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
+ -subj "/CN=TEST.EXAMPLE" |
+ openssl x509 -req -out kdc-cert.pem \
+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
+ -set_serial 2 -days 36524 \
+ -extfile <(printf "%s\n" "$exts")

64
openssl-DEFAULT_SUSE_cipher.patch Normal file
View File

@ -0,0 +1,64 @@
Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c
===================================================================
--- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c
+++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c
@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*/
ok = 1;
rule_p = rule_str;
- if (strncmp(rule_str, "DEFAULT", 7) == 0) {
+ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
+ &head, &tail, ca_list, c);
+ rule_p += 12;
+ if (*rule_p == ':')
+ rule_p++;
+ }
+ else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
&head, &tail, ca_list, c);
rule_p += 7;
Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
===================================================================
--- /dev/null
+++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
@@ -0,0 +1,23 @@
+#! /usr/bin/env perl
+
+use strict;
+use warnings;
+
+use OpenSSL::Test qw/:DEFAULT/;
+use OpenSSL::Test::Utils;
+
+setup("test_default_ciphersuites");
+
+plan tests => 6;
+
+my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT");
+
+foreach my $cipherlist (@cipher_suites) {
+ ok(run(app(["openssl", "ciphers", "-s", $cipherlist])),
+ "openssl ciphers works with ciphersuite $cipherlist");
+ ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)),
+ "$cipherlist shouldn't contain MD5, DES or RC4\n");
+ ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)),
+ "$cipherlist should contain TLSv1.3 ciphers\n");
+}
+
Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
===================================================================
--- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in
+++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in
@@ -189,6 +189,11 @@ extern "C" {
*/
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
+ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+ "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
/*
* This is the default set of TLSv1.3 ciphersuites
* DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()

19
openssl-Disable-default-provider-for-test-suite.patch Normal file
View File

@ -0,0 +1,19 @@
Index: openssl-3.1.4/apps/openssl.cnf
===================================================================
--- openssl-3.1.4.orig/apps/openssl.cnf
+++ openssl-3.1.4/apps/openssl.cnf
@@ -70,11 +70,11 @@ engines = engine_section
# to side-channel attacks and as such have been deprecated.
[provider_sect]
-default = default_sect
+##default = default_sect
##legacy = legacy_sect
-[default_sect]
-activate = 1
+##[default_sect]
+##activate = 1
##[legacy_sect]
##activate = 1

28
openssl-Enable-BTI-feature-for-md5-on-aarch64.patch Normal file
View File

@ -0,0 +1,28 @@
From d2bfec6e464aeb247a2d6853668d4e473f19e15f Mon Sep 17 00:00:00 2001
From: "fangming.fang" <fangming.fang@arm.com>
Date: Thu, 7 Dec 2023 06:17:51 +0000
Subject: [PATCH] Enable BTI feature for md5 on aarch64
Fixes: #22959
---
crypto/md5/asm/md5-aarch64.pl | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl
index 3200a0fa9bff0..5a8608069691d 100755
--- a/crypto/md5/asm/md5-aarch64.pl
+++ b/crypto/md5/asm/md5-aarch64.pl
@@ -28,10 +28,13 @@
*STDOUT=*OUT;
$code .= <<EOF;
+#include "arm_arch.h"
+
.text
.globl ossl_md5_block_asm_data_order
.type ossl_md5_block_asm_data_order,\@function
ossl_md5_block_asm_data_order:
+ AARCH64_VALID_CALL_TARGET
// Save all callee-saved registers
stp x19,x20,[sp,#-80]!
stp x21,x22,[sp,#16]

125
openssl-FIPS-140-3-DRBG.patch
View File

@ -1,66 +1,8 @@
Index: openssl-3.2.3/crypto/rand/prov_seed.c
Index: openssl-3.1.4/providers/implementations/rands/drbg.c
===================================================================
--- openssl-3.2.3.orig/crypto/rand/prov_seed.c
+++ openssl-3.2.3/crypto/rand/prov_seed.c
@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused
size_t entropy_available;
RAND_POOL *pool;
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
+ /*
+ * OpenSSL still implements an internal entropy pool of
+ * some size that is hashed to get seed data.
+ * Note that this is a conditioning step for which SP800-90C requires
+ * 64 additional bits from the entropy source to claim the requested
+ * amount of entropy.
+ */
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
if (pool == NULL) {
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
return 0;
Index: openssl-3.2.3/crypto/rand/rand_lib.c
===================================================================
--- openssl-3.2.3.orig/crypto/rand/rand_lib.c
+++ openssl-3.2.3/crypto/rand/rand_lib.c
@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB
return ret;
}
-#ifndef FIPS_MODULE
- if (dgbl->seed == NULL) {
- ERR_set_mark();
- dgbl->seed = rand_new_seed(ctx);
- ERR_pop_to_mark();
- }
-#endif
-
- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
+ ret = dgbl->primary = rand_new_drbg(ctx, NULL,
PRIMARY_RESEED_INTERVAL,
PRIMARY_RESEED_TIME_INTERVAL, 1);
/*
Index: openssl-3.2.3/providers/implementations/rands/crngt.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/rands/crngt.c
+++ openssl-3.2.3/providers/implementations/rands/crngt.c
@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
* to the nearest byte. If the entropy is of less than full quality,
* the amount required should be scaled up appropriately here.
*/
- bytes_needed = (entropy + 7) / 8;
+ /*
+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy
+ * + 128 bits during initial seeding
+ */
+ bytes_needed = (entropy + 128 + 7) / 8;
if (bytes_needed < min_len)
bytes_needed = min_len;
if (bytes_needed > max_len)
Index: openssl-3.2.3/providers/implementations/rands/drbg.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/rands/drbg.c
+++ openssl-3.2.3/providers/implementations/rands/drbg.c
@@ -569,6 +569,9 @@ static int ossl_prov_drbg_reseed_unlocke
--- openssl-3.1.4.orig/providers/implementations/rands/drbg.c
+++ openssl-3.1.4/providers/implementations/rands/drbg.c
@@ -570,6 +570,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
#endif
}
@ -70,7 +12,7 @@ Index: openssl-3.2.3/providers/implementations/rands/drbg.c
/* Reseed using our sources in addition */
entropylen = get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen, drbg->max_entropylen,
@@ -690,8 +693,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
@@ -662,8 +665,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
reseed_required = 1;
}
if (drbg->parent != NULL
@ -85,11 +27,48 @@ Index: openssl-3.2.3/providers/implementations/rands/drbg.c
+ }
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
Index: openssl-3.2.3/providers/implementations/rands/drbg_local.h
if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0,
Index: openssl-3.1.4/crypto/rand/prov_seed.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/rands/drbg_local.h
+++ openssl-3.2.3/providers/implementations/rands/drbg_local.h
--- openssl-3.1.4.orig/crypto/rand/prov_seed.c
+++ openssl-3.1.4/crypto/rand/prov_seed.c
@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused
size_t entropy_available;
RAND_POOL *pool;
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
+ /*
+ * OpenSSL still implements an internal entropy pool of
+ * some size that is hashed to get seed data.
+ * Note that this is a conditioning step for which SP800-90C requires
+ * 64 additional bits from the entropy source to claim the requested
+ * amount of entropy.
+ */
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
if (pool == NULL) {
ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE);
return 0;
Index: openssl-3.1.4/providers/implementations/rands/crngt.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/rands/crngt.c
+++ openssl-3.1.4/providers/implementations/rands/crngt.c
@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
* to the nearest byte. If the entropy is of less than full quality,
* the amount required should be scaled up appropriately here.
*/
- bytes_needed = (entropy + 7) / 8;
+ /*
+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy
+ * + 128 bits during initial seeding
+ */
+ bytes_needed = (entropy + 128 + 7) / 8;
if (bytes_needed < min_len)
bytes_needed = min_len;
if (bytes_needed > max_len)
Index: openssl-3.1.4/providers/implementations/rands/drbg_local.h
===================================================================
--- openssl-3.1.4.orig/providers/implementations/rands/drbg_local.h
+++ openssl-3.1.4/providers/implementations/rands/drbg_local.h
@@ -38,7 +38,7 @@
*
* The value is in bytes.
@ -99,11 +78,11 @@ Index: openssl-3.2.3/providers/implementations/rands/drbg_local.h
/*
* Maximum input size for the DRBG (entropy, nonce, personalization string)
Index: openssl-3.2.3/providers/implementations/rands/seed_src.c
Index: openssl-3.1.4/providers/implementations/rands/seed_src.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/rands/seed_src.c
+++ openssl-3.2.3/providers/implementations/rands/seed_src.c
@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
--- openssl-3.1.4.orig/providers/implementations/rands/seed_src.c
+++ openssl-3.1.4/providers/implementations/rands/seed_src.c
@@ -104,7 +104,14 @@ static int seed_src_generate(void *vseed
return 0;
}
@ -117,9 +96,9 @@ Index: openssl-3.2.3/providers/implementations/rands/seed_src.c
+ */
+ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
if (pool == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return 0;
@@ -182,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
@@ -184,7 +191,14 @@ static size_t seed_get_seed(void *vseed,
size_t i;
RAND_POOL *pool;

76
openssl-FIPS-140-3-keychecks.patch
View File

@ -1,25 +1,23 @@
From 4512f620199126e6b87433ef184f0450652ee28a Mon Sep 17 00:00:00 2001
From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 4 Apr 2024 11:42:18 +0200
Subject: [PATCH 19/50] 0044-FIPS-140-3-keychecks.patch
Date: Mon, 21 Aug 2023 12:05:23 +0200
Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch
Patch-name: 0044-FIPS-140-3-keychecks.patch
Patch-id: 44
Patch-status: |
# Extra public/private key checks required by FIPS-140-3
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/dh/dh_key.c | 26 ++++++++++
crypto/rsa/rsa_gen.c | 3 ++
.../implementations/exchange/ecdh_exch.c | 19 ++++++++
providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++-
providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
.../implementations/signature/ecdsa_sig.c | 37 +++++++++++++--
providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
7 files changed, 165 insertions(+), 9 deletions(-)
6 files changed, 162 insertions(+), 9 deletions(-)
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 7132b9b68e..189bfc3e8b 100644
index 4e9705beef..83773cceea 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
@ -32,7 +30,7 @@ index 7132b9b68e..189bfc3e8b 100644
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
@@ -60,6 +63,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
return 0;
}
@ -46,7 +44,7 @@ index 7132b9b68e..189bfc3e8b 100644
ctx = BN_CTX_new_ex(dh->libctx);
if (ctx == NULL)
goto err;
@@ -271,6 +281,9 @@ static int generate_key(DH *dh)
@@ -262,6 +272,9 @@ static int generate_key(DH *dh)
#endif
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
@ -56,7 +54,7 @@ index 7132b9b68e..189bfc3e8b 100644
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
@@ -369,8 +382,21 @@ static int generate_key(DH *dh)
@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
goto err;
@ -78,22 +76,8 @@ index 7132b9b68e..189bfc3e8b 100644
dh->dirty_cnt++;
ok = 1;
err:
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 0cdbb3fde2..65ff9d2d47 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -464,6 +464,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
rsa->dmp1 = NULL;
rsa->dmq1 = NULL;
rsa->iqmp = NULL;
+#ifdef FIPS_MODULE
+ abort();
+#endif /* defined(FIPS_MODULE) */
}
}
return ok;
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index 5b8412aba1..1d98eba132 100644
index 43caedb6df..73873f9758 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
@ -123,13 +107,13 @@ index 5b8412aba1..1d98eba132 100644
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 9390935394..1399be1751 100644
index a37cbbdba8..bca3f3c674 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -991,8 +991,17 @@ struct ec_gen_ctx {
@@ -989,8 +989,17 @@ struct ec_gen_ctx {
int selection;
int ecdh_mode;
EC_GROUP *gen_group;
unsigned char *dhkem_ikm;
size_t dhkem_ikmlen;
+#ifdef FIPS_MODULE
+ void *ecdsa_sig_ctx;
+#endif
@ -144,7 +128,7 @@ index 9390935394..1399be1751 100644
static void *ec_gen_init(void *provctx, int selection,
const OSSL_PARAM params[])
{
@@ -1011,6 +1020,10 @@ static void *ec_gen_init(void *provctx, int selection,
@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection,
gctx = NULL;
}
}
@ -155,7 +139,7 @@ index 9390935394..1399be1751 100644
return gctx;
}
@@ -1291,6 +1304,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
if (gctx->ecdh_mode != -1)
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
@ -167,8 +151,8 @@ index 9390935394..1399be1751 100644
+#endif
if (gctx->group_check != NULL)
ret = ret && ossl_ec_set_check_group_type_from_name(ec,
@@ -1361,7 +1380,10 @@ static void ec_gen_cleanup(void *genctx)
ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx)
if (gctx == NULL)
return;
@ -177,11 +161,11 @@ index 9390935394..1399be1751 100644
+ ecdsa_freectx(gctx->ecdsa_sig_ctx);
+ gctx->ecdsa_sig_ctx = NULL;
+#endif
OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen);
EC_GROUP_free(gctx->gen_group);
BN_free(gctx->p);
BN_free(gctx->a);
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index c24cb8da88..4462afa041 100644
index 3ba12c4889..ff49f8fcd8 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
@ -238,10 +222,10 @@ index c24cb8da88..4462afa041 100644
BN_clear_free(gctx->pub_exp);
OPENSSL_free(gctx);
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index fe65ed8dc6..f158105e71 100644
index 865d49d100..ebeb30e002 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -33,7 +33,7 @@
@@ -32,7 +32,7 @@
#include "crypto/ec.h"
#include "prov/der_ec.h"
@ -250,7 +234,7 @@ index fe65ed8dc6..f158105e71 100644
static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
static OSSL_FUNC_signature_sign_fn ecdsa_sign;
@@ -44,7 +44,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
@ -259,8 +243,8 @@ index fe65ed8dc6..f158105e71 100644
static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
@@ -107,7 +107,7 @@ typedef struct {
unsigned int nonce_type;
@@ -104,7 +104,7 @@ typedef struct {
#endif
} PROV_ECDSA_CTX;
-static void *ecdsa_newctx(void *provctx, const char *propq)
@ -268,7 +252,7 @@ index fe65ed8dc6..f158105e71 100644
{
PROV_ECDSA_CTX *ctx;
@@ -380,7 +380,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
}
@ -277,7 +261,7 @@ index fe65ed8dc6..f158105e71 100644
{
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
@@ -601,6 +601,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
return EVP_MD_settable_ctx_params(ctx->md);
}
@ -314,7 +298,7 @@ index fe65ed8dc6..f158105e71 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 76db37dd02..22d93ead53 100644
index cd5de6bd51..d4261e8f7d 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -34,7 +34,7 @@
@ -344,7 +328,7 @@ index 76db37dd02..22d93ead53 100644
{
PROV_RSA_CTX *prsactx = NULL;
char *propq_copy = NULL;
@@ -974,7 +974,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
}
@ -353,7 +337,7 @@ index 76db37dd02..22d93ead53 100644
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
@@ -1451,6 +1451,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
return EVP_MD_settable_ctx_params(prsactx->md);
}
@ -400,5 +384,5 @@ index 76db37dd02..22d93ead53 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
--
2.44.0
2.41.0

128
openssl-FIPS-140-3-zeroization.patch
View File

@ -1,8 +1,68 @@
Index: openssl-3.2.3/crypto/ec/ec_lib.c
Index: openssl-3.1.4/crypto/ffc/ffc_params.c
===================================================================
--- openssl-3.2.3.orig/crypto/ec/ec_lib.c
+++ openssl-3.2.3/crypto/ec/ec_lib.c
@@ -743,12 +743,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
--- openssl-3.1.4.orig/crypto/ffc/ffc_params.c
+++ openssl-3.1.4/crypto/ffc/ffc_params.c
@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
void ossl_ffc_params_cleanup(FFC_PARAMS *params)
{
- BN_free(params->p);
- BN_free(params->q);
- BN_free(params->g);
- BN_free(params->j);
+ BN_clear_free(params->p);
+ BN_clear_free(params->q);
+ BN_clear_free(params->g);
+ BN_clear_free(params->j);
OPENSSL_free(params->seed);
ossl_ffc_params_init(params);
}
Index: openssl-3.1.4/crypto/rsa/rsa_lib.c
===================================================================
--- openssl-3.1.4.orig/crypto/rsa/rsa_lib.c
+++ openssl-3.1.4/crypto/rsa/rsa_lib.c
@@ -155,8 +155,8 @@ void RSA_free(RSA *r)
CRYPTO_THREAD_lock_free(r->lock);
- BN_free(r->n);
- BN_free(r->e);
+ BN_clear_free(r->n);
+ BN_clear_free(r->e);
BN_clear_free(r->d);
BN_clear_free(r->p);
BN_clear_free(r->q);
Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/hkdf.c
+++ openssl-3.1.4/providers/implementations/kdfs/hkdf.c
@@ -118,7 +118,7 @@ static void kdf_hkdf_reset(void *vctx)
void *provctx = ctx->provctx;
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_free(ctx->prefix);
OPENSSL_free(ctx->label);
OPENSSL_clear_free(ctx->data, ctx->data_len);
Index: openssl-3.1.4/providers/implementations/kdfs/pbkdf2.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/pbkdf2.c
+++ openssl-3.1.4/providers/implementations/kdfs/pbkdf2.c
@@ -92,7 +92,7 @@ static void *kdf_pbkdf2_new(void *provct
static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
{
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_clear_free(ctx->pass, ctx->pass_len);
memset(ctx, 0, sizeof(*ctx));
}
Index: openssl-3.1.4/crypto/ec/ec_lib.c
===================================================================
--- openssl-3.1.4.orig/crypto/ec/ec_lib.c
+++ openssl-3.1.4/crypto/ec/ec_lib.c
@@ -752,12 +752,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
void EC_POINT_free(EC_POINT *point)
{
@ -19,63 +79,3 @@ Index: openssl-3.2.3/crypto/ec/ec_lib.c
}
void EC_POINT_clear_free(EC_POINT *point)
Index: openssl-3.2.3/crypto/ffc/ffc_params.c
===================================================================
--- openssl-3.2.3.orig/crypto/ffc/ffc_params.c
+++ openssl-3.2.3/crypto/ffc/ffc_params.c
@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
void ossl_ffc_params_cleanup(FFC_PARAMS *params)
{
- BN_free(params->p);
- BN_free(params->q);
- BN_free(params->g);
- BN_free(params->j);
+ BN_clear_free(params->p);
+ BN_clear_free(params->q);
+ BN_clear_free(params->g);
+ BN_clear_free(params->j);
OPENSSL_free(params->seed);
ossl_ffc_params_init(params);
}
Index: openssl-3.2.3/crypto/rsa/rsa_lib.c
===================================================================
--- openssl-3.2.3.orig/crypto/rsa/rsa_lib.c
+++ openssl-3.2.3/crypto/rsa/rsa_lib.c
@@ -159,8 +159,8 @@ void RSA_free(RSA *r)
CRYPTO_THREAD_lock_free(r->lock);
CRYPTO_FREE_REF(&r->references);
- BN_free(r->n);
- BN_free(r->e);
+ BN_clear_free(r->n);
+ BN_clear_free(r->e);
BN_clear_free(r->d);
BN_clear_free(r->p);
BN_clear_free(r->q);
Index: openssl-3.2.3/providers/implementations/kdfs/hkdf.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/kdfs/hkdf.c
+++ openssl-3.2.3/providers/implementations/kdfs/hkdf.c
@@ -117,7 +117,7 @@ static void kdf_hkdf_reset(void *vctx)
void *provctx = ctx->provctx;
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_free(ctx->prefix);
OPENSSL_free(ctx->label);
OPENSSL_clear_free(ctx->data, ctx->data_len);
Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/kdfs/pbkdf2.c
+++ openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
@@ -90,7 +90,7 @@ static void *kdf_pbkdf2_new(void *provct
static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
{
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_clear_free(ctx->pass, ctx->pass_len);
memset(ctx, 0, sizeof(*ctx));
}

52
openssl-FIPS-Add-explicit-indicator-for-key-length.patch
View File

@ -20,11 +20,11 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
4 files changed, 28 insertions(+)
Index: openssl-3.2.3/include/crypto/evp.h
Index: openssl-3.1.4/include/crypto/evp.h
===================================================================
--- openssl-3.2.3.orig/include/crypto/evp.h
+++ openssl-3.2.3/include/crypto/evp.h
@@ -206,6 +206,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_m
--- openssl-3.1.4.orig/include/crypto/evp.h
+++ openssl-3.1.4/include/crypto/evp.h
@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_m
const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
@ -38,11 +38,11 @@ Index: openssl-3.2.3/include/crypto/evp.h
struct evp_mac_st {
OSSL_PROVIDER *prov;
int name_id;
Index: openssl-3.2.3/include/openssl/evp.h
Index: openssl-3.1.4/include/openssl/evp.h
===================================================================
--- openssl-3.2.3.orig/include/openssl/evp.h
+++ openssl-3.2.3/include/openssl/evp.h
@@ -1199,6 +1199,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX
--- openssl-3.1.4.orig/include/openssl/evp.h
+++ openssl-3.1.4/include/openssl/evp.h
@@ -1196,6 +1196,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX
void *arg);
/* MAC stuff */
@ -52,20 +52,20 @@ Index: openssl-3.2.3/include/openssl/evp.h
EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
const char *properties);
Index: openssl-3.2.3/providers/implementations/macs/hmac_prov.c
Index: openssl-3.1.4/providers/implementations/macs/hmac_prov.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/macs/hmac_prov.c
+++ openssl-3.2.3/providers/implementations/macs/hmac_prov.c
@@ -23,6 +23,8 @@
#include "internal/ssl3_cbc.h"
--- openssl-3.1.4.orig/providers/implementations/macs/hmac_prov.c
+++ openssl-3.1.4/providers/implementations/macs/hmac_prov.c
@@ -21,6 +21,8 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
+#include "crypto/evp.h"
+
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
@@ -235,6 +237,9 @@ static int hmac_final(void *vmacctx, uns
@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, uns
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
@ -75,7 +75,7 @@ Index: openssl-3.2.3/providers/implementations/macs/hmac_prov.c
OSSL_PARAM_END
};
static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
@@ -256,6 +261,18 @@ static int hmac_get_ctx_params(void *vma
@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vma
&& !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
return 0;
@ -94,15 +94,15 @@ Index: openssl-3.2.3/providers/implementations/macs/hmac_prov.c
return 1;
}
Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
Index: openssl-3.1.4/include/openssl/core_names.h
===================================================================
--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
+++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
@@ -143,6 +143,7 @@ my %params = (
'MAC_PARAM_SIZE' => "size", # size_t
'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
+ 'MAC_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator", # size_t
--- openssl-3.1.4.orig/include/openssl/core_names.h
+++ openssl-3.1.4/include/openssl/core_names.h
@@ -175,6 +175,7 @@ extern "C" {
#define OSSL_MAC_PARAM_SIZE "size" /* size_t */
#define OSSL_MAC_PARAM_BLOCK_SIZE "block-size" /* size_t */
#define OSSL_MAC_PARAM_TLS_DATA_SIZE "tls-data-size" /* size_t */
+#define OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" /* size_t */
# KDF / PRF parameters
'KDF_PARAM_SECRET' => "secret", # octet string
/* Known MAC names */
#define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC"

29
openssl-FIPS-RSA-disable-shake.patch
View File

@ -10,11 +10,11 @@ Patch-id: 85
crypto/rsa/rsa_pss.c | 16 ++++++++++++++++
2 files changed, 44 insertions(+)
Index: openssl-3.1.7/crypto/rsa/rsa_oaep.c
===================================================================
--- openssl-3.1.7.orig/crypto/rsa/rsa_oaep.c
+++ openssl-3.1.7/crypto/rsa/rsa_oaep.c
@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index b2f7f7dc4b..af2b0b026c 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
return 0;
#endif
}
@ -38,7 +38,7 @@ Index: openssl-3.1.7/crypto/rsa/rsa_oaep.c
mdlen = EVP_MD_get_size(md);
if (mdlen <= 0) {
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH);
@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
#endif
}
@ -61,12 +61,12 @@ Index: openssl-3.1.7/crypto/rsa/rsa_oaep.c
+
mdlen = EVP_MD_get_size(md);
if (tlen <= 0 || flen <= 0 || mdlen <= 0)
Index: openssl-3.1.7/crypto/rsa/rsa_pss.c
===================================================================
--- openssl-3.1.7.orig/crypto/rsa/rsa_pss.c
+++ openssl-3.1.7/crypto/rsa/rsa_pss.c
@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa,
if (tlen <= 0 || flen <= 0)
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index bb46ec64c7..c0fdf232da 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
if (mgf1Hash == NULL)
mgf1Hash = Hash;
@ -81,7 +81,7 @@ Index: openssl-3.1.7/crypto/rsa/rsa_pss.c
hLen = EVP_MD_get_size(Hash);
if (hLen < 0)
goto err;
@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *
@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
if (mgf1Hash == NULL)
mgf1Hash = Hash;
@ -96,3 +96,6 @@ Index: openssl-3.1.7/crypto/rsa/rsa_pss.c
hLen = EVP_MD_get_size(Hash);
if (hLen < 0)
goto err;
--
2.41.0

56
openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
View File

@ -1,21 +1,36 @@
From 930e7acf7dd225102b6e88d23f5e2a3f4acea9fa Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 15:43:57 +0200
Subject: [PATCH 37/48]
0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
From 4de5fa26873297f5c2eeed53e5c988437f837f55 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 13:53:31 +0100
Subject: [PATCH] signature: Remove X9.31 padding from FIPS prov
Patch-name: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
Patch-id: 81
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
information in Appendix E:
> ANSI X9.31 was withdrawn, so X9.31 RSA signatures were removed from
> this standard.
Since this situation is unlikely to change in future revisions of the
draft, and future FIPS 140-3 validations of the provider will require
X9.31 to be disabled or marked as not approved with an explicit
indicator, disallow this padding mode now.
Remove the X9.31 tests from the acvp test, since they will always fail
now.
[1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
providers/implementations/signature/rsa_sig.c | 6 +
test/acvp_test.inc | 214 ------------------
2 files changed, 6 insertions(+), 214 deletions(-)
Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
@@ -1291,7 +1291,13 @@ static int rsa_set_ctx_params(void *vprs
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
@@ -1250,7 +1250,13 @@ static int rsa_set_ctx_params(void *vprs
err_extra_text = "No padding not allowed with RSA-PSS";
goto cont;
case RSA_X931_PADDING:
@ -29,10 +44,10 @@ Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
cont:
if (RSA_test_flags(prsactx->rsa,
RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
Index: openssl-3.2.3/test/acvp_test.inc
Index: openssl-3.1.4/test/acvp_test.inc
===================================================================
--- openssl-3.2.3.orig/test/acvp_test.inc
+++ openssl-3.2.3/test/acvp_test.inc
--- openssl-3.1.4.orig/test/acvp_test.inc
+++ openssl-3.1.4/test/acvp_test.inc
@@ -1214,13 +1214,6 @@ static const struct rsa_siggen_st rsa_si
NO_PSS_SALT_LEN,
},
@ -250,13 +265,24 @@ Index: openssl-3.2.3/test/acvp_test.inc
static const struct rsa_sigver_st rsa_sigver_data[] = {
{
"pkcs1", /* pkcs1v1.5 */
@@ -1850,17 +1647,6 @@ static const struct rsa_sigver_st rsa_si
@@ -1850,28 +1647,6 @@ static const struct rsa_sigver_st rsa_si
NO_PSS_SALT_LEN,
FAIL
},
- {
- "x931",
- 3072,
- "SHA1",
- ITM(rsa_sigverx931_0_msg),
- ITM(rsa_sigverx931_0_n),
- ITM(rsa_sigverx931_0_e),
- ITM(rsa_sigverx931_0_sig),
- NO_PSS_SALT_LEN,
- PASS
- },
- {
- "x931",
- 3072,
- "SHA256",
- ITM(rsa_sigverx931_1_msg),
- ITM(rsa_sigverx931_1_n),

70
openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
View File

@ -1,22 +1,22 @@
From 62721a92ebec8746888d94bea0082c8d8763219e Mon Sep 17 00:00:00 2001
From abeda0b0475adb0d4f89b0c97cfc349779915bbf Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 27/49]
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 29/35]
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
Patch-id: 73
Patch-status: |
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/rsa/rsa_local.h | 8 ++
crypto/rsa/rsa_oaep.c | 34 ++++++--
include/openssl/core_names.h | 3 +
providers/fips/self_test_data.inc | 79 ++++++++++---------
providers/fips/self_test_kats.c | 7 ++
.../implementations/asymciphers/rsa_enc.c | 41 +++++++++-
util/perl/OpenSSL/paramnames.pm | 1 +
6 files changed, 126 insertions(+), 44 deletions(-)
6 files changed, 128 insertions(+), 44 deletions(-)
diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
index ea70da05ad..dde57a1a0e 100644
@ -36,7 +36,7 @@ index ea70da05ad..dde57a1a0e 100644
+
#endif /* OSSL_CRYPTO_RSA_LOCAL_H */
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index b9030440c4..3d665c3860 100644
index d9be1a4f98..b2f7f7dc4b 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
@ -82,7 +82,7 @@ index b9030440c4..3d665c3860 100644
if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
goto err;
@@ -136,6 +146,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
return rv;
}
@ -101,8 +101,22 @@ index b9030440c4..3d665c3860 100644
int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
const unsigned char *from, int flen,
const unsigned char *param, int plen,
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 5e3c132f5b..c0cce14297 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -471,6 +471,9 @@ extern "C" {
#define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"
#define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"
#define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"
+#ifdef FIPS_MODULE
+#define OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED "suse-kat-oaep-seed"
+#endif
/*
* Encoder / decoder parameters
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 4b80bb70b9..c33ecd0791 100644
index e0fdc0daa4..aa2012c04a 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
@ -208,10 +222,10 @@ index 4b80bb70b9..c33ecd0791 100644
#ifndef OPENSSL_NO_EC
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index f13c41abd6..4ea10670c0 100644
index 74ee25dcb6..a9bc8be7fa 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -642,14 +642,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
@@ -641,14 +641,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
return ret;
}
@ -234,7 +248,7 @@ index f13c41abd6..4ea10670c0 100644
}
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index d548560f1f..f3443b0c66 100644
index 9cd8904131..40de5ce8fa 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -30,6 +30,9 @@
@ -254,10 +268,10 @@ index d548560f1f..f3443b0c66 100644
+#ifdef FIPS_MODULE
+ char *suse_st_oaep_seed;
+#endif /* FIPS_MODULE */
/* PKCS#1 v1.5 decryption mode */
unsigned int implicit_rejection;
} PROV_RSA_CTX;
@@ -193,12 +199,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
static void *rsa_newctx(void *provctx)
@@ -192,12 +198,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
}
}
ret =
@ -281,7 +295,7 @@ index d548560f1f..f3443b0c66 100644
if (!ret) {
OPENSSL_free(tbuf);
@@ -332,6 +347,9 @@ static void rsa_freectx(void *vprsactx)
@@ -328,6 +343,9 @@ static void rsa_freectx(void *vprsactx)
EVP_MD_free(prsactx->oaep_md);
EVP_MD_free(prsactx->mgf1_md);
OPENSSL_free(prsactx->oaep_label);
@ -291,17 +305,17 @@ index d548560f1f..f3443b0c66 100644
OPENSSL_free(prsactx);
}
@@ -455,6 +473,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
@@ -447,6 +465,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
NULL, 0),
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
+#ifdef FIPS_MODULE
+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED, NULL, 0),
+#endif /* FIPS_MODULE */
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
OSSL_PARAM_END
};
@@ -465,6 +486,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
@@ -456,6 +477,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
return known_gettable_ctx_params;
}
@ -312,7 +326,7 @@ index d548560f1f..f3443b0c66 100644
static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
@@ -576,6 +601,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
@@ -567,6 +592,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
prsactx->oaep_labellen = tmp_labellen;
}
@ -331,18 +345,6 @@ index d548560f1f..f3443b0c66 100644
p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
if (p != NULL) {
unsigned int client_version;
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index c37ed7815f..70f7c50fe4 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -401,6 +401,7 @@ my %params = (
'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version",
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
+ 'ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED' => "suse-kat-oaep-seed",
# Encoder / decoder parameters
--
2.44.0
2.41.0

141
openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
View File

@ -1,25 +1,32 @@
From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 28/49]
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 15 Jul 2022 17:45:40 +0200
Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test
Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
Patch-id: 74
Patch-status: |
# [PATCH 29/46]
# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
In review for FIPS 140-3, the lack of a self-test for the digest_sign
and digest_verify provider functions was highlighted as a problem. NIST
no longer provides ACVP tests for the RSA SigVer primitive (see
https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3
recommends the use of functions that compute the digest and signature
within the module, we have been advised in our module review that the
self tests should also use the combined digest and signature APIs, i.e.
the digest_sign and digest_verify provider functions.
Modify the signature self-test to use these instead by switching to
EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to
crypto/evp/m_sigver.c to make these functions usable in the FIPS module.
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
crypto/evp/m_sigver.c | 54 ++++++++++++++++++++++++++++-----
providers/fips/self_test_kats.c | 43 +++++++++++++++-----------
2 files changed, 73 insertions(+), 24 deletions(-)
crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------
providers/fips/self_test_kats.c | 37 +++++++++++++++-------------
2 files changed, 56 insertions(+), 24 deletions(-)
Index: openssl-3.2.3/crypto/evp/m_sigver.c
Index: openssl-3.1.4/crypto/evp/m_sigver.c
===================================================================
--- openssl-3.2.3.orig/crypto/evp/m_sigver.c
+++ openssl-3.2.3/crypto/evp/m_sigver.c
@@ -86,6 +86,7 @@ static int update(EVP_MD_CTX *ctx, const
--- openssl-3.1.4.orig/crypto/evp/m_sigver.c
+++ openssl-3.1.4/crypto/evp/m_sigver.c
@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const
ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
return 0;
}
@ -27,7 +34,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
/*
* If we get the "NULL" md then the name comes back as "UNDEF". We want to use
@@ -121,8 +122,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
reinit = 0;
if (e == NULL)
ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
@ -38,7 +45,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
}
if (ctx->pctx == NULL)
return 0;
@@ -132,8 +135,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
@@ -134,8 +137,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
locpctx = ctx->pctx;
ERR_set_mark();
@ -49,7 +56,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
/* do not reinitialize if pkey is set or operation is different */
if (reinit
@@ -218,8 +223,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
@@ -220,8 +225,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
signature =
evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
supported_sig, locpctx->propquery);
@ -60,7 +67,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
break;
}
if (signature == NULL)
@@ -303,6 +310,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
@@ -305,6 +312,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
if (ctx->fetched_digest != NULL) {
ctx->digest = ctx->reqdigest = ctx->fetched_digest;
@ -68,7 +75,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
} else {
/* legacy engine support : remove the mark when this is deleted */
ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
@@ -311,11 +319,13 @@ static int do_sigver_init(EVP_MD_CTX *ct
@@ -313,11 +321,13 @@ static int do_sigver_init(EVP_MD_CTX *ct
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
goto err;
}
@ -82,7 +89,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
if (ctx->reqdigest != NULL
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
@@ -327,6 +337,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
@@ -329,6 +339,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
goto err;
}
}
@ -90,7 +97,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
if (ver) {
if (signature->digest_verify_init == NULL) {
@@ -359,6 +370,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
@@ -361,6 +372,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
EVP_KEYMGMT_free(tmp_keymgmt);
return 0;
@ -98,7 +105,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
legacy:
/*
* If we don't have the full support we need with provided methods,
@@ -430,6 +442,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
@@ -432,6 +444,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
ctx->pctx->flag_call_digest_custom = 1;
ret = 1;
@ -106,7 +113,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
end:
#ifndef FIPS_MODULE
@@ -472,7 +485,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx
@@ -474,7 +487,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
NULL);
}
@ -114,7 +121,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
{
@@ -544,24 +556,30 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c
@@ -536,23 +548,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c
return EVP_DigestUpdate(ctx, data, dsize);
}
@ -123,19 +130,14 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
size_t *siglen)
{
- int sctx = 0, r = 0;
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
+ int r = 0;
+#ifndef FIPS_MODULE
+ int sctx = 0;
+ EVP_PKEY_CTX *dctx = NULL;
+ EVP_PKEY_CTX *dctx;
+#endif /* !defined(FIPS_MODULE) */
+ EVP_PKEY_CTX *pctx = ctx->pctx;
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
return 0;
}
+#ifndef FIPS_MODULE
if (pctx == NULL
|| pctx->operation != EVP_PKEY_OP_SIGNCTX
@ -144,26 +146,26 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
sigret, siglen,
sigret == NULL ? 0 : *siglen);
+#ifndef FIPS_MODULE
if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */
dctx = EVP_PKEY_CTX_dup(pctx);
@@ -576,7 +594,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
else
EVP_PKEY_CTX_free(dctx);
dctx = EVP_PKEY_CTX_dup(pctx);
if (dctx == NULL)
return 0;
@@ -561,8 +579,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
sigret, siglen,
*siglen);
EVP_PKEY_CTX_free(dctx);
+#endif /* defined(FIPS_MODULE) */
return r;
+#else
+ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
+ sigret, siglen,
+ sigret == NULL ? 0 : *siglen);
+ return r;
+#endif /* !defined(FIPS_MODULE) */
+#ifndef FIPS_MODULE
legacy:
if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -649,6 +674,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
@@ -634,6 +654,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
}
}
return 1;
@ -171,7 +173,7 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
}
int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
@@ -687,23 +713,29 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi
@@ -664,21 +685,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
size_t siglen)
{
@ -181,16 +183,11 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
+ unsigned char md[EVP_MAX_MD_SIZE];
unsigned int mdlen = 0;
int vctx = 0;
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
+ EVP_PKEY_CTX *dctx = NULL;
- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
+ EVP_PKEY_CTX *dctx;
+#endif /* !defined(FIPS_MODULE) */
+ EVP_PKEY_CTX *pctx = ctx->pctx;
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
return 0;
}
+#ifndef FIPS_MODULE
if (pctx == NULL
|| pctx->operation != EVP_PKEY_OP_VERIFYCTX
@ -199,25 +196,25 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
sig, siglen);
+#ifndef FIPS_MODULE
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */
dctx = EVP_PKEY_CTX_dup(pctx);
@@ -717,7 +749,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
else
EVP_PKEY_CTX_free(dctx);
return r;
+#else
+ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
+ sig, siglen);
+ return r;
dctx = EVP_PKEY_CTX_dup(pctx);
if (dctx == NULL)
return 0;
@@ -686,8 +713,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx,
sig, siglen);
EVP_PKEY_CTX_free(dctx);
+#endif /* !defined(FIPS_MODULE) */
return r;
+#ifndef FIPS_MODULE
legacy:
if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -758,6 +796,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
@@ -727,6 +756,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
if (vctx || !r)
return r;
return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
@ -225,15 +222,15 @@ Index: openssl-3.2.3/crypto/evp/m_sigver.c
}
int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
@@ -790,4 +829,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, co
@@ -752,4 +782,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, co
return -1;
return EVP_DigestVerifyFinal(ctx, sigret, siglen);
}
-#endif /* FIPS_MODULE */
Index: openssl-3.2.3/providers/fips/self_test_kats.c
Index: openssl-3.1.4/providers/fips/self_test_kats.c
===================================================================
--- openssl-3.2.3.orig/providers/fips/self_test_kats.c
+++ openssl-3.2.3/providers/fips/self_test_kats.c
--- openssl-3.1.4.orig/providers/fips/self_test_kats.c
+++ openssl-3.1.4/providers/fips/self_test_kats.c
@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_S
int ret = 0;
OSSL_PARAM *params = NULL, *params_sig = NULL;

30
openssl-FIPS-early-KATS.patch
View File

@ -1,22 +1,8 @@
From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 19 Oct 2023 13:12:40 +0200
Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch
Patch-name: 0047-FIPS-early-KATS.patch
Patch-id: 47
Patch-status: |
# # Execute KATS before HMAC verification
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
---
providers/fips/self_test.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
Index: openssl-3.2.3/providers/fips/self_test.c
Index: openssl-3.1.4/providers/fips/self_test.c
===================================================================
--- openssl-3.2.3.orig/providers/fips/self_test.c
+++ openssl-3.2.3/providers/fips/self_test.c
@@ -507,6 +507,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
--- openssl-3.1.4.orig/providers/fips/self_test.c
+++ openssl-3.1.4/providers/fips/self_test.c
@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
if (ev == NULL)
goto end;
@ -30,10 +16,10 @@ Index: openssl-3.2.3/providers/fips/self_test.c
+ }
+ }
+
if (st->module_checksum_data == NULL) {
module_checksum = fips_hmac_container;
checksum_len = sizeof(fips_hmac_container);
@@ -575,18 +585,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
module_checksum = fips_hmac_container;
checksum_len = sizeof(fips_hmac_container);
@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
}
}

290
openssl-FIPS-embed-hmac.patch
View File

@ -1,32 +1,30 @@
From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001
From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch
Date: Thu, 19 Oct 2023 13:12:40 +0200
Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch
Patch-name: 0033-FIPS-embed-hmac.patch
Patch-id: 33
Patch-status: |
# # Embed HMAC into the fips.so
# Modify fips self test as per
# https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
---
providers/fips/self_test.c | 204 ++++++++++++++++++++++++--
test/fipsmodule.cnf | 2 +
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
test/recipes/03-test_fipsinstall.t | 2 +-
test/recipes/30-test_defltfips.t | 2 +-
test/recipes/80-test_ssl_new.t | 2 +-
test/recipes/90-test_sslapi.t | 2 +-
8 files changed, 200 insertions(+), 18 deletions(-)
providers/fips/self_test.c | 70 ++++++++++++++++++++++++---
test/fipsmodule.cnf | 2 +
test/recipes/00-prep_fipsmodule_cnf.t | 2 +-
test/recipes/01-test_fipsmodule_cnf.t | 2 +-
test/recipes/03-test_fipsinstall.t | 2 +-
test/recipes/30-test_defltfips.t | 2 +-
test/recipes/80-test_ssl_new.t | 2 +-
test/recipes/90-test_sslapi.t | 2 +-
8 files changed, 71 insertions(+), 13 deletions(-)
create mode 100644 test/fipsmodule.cnf
Index: openssl-3.2.3/providers/fips/self_test.c
===================================================================
--- openssl-3.2.3.orig/providers/fips/self_test.c
+++ openssl-3.2.3/providers/fips/self_test.c
@@ -230,11 +230,133 @@ err:
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index b8dc9817b2..e3a629018a 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -230,11 +230,27 @@ err:
return ok;
}
@ -42,7 +40,6 @@ Index: openssl-3.2.3/providers/fips/self_test.c
* the result matches the expected value.
* Return 1 if verified, or 0 if it fails.
*/
+
+#ifndef __USE_GNU
+#define __USE_GNU
+#include <dlfcn.h>
@ -51,116 +48,11 @@ Index: openssl-3.2.3/providers/fips/self_test.c
+#include <dlfcn.h>
+#endif
+#include <link.h>
+
+static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
+ OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
+ unsigned char *expected, size_t expected_len,
+ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
+ const char *event_type)
+{
+ int ret = 0, status;
+ unsigned char out[MAX_MD_SIZE];
+ unsigned char buf[INTEGRITY_BUF_SIZE];
+ size_t bytes_read = 0, out_len = 0;
+ EVP_MAC *mac = NULL;
+ EVP_MAC_CTX *ctx = NULL;
+ OSSL_PARAM params[2], *p = params;
+ Dl_info info;
+ void *extra_info = NULL;
+ struct link_map *lm = NULL;
+ unsigned long paddr;
+ unsigned long off = 0;
+
+ if (expected_len != HMAC_LEN)
+ goto err;
+
+ if (!integrity_self_test(ev, libctx))
+ goto err;
+
+ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+
+ if (!dladdr1 ((const void *)fips_hmac_container,
+ &info, &extra_info, RTLD_DL_LINKMAP))
+ goto err;
+ lm = extra_info;
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
+
+ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
+ if (mac == NULL)
+ goto err;
+ ctx = EVP_MAC_CTX_new(mac);
+ if (ctx == NULL)
+ goto err;
+
+ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
+ *p = OSSL_PARAM_construct_end();
+
+ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
+ goto err;
+
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ if (off < paddr) {
+ int delta = paddr - off;
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
+ if (status != 1)
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ /* read away the buffer */
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+ if (status != 1)
+ goto err;
+
+ /* check that it is the expect bytes, no point in continuing otherwise */
+ if (memcmp(expected, buf, HMAC_LEN) != 0)
+ goto err;
+
+ /* replace in-file HMAC buffer with the original zeros */
+ memset(buf, 0, HMAC_LEN);
+ if (!EVP_MAC_update(ctx, buf, HMAC_LEN))
+ goto err;
+ off += HMAC_LEN;
+
+ while (bytes_read > 0) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
+ goto err;
+
+ OSSL_SELF_TEST_oncorrupt_byte(ev, out);
+ if (expected_len != out_len
+ || memcmp(expected, out, out_len) != 0)
+ goto err;
+ ret = 1;
+err:
+ OPENSSL_cleanse(out, MAX_MD_SIZE);
+ OSSL_SELF_TEST_onend(ev, ret);
+ EVP_MAC_CTX_free(ctx);
+ EVP_MAC_free(mac);
+ return ret;
+}
+
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
unsigned char *expected, size_t expected_len,
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BI
@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
EVP_MAC *mac = NULL;
EVP_MAC_CTX *ctx = NULL;
OSSL_PARAM params[2], *p = params;
@ -184,7 +76,7 @@ Index: openssl-3.2.3/providers/fips/self_test.c
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
if (mac == NULL)
goto err;
@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BI
@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
goto err;
@ -192,12 +84,12 @@ Index: openssl-3.2.3/providers/fips/self_test.c
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
if (status != 1)
break;
if (!EVP_MAC_update(ctx, buf, bytes_read))
goto err;
+ off += bytes_read;
}
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
+
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
+ int delta = paddr - off;
@ -206,7 +98,7 @@ Index: openssl-3.2.3/providers/fips/self_test.c
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ off += bytes_read;
+
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
+ memset(buf, 0, HMAC_LEN);
@ -214,22 +106,22 @@ Index: openssl-3.2.3/providers/fips/self_test.c
+ goto err;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ off += bytes_read;
+ }
+
+ while (bytes_read > 0) {
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+ if (status != 1)
+ break;
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
+ goto err;
+ off += bytes_read;
+ }
if (status != 1)
break;
if (!EVP_MAC_update(ctx, buf, bytes_read))
goto err;
+ off += bytes_read;
}
+
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
goto err;
@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BI
@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
goto err;
ret = 1;
err:
@ -237,7 +129,7 @@ Index: openssl-3.2.3/providers/fips/self_test.c
OSSL_SELF_TEST_onend(ev, ret);
EVP_MAC_CTX_free(ctx);
EVP_MAC_free(mac);
@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
return 0;
}
@ -247,57 +139,19 @@ Index: openssl-3.2.3/providers/fips/self_test.c
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
}
@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
- &checksum_len);
+ if (st->module_checksum_data == NULL) {
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
+ } else {
+ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
+ &checksum_len);
+ }
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
+
if (module_checksum == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
goto end;
@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
/* Always check the integrity of the fips module */
- if (bio_module == NULL
- || !verify_integrity(bio_module, st->bio_read_ex_cb,
- module_checksum, checksum_len, st->libctx,
- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+ if (bio_module == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
goto end;
}
-
+ if (st->module_checksum_data == NULL) {
+ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb,
+ module_checksum, checksum_len,
+ st->libctx, ev,
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
+ goto end;
+ }
+ } else {
+ if (!verify_integrity(bio_module, st->bio_read_ex_cb,
+ module_checksum, checksum_len,
+ st->libctx, ev,
+ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
+ goto end;
+ }
+ }
/* This will be NULL during installation - so the self test KATS will run */
if (st->indicator_data != NULL) {
/*
@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
end:
EVP_RAND_free(testrand);
OSSL_SELF_TEST_free(ev);
@ -305,17 +159,18 @@ Index: openssl-3.2.3/providers/fips/self_test.c
OPENSSL_free(indicator_checksum);
if (st != NULL) {
Index: openssl-3.2.3/test/fipsmodule.cnf
===================================================================
diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
new file mode 100644
index 0000000000..f05d0dedbe
--- /dev/null
+++ openssl-3.2.3/test/fipsmodule.cnf
+++ b/test/fipsmodule.cnf
@@ -0,0 +1,2 @@
+[fips_sect]
+activate = 1
Index: openssl-3.2.3/test/recipes/00-prep_fipsmodule_cnf.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/00-prep_fipsmodule_cnf.t
+++ openssl-3.2.3/test/recipes/00-prep_fipsmodule_cnf.t
diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
index 4e3a6d85e8..e8255ba974 100644
--- a/test/recipes/00-prep_fipsmodule_cnf.t
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
@ -325,10 +180,10 @@ Index: openssl-3.2.3/test/recipes/00-prep_fipsmodule_cnf.t
plan skip_all => "FIPS module config file only supported in a fips build"
if $no_check;
Index: openssl-3.2.3/test/recipes/01-test_fipsmodule_cnf.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/01-test_fipsmodule_cnf.t
+++ openssl-3.2.3/test/recipes/01-test_fipsmodule_cnf.t
diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
index ce594817d5..00cebacff8 100644
--- a/test/recipes/01-test_fipsmodule_cnf.t
+++ b/test/recipes/01-test_fipsmodule_cnf.t
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
@ -338,10 +193,10 @@ Index: openssl-3.2.3/test/recipes/01-test_fipsmodule_cnf.t
plan skip_all => "Test only supported in a fips build"
if $no_check;
plan tests => 1;
Index: openssl-3.2.3/test/recipes/03-test_fipsinstall.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/03-test_fipsinstall.t
+++ openssl-3.2.3/test/recipes/03-test_fipsinstall.t
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index b8b136d110..8242f4ebc3 100644
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
@ -351,10 +206,10 @@ Index: openssl-3.2.3/test/recipes/03-test_fipsinstall.t
# Compatible options for pedantic FIPS compliance
my @pedantic_okay =
Index: openssl-3.2.3/test/recipes/30-test_defltfips.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/30-test_defltfips.t
+++ openssl-3.2.3/test/recipes/30-test_defltfips.t
diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
index c8f145405b..56a2ec5dc4 100644
--- a/test/recipes/30-test_defltfips.t
+++ b/test/recipes/30-test_defltfips.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
plan skip_all => "Configuration loading is turned off"
if disabled("autoload-config");
@ -364,10 +219,10 @@ Index: openssl-3.2.3/test/recipes/30-test_defltfips.t
plan tests =>
($no_fips ? 1 : 5);
Index: openssl-3.2.3/test/recipes/80-test_ssl_new.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/80-test_ssl_new.t
+++ openssl-3.2.3/test/recipes/80-test_ssl_new.t
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 0c6d6402d9..e45f9cb560 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -27,7 +27,7 @@ setup("test_ssl_new");
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
@ -377,16 +232,19 @@ Index: openssl-3.2.3/test/recipes/80-test_ssl_new.t
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
Index: openssl-3.2.3/test/recipes/90-test_sslapi.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/90-test_sslapi.t
+++ openssl-3.2.3/test/recipes/90-test_sslapi.t
@@ -14,7 +14,7 @@ BEGIN {
setup("test_sslapi");
}
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index 9e9e32b51e..1a1a7159b5 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -17,7 +17,7 @@ setup("test_sslapi");
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
my $fipsmodcfg_filename = "fipsmodule.cnf";
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
--
2.41.0

133
openssl-FIPS-enforce-EMS-support.patch
View File

@ -22,31 +22,31 @@ Patch-status: |
test/sslapitest.c | 2 +-
11 files changed, 76 insertions(+), 5 deletions(-)
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index ae6ca43282..b83c04a308 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
Index: openssl-3.1.4/doc/man3/SSL_CONF_cmd.pod
===================================================================
--- openssl-3.1.4.orig/doc/man3/SSL_CONF_cmd.pod
+++ openssl-3.1.4/doc/man3/SSL_CONF_cmd.pod
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended ma
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
+B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
+This is a downstream specific option, and normally it should be set up via crypto policies.
+This is a downstream specific option, and normally it should be set up via crypto-policies.
+
B<CANames>: use CA names extension, enabled by
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
index 1c15e32a5c..f2cedaf88d 100644
--- a/doc/man5/fips_config.pod
+++ b/doc/man5/fips_config.pod
@@ -15,6 +15,19 @@ for more information.
Index: openssl-3.1.4/doc/man5/fips_config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/fips_config.pod
+++ openssl-3.1.4/doc/man5/fips_config.pod
@@ -15,6 +15,19 @@ See the documentation for more informati
This functionality was added in OpenSSL 3.0.
+SUSE Enterprise Linux uses a supplementary config for FIPS module located in
+OpenSSL configuration directory and managed by crypto policies. If present, it
+should have format
+SUSE Linux Enterprise uses a supplementary downstream config for FIPS module located
+in OpenSSL configuration directory and managed by crypto-policies. If present, it
+should have the following format:
+
+ [fips_sect]
+ tls1-prf-ems-check = 0
@ -59,11 +59,11 @@ index 1c15e32a5c..f2cedaf88d 100644
+
=head1 COPYRIGHT
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
index 5c77f6d691..8cdd5a6bf7 100644
--- a/include/openssl/fips_names.h
+++ b/include/openssl/fips_names.h
Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
Index: openssl-3.1.4/include/openssl/fips_names.h
===================================================================
--- openssl-3.1.4.orig/include/openssl/fips_names.h
+++ openssl-3.1.4/include/openssl/fips_names.h
@@ -70,6 +70,14 @@ extern "C" {
*/
# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md"
@ -79,23 +79,23 @@ index 5c77f6d691..8cdd5a6bf7 100644
# ifdef __cplusplus
}
# endif
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 0b6de603e2..26a69ca282 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
Index: openssl-3.1.4/include/openssl/ssl.h.in
===================================================================
--- openssl-3.1.4.orig/include/openssl/ssl.h.in
+++ openssl-3.1.4/include/openssl/ssl.h.in
@@ -420,6 +420,7 @@ typedef int (*SSL_async_callback_fn)(SSL
* interoperability with CryptoPro CSP 3.x
*/
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
+# define SSL_OP_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
/*
* Disable RFC8879 certificate compression
* SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 5ff9872bd8..eb9653a9df 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
* Option "collections."
Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L
if (fgbl == NULL)
return NULL;
init_fips_option(&fgbl->fips_security_checks, 1);
@ -104,11 +104,11 @@ index 5ff9872bd8..eb9653a9df 100644
init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
return fgbl;
}
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
index 25a6c79a2e..79bc7a9719 100644
--- a/providers/implementations/kdfs/tls1_prf.c
+++ b/providers/implementations/kdfs/tls1_prf.c
@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/kdfs/tls1_prf.c
+++ openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c
@@ -222,6 +222,27 @@ static int kdf_tls1_prf_derive(void *vct
}
}
@ -136,11 +136,11 @@ index 25a6c79a2e..79bc7a9719 100644
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
ctx->sec, ctx->seclen,
ctx->seed, ctx->seedlen,
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 5146cedb96..086db98c33 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
Index: openssl-3.1.4/ssl/ssl_conf.c
===================================================================
--- openssl-3.1.4.orig/ssl/ssl_conf.c
+++ openssl-3.1.4/ssl/ssl_conf.c
@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cct
SSL_FLAG_TBL("ClientRenegotiation",
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
@ -148,10 +148,10 @@ index 5146cedb96..086db98c33 100644
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 00b1ee531e..22cdabb308 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
Index: openssl-3.1.4/ssl/statem/extensions_srvr.c
===================================================================
--- openssl-3.1.4.orig/ssl/statem/extensions_srvr.c
+++ openssl-3.1.4/ssl/statem/extensions_srvr.c
@@ -11,6 +11,7 @@
#include "../ssl_local.h"
#include "statem_local.h"
@ -160,13 +160,13 @@ index 00b1ee531e..22cdabb308 100644
#define COOKIE_STATE_FORMAT_VERSION 1
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
unsigned int context,
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s
EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx)
{
- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
+ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_PERMIT_NOEMS_FIPS) ) {
+ if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_PERMIT_NOEMS_FIPS) ) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
+ return EXT_RETURN_FAIL;
+ }
@ -175,10 +175,10 @@ index 00b1ee531e..22cdabb308 100644
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|| !WPACKET_put_bytes_u16(pkt, 0)) {
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 91238e6457..e8ad8ecd9e 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
Index: openssl-3.1.4/ssl/t1_enc.c
===================================================================
--- openssl-3.1.4.orig/ssl/t1_enc.c
+++ openssl-3.1.4/ssl/t1_enc.c
@@ -20,6 +20,7 @@
#include <openssl/obj_mac.h>
#include <openssl/core_names.h>
@ -186,7 +186,7 @@ index 91238e6457..e8ad8ecd9e 100644
+#include <openssl/fips.h>
/* seed1 through seed5 are concatenated */
static int tls1_PRF(SSL_CONNECTION *s,
static int tls1_PRF(SSL *s,
@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
}
@ -198,17 +198,17 @@ index 91238e6457..e8ad8ecd9e 100644
+ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
+ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
+ else
+ else
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ }
else
ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
EVP_KDF_CTX_free(kctx);
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
index 44040ff66b..deb6bf3fcb 100644
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
Index: openssl-3.1.4/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
===================================================================
--- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+++ openssl-3.1.4/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
@ -225,18 +225,3 @@ index 44040ff66b..deb6bf3fcb 100644
FIPSversion = <=3.1.0
KDF = TLS1-PRF
Ctrl.digest = digest:SHA256
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 169e3c7466..e67b5bb44c 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void)
STACK_OF(X509) *server_chain;
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
- int testresult = 0;
+ int testresult = 0, status;
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(), TLS1_VERSION, 0,
--
2.41.0

517
openssl-FIPS-limit-rsa-encrypt.patch
View File

@ -1,41 +1,38 @@
From 012e319b3d5b936a9208b1c75c13d9c4a2d0cc04 Mon Sep 17 00:00:00 2001
From 56511d480823bedafce604374fa3b15d3b3ffd6b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 24/49] 0058-FIPS-limit-rsa-encrypt.patch
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 26/48] 0058-FIPS-limit-rsa-encrypt.patch
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
Patch-id: 58
Patch-status: |
# # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
providers/common/securitycheck.c | 1 +
.../implementations/asymciphers/rsa_enc.c | 35 +++++
.../30-test_evp_data/evppkey_rsa_common.txt | 140 +++++++++++++-----
test/recipes/80-test_cms.t | 5 +-
test/recipes/80-test_ssl_old.t | 27 +++-
5 files changed, 168 insertions(+), 40 deletions(-)
providers/common/securitycheck.c | 1 +
.../implementations/asymciphers/rsa_enc.c | 35 +++++++++++
.../30-test_evp_data/evppkey_rsa_common.txt | 58 ++++++++++++++++++-
test/recipes/80-test_cms.t | 5 +-
test/recipes/80-test_ssl_old.t | 27 +++++++--
5 files changed, 118 insertions(+), 8 deletions(-)
Index: openssl-3.2.3/providers/common/securitycheck.c
===================================================================
--- openssl-3.2.3.orig/providers/common/securitycheck.c
+++ openssl-3.2.3/providers/common/securitycheck.c
@@ -27,6 +27,10 @@
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index e534ad0a5f..c017c658e5 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -27,6 +27,7 @@
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
*/
+/*
+ * SUSE/openSUSE builds implement some extra limitations in
+ * providers/implementations/asymciphers/rsa_enc.c
+ */
+/* SUSE build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */
int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
{
int protect = 0;
Index: openssl-3.2.3/providers/implementations/asymciphers/rsa_enc.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/asymciphers/rsa_enc.c
+++ openssl-3.2.3/providers/implementations/asymciphers/rsa_enc.c
@@ -135,6 +135,17 @@ static int rsa_decrypt_init(void *vprsac
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index d865968058..872967bcb3 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa,
return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT);
}
@ -53,7 +50,7 @@ Index: openssl-3.2.3/providers/implementations/asymciphers/rsa_enc.c
static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
size_t outsize, const unsigned char *in, size_t inlen)
{
@@ -144,6 +155,18 @@ static int rsa_encrypt(void *vprsactx, u
@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
if (!ossl_prov_is_running())
return 0;
@ -72,7 +69,7 @@ Index: openssl-3.2.3/providers/implementations/asymciphers/rsa_enc.c
if (out == NULL) {
size_t len = RSA_size(prsactx->rsa);
@@ -206,6 +229,18 @@ static int rsa_decrypt(void *vprsactx, u
@@ -204,6 +227,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
if (!ossl_prov_is_running())
return 0;
@ -91,11 +88,11 @@ Index: openssl-3.2.3/providers/implementations/asymciphers/rsa_enc.c
if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
if (out == NULL) {
*outlen = SSL_MAX_MASTER_KEY_LENGTH;
Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
===================================================================
--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -263,13 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
index 8680797b90..95d5d51102 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377
Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# RSA decrypt
@ -105,394 +102,13 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
Output = "Hello World"
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
# Corrupted ciphertext
-FIPSversion = <3.2.0
+Availablein = default
# Note: disable the Bleichenbacher workaround to see if it passes
Decrypt = RSA-2048
Ctrl = rsa_pkcs1_implicit_rejection:0
@@ -277,7 +277,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
Output = "Hello World"
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# Corrupted ciphertext
# Note: output is generated synthethically by the Bleichenbacher workaround
Decrypt = RSA-2048
@@ -285,7 +285,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235
Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# Corrupted ciphertext
# Note: disable the Bleichenbacher workaround to see if it fails
Decrypt = RSA-2048
@@ -360,82 +360,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-P
# RSA decrypt
# a random positive test case
+Availablein = default
Decrypt = RSA-2048-2
Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066
Output = "lorem ipsum dolor sit amet"
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# a random negative test case decrypting to empty
Decrypt = RSA-2048-2
Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7
Output =
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# invalid decrypting to max length message
Decrypt = RSA-2048-2
Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303
Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
# invalid decrypting to message with length specified by second to last value from PRF
+Availablein = default
Decrypt = RSA-2048-2
Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354
Output = 0f9b
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# invalid decrypting to message with length specified by third to last value from PRF
Decrypt = RSA-2048-2
Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081
Output = 4f02
# positive test with 11 byte long value
+Availablein = default
Decrypt = RSA-2048-2
Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592
Output = "lorem ipsum"
# positive test with 11 byte long value and zero padded ciphertext
+Availablein = default
Decrypt = RSA-2048-2
Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
Output = "lorem ipsum"
# positive test with 11 byte long value and zero truncated ciphertext
+Availablein = default
Decrypt = RSA-2048-2
Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
Output = "lorem ipsum"
# positive test with 11 byte long value and double zero padded ciphertext
+Availablein = default
Decrypt = RSA-2048-2
Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
Output = "lorem ipsum"
# positive test with 11 byte long value and double zero truncated ciphertext
+Availablein = default
Decrypt = RSA-2048-2
Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
Output = "lorem ipsum"
# positive that generates a 0 byte long synthetic message internally
+Availablein = default
Decrypt = RSA-2048-2
Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0
Output = "lorem ipsum"
# positive that generates a 245 byte long synthetic message internally
+Availablein = default
Decrypt = RSA-2048-2
Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50
Output = "lorem ipsum"
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# a random negative test that generates an 11 byte long message
Decrypt = RSA-2048-2
Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2
Output = af9ac70191c92413cb9f2d
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# an otherwise correct plaintext, but with wrong first byte
# (0x01 instead of 0x00), generates a random 11 byte long plaintext
Decrypt = RSA-2048-2
@@ -443,7 +451,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be5
Output = a1f8c9255c35cfba403ccc
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# an otherwise correct plaintext, but with wrong second byte
# (0x01 instead of 0x02), generates a random 11 byte long plaintext
Decrypt = RSA-2048-2
@@ -451,7 +459,7 @@ Input = 782c2b59a21a511243820acedd567c13
Output = e6d700309ca0ed62452254
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# an invalid ciphertext, with a zero byte in first byte of
# ciphertext, decrypts to a random 11 byte long synthetic
# plaintext
@@ -460,7 +468,7 @@ Input = 0096136621faf36d5290b16bd26295de
Output = ba27b1842e7c21c0e7ef6a
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# an invalid ciphertext, with a zero byte removed from first byte of
# ciphertext, decrypts to a random 11 byte long synthetic
# plaintext
@@ -469,7 +477,7 @@ Input = 96136621faf36d5290b16bd26295de27
Output = ba27b1842e7c21c0e7ef6a
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# an invalid ciphertext, with two zero bytes in first bytes of
# ciphertext, decrypts to a random 11 byte long synthetic
# plaintext
@@ -478,7 +486,7 @@ Input = 0000587cccc6b264bdfe0dc2149a9880
Output = d5cf555b1d6151029a429a
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# an invalid ciphertext, with two zero bytes removed from first bytes of
# ciphertext, decrypts to a random 11 byte long synthetic
# plaintext
@@ -487,7 +495,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa
Output = d5cf555b1d6151029a429a
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# and invalid ciphertext, otherwise valid but starting with 000002, decrypts
# to random 11 byte long synthetic plaintext
Decrypt = RSA-2048-2
@@ -495,7 +503,7 @@ Input = 1786550ce8d8433052e01ecba8b76d30
Output = 3d4a054d9358209e9cbbb9
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# negative test with otherwise valid padding but a zero byte in first byte
# of padding
Decrypt = RSA-2048-2
@@ -503,7 +511,7 @@ Input = 179598823812d2c58a7eb50521150a48
Output = 1f037dd717b07d3e7f7359
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# negative test with otherwise valid padding but a zero byte at the eighth
# byte of padding
Decrypt = RSA-2048-2
@@ -511,7 +519,7 @@ Input = a7a340675a82c30e22219a55bc07cdf3
Output = 63cb0bf65fc8255dd29e17
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# negative test with an otherwise valid plaintext but with missing separator
# byte
Decrypt = RSA-2048-2
@@ -566,53 +574,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLI
# RSA decrypt
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# malformed that generates length specified by 3rd last value from PRF
Decrypt = RSA-2049
Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894
Output = 42
# simple positive test case
+Availablein = default
Decrypt = RSA-2049
Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967
Output = "lorem ipsum"
# positive test case with null padded ciphertext
+Availablein = default
Decrypt = RSA-2049
Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
Output = "lorem ipsum"
# positive test case with null truncated ciphertext
+Availablein = default
Decrypt = RSA-2049
Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
Output = "lorem ipsum"
# positive test case with double null padded ciphertext
+Availablein = default
Decrypt = RSA-2049
Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
Output = "lorem ipsum"
# positive test case with double null truncated ciphertext
+Availablein = default
Decrypt = RSA-2049
Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
Output = "lorem ipsum"
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# a random negative test case that generates an 11 byte long message
Decrypt = RSA-2049
Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca
Output = 1189b6f5498fd6df532b00
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00)
Decrypt = RSA-2049
Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff
Output = f6d0f5b78082fe61c04674
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02)
Decrypt = RSA-2049
Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3
@@ -676,14 +689,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKu
PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# a random invalid ciphertext that generates an empty synthetic one
Decrypt = RSA-3072
Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59
Output =
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# a random invalid that has PRF output with a length one byte too long
# in the last value
Decrypt = RSA-3072
@@ -691,46 +704,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d8
Output = 56a3bea054e01338be9b7d7957539c
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# a random invalid that generates a synthetic of maximum size
Decrypt = RSA-3072
Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6
Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04
# a positive test case that decrypts to 9 byte long value
+Availablein = default
Decrypt = RSA-3072
Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde
Output = "forty two"
# a positive test case with null padded ciphertext
+Availablein = default
Decrypt = RSA-3072
Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
Output = "forty two"
# a positive test case with null truncated ciphertext
+Availablein = default
Decrypt = RSA-3072
Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
Output = "forty two"
# a positive test case with double null padded ciphertext
+Availablein = default
Decrypt = RSA-3072
Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
Output = "forty two"
# a positive test case with double null truncated ciphertext
+Availablein = default
Decrypt = RSA-3072
Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
Output = "forty two"
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# a random negative test case that generates a 9 byte long message
Decrypt = RSA-3072
Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56
Output = 257906ca6de8307728
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# a random negative test case that generates a 9 byte long message based on
# second to last value from PRF
Decrypt = RSA-3072
@@ -738,7 +756,7 @@ Input = 758c215aa6acd61248062b88284bf43c
Output = 043383c929060374ed
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# a random negative test that generates message based on 3rd last value from
# PRF
Decrypt = RSA-3072
@@ -746,35 +764,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4
Output = 70263fa6050534b9e0
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00)
Decrypt = RSA-3072
Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62
Output = 6d8d3a094ff3afff4c
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02)
Decrypt = RSA-3072
Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936
Output = c6ae80ffa80bc184b0
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# an otherwise valid plaintext, but with zero byte in first byte of padding
Decrypt = RSA-3072
Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0
Output = a8a9301daa01bb25c7
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# an otherwise valid plaintext, but with zero byte in eight byte of padding
Decrypt = RSA-3072
Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571
Output = 6c716fe01d44398018
# The old FIPS provider doesn't include the workaround (#13817)
-FIPSversion = >=3.2.0
+Availablein = default
# an otherwise valid plaintext, but with null separator missing
Decrypt = RSA-3072
Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4
@@ -1153,36 +1171,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mN
@@ -619,36 +619,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2
h90qjKHS9PvY4Q==
-----END PRIVATE KEY-----
@ -535,7 +151,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Decrypt=RSA-OAEP-1
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1207,36 +1231,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64
@@ -673,36 +679,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8
eG2e4XlBcKjI6A==
-----END PRIVATE KEY-----
@ -578,7 +194,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Decrypt=RSA-OAEP-2
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1261,36 +1291,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+W
@@ -727,36 +739,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z
Ya4qnqZe1onjY5o=
-----END PRIVATE KEY-----
@ -621,7 +237,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Decrypt=RSA-OAEP-3
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1315,36 +1351,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/
@@ -781,36 +799,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq
aD0x7TDrmEvkEro=
-----END PRIVATE KEY-----
@ -664,7 +280,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Decrypt=RSA-OAEP-4
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1369,36 +1411,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/
@@ -835,36 +859,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B
MSwGUGLx60i3nRyDyw==
-----END PRIVATE KEY-----
@ -707,7 +323,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Decrypt=RSA-OAEP-5
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1423,36 +1471,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hq
@@ -889,36 +919,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC
Yejn5Ly8mU2q+jBcRQ==
-----END PRIVATE KEY-----
@ -750,7 +366,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Decrypt=RSA-OAEP-6
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1477,36 +1531,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4
@@ -943,36 +979,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS
FMlxv0gq65dqc3DC
-----END PRIVATE KEY-----
@ -793,7 +409,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Decrypt=RSA-OAEP-7
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1531,36 +1591,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15E
@@ -997,36 +1039,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM
2MiPa249Z+lh3Luj0A==
-----END PRIVATE KEY-----
@ -836,7 +452,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Decrypt=RSA-OAEP-8
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
@@ -1591,36 +1657,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSc
@@ -1057,36 +1105,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo
tKo5Eb69iFQvBb4=
-----END PRIVATE KEY-----
@ -879,11 +495,11 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Decrypt=RSA-OAEP-9
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
Index: openssl-3.2.3/test/recipes/80-test_cms.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/80-test_cms.t
+++ openssl-3.2.3/test/recipes/80-test_cms.t
@@ -235,7 +235,7 @@ my @smime_pkcs7_tests = (
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index cbec426137..9ba7fbeed2 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -233,7 +233,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@ -892,7 +508,7 @@ Index: openssl-3.2.3/test/recipes/80-test_cms.t
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
"-aes256", "-stream", "-out", "{output}.cms",
$smrsa1,
@@ -1125,6 +1125,9 @@ sub check_availability {
@@ -1022,6 +1022,9 @@ sub check_availability {
return "$tnam: skipped, DSA disabled\n"
if ($no_dsa && $tnam =~ / DSA/);
@ -902,30 +518,30 @@ Index: openssl-3.2.3/test/recipes/80-test_cms.t
return "";
}
Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.2.3/test/recipes/80-test_ssl_old.t
@@ -497,6 +497,18 @@ sub testssl {
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index e2dcb68fb5..0775112b40 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -493,6 +493,18 @@ sub testssl {
# the default choice if TLSv1.3 enabled
my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
my $ciphersuites = "";
+ my %FIPS_skip_cipher = map {$_ => 1} qw(
+ AES256-GCM-SHA384:@SECLEVEL=0
+ AES256-CCM8:@SECLEVEL=0
+ AES256-CCM:@SECLEVEL=0
+ AES128-GCM-SHA256:@SECLEVEL=0
+ AES128-CCM8:@SECLEVEL=0
+ AES128-CCM:@SECLEVEL=0
+ AES256-SHA256:@SECLEVEL=0
+ AES128-SHA256:@SECLEVEL=0
+ AES256-SHA:@SECLEVEL=0
+ AES128-SHA:@SECLEVEL=0
+ my %suse_skip_cipher = map {$_ => 1} qw(
+AES256-GCM-SHA384:@SECLEVEL=0
+AES256-CCM8:@SECLEVEL=0
+AES256-CCM:@SECLEVEL=0
+AES128-GCM-SHA256:@SECLEVEL=0
+AES128-CCM8:@SECLEVEL=0
+AES128-CCM:@SECLEVEL=0
+AES256-SHA256:@SECLEVEL=0
+AES128-SHA256:@SECLEVEL=0
+AES256-SHA:@SECLEVEL=0
+AES128-SHA:@SECLEVEL=0
+ );
foreach my $cipher (@{$ciphersuites{$protocol}}) {
if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
note "*****SKIPPING $protocol $cipher";
@@ -508,11 +520,16 @@ sub testssl {
@@ -504,11 +516,16 @@ sub testssl {
} else {
$cipher = $cipher.':@SECLEVEL=0';
}
@ -934,7 +550,7 @@ Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
- "-ciphersuites", $ciphersuites,
- $flag || ()])),
- "Testing $cipher");
+ if ($provider eq "fips" && exists $FIPS_skip_cipher{$cipher}) {
+ if ($provider eq "fips" && exists $suse_skip_cipher{$cipher}) {
+ note "*****SKIPPING $cipher in SUSE FIPS mode";
+ ok(1);
+ } else {
@ -947,3 +563,6 @@ Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
}
}
next if $protocol eq "-tls1_3";
--
2.41.0

27
openssl-FIPS-release_num_in_version_string.patch Normal file
View File

@ -0,0 +1,27 @@
Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p
static int fips_get_params(void *provctx, OSSL_PARAM params[])
{
+#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE
OSSL_PARAM *p;
FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider"))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))

326
openssl-FIPS-services-minimize.patch
View File

@ -1,13 +1,12 @@
From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch
From a9dc983f82cabe29d6b48f3af3e30e26074ce5cf Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 12:55:57 +0200
Subject: [PATCH 21/48] 0045-FIPS-services-minimize.patch
Patch-name: 0045-FIPS-services-minimize.patch
Patch-id: 45
Patch-status: |
# # Minimize fips services
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
# Minimize fips services
---
apps/ecparam.c | 7 +++
apps/req.c | 2 +-
@ -21,16 +20,16 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
test/evp_libctx_test.c | 9 +++-
test/recipes/15-test_gendsa.t | 2 +-
test/recipes/20-test_cli_fips.t | 3 +-
test/recipes/30-test_evp.t | 20 ++++-----
test/recipes/30-test_evp.t | 16 +++----
.../30-test_evp_data/evpmac_common.txt | 22 ++++++++++
test/recipes/80-test_cms.t | 22 +++++-----
test/recipes/80-test_ssl_old.t | 2 +-
16 files changed, 128 insertions(+), 51 deletions(-)
16 files changed, 128 insertions(+), 47 deletions(-)
Index: openssl-3.2.3/apps/ecparam.c
===================================================================
--- openssl-3.2.3.orig/apps/ecparam.c
+++ openssl-3.2.3/apps/ecparam.c
diff --git a/apps/ecparam.c b/apps/ecparam.c
index 9e9ad13683..9c66cf2434 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
const char *comment = curves[n].comment;
const char *sname = OBJ_nid2sn(curves[n].nid);
@ -45,11 +44,11 @@ Index: openssl-3.2.3/apps/ecparam.c
if (comment == NULL)
comment = "CURVE DESCRIPTION NOT AVAILABLE";
if (sname == NULL)
Index: openssl-3.2.3/apps/req.c
===================================================================
--- openssl-3.2.3.orig/apps/req.c
+++ openssl-3.2.3/apps/req.c
@@ -268,7 +268,7 @@ int req_main(int argc, char **argv)
diff --git a/apps/req.c b/apps/req.c
index 23757044ab..5916914978 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -266,7 +266,7 @@ int req_main(int argc, char **argv)
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
#ifndef OPENSSL_NO_DES
@ -57,12 +56,12 @@ Index: openssl-3.2.3/apps/req.c
+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
#endif
opt_set_unknown_name("digest");
Index: openssl-3.2.3/providers/common/capabilities.c
===================================================================
--- openssl-3.2.3.orig/providers/common/capabilities.c
+++ openssl-3.2.3/providers/common/capabilities.c
@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list
prog = opt_init(argc, argv, req_options);
diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
index ed37e76969..eb836dfa6a 100644
--- a/providers/common/capabilities.c
+++ b/providers/common/capabilities.c
@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list[][10] = {
TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
@ -70,37 +69,14 @@ Index: openssl-3.2.3/providers/common/capabilities.c
TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
+# endif
# ifndef FIPS_MODULE
TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
Index: openssl-3.2.3/providers/fips/fipsprov.c
===================================================================
--- openssl-3.2.3.orig/providers/fips/fipsprov.c
+++ openssl-3.2.3/providers/fips/fipsprov.c
@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p
static int fips_get_params(void *provctx, OSSL_PARAM params[])
{
+#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE
OSSL_PARAM *p;
FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider"))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
@@ -298,10 +299,11 @@ static const OSSL_ALGORITHM fips_digests
# endif /* OPENSSL_NO_EC */
# ifndef OPENSSL_NO_DH
/* Security bit values for FFDHE groups are as per RFC 7919 */
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 518226dfc6..29438faea8 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
* KMAC128 and KMAC256.
*/
@ -114,7 +90,7 @@ Index: openssl-3.2.3/providers/fips/fipsprov.c
{ NULL, NULL, NULL }
};
@@ -360,8 +362,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
ossl_cipher_capable_aes_cbc_hmac_sha256),
#ifndef OPENSSL_NO_DES
@ -126,7 +102,7 @@ Index: openssl-3.2.3/providers/fips/fipsprov.c
#endif /* OPENSSL_NO_DES */
{ { NULL, NULL, NULL }, NULL }
};
@@ -373,8 +376,9 @@ static const OSSL_ALGORITHM fips_macs[]
@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
#endif
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
@ -138,39 +114,38 @@ Index: openssl-3.2.3/providers/fips/fipsprov.c
{ NULL, NULL, NULL }
};
@@ -410,8 +414,9 @@ static const OSSL_ALGORITHM fips_keyexch
@@ -409,8 +412,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
#endif
#ifndef OPENSSL_NO_EC
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
# ifndef OPENSSL_NO_ECX
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
+ /* We don't certify Edwards curves in our FIPS provider */
+ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
+ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
# endif
#endif
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
@@ -422,14 +427,16 @@ static const OSSL_ALGORITHM fips_keyexch
ossl_kdf_tls1_prf_keyexch_functions },
@@ -420,13 +424,15 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
static const OSSL_ALGORITHM fips_signature[] = {
#ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
+ /* We don't certify DSA in our FIPS provider */
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
#ifndef OPENSSL_NO_EC
# ifndef OPENSSL_NO_ECX
- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
+ /* We don't certify Edwards curves in our FIPS provider */
+ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
ossl_ed25519_signature_functions },
- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/
# endif
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, */
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
#endif
@@ -460,8 +467,9 @@ static const OSSL_ALGORITHM fips_keymgmt
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
@@ -456,8 +462,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
PROV_DESCS_DHX },
#endif
#ifndef OPENSSL_NO_DSA
@ -182,10 +157,10 @@ Index: openssl-3.2.3/providers/fips/fipsprov.c
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
PROV_DESCS_RSA },
@@ -471,14 +479,15 @@ static const OSSL_ALGORITHM fips_keymgmt
@@ -466,14 +473,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
#ifndef OPENSSL_NO_EC
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
PROV_DESCS_EC },
# ifndef OPENSSL_NO_ECX
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
+ /* We don't certify Edwards curves in our FIPS provider */
+ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
@ -197,14 +172,14 @@ Index: openssl-3.2.3/providers/fips/fipsprov.c
{ PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
- PROV_DESCS_ED448 },
+ PROV_DESCS_ED448 }, */
# endif
#endif
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
Index: openssl-3.2.3/providers/fips/self_test_data.inc
===================================================================
--- openssl-3.2.3.orig/providers/fips/self_test_data.inc
+++ openssl-3.2.3/providers/fips/self_test_data.inc
@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest
PROV_DESCS_TLS1_PRF_SIGN },
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 2057378d3d..4b80bb70b9 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
/*- CIPHER TEST DATA */
/* DES3 test data */
@ -212,7 +187,7 @@ Index: openssl-3.2.3/providers/fips/self_test_data.inc
static const unsigned char des_ede3_cbc_pt[] = {
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_
@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
};
@ -221,7 +196,7 @@ Index: openssl-3.2.3/providers/fips/self_test_data.inc
/* AES-256 GCM test data */
static const unsigned char aes_256_gcm_key[] = {
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[
@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = {
# endif /* OPENSSL_NO_EC2M */
#endif /* OPENSSL_NO_EC */
@ -240,7 +215,7 @@ Index: openssl-3.2.3/providers/fips/self_test_data.inc
/* Hash DRBG inputs for signature KATs */
static const unsigned char sig_kat_entropyin[] = {
@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
},
# endif
#endif /* OPENSSL_NO_EC */
@ -248,7 +223,7 @@ Index: openssl-3.2.3/providers/fips/self_test_data.inc
#ifndef OPENSSL_NO_DSA
{
OSSL_SELF_TEST_DESC_SIGN_DSA,
@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
ITM(dsa_expected_sig)
},
#endif /* OPENSSL_NO_DSA */
@ -256,11 +231,11 @@ Index: openssl-3.2.3/providers/fips/self_test_data.inc
};
static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
@@ -702,6 +702,19 @@ static int rsa_verify_recover(void *vprs
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index d4261e8f7d..2a5504d104 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -689,6 +689,14 @@ static int rsa_verify_recover(void *vprsactx,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
@ -268,19 +243,14 @@ Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
+ size_t rsabits = RSA_bits(prsactx->rsa);
+
+ if (rsabits < 2048) {
+ if (rsabits != 1024
+ && rsabits != 1280
+ && rsabits != 1536
+ && rsabits != 1792) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+# endif
if (!ossl_prov_is_running())
return 0;
@@ -790,6 +803,19 @@ static int rsa_verify(void *vprsactx, co
@@ -777,6 +790,14 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
size_t rslen;
@ -288,22 +258,17 @@ Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
+ size_t rsabits = RSA_bits(prsactx->rsa);
+
+ if (rsabits < 2048) {
+ if (rsabits != 1024
+ && rsabits != 1280
+ && rsabits != 1536
+ && rsabits != 1792) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
+# endif
if (!ossl_prov_is_running())
return 0;
Index: openssl-3.2.3/ssl/ssl_ciph.c
===================================================================
--- openssl-3.2.3.orig/ssl/ssl_ciph.c
+++ openssl-3.2.3/ssl/ssl_ciph.c
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index a5e60e8839..f9af07d12b 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
ctx->disabled_mkey_mask = 0;
ctx->disabled_auth_mask = 0;
@ -313,12 +278,12 @@ Index: openssl-3.2.3/ssl/ssl_ciph.c
+
/*
* We ignore any errors from the fetches below. They are expected to fail
* if these algorithms are not available.
Index: openssl-3.2.3/test/acvp_test.c
===================================================================
--- openssl-3.2.3.orig/test/acvp_test.c
+++ openssl-3.2.3/test/acvp_test.c
@@ -1478,6 +1478,7 @@ int setup_tests(void)
* if theose algorithms are not available.
diff --git a/test/acvp_test.c b/test/acvp_test.c
index fee880d441..13d7a0ea8b 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -1476,6 +1476,7 @@ int setup_tests(void)
OSSL_NELEM(dh_safe_prime_keyver_data));
#endif /* OPENSSL_NO_DH */
@ -326,7 +291,7 @@ Index: openssl-3.2.3/test/acvp_test.c
#ifndef OPENSSL_NO_DSA
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
@@ -1485,6 +1486,7 @@ int setup_tests(void)
@@ -1483,6 +1484,7 @@ int setup_tests(void)
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
#endif /* OPENSSL_NO_DSA */
@ -334,11 +299,11 @@ Index: openssl-3.2.3/test/acvp_test.c
#ifndef OPENSSL_NO_EC
ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
Index: openssl-3.2.3/test/endecode_test.c
===================================================================
--- openssl-3.2.3.orig/test/endecode_test.c
+++ openssl-3.2.3/test/endecode_test.c
@@ -1424,6 +1424,7 @@ int setup_tests(void)
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 9a437d8c64..53385028fc 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -1407,6 +1407,7 @@ int setup_tests(void)
* so no legacy tests.
*/
#endif
@ -346,7 +311,7 @@ Index: openssl-3.2.3/test/endecode_test.c
#ifndef OPENSSL_NO_DSA
ADD_TEST_SUITE(DSA);
ADD_TEST_SUITE_PARAMS(DSA);
@@ -1434,6 +1435,7 @@ int setup_tests(void)
@@ -1417,6 +1418,7 @@ int setup_tests(void)
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
# endif
#endif
@ -354,9 +319,9 @@ Index: openssl-3.2.3/test/endecode_test.c
#ifndef OPENSSL_NO_EC
ADD_TEST_SUITE(EC);
ADD_TEST_SUITE_PARAMS(EC);
@@ -1454,10 +1456,12 @@ int setup_tests(void)
ADD_TEST_SUITE(SM2);
}
@@ -1431,10 +1433,12 @@ int setup_tests(void)
ADD_TEST_SUITE(ECExplicitTri2G);
ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
# endif
+ if (is_fips == 0) {
ADD_TEST_SUITE(ED25519);
@ -367,10 +332,10 @@ Index: openssl-3.2.3/test/endecode_test.c
/*
* ED25519, ED448, X25519 and X448 have no support for
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
Index: openssl-3.2.3/test/evp_libctx_test.c
===================================================================
--- openssl-3.2.3.orig/test/evp_libctx_test.c
+++ openssl-3.2.3/test/evp_libctx_test.c
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index 2448c35a14..a7913cda4c 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -21,6 +21,7 @@
*/
#include "internal/deprecated.h"
@ -401,10 +366,10 @@ Index: openssl-3.2.3/test/evp_libctx_test.c
#endif
return 1;
}
Index: openssl-3.2.3/test/recipes/15-test_gendsa.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/15-test_gendsa.t
+++ openssl-3.2.3/test/recipes/15-test_gendsa.t
diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t
index b495b08bda..69bd299521 100644
--- a/test/recipes/15-test_gendsa.t
+++ b/test/recipes/15-test_gendsa.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
plan skip_all => "This test is unsupported in a no-dsa build"
if disabled("dsa");
@ -414,11 +379,11 @@ Index: openssl-3.2.3/test/recipes/15-test_gendsa.t
plan tests =>
($no_fips ? 0 : 2) # FIPS related tests
Index: openssl-3.2.3/test/recipes/20-test_cli_fips.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/20-test_cli_fips.t
+++ openssl-3.2.3/test/recipes/20-test_cli_fips.t
@@ -278,8 +278,7 @@ SKIP: {
diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
index 6d3c5ba1bb..2ba47b5fca 100644
--- a/test/recipes/20-test_cli_fips.t
+++ b/test/recipes/20-test_cli_fips.t
@@ -273,8 +273,7 @@ SKIP: {
}
SKIP : {
@ -428,11 +393,11 @@ Index: openssl-3.2.3/test/recipes/20-test_cli_fips.t
subtest DSA => sub {
my $testtext_prefix = 'DSA';
Index: openssl-3.2.3/test/recipes/30-test_evp.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/30-test_evp.t
+++ openssl-3.2.3/test/recipes/30-test_evp.t
@@ -46,10 +46,8 @@ my @files = qw(
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 9d7040ced2..f8beb538d4 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -42,10 +42,8 @@ my @files = qw(
evpciph_aes_cts.txt
evpciph_aes_wrap.txt
evpciph_aes_stitched.txt
@ -443,23 +408,20 @@ Index: openssl-3.2.3/test/recipes/30-test_evp.t
evpkdf_pbkdf1.txt
evpkdf_pbkdf2.txt
evpkdf_ss.txt
@@ -70,15 +68,6 @@ push @files, qw(
@@ -65,12 +63,6 @@ push @files, qw(
evppkey_ffdhe.txt
evppkey_dh.txt
) unless $no_dh;
push @files, qw(
-push @files, qw(
- evpkdf_x942_des.txt
- evpmac_cmac_des.txt
- ) unless $no_des;
-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
-push @files, qw(
- evppkey_ecx.txt
- evppkey_mismatch_ecx.txt
- ) unless $no_ecx;
-push @files, qw(
-push @files, qw(evppkey_ecx.txt) unless $no_ec;
push @files, qw(
evppkey_ecc.txt
evppkey_ecdh.txt
evppkey_ecdsa.txt
@@ -97,6 +86,7 @@ my @defltfiles = qw(
@@ -91,6 +83,7 @@ my @defltfiles = qw(
evpciph_cast5.txt
evpciph_chacha.txt
evpciph_des.txt
@ -467,7 +429,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp.t
evpciph_idea.txt
evpciph_rc2.txt
evpciph_rc4.txt
@@ -121,13 +111,19 @@ my @defltfiles = qw(
@@ -114,10 +107,17 @@ my @defltfiles = qw(
evpmd_whirlpool.txt
evppbe_scrypt.txt
evppbe_pkcs12.txt
@ -483,16 +445,13 @@ Index: openssl-3.2.3/test/recipes/30-test_evp.t
+ evpmac_cmac_des.txt
+ ) unless $no_des;
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
===================================================================
--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evpmac_common.txt
+++ openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C
diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
index 93195df97c..315413cd9b 100644
--- a/test/recipes/30-test_evp_data/evpmac_common.txt
+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
@@ -340,6 +340,7 @@ IV = 7AE8E2CA4EC500012E58495C
Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
Result = MAC_INIT_ERROR
@ -500,7 +459,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
Title = KMAC Tests (From NIST)
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
@@ -373,12 +374,14 @@ Ctrl = xof:0
@@ -350,12 +351,14 @@ Ctrl = xof:0
OutputSize = 32
BlockSize = 168
@ -515,7 +474,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -386,6 +389,7 @@ Custom = "My Tagged Application"
@@ -363,6 +366,7 @@ Custom = "My Tagged Application"
Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
Ctrl = size:32
@ -523,7 +482,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6
@@ -371,12 +375,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC
OutputSize = 64
BlockSize = 136
@ -538,7 +497,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -409,12 +415,14 @@ Ctrl = size:64
@@ -386,12 +392,14 @@ Ctrl = size:64
Title = KMAC XOF Tests (From NIST)
@ -553,7 +512,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -422,6 +430,7 @@ Custom = "My Tagged Application"
@@ -399,6 +407,7 @@ Custom = "My Tagged Application"
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
XOF = 1
@ -561,7 +520,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF6584
@@ -407,6 +416,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
XOF = 1
Ctrl = size:32
@ -569,7 +528,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -437,6 +447,7 @@ Custom = "My Tagged Application"
@@ -414,6 +424,7 @@ Custom = "My Tagged Application"
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
XOF = 1
@ -577,7 +536,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -444,6 +455,7 @@ Custom = ""
@@ -421,6 +432,7 @@ Custom = ""
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
XOF = 1
@ -585,7 +544,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -454,6 +466,7 @@ XOF = 1
@@ -431,6 +443,7 @@ XOF = 1
Title = KMAC long customisation string (from NIST ACVP)
@ -593,7 +552,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC256
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -464,12 +477,14 @@ XOF = 1
@@ -441,12 +454,14 @@ XOF = 1
Title = KMAC XOF Tests via ctrl (From NIST)
@ -608,7 +567,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -477,6 +492,7 @@ Custom = "My Tagged Application"
@@ -454,6 +469,7 @@ Custom = "My Tagged Application"
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
Ctrl = xof:1
@ -616,7 +575,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF6584
@@ -462,6 +478,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
Ctrl = xof:1
Ctrl = size:32
@ -624,7 +583,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -492,6 +509,7 @@ Custom = "My Tagged Application"
@@ -469,6 +486,7 @@ Custom = "My Tagged Application"
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
Ctrl = xof:1
@ -632,7 +591,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -499,6 +517,7 @@ Custom = ""
@@ -476,6 +494,7 @@ Custom = ""
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
Ctrl = xof:1
@ -640,7 +599,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -509,6 +528,7 @@ Ctrl = xof:1
@@ -486,6 +505,7 @@ Ctrl = xof:1
Title = KMAC long customisation string via ctrl (from NIST ACVP)
@ -648,7 +607,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC256
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -519,6 +539,7 @@ Ctrl = xof:1
@@ -496,6 +516,7 @@ Ctrl = xof:1
Title = KMAC long customisation string negative test
@ -656,7 +615,7 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR
@@ -504,6 +525,7 @@ Result = MAC_INIT_ERROR
Title = KMAC output is too large
@ -664,10 +623,10 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
Index: openssl-3.2.3/test/recipes/80-test_cms.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/80-test_cms.t
+++ openssl-3.2.3/test/recipes/80-test_cms.t
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 40dd585c18..cbec426137 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@ -740,7 +699,7 @@ Index: openssl-3.2.3/test/recipes/80-test_cms.t
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
@@ -248,7 +248,7 @@ my @smime_pkcs7_tests = (
my @smime_cms_tests = (
@ -749,7 +708,7 @@ Index: openssl-3.2.3/test/recipes/80-test_cms.t
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-keyid",
"-signer", $smrsa1,
@@ -263,7 +263,7 @@ my @smime_cms_tests = (
@@ -261,7 +261,7 @@ my @smime_cms_tests = (
\&final_compare
],
@ -758,7 +717,7 @@ Index: openssl-3.2.3/test/recipes/80-test_cms.t
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -373,7 +373,7 @@ my @smime_cms_tests = (
@@ -371,7 +371,7 @@ my @smime_cms_tests = (
\&final_compare
],
@ -767,10 +726,10 @@ Index: openssl-3.2.3/test/recipes/80-test_cms.t
[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-stream", "-out", "{output}.cms" ],
Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.2.3/test/recipes/80-test_ssl_old.t
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 50b74a1e29..e2dcb68fb5 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -436,7 +436,7 @@ sub testssl {
my @exkeys = ();
my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
@ -780,3 +739,6 @@ Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
}
--
2.41.0

74
openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
View File

@ -45,11 +45,11 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
util/perl/OpenSSL/paramnames.pm | 23 ++++++++++---------
3 files changed, 37 insertions(+), 11 deletions(-)
Index: openssl-3.2.3/include/openssl/evp.h
Index: openssl-3.1.4/include/openssl/evp.h
===================================================================
--- openssl-3.2.3.orig/include/openssl/evp.h
+++ openssl-3.2.3/include/openssl/evp.h
@@ -804,6 +804,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CT
--- openssl-3.1.4.orig/include/openssl/evp.h
+++ openssl-3.1.4/include/openssl/evp.h
@@ -801,6 +801,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CT
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
int *outl);
@ -60,11 +60,11 @@ Index: openssl-3.2.3/include/openssl/evp.h
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
EVP_PKEY *pkey);
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
@@ -1185,6 +1185,24 @@ static int rsa_get_ctx_params(void *vprs
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
@@ -1167,6 +1167,24 @@ static int rsa_get_ctx_params(void *vprs
}
}
@ -89,7 +89,7 @@ Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
return 1;
}
@@ -1194,6 +1212,9 @@ static const OSSL_PARAM known_gettable_c
@@ -1176,6 +1194,9 @@ static const OSSL_PARAM known_gettable_c
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
@ -99,15 +99,51 @@ Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
OSSL_PARAM_END
};
Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
Index: openssl-3.1.4/include/openssl/core_names.h
===================================================================
--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
+++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
@@ -386,6 +386,7 @@ my %params = (
'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
+ 'SIGNATURE_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator",
'SIGNATURE_PARAM_INSTANCE' => "instance",
'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
--- openssl-3.1.4.orig/include/openssl/core_names.h
+++ openssl-3.1.4/include/openssl/core_names.h
@@ -458,6 +458,7 @@ extern "C" {
#define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \
OSSL_PKEY_PARAM_MGF1_PROPERTIES
#define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE
+#define OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator"
/* Asym cipher parameters */
#define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST
Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
===================================================================
--- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
@@ -696,8 +696,13 @@ static int rsa_verify_recover(void *vprs
size_t rsabits = RSA_bits(prsactx->rsa);
if (rsabits < 2048) {
- ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
- return 0;
+ if (rsabits != 1024
+ && rsabits != 1280
+ && rsabits != 1536
+ && rsabits != 1792) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
}
# endif
@@ -792,8 +797,13 @@ static int rsa_verify(void *vprsactx, co
size_t rsabits = RSA_bits(prsactx->rsa);
if (rsabits < 2048) {
- ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
- return 0;
+ if (rsabits != 1024
+ && rsabits != 1280
+ && rsabits != 1536
+ && rsabits != 1792) {
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
+ return 0;
+ }
}
# endif

309
openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch Normal file
View File

@ -0,0 +1,309 @@
From 4580c303fa88f77a98461fee5fe26b5db725967c Mon Sep 17 00:00:00 2001
From: Todd Short <todd.short@me.com>
Date: Thu, 1 Feb 2024 23:09:38 -0500
Subject: [PATCH 1/2] Fix EVP_PKEY_CTX_add1_hkdf_info() behavior
Fix #23448
`EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function.
Fix the setting of the parameter in the params code.
Update the TLS_PRF code to also use the params code.
Add tests.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23456)
(cherry picked from commit 6b566687b58fde08b28e3331377f050768fad89b)
---
crypto/evp/pmeth_lib.c | 65 ++++++++++++++++++-
providers/implementations/exchange/kdf_exch.c | 42 ++++++++++++
providers/implementations/kdfs/hkdf.c | 8 +++
test/pkey_meth_kdf_test.c | 53 +++++++++++----
4 files changed, 156 insertions(+), 12 deletions(-)
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index ba1971c..d0eeaf7 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -1028,6 +1028,69 @@ static int evp_pkey_ctx_set1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
return EVP_PKEY_CTX_set_params(ctx, octet_string_params);
}
+static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+ const char *param, int op, int ctrl,
+ const unsigned char *data,
+ int datalen)
+{
+ OSSL_PARAM os_params[2];
+ unsigned char *info = NULL;
+ size_t info_len = 0;
+ size_t info_alloc = 0;
+ int ret = 0;
+
+ if (ctx == NULL || (ctx->operation & op) == 0) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+ /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+ return -2;
+ }
+
+ /* Code below to be removed when legacy support is dropped. */
+ if (fallback)
+ return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data));
+ /* end of legacy support */
+
+ if (datalen < 0) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
+ return 0;
+ }
+
+ /* Get the original value length */
+ os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
+ os_params[1] = OSSL_PARAM_construct_end();
+
+ if (!EVP_PKEY_CTX_get_params(ctx, os_params))
+ return 0;
+
+ /* Older provider that doesn't support getting this parameter */
+ if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
+
+ info_alloc = os_params[0].return_size + datalen;
+ if (info_alloc == 0)
+ return 0;
+ info = OPENSSL_zalloc(info_alloc);
+ if (info == NULL)
+ return 0;
+ info_len = os_params[0].return_size;
+
+ os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc);
+
+ /* if we have data, then go get it */
+ if (info_len > 0) {
+ if (!EVP_PKEY_CTX_get_params(ctx, os_params))
+ goto error;
+ }
+
+ /* Copy the input data */
+ memcpy(&info[info_len], data, datalen);
+ ret = EVP_PKEY_CTX_set_params(ctx, os_params);
+
+ error:
+ OPENSSL_clear_free(info, info_alloc);
+ return ret;
+}
+
int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx,
const unsigned char *sec, int seclen)
{
@@ -1078,7 +1141,7 @@ int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx,
int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx,
const unsigned char *info, int infolen)
{
- return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL,
+ return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL,
OSSL_KDF_PARAM_INFO,
EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_HKDF_INFO,
diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c
index 527a866..4bc8102 100644
--- a/providers/implementations/exchange/kdf_exch.c
+++ b/providers/implementations/exchange/kdf_exch.c
@@ -28,9 +28,13 @@ static OSSL_FUNC_keyexch_derive_fn kdf_derive;
static OSSL_FUNC_keyexch_freectx_fn kdf_freectx;
static OSSL_FUNC_keyexch_dupctx_fn kdf_dupctx;
static OSSL_FUNC_keyexch_set_ctx_params_fn kdf_set_ctx_params;
+static OSSL_FUNC_keyexch_get_ctx_params_fn kdf_get_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params;
+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
typedef struct {
void *provctx;
@@ -169,6 +173,13 @@ static int kdf_set_ctx_params(void *vpkdfctx, const OSSL_PARAM params[])
return EVP_KDF_CTX_set_params(pkdfctx->kdfctx, params);
}
+static int kdf_get_ctx_params(void *vpkdfctx, OSSL_PARAM params[])
+{
+ PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
+
+ return EVP_KDF_CTX_get_params(pkdfctx->kdfctx, params);
+}
+
static const OSSL_PARAM *kdf_settable_ctx_params(ossl_unused void *vpkdfctx,
void *provctx,
const char *kdfname)
@@ -197,6 +208,34 @@ KDF_SETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
KDF_SETTABLE_CTX_PARAMS(hkdf, "HKDF")
KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
+static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx,
+ void *provctx,
+ const char *kdfname)
+{
+ EVP_KDF *kdf = EVP_KDF_fetch(PROV_LIBCTX_OF(provctx), kdfname,
+ NULL);
+ const OSSL_PARAM *params;
+
+ if (kdf == NULL)
+ return NULL;
+
+ params = EVP_KDF_gettable_ctx_params(kdf);
+ EVP_KDF_free(kdf);
+
+ return params;
+}
+
+#define KDF_GETTABLE_CTX_PARAMS(funcname, kdfname) \
+ static const OSSL_PARAM *kdf_##funcname##_gettable_ctx_params(void *vpkdfctx, \
+ void *provctx) \
+ { \
+ return kdf_gettable_ctx_params(vpkdfctx, provctx, kdfname); \
+ }
+
+KDF_GETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
+KDF_GETTABLE_CTX_PARAMS(hkdf, "HKDF")
+KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
+
#define KDF_KEYEXCH_FUNCTIONS(funcname) \
const OSSL_DISPATCH ossl_kdf_##funcname##_keyexch_functions[] = { \
{ OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))kdf_##funcname##_newctx }, \
@@ -205,8 +244,11 @@ KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
{ OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))kdf_freectx }, \
{ OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))kdf_dupctx }, \
{ OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))kdf_set_ctx_params }, \
+ { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))kdf_get_ctx_params }, \
{ OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, \
(void (*)(void))kdf_##funcname##_settable_ctx_params }, \
+ { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, \
+ (void (*)(void))kdf_##funcname##_gettable_ctx_params }, \
{ 0, NULL } \
};
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index daa619b..dd65a2a 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -371,6 +371,13 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
return 0;
return OSSL_PARAM_set_size_t(p, sz);
}
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
+ if (ctx->info == NULL || ctx->info_len == 0) {
+ p->return_size = 0;
+ return 1;
+ }
+ return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
+ }
return -2;
}
@@ -379,6 +386,7 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
OSSL_PARAM_END
};
return known_gettable_ctx_params;
diff --git a/test/pkey_meth_kdf_test.c b/test/pkey_meth_kdf_test.c
index f816d24..c09e2f3 100644
--- a/test/pkey_meth_kdf_test.c
+++ b/test/pkey_meth_kdf_test.c
@@ -16,7 +16,7 @@
#include <openssl/kdf.h>
#include "testutil.h"
-static int test_kdf_tls1_prf(void)
+static int test_kdf_tls1_prf(int index)
{
int ret = 0;
EVP_PKEY_CTX *pctx;
@@ -40,10 +40,23 @@ static int test_kdf_tls1_prf(void)
TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret");
goto err;
}
- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
- (unsigned char *)"seed", 4) <= 0) {
- TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
- goto err;
+ if (index == 0) {
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+ (unsigned char *)"seed", 4) <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+ goto err;
+ }
+ } else {
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+ (unsigned char *)"se", 2) <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+ goto err;
+ }
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+ (unsigned char *)"ed", 2) <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+ goto err;
+ }
}
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
TEST_error("EVP_PKEY_derive");
@@ -65,7 +78,7 @@ err:
return ret;
}
-static int test_kdf_hkdf(void)
+static int test_kdf_hkdf(int index)
{
int ret = 0;
EVP_PKEY_CTX *pctx;
@@ -94,10 +107,23 @@ static int test_kdf_hkdf(void)
TEST_error("EVP_PKEY_CTX_set1_hkdf_key");
goto err;
}
- if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
+ if (index == 0) {
+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
<= 0) {
- TEST_error("EVP_PKEY_CTX_set1_hkdf_info");
- goto err;
+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+ goto err;
+ }
+ } else {
+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3)
+ <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+ goto err;
+ }
+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2)
+ <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+ goto err;
+ }
}
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
TEST_error("EVP_PKEY_derive");
@@ -195,8 +221,13 @@ err:
int setup_tests(void)
{
- ADD_TEST(test_kdf_tls1_prf);
- ADD_TEST(test_kdf_hkdf);
+ int tests = 1;
+
+ if (fips_provider_version_ge(NULL, 3, 3, 1))
+ tests = 2;
+
+ ADD_ALL_TESTS(test_kdf_tls1_prf, tests);
+ ADD_ALL_TESTS(test_kdf_hkdf, tests);
#ifndef OPENSSL_NO_SCRYPT
ADD_TEST(test_kdf_scrypt);
#endif
--
2.45.1

19
openssl-Force-FIPS.patch
View File

@ -11,10 +11,10 @@ Patch-status: |
crypto/provider_conf.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
Index: openssl-3.1.7/crypto/provider_conf.c
Index: openssl-3.1.4/crypto/provider_conf.c
===================================================================
--- openssl-3.1.7.orig/crypto/provider_conf.c
+++ openssl-3.1.7/crypto/provider_conf.c
--- openssl-3.1.4.orig/crypto/provider_conf.c
+++ openssl-3.1.4/crypto/provider_conf.c
@@ -10,6 +10,8 @@
#include <string.h>
#include <openssl/trace.h>
@ -24,25 +24,25 @@ Index: openssl-3.1.7/crypto/provider_conf.c
#include <openssl/conf.h>
#include <openssl/safestack.h>
#include <openssl/provider.h>
@@ -237,7 +239,7 @@ static int provider_conf_activate(OSSL_L
@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_L
if (path != NULL)
ossl_provider_set_module_path(prov, path);
- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
if (ok == 1) {
if (ok) {
if (!ossl_provider_activate(prov, 1, 0)) {
@@ -266,6 +268,8 @@ static int provider_conf_activate(OSSL_L
if (ok <= 0)
@@ -197,6 +199,8 @@ static int provider_conf_activate(OSSL_L
}
if (!ok)
ossl_provider_free(prov);
+ } else {
+ ok = 1;
}
CRYPTO_THREAD_unlock(pcgbl->lock);
@@ -383,6 +387,32 @@ static int provider_conf_init(CONF_IMODU
@@ -309,6 +313,33 @@ static int provider_conf_init(CONF_IMODU
return 0;
}
@ -54,6 +54,7 @@ Index: openssl-3.1.7/crypto/provider_conf.c
+ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
+ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
+ return 0;
+
+ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
+ NCONF_free(fips_conf);
+ return 0;

94
openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch Normal file
View File

@ -0,0 +1,94 @@
From d6a9c21302e01c33a9a919e7ba380ba3b0ed65b0 Mon Sep 17 00:00:00 2001
From: trinity-1686a <trinity@deuxfleurs.fr>
Date: Mon, 15 Apr 2024 11:13:14 +0200
Subject: [PATCH 2/2] Handle empty param in EVP_PKEY_CTX_add1_hkdf_info
Fixes #24130
The regression was introduced in PR #23456.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24141)
(cherry picked from commit 299996fb1fcd76eeadfd547958de2a1b822f37f5)
---
crypto/evp/pmeth_lib.c | 2 ++
test/evp_extra_test.c | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index d0eeaf7..bce1ebc 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -1053,6 +1053,8 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
if (datalen < 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
return 0;
+ } else if (datalen == 0) {
+ return 1;
}
/* Get the original value length */
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 9b3bee7..22121ce 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -2565,6 +2565,47 @@ static int test_emptyikm_HKDF(void)
return ret;
}
+static int test_empty_salt_info_HKDF(void)
+{
+ EVP_PKEY_CTX *pctx;
+ unsigned char out[20];
+ size_t outlen;
+ int ret = 0;
+ unsigned char salt[] = "";
+ unsigned char key[] = "012345678901234567890123456789";
+ unsigned char info[] = "";
+ const unsigned char expected[] = {
+ 0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a,
+ 0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06,
+ };
+ size_t expectedlen = sizeof(expected);
+
+ if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
+ goto done;
+
+ outlen = sizeof(out);
+ memset(out, 0, outlen);
+
+ if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
+ sizeof(salt) - 1), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
+ sizeof(key) - 1), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
+ sizeof(info) - 1), 0)
+ || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
+ || !TEST_mem_eq(out, outlen, expected, expectedlen))
+ goto done;
+
+ ret = 1;
+
+ done:
+ EVP_PKEY_CTX_free(pctx);
+
+ return ret;
+}
+
#ifndef OPENSSL_NO_EC
static int test_X509_PUBKEY_inplace(void)
{
@@ -5166,6 +5207,7 @@ int setup_tests(void)
#endif
ADD_TEST(test_HKDF);
ADD_TEST(test_emptyikm_HKDF);
+ ADD_TEST(test_empty_salt_info_HKDF);
#ifndef OPENSSL_NO_EC
ADD_TEST(test_X509_PUBKEY_inplace);
ADD_TEST(test_X509_PUBKEY_dup);
--
2.45.1

495
openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch Normal file
View File

@ -0,0 +1,495 @@
From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001
From: Danny Tsen <dtsen@linux.ibm.com>
Date: Tue, 22 Aug 2023 15:58:53 -0400
Subject: [PATCH] Improve performance for 6x unrolling with vpermxor
instruction
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21812)
---
crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++-------------
1 file changed, 95 insertions(+), 50 deletions(-)
diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl
index 60cf86f52aed2..38b9405a283b7 100755
--- a/crypto/aes/asm/aesp8-ppc.pl
+++ b/crypto/aes/asm/aesp8-ppc.pl
@@ -99,11 +99,12 @@
.long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
.long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
.long 0,0,0,0 ?asis
+.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe
Lconsts:
mflr r0
bcl 20,31,\$+4
mflr $ptr #vvvvv "distance between . and rcon
- addi $ptr,$ptr,-0x48
+ addi $ptr,$ptr,-0x58
mtlr r0
blr
.long 0
@@ -2405,7 +2406,7 @@ ()
my $key_=$key2;
my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
$x00=0 if ($flavour =~ /osx/);
-my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5));
+my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5));
my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
@@ -2460,6 +2461,18 @@ ()
li $x70,0x70
mtspr 256,r0
+ # Reverse eighty7 to 0x010101..87
+ xxlor 2, 32+$eighty7, 32+$eighty7
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
+ xxlor 1, 32+$eighty7, 32+$eighty7
+
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
+ mr $x70, r6
+ bl Lconsts
+ lxvw4x 0, $x40, r6 # load XOR contents
+ mr r6, $x70
+ li $x70,0x70
+
subi $rounds,$rounds,3 # -4 in total
lvx $rndkey0,$x00,$key1 # load key schedule
@@ -2502,69 +2515,77 @@ ()
?vperm v31,v31,$twk5,$keyperm
lvx v25,$x10,$key_ # pre-load round[2]
+ # Switch to use the following codes with 0x010101..87 to generate tweak.
+ # eighty7 = 0x010101..87
+ # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits
+ # vand tmp, tmp, eighty7 # last byte with carry
+ # vaddubm tweak, tweak, tweak # left shift 1 bit (x2)
+ # xxlor vsx, 0, 0
+ # vpermxor tweak, tweak, tmp, vsx
+
vperm $in0,$inout,$inptail,$inpperm
subi $inp,$inp,31 # undo "caller"
vxor $twk0,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vand $tmp,$tmp,$eighty7
vxor $out0,$in0,$twk0
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
lvx_u $in1,$x10,$inp
vxor $twk1,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in1,$in1,$in1,$leperm
vand $tmp,$tmp,$eighty7
vxor $out1,$in1,$twk1
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
lvx_u $in2,$x20,$inp
andi. $taillen,$len,15
vxor $twk2,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in2,$in2,$in2,$leperm
vand $tmp,$tmp,$eighty7
vxor $out2,$in2,$twk2
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
lvx_u $in3,$x30,$inp
sub $len,$len,$taillen
vxor $twk3,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in3,$in3,$in3,$leperm
vand $tmp,$tmp,$eighty7
vxor $out3,$in3,$twk3
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
lvx_u $in4,$x40,$inp
subi $len,$len,0x60
vxor $twk4,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in4,$in4,$in4,$leperm
vand $tmp,$tmp,$eighty7
vxor $out4,$in4,$twk4
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
lvx_u $in5,$x50,$inp
addi $inp,$inp,0x60
vxor $twk5,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in5,$in5,$in5,$leperm
vand $tmp,$tmp,$eighty7
vxor $out5,$in5,$twk5
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
vxor v31,v31,$rndkey0
mtctr $rounds
@@ -2590,6 +2611,8 @@ ()
lvx v25,$x10,$key_ # round[4]
bdnz Loop_xts_enc6x
+ xxlor 32+$eighty7, 1, 1 # 0x010101..87
+
subic $len,$len,96 # $len-=96
vxor $in0,$twk0,v31 # xor with last round key
vcipher $out0,$out0,v24
@@ -2599,7 +2622,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vcipher $out2,$out2,v24
vcipher $out3,$out3,v24
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out4,$out4,v24
vcipher $out5,$out5,v24
@@ -2607,7 +2629,8 @@ ()
vand $tmp,$tmp,$eighty7
vcipher $out0,$out0,v25
vcipher $out1,$out1,v25
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
vcipher $out2,$out2,v25
vcipher $out3,$out3,v25
vxor $in1,$twk1,v31
@@ -2618,13 +2641,13 @@ ()
and r0,r0,$len
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out0,$out0,v26
vcipher $out1,$out1,v26
vand $tmp,$tmp,$eighty7
vcipher $out2,$out2,v26
vcipher $out3,$out3,v26
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
vcipher $out4,$out4,v26
vcipher $out5,$out5,v26
@@ -2638,7 +2661,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vcipher $out0,$out0,v27
vcipher $out1,$out1,v27
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out2,$out2,v27
vcipher $out3,$out3,v27
vand $tmp,$tmp,$eighty7
@@ -2646,7 +2668,8 @@ ()
vcipher $out5,$out5,v27
addi $key_,$sp,$FRAME+15 # rewind $key_
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
vcipher $out0,$out0,v28
vcipher $out1,$out1,v28
vxor $in3,$twk3,v31
@@ -2655,7 +2678,6 @@ ()
vcipher $out2,$out2,v28
vcipher $out3,$out3,v28
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out4,$out4,v28
vcipher $out5,$out5,v28
lvx v24,$x00,$key_ # re-pre-load round[1]
@@ -2663,7 +2685,8 @@ ()
vcipher $out0,$out0,v29
vcipher $out1,$out1,v29
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
vcipher $out2,$out2,v29
vcipher $out3,$out3,v29
vxor $in4,$twk4,v31
@@ -2673,14 +2696,14 @@ ()
vcipher $out5,$out5,v29
lvx v25,$x10,$key_ # re-pre-load round[2]
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out0,$out0,v30
vcipher $out1,$out1,v30
vand $tmp,$tmp,$eighty7
vcipher $out2,$out2,v30
vcipher $out3,$out3,v30
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
vcipher $out4,$out4,v30
vcipher $out5,$out5,v30
vxor $in5,$twk5,v31
@@ -2690,7 +2713,6 @@ ()
vcipherlast $out0,$out0,$in0
lvx_u $in0,$x00,$inp # load next input block
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipherlast $out1,$out1,$in1
lvx_u $in1,$x10,$inp
vcipherlast $out2,$out2,$in2
@@ -2703,7 +2725,10 @@ ()
vcipherlast $out4,$out4,$in4
le?vperm $in2,$in2,$in2,$leperm
lvx_u $in4,$x40,$inp
- vxor $tweak,$tweak,$tmp
+ xxlor 10, 32+$in0, 32+$in0
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
+ xxlor 32+$in0, 10, 10
vcipherlast $tmp,$out5,$in5 # last block might be needed
# in stealing mode
le?vperm $in3,$in3,$in3,$leperm
@@ -2736,6 +2761,8 @@ ()
mtctr $rounds
beq Loop_xts_enc6x # did $len-=96 borrow?
+ xxlor 32+$eighty7, 2, 2 # 0x870101..01
+
addic. $len,$len,0x60
beq Lxts_enc6x_zero
cmpwi $len,0x20
@@ -3112,6 +3139,18 @@ ()
li $x70,0x70
mtspr 256,r0
+ # Reverse eighty7 to 0x010101..87
+ xxlor 2, 32+$eighty7, 32+$eighty7
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
+ xxlor 1, 32+$eighty7, 32+$eighty7
+
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
+ mr $x70, r6
+ bl Lconsts
+ lxvw4x 0, $x40, r6 # load XOR contents
+ mr r6, $x70
+ li $x70,0x70
+
subi $rounds,$rounds,3 # -4 in total
lvx $rndkey0,$x00,$key1 # load key schedule
@@ -3159,64 +3198,64 @@ ()
vxor $twk0,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vand $tmp,$tmp,$eighty7
vxor $out0,$in0,$twk0
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
lvx_u $in1,$x10,$inp
vxor $twk1,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in1,$in1,$in1,$leperm
vand $tmp,$tmp,$eighty7
vxor $out1,$in1,$twk1
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
lvx_u $in2,$x20,$inp
andi. $taillen,$len,15
vxor $twk2,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in2,$in2,$in2,$leperm
vand $tmp,$tmp,$eighty7
vxor $out2,$in2,$twk2
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
lvx_u $in3,$x30,$inp
sub $len,$len,$taillen
vxor $twk3,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in3,$in3,$in3,$leperm
vand $tmp,$tmp,$eighty7
vxor $out3,$in3,$twk3
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
lvx_u $in4,$x40,$inp
subi $len,$len,0x60
vxor $twk4,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in4,$in4,$in4,$leperm
vand $tmp,$tmp,$eighty7
vxor $out4,$in4,$twk4
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
lvx_u $in5,$x50,$inp
addi $inp,$inp,0x60
vxor $twk5,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in5,$in5,$in5,$leperm
vand $tmp,$tmp,$eighty7
vxor $out5,$in5,$twk5
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
vxor v31,v31,$rndkey0
mtctr $rounds
@@ -3242,6 +3281,8 @@ ()
lvx v25,$x10,$key_ # round[4]
bdnz Loop_xts_dec6x
+ xxlor 32+$eighty7, 1, 1
+
subic $len,$len,96 # $len-=96
vxor $in0,$twk0,v31 # xor with last round key
vncipher $out0,$out0,v24
@@ -3251,7 +3292,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vncipher $out2,$out2,v24
vncipher $out3,$out3,v24
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out4,$out4,v24
vncipher $out5,$out5,v24
@@ -3259,7 +3299,8 @@ ()
vand $tmp,$tmp,$eighty7
vncipher $out0,$out0,v25
vncipher $out1,$out1,v25
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
vncipher $out2,$out2,v25
vncipher $out3,$out3,v25
vxor $in1,$twk1,v31
@@ -3270,13 +3311,13 @@ ()
and r0,r0,$len
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out0,$out0,v26
vncipher $out1,$out1,v26
vand $tmp,$tmp,$eighty7
vncipher $out2,$out2,v26
vncipher $out3,$out3,v26
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
vncipher $out4,$out4,v26
vncipher $out5,$out5,v26
@@ -3290,7 +3331,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vncipher $out0,$out0,v27
vncipher $out1,$out1,v27
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out2,$out2,v27
vncipher $out3,$out3,v27
vand $tmp,$tmp,$eighty7
@@ -3298,7 +3338,8 @@ ()
vncipher $out5,$out5,v27
addi $key_,$sp,$FRAME+15 # rewind $key_
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
vncipher $out0,$out0,v28
vncipher $out1,$out1,v28
vxor $in3,$twk3,v31
@@ -3307,7 +3348,6 @@ ()
vncipher $out2,$out2,v28
vncipher $out3,$out3,v28
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out4,$out4,v28
vncipher $out5,$out5,v28
lvx v24,$x00,$key_ # re-pre-load round[1]
@@ -3315,7 +3355,8 @@ ()
vncipher $out0,$out0,v29
vncipher $out1,$out1,v29
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
vncipher $out2,$out2,v29
vncipher $out3,$out3,v29
vxor $in4,$twk4,v31
@@ -3325,14 +3366,14 @@ ()
vncipher $out5,$out5,v29
lvx v25,$x10,$key_ # re-pre-load round[2]
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out0,$out0,v30
vncipher $out1,$out1,v30
vand $tmp,$tmp,$eighty7
vncipher $out2,$out2,v30
vncipher $out3,$out3,v30
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
vncipher $out4,$out4,v30
vncipher $out5,$out5,v30
vxor $in5,$twk5,v31
@@ -3342,7 +3383,6 @@ ()
vncipherlast $out0,$out0,$in0
lvx_u $in0,$x00,$inp # load next input block
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipherlast $out1,$out1,$in1
lvx_u $in1,$x10,$inp
vncipherlast $out2,$out2,$in2
@@ -3355,7 +3395,10 @@ ()
vncipherlast $out4,$out4,$in4
le?vperm $in2,$in2,$in2,$leperm
lvx_u $in4,$x40,$inp
- vxor $tweak,$tweak,$tmp
+ xxlor 10, 32+$in0, 32+$in0
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
+ xxlor 32+$in0, 10, 10
vncipherlast $out5,$out5,$in5
le?vperm $in3,$in3,$in3,$leperm
lvx_u $in5,$x50,$inp
@@ -3386,6 +3429,8 @@ ()
mtctr $rounds
beq Loop_xts_dec6x # did $len-=96 borrow?
+ xxlor 32+$eighty7, 2, 2
+
addic. $len,$len,0x60
beq Lxts_dec6x_zero
cmpwi $len,0x20

65
openssl-Remove-EC-curves.patch
View File

@ -15,11 +15,11 @@ Patch-status: |
test/recipes/15-test_genec.t | 27 -----------
5 files changed, 1 insertion(+), 147 deletions(-)
Index: openssl-3.2.3/apps/speed.c
===================================================================
--- openssl-3.2.3.orig/apps/speed.c
+++ openssl-3.2.3/apps/speed.c
@@ -401,7 +401,7 @@ static double ffdh_results[FFDH_NUM][1];
diff --git a/apps/speed.c b/apps/speed.c
index cace25eda1..d527f12f18 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
#endif /* OPENSSL_NO_DH */
enum ec_curves_t {
@ -28,7 +28,7 @@ Index: openssl-3.2.3/apps/speed.c
#ifndef OPENSSL_NO_EC2M
R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
@@ -411,8 +411,6 @@ enum ec_curves_t {
@@ -395,8 +395,6 @@ enum ec_curves_t {
};
/* list of ecdsa curves */
static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
@ -37,8 +37,8 @@ Index: openssl-3.2.3/apps/speed.c
{"ecdsap224", R_EC_P224},
{"ecdsap256", R_EC_P256},
{"ecdsap384", R_EC_P384},
@@ -445,8 +443,6 @@ enum {
};
@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM };
/* list of ecdh curves, extension of |ecdsa_choices| list above */
static const OPT_PAIR ecdh_choices[EC_NUM] = {
- {"ecdhp160", R_EC_P160},
@ -46,7 +46,7 @@ Index: openssl-3.2.3/apps/speed.c
{"ecdhp224", R_EC_P224},
{"ecdhp256", R_EC_P256},
{"ecdhp384", R_EC_P384},
@@ -1781,8 +1777,6 @@ int speed_main(int argc, char **argv)
@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv)
*/
static const EC_CURVE ec_curves[EC_NUM] = {
/* Prime Curves */
@ -55,10 +55,10 @@ Index: openssl-3.2.3/apps/speed.c
{"nistp224", NID_secp224r1, 224},
{"nistp256", NID_X9_62_prime256v1, 256},
{"nistp384", NID_secp384r1, 384},
Index: openssl-3.2.3/crypto/evp/ec_support.c
===================================================================
--- openssl-3.2.3.orig/crypto/evp/ec_support.c
+++ openssl-3.2.3/crypto/evp/ec_support.c
diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
index 1ec10143d2..82b95294b4 100644
--- a/crypto/evp/ec_support.c
+++ b/crypto/evp/ec_support.c
@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
static const EC_NAME2NID curve_list[] = {
/* prime field curves */
@ -149,7 +149,7 @@ Index: openssl-3.2.3/crypto/evp/ec_support.c
{"brainpoolP256r1", NID_brainpoolP256r1 },
{"brainpoolP256t1", NID_brainpoolP256t1 },
{"brainpoolP320r1", NID_brainpoolP320r1 },
@@ -150,17 +76,6 @@ int ossl_ec_curve_name2nid(const char *n
@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name)
/* Functions to translate between common NIST curve names and NIDs */
static const EC_NAME2NID nist_curves[] = {
@ -167,14 +167,15 @@ Index: openssl-3.2.3/crypto/evp/ec_support.c
{"P-224", NID_secp224r1},
{"P-256", NID_X9_62_prime256v1},
{"P-384", NID_secp384r1},
Index: openssl-3.2.3/test/acvp_test.inc
===================================================================
--- openssl-3.2.3.orig/test/acvp_test.inc
+++ openssl-3.2.3/test/acvp_test.inc
@@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
index ad11d3ae1e..894a0bff9d 100644
--- a/test/acvp_test.inc
+++ b/test/acvp_test.inc
@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = {
0xB1, 0xAC,
};
static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
{
- {
- "SHA-1",
- "P-192",
- ITM(ecdsa_sigver_msg0),
@ -183,14 +184,13 @@ Index: openssl-3.2.3/test/acvp_test.inc
- ITM(ecdsa_sigver_s0),
- PASS,
- },
- {
{
"SHA2-512",
"P-521",
ITM(ecdsa_sigver_msg1),
Index: openssl-3.2.3/test/ecdsatest.h
===================================================================
--- openssl-3.2.3.orig/test/ecdsatest.h
+++ openssl-3.2.3/test/ecdsatest.h
diff --git a/test/ecdsatest.h b/test/ecdsatest.h
index 63fe319025..06b5c0aac5 100644
--- a/test/ecdsatest.h
+++ b/test/ecdsatest.h
@@ -32,23 +32,6 @@ typedef struct {
} ecdsa_cavs_kat_t;
@ -215,11 +215,11 @@ Index: openssl-3.2.3/test/ecdsatest.h
/* prime KATs from NIST CAVP */
{NID_secp224r1, NID_sha224,
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
Index: openssl-3.2.3/test/recipes/15-test_genec.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/15-test_genec.t
+++ openssl-3.2.3/test/recipes/15-test_genec.t
@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport
diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t
index 2dfed387ca..c733b68f83 100644
--- a/test/recipes/15-test_genec.t
+++ b/test/recipes/15-test_genec.t
@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build"
if disabled("ec");
my @prime_curves = qw(
@ -265,3 +265,6 @@ Index: openssl-3.2.3/test/recipes/15-test_genec.t
P-224
P-256
P-384
--
2.41.0

43
openssl-TESTS-Disable-default-provider-crypto-policies.patch
View File

@ -1,43 +0,0 @@
Index: openssl-3.2.3/apps/openssl.cnf
===================================================================
--- openssl-3.2.3.orig/apps/openssl.cnf
+++ openssl-3.2.3/apps/openssl.cnf
@@ -45,8 +45,8 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
# Load default TLS policy configuration
-ssl_conf = ssl_module
-alg_section = evp_properties
+##ssl_conf = ssl_module
+##alg_section = evp_properties
[ evp_properties ]
# This section is intentionally added empty here to be tuned on particular systems
@@ -61,20 +61,20 @@ alg_section = evp_properties
# to side-channel attacks and as such have been deprecated.
[provider_sect]
-default = default_sect
+##default = default_sect
##legacy = legacy_sect
-[default_sect]
-activate = 1
+##[default_sect]
+##activate = 1
##[legacy_sect]
##activate = 1
-[ ssl_module ]
-system_default = crypto_policy
+##[ ssl_module ]
+##system_default = crypto_policy
-[ crypto_policy ]
-.include = /etc/crypto-policies/back-ends/opensslcnf.config
+##[ crypto_policy ]
+##.include = /etc/crypto-policies/back-ends/opensslcnf.config
####################################################################
[ ca ]

35
openssl-crypto-policies-support.patch Normal file
View File

@ -0,0 +1,35 @@
Add default section to load crypto-policies configuration for TLS.
It needs to be reverted before running tests.
---
apps/openssl.cnf | 20 ++++++++++++++++++--
2 files changed, 19 insertions(+), 3 deletions(-)
Index: openssl-3.2.0/apps/openssl.cnf
===================================================================
--- openssl-3.2.0.orig/apps/openssl.cnf
+++ openssl-3.2.0/apps/openssl.cnf
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
+# Load default TLS policy configuration
+ssl_conf = ssl_module
# List of providers to load
[provider_sect]
@@ -71,6 +73,13 @@ default = default_sect
[default_sect]
# activate = 1
+[ ssl_module ]
+
+system_default = crypto_policy
+
+[ crypto_policy ]
+
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
####################################################################
[ ca ]

2159
openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch Normal file
View File

File diff suppressed because it is too large Load Diff

65
openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch Normal file
View File

@ -0,0 +1,65 @@
From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Fri, 23 Jun 2023 16:41:48 +1000
Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul}
wrappers
Runtime selection of implementations for felem_{square,mul} depends on
felem_{square,mul}_wrapper functions, which overwrite function points in
a similar design to that of .plt.got sections used by program loaders
during dynamic linking.
There's no reason why these functions need to have external linkage.
Mark static.
Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21471)
---
crypto/ec/ecp_nistp521.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index 97815cac1f13..32a9268ecf17 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in)
}
#if defined(ECP_NISTP521_ASM)
-void felem_square_wrapper(largefelem out, const felem in);
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
+static void felem_square_wrapper(largefelem out, const felem in);
+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
static void (*felem_square_p)(largefelem out, const felem in) =
felem_square_wrapper;
@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2);
# include "crypto/ppc_arch.h"
# endif
-void felem_select(void)
+static void felem_select(void)
{
# if defined(_ARCH_PPC64)
if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
@@ -707,13 +707,13 @@ void felem_select(void)
felem_mul_p = felem_mul_ref;
}
-void felem_square_wrapper(largefelem out, const felem in)
+static void felem_square_wrapper(largefelem out, const felem in)
{
felem_select();
felem_square_p(out, in);
}
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
{
felem_select();
felem_mul_p(out, in1, in2);

428
openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch Normal file
View File

@ -0,0 +1,428 @@
From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Wed, 31 May 2023 14:32:26 +1000
Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul}
Add an assembly implementation of felem_{square,mul}, which will be
implemented whenever Altivec support is present and the core implements
ISA 3.0 (Power 9) or greater.
Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21471)
---
crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++
crypto/ec/build.info | 6 +-
crypto/ec/ecp_nistp384.c | 9 +
3 files changed, 368 insertions(+), 2 deletions(-)
create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl
diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
new file mode 100755
index 000000000000..3f86b391af69
--- /dev/null
+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
@@ -0,0 +1,355 @@
+#! /usr/bin/env perl
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# ====================================================================
+# Written by Rohan McLure <rmclure@linux.ibm.com> for the OpenSSL
+# project.
+# ====================================================================
+#
+# p384 lower-level primitives for PPC64 using vector instructions.
+#
+
+use strict;
+use warnings;
+
+my $flavour = shift;
+my $output = "";
+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
+if (!$output) {
+ $output = "-";
+}
+
+my ($xlate, $dir);
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
+die "can't locate ppc-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+
+my $code = "";
+
+my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12");
+
+my $vzero = "v32";
+
+sub startproc($)
+{
+ my ($name) = @_;
+
+ $code.=<<___;
+ .globl ${name}
+ .align 5
+${name}:
+
+___
+}
+
+sub endproc($)
+{
+ my ($name) = @_;
+
+ $code.=<<___;
+ blr
+ .size ${name},.-${name}
+
+___
+}
+
+
+sub push_vrs($$)
+{
+ my ($min, $max) = @_;
+
+ my $count = $max - $min + 1;
+
+ $code.=<<___;
+ mr $savesp,$sp
+ stdu $sp,-16*`$count+1`($sp)
+
+___
+ for (my $i = $min; $i <= $max; $i++) {
+ my $mult = $max - $i + 1;
+ $code.=<<___;
+ stxv $i,-16*$mult($savesp)
+___
+
+ }
+
+ $code.=<<___;
+
+___
+}
+
+sub pop_vrs($$)
+{
+ my ($min, $max) = @_;
+
+ $code.=<<___;
+ ld $savesp,0($sp)
+___
+ for (my $i = $min; $i <= $max; $i++) {
+ my $mult = $max - $i + 1;
+ $code.=<<___;
+ lxv $i,-16*$mult($savesp)
+___
+ }
+
+ $code.=<<___;
+ mr $sp,$savesp
+
+___
+}
+
+sub load_vrs($$)
+{
+ my ($pointer, $reg_list) = @_;
+
+ for (my $i = 0; $i <= 6; $i++) {
+ my $offset = $i * 8;
+ $code.=<<___;
+ lxsd $reg_list->[$i],$offset($pointer)
+___
+ }
+
+ $code.=<<___;
+
+___
+}
+
+sub store_vrs($$)
+{
+ my ($pointer, $reg_list) = @_;
+
+ for (my $i = 0; $i <= 12; $i++) {
+ my $offset = $i * 16;
+ $code.=<<___;
+ stxv $reg_list->[$i],$offset($pointer)
+___
+ }
+
+ $code.=<<___;
+
+___
+}
+
+$code.=<<___;
+.machine "any"
+.text
+
+___
+
+{
+ # mul/square common
+ my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v42", "v43");
+ my ($zero, $one) = ("r8", "r9");
+ my $out = "v51";
+
+ {
+ #
+ # p384_felem_mul
+ #
+
+ my ($in1p, $in2p) = ("r4", "r5");
+ my @in1 = map("v$_",(44..50));
+ my @in2 = map("v$_",(35..41));
+
+ startproc("p384_felem_mul");
+
+ push_vrs(52, 63);
+
+ $code.=<<___;
+ vspltisw $vzero,0
+
+___
+
+ load_vrs($in1p, \@in1);
+ load_vrs($in2p, \@in2);
+
+ $code.=<<___;
+ vmsumudm $out,$in1[0],$in2[0],$vzero
+ stxv $out,0($outp)
+
+ xxpermdi $t1,$in1[0],$in1[1],0b00
+ xxpermdi $t2,$in2[1],$in2[0],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,16($outp)
+
+ xxpermdi $t2,$in2[2],$in2[1],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in1[2],$in2[0],$out
+ stxv $out,32($outp)
+
+ xxpermdi $t2,$in2[1],$in2[0],0b00
+ xxpermdi $t3,$in1[2],$in1[3],0b00
+ xxpermdi $t4,$in2[3],$in2[2],0b00
+ vmsumudm $out,$t1,$t4,$vzero
+ vmsumudm $out,$t3,$t2,$out
+ stxv $out,48($outp)
+
+ xxpermdi $t2,$in2[4],$in2[3],0b00
+ xxpermdi $t4,$in2[2],$in2[1],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ vmsumudm $out,$in1[4],$in2[0],$out
+ stxv $out,64($outp)
+
+ xxpermdi $t2,$in2[5],$in2[4],0b00
+ xxpermdi $t4,$in2[3],$in2[2],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ xxpermdi $t4,$in2[1],$in2[0],0b00
+ xxpermdi $t1,$in1[4],$in1[5],0b00
+ vmsumudm $out,$t1,$t4,$out
+ stxv $out,80($outp)
+
+ xxpermdi $t1,$in1[0],$in1[1],0b00
+ xxpermdi $t2,$in2[6],$in2[5],0b00
+ xxpermdi $t4,$in2[4],$in2[3],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ xxpermdi $t2,$in2[2],$in2[1],0b00
+ xxpermdi $t1,$in1[4],$in1[5],0b00
+ vmsumudm $out,$t1,$t2,$out
+ vmsumudm $out,$in1[6],$in2[0],$out
+ stxv $out,96($outp)
+
+ xxpermdi $t1,$in1[1],$in1[2],0b00
+ xxpermdi $t2,$in2[6],$in2[5],0b00
+ xxpermdi $t3,$in1[3],$in1[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ xxpermdi $t3,$in2[2],$in2[1],0b00
+ xxpermdi $t1,$in1[5],$in1[6],0b00
+ vmsumudm $out,$t1,$t3,$out
+ stxv $out,112($outp)
+
+ xxpermdi $t1,$in1[2],$in1[3],0b00
+ xxpermdi $t3,$in1[4],$in1[5],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ vmsumudm $out,$in1[6],$in2[2],$out
+ stxv $out,128($outp)
+
+ xxpermdi $t1,$in1[3],$in1[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ xxpermdi $t1,$in1[5],$in1[6],0b00
+ vmsumudm $out,$t1,$t4,$out
+ stxv $out,144($outp)
+
+ vmsumudm $out,$t3,$t2,$vzero
+ vmsumudm $out,$in1[6],$in2[4],$out
+ stxv $out,160($outp)
+
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,176($outp)
+
+ vmsumudm $out,$in1[6],$in2[6],$vzero
+ stxv $out,192($outp)
+___
+
+ endproc("p384_felem_mul");
+ }
+
+ {
+ #
+ # p384_felem_square
+ #
+
+ my ($inp) = ("r4");
+ my @in = map("v$_",(44..50));
+ my @inx2 = map("v$_",(35..41));
+
+ startproc("p384_felem_square");
+
+ push_vrs(52, 63);
+
+ $code.=<<___;
+ vspltisw $vzero,0
+
+___
+
+ load_vrs($inp, \@in);
+
+ $code.=<<___;
+ li $zero,0
+ li $one,1
+ mtvsrdd $t1,$one,$zero
+___
+
+ for (my $i = 0; $i <= 6; $i++) {
+ $code.=<<___;
+ vsld $inx2[$i],$in[$i],$t1
+___
+ }
+
+ $code.=<<___;
+ vmsumudm $out,$in[0],$in[0],$vzero
+ stxv $out,0($outp)
+
+ vmsumudm $out,$in[0],$inx2[1],$vzero
+ stxv $out,16($outp)
+
+ vmsumudm $out,$in[0],$inx2[2],$vzero
+ vmsumudm $out,$in[1],$in[1],$out
+ stxv $out,32($outp)
+
+ xxpermdi $t1,$in[0],$in[1],0b00
+ xxpermdi $t2,$inx2[3],$inx2[2],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,48($outp)
+
+ xxpermdi $t4,$inx2[4],$inx2[3],0b00
+ vmsumudm $out,$t1,$t4,$vzero
+ vmsumudm $out,$in[2],$in[2],$out
+ stxv $out,64($outp)
+
+ xxpermdi $t2,$inx2[5],$inx2[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in[2],$inx2[3],$out
+ stxv $out,80($outp)
+
+ xxpermdi $t2,$inx2[6],$inx2[5],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in[2],$inx2[4],$out
+ vmsumudm $out,$in[3],$in[3],$out
+ stxv $out,96($outp)
+
+ xxpermdi $t3,$in[1],$in[2],0b00
+ vmsumudm $out,$t3,$t2,$vzero
+ vmsumudm $out,$in[3],$inx2[4],$out
+ stxv $out,112($outp)
+
+ xxpermdi $t1,$in[2],$in[3],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in[4],$in[4],$out
+ stxv $out,128($outp)
+
+ xxpermdi $t1,$in[3],$in[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,144($outp)
+
+ vmsumudm $out,$in[4],$inx2[6],$vzero
+ vmsumudm $out,$in[5],$in[5],$out
+ stxv $out,160($outp)
+
+ vmsumudm $out,$in[5],$inx2[6],$vzero
+ stxv $out,176($outp)
+
+ vmsumudm $out,$in[6],$in[6],$vzero
+ stxv $out,192($outp)
+___
+
+ endproc("p384_felem_square");
+ }
+}
+
+$code =~ s/\`([^\`]*)\`/eval $1/gem;
+print $code;
+close STDOUT or die "error closing STDOUT: $!";
diff --git a/crypto/ec/build.info b/crypto/ec/build.info
index 1fa60a1deddd..4077bead7bdb 100644
--- a/crypto/ec/build.info
+++ b/crypto/ec/build.info
@@ -39,8 +39,9 @@ IF[{- !$disabled{asm} -}]
$ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s
$ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM
IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}]
- $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s
- $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM
+ $ECASM_ppc64=$ECASM_ppc64 ecp_nistp384-ppc64.s ecp_nistp521-ppc64.s
+ $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP384_ASM ECP_NISTP521_ASM
+ INCLUDE[ecp_nistp384.o]=..
INCLUDE[ecp_nistp521.o]=..
ENDIF
@@ -119,6 +120,7 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl
INCLUDE[ecp_nistz256-armv8.o]=..
GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl
+GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl
GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl
GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl
diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
index a0559487ed4e..14f9530d07c6 100644
--- a/crypto/ec/ecp_nistp384.c
+++ b/crypto/ec/ecp_nistp384.c
@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const felem in1, const felem in2);
static void felem_select(void)
{
+# if defined(_ARCH_PPC64)
+ if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
+ felem_square_p = p384_felem_square;
+ felem_mul_p = p384_felem_mul;
+
+ return;
+ }
+# endif
+
/* Default */
felem_square_p = felem_square_ref;
felem_mul_p = felem_mul_ref;

76
openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch Normal file
View File

@ -0,0 +1,76 @@
From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Tue, 15 Aug 2023 15:20:20 +1000
Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1
Substitutions in the felem_reduce() method feature unecessary
parentheses, remove them.
Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21749)
---
crypto/ec/ecp_nistp384.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
index 14f9530d07c6..ff68f9cc7ad0 100644
--- a/crypto/ec/ecp_nistp384.c
+++ b/crypto/ec/ecp_nistp384.c
@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[7] += in[12] >> 8;
acc[6] += (in[12] & 0xff) << 48;
acc[6] -= in[12] >> 16;
- acc[5] -= ((in[12] & 0xffff) << 40);
+ acc[5] -= (in[12] & 0xffff) << 40;
acc[6] += in[12] >> 48;
acc[5] += (in[12] & 0xffffffffffff) << 8;
@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[6] += in[11] >> 8;
acc[5] += (in[11] & 0xff) << 48;
acc[5] -= in[11] >> 16;
- acc[4] -= ((in[11] & 0xffff) << 40);
+ acc[4] -= (in[11] & 0xffff) << 40;
acc[5] += in[11] >> 48;
acc[4] += (in[11] & 0xffffffffffff) << 8;
@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[5] += in[10] >> 8;
acc[4] += (in[10] & 0xff) << 48;
acc[4] -= in[10] >> 16;
- acc[3] -= ((in[10] & 0xffff) << 40);
+ acc[3] -= (in[10] & 0xffff) << 40;
acc[4] += in[10] >> 48;
acc[3] += (in[10] & 0xffffffffffff) << 8;
@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[4] += in[9] >> 8;
acc[3] += (in[9] & 0xff) << 48;
acc[3] -= in[9] >> 16;
- acc[2] -= ((in[9] & 0xffff) << 40);
+ acc[2] -= (in[9] & 0xffff) << 40;
acc[3] += in[9] >> 48;
acc[2] += (in[9] & 0xffffffffffff) << 8;
@@ -582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[3] += acc[8] >> 8;
acc[2] += (acc[8] & 0xff) << 48;
acc[2] -= acc[8] >> 16;
- acc[1] -= ((acc[8] & 0xffff) << 40);
+ acc[1] -= (acc[8] & 0xffff) << 40;
acc[2] += acc[8] >> 48;
acc[1] += (acc[8] & 0xffffffffffff) << 8;
@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[2] += acc[7] >> 8;
acc[1] += (acc[7] & 0xff) << 48;
acc[1] -= acc[7] >> 16;
- acc[0] -= ((acc[7] & 0xffff) << 40);
+ acc[0] -= (acc[7] & 0xffff) << 40;
acc[1] += acc[7] >> 48;
acc[0] += (acc[7] & 0xffffffffffff) << 8;

20
openssl-load-legacy-provider.patch
View File

@ -13,11 +13,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
doc/man5/config.pod | 8 ++++++++
2 files changed, 23 insertions(+), 22 deletions(-)
Index: openssl-3.2.3/apps/openssl.cnf
Index: openssl-3.1.4/apps/openssl.cnf
===================================================================
--- openssl-3.2.3.orig/apps/openssl.cnf
+++ openssl-3.2.3/apps/openssl.cnf
@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1
--- openssl-3.1.4.orig/apps/openssl.cnf
+++ openssl-3.1.4/apps/openssl.cnf
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
@ -32,9 +32,7 @@ Index: openssl-3.2.3/apps/openssl.cnf
[openssl_init]
providers = provider_sect
# Load default TLS policy configuration
@@ -58,23 +50,24 @@ ssl_conf = ssl_module
[ evp_properties ]
# This section is intentionally added empty here to be tuned on particular systems
ssl_conf = ssl_module
-# List of providers to load
+# Uncomment the sections that start with ## below to enable the legacy provider.
@ -70,11 +68,11 @@ Index: openssl-3.2.3/apps/openssl.cnf
+##activate = 1
[ ssl_module ]
system_default = crypto_policy
Index: openssl-3.2.3/doc/man5/config.pod
Index: openssl-3.1.4/doc/man5/config.pod
===================================================================
--- openssl-3.2.3.orig/doc/man5/config.pod
+++ openssl-3.2.3/doc/man5/config.pod
--- openssl-3.1.4.orig/doc/man5/config.pod
+++ openssl-3.1.4/doc/man5/config.pod
@@ -273,6 +273,14 @@ significant.
All parameters in the section as well as sub-sections are made
available to the provider.

16
openssl-no-html-docs.patch
View File

@ -1,13 +1,13 @@
Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl
Index: openssl-3.1.4/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-3.2.3.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.2.3/Configurations/unix-Makefile.tmpl
@@ -633,7 +633,7 @@ install_sw: install_dev install_engines
--- openssl-3.1.4.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.1.4/Configurations/unix-Makefile.tmpl
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation
+install_docs: install_man_docs # install_html_docs ## Install manpages and HTML documentation
-install_docs: install_man_docs install_html_docs
+install_docs: install_man_docs
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
uninstall_docs: uninstall_man_docs uninstall_html_docs
$(RM) -r "$(DESTDIR)$(DOCDIR)"

17
openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
View File

@ -10,10 +10,10 @@ Patch-id: 84
providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/kdfs/pbkdf2.c
+++ openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 349c3dd657..11820d1e69 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -35,6 +35,21 @@
#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
#define KDF_PBKDF2_MIN_ITERATIONS 1000
@ -32,11 +32,11 @@ Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
+ * testing uses passwords as short as 8 bytes, and requiring longer passwords
+ * combined with an implicit indicator (i.e., returning an error) would cause
+ * the module to fail ACVP testing. */
+#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
+#define KDF_PBKDF2_MIN_PASSWORD_LEN (20)
static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
@@ -215,9 +230,15 @@ static int kdf_pbkdf2_set_ctx_params(voi
@@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
ctx->lower_bound_checks = pkcs5 == 0;
}
@ -53,7 +53,7 @@ Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
if (ctx->lower_bound_checks != 0
@@ -327,6 +348,10 @@ static int pbkdf2_derive(const char *pas
@@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
}
if (lower_bound_checks) {
@ -64,3 +64,6 @@ Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
return 0;
--
2.41.0

10
openssl-pkgconfig.patch
View File

@ -1,8 +1,8 @@
Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl
Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-3.2.3.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.2.3/Configurations/unix-Makefile.tmpl
@@ -1453,7 +1453,7 @@ libcrypto.pc:
--- openssl-1.1.1-pre3.orig/Configurations/unix-Makefile.tmpl 2018-03-20 15:20:03.037124698 +0100
+++ openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl 2018-03-20 15:21:04.206084731 +0100
@@ -843,7 +843,7 @@ libcrypto.pc:
echo 'Version: '$(VERSION); \
echo 'Libs: -L$${libdir} -lcrypto'; \
echo 'Libs.private: $(LIB_EX_LIBS)'; \
@ -11,7 +11,7 @@ Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl
libssl.pc:
@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -1470,7 +1470,7 @@ libssl.pc:
@@ -860,7 +860,7 @@ libssl.pc:
echo 'Version: '$(VERSION); \
echo 'Requires.private: libcrypto'; \
echo 'Libs: -L$${libdir} -lssl'; \

96
openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch Normal file
View File

@ -0,0 +1,96 @@
From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Wed, 16 Aug 2023 16:52:47 +1000
Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm
Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as
VSX enabled systems make extensive use of renaming, and so writebacks in
felem_{mul,square}() can be reordered for best cache effects.
Remove stack allocations. This in turn fixes unmatched push/pops in
felem_{mul,square}().
Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21749)
---
crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 -----------------------------
1 file changed, 49 deletions(-)
diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
index 3f86b391af69..28f4168e5218 100755
--- a/crypto/ec/asm/ecp_nistp384-ppc64.pl
+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
@@ -62,51 +62,6 @@ ($)
___
}
-
-sub push_vrs($$)
-{
- my ($min, $max) = @_;
-
- my $count = $max - $min + 1;
-
- $code.=<<___;
- mr $savesp,$sp
- stdu $sp,-16*`$count+1`($sp)
-
-___
- for (my $i = $min; $i <= $max; $i++) {
- my $mult = $max - $i + 1;
- $code.=<<___;
- stxv $i,-16*$mult($savesp)
-___
-
- }
-
- $code.=<<___;
-
-___
-}
-
-sub pop_vrs($$)
-{
- my ($min, $max) = @_;
-
- $code.=<<___;
- ld $savesp,0($sp)
-___
- for (my $i = $min; $i <= $max; $i++) {
- my $mult = $max - $i + 1;
- $code.=<<___;
- lxv $i,-16*$mult($savesp)
-___
- }
-
- $code.=<<___;
- mr $sp,$savesp
-
-___
-}
-
sub load_vrs($$)
{
my ($pointer, $reg_list) = @_;
@@ -162,8 +117,6 @@ ($$)
startproc("p384_felem_mul");
- push_vrs(52, 63);
-
$code.=<<___;
vspltisw $vzero,0
@@ -268,8 +221,6 @@ ($$)
startproc("p384_felem_square");
- push_vrs(52, 63);
-
$code.=<<___;
vspltisw $vzero,0

8
openssl-ppc64-config.patch
View File

@ -1,8 +1,8 @@
Index: openssl-3.2.3/util/perl/OpenSSL/config.pm
Index: openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
===================================================================
--- openssl-3.2.3.orig/util/perl/OpenSSL/config.pm
+++ openssl-3.2.3/util/perl/OpenSSL/config.pm
@@ -592,14 +592,19 @@ EOF
--- openssl-3.0.0-alpha5.orig/util/perl/OpenSSL/config.pm
+++ openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
@@ -525,14 +525,19 @@ EOF
return { target => "linux-ppc64" } if $KERNEL_BITS eq '64';
my %config = ();

85
openssl-skip-quic-pairwise.patch
View File

@ -1,85 +0,0 @@
From 42ed594a3a905830374fb65cced431748f8c639c Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 4 Apr 2024 11:50:58 +0200
Subject: [PATCH 45/50] 0115-skip-quic-pairwise.patch
Patch-name: 0115-skip-quic-pairwise.patch
Patch-id: 115
Patch-status: |
# Amend tests according to Fedora/RHEL code
---
test/quicapitest.c | 4 +++-
test/recipes/01-test_symbol_presence.t | 1 +
test/recipes/30-test_pairwise_fail.t | 13 +++++++++++--
3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/test/quicapitest.c b/test/quicapitest.c
index 41cf0fc7a8..0fb7492700 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@@ -2139,7 +2139,9 @@ int setup_tests(void)
ADD_TEST(test_cipher_find);
ADD_TEST(test_version);
#if defined(DO_SSL_TRACE_TEST)
- ADD_TEST(test_ssl_trace);
+ if (is_fips == 0) {
+ ADD_TEST(test_ssl_trace);
+ }
#endif
ADD_TEST(test_quic_forbidden_apis_ctx);
ADD_TEST(test_quic_forbidden_apis);
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
index c837d48fb4..f06ef04b1a 100644
--- a/test/recipes/30-test_pairwise_fail.t
+++ b/test/recipes/30-test_pairwise_fail.t
@@ -9,7 +9,7 @@
use strict;
use warnings;
-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file);
+use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with);
use OpenSSL::Test::Utils;
BEGIN {
@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
SKIP: {
skip "Skip RSA test because of no rsa in this build", 1
if disabled("rsa");
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
+ sub {
ok(run(test(["pairwise_fail_test", "-config", $provconf,
"-pairwise", "rsa"])),
"fips provider rsa keygen pairwise failure test");
+ });
}
SKIP: {
skip "Skip EC test because of no ec in this build", 2
if disabled("ec");
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
+ sub {
ok(run(test(["pairwise_fail_test", "-config", $provconf,
"-pairwise", "ec"])),
"fips provider ec keygen pairwise failure test");
+ });
skip "FIPS provider version is too old", 1
if !$fips_exit;
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
+ sub {
ok(run(test(["pairwise_fail_test", "-config", $provconf,
"-pairwise", "eckat"])),
"fips provider ec keygen kat failure test");
+ });
}
SKIP: {
skip "Skip DSA tests because of no dsa in this build", 2
- if disabled("dsa");
+ if 1; #if disabled("dsa");
ok(run(test(["pairwise_fail_test", "-config", $provconf,
"-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
"fips provider dsa keygen pairwise failure test");
--
2.44.0

35
openssl-skipped-tests-EC-curves.patch
View File

@ -14,11 +14,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
test/recipes/65-test_cmp_vfy.t | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
Index: openssl-3.2.3/test/recipes/15-test_ec.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/15-test_ec.t
+++ openssl-3.2.3/test/recipes/15-test_ec.t
@@ -94,7 +94,7 @@ SKIP: {
diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
index 0638d626e7..c0efd77649 100644
--- a/test/recipes/15-test_ec.t
+++ b/test/recipes/15-test_ec.t
@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key' => sub {
subtest 'Check loading of fips and non-fips keys' => sub {
plan skip_all => "FIPS is disabled"
@ -27,11 +27,11 @@ Index: openssl-3.2.3/test/recipes/15-test_ec.t
plan tests => 2;
Index: openssl-3.2.3/test/recipes/65-test_cmp_protect.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/65-test_cmp_protect.t
+++ openssl-3.2.3/test/recipes/65-test_cmp_protect.t
@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo
diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t
index 631603df7c..4cb2ffebbc 100644
--- a/test/recipes/65-test_cmp_protect.t
+++ b/test/recipes/65-test_cmp_protect.t
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
plan skip_all => "This test is not supported in a shared library build on Windows"
if $^O eq 'MSWin32' && !disabled("shared");
@ -39,12 +39,12 @@ Index: openssl-3.2.3/test/recipes/65-test_cmp_protect.t
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
my @basic_cmd = ("cmp_protect_test",
data_file("prot_RSA.pem"),
Index: openssl-3.2.3/test/recipes/65-test_cmp_vfy.t
===================================================================
--- openssl-3.2.3.orig/test/recipes/65-test_cmp_vfy.t
+++ openssl-3.2.3/test/recipes/65-test_cmp_vfy.t
@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo
data_file("server.pem"),
diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t
index f722800e27..26a01786bb 100644
--- a/test/recipes/65-test_cmp_vfy.t
+++ b/test/recipes/65-test_cmp_vfy.t
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
plan skip_all => "This test is not supported in a no-ec build"
if disabled("ec");
@ -53,3 +53,6 @@ Index: openssl-3.2.3/test/recipes/65-test_cmp_vfy.t
my @basic_cmd = ("cmp_vfy_test",
data_file("server.crt"), data_file("client.crt"),
--
2.41.0

8
openssl-truststore.patch
View File

@ -1,10 +1,10 @@
Don't use the legacy /etc/ssl/certs directory anymore but rather the
p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991)
Index: openssl-3.2.3/include/internal/common.h
Index: openssl-1.1.1-pre1/include/internal/cryptlib.h
===================================================================
--- openssl-3.2.3.orig/include/internal/common.h
+++ openssl-3.2.3/include/internal/common.h
@@ -82,8 +82,8 @@ __owur static ossl_inline int ossl_asser
--- openssl-1.1.1-pre1.orig/include/internal/cryptlib.h 2018-02-13 14:48:12.000000000 +0100
+++ openssl-1.1.1-pre1/include/internal/cryptlib.h 2018-02-13 16:30:11.738161984 +0100
@@ -59,8 +59,8 @@ DEFINE_LHASH_OF(MEM);
# ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR

330
openssl.keyring
View File

@ -1,31 +1,305 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF
Comment: OpenSSL <openssl@openssl.org>
Comment: 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
Comment: Matt Caswell <matt@openssl.org>
Comment: Matt Caswell <frodo@baggins.org>
xsFNBGYT46cBEADnGgpkGwVTO5hu+sqoC3UWXM1nxr3v+tLveHQQlMA/MLDwK+TS
1sMFSsOEE1ehAlhaEVCaiHSh+8PSqs8bvxrkbC8FXj6UkHvdZOoBgoDqEVUXawen
UmW/3OEQtC/815ByacwHsbgabTY+bXQBAvKnDsKMIg04YlE1UVLnO6Rf0v/AvnlK
400c0J/KOPOXP2+e5dYMxRN/8CMFA+Jo8m1N2/gDKb3y1Ga6Ug9Qg/7VmL+zp/9A
+JnVQFhVQgpt2hVGKcKteJvDJODRAmBG371E+KV+lnh0jvALUxGiC+h/XrHmm8Em
7hQM7LLoVKGDPxYYUQKA6U6+//Q3J7JgrstLTxAZ6Xz3516o8gM4EeNXo/rXNqNw
Ng4zKeYAU0klk0hDIf7JHluT/Xxy9ezgRK6V3RJEvvjA1RjpsTVe7uDw5GPEoRO/
xXtcLghhPixbL6y1FOspZqx3BzroX6Ic4V03Ub61YL6Zx3Q3tTcaj+4QFGXVA3SN
WL6is2XBdvZAiOgO/7lbRXGq/vFtvynYPLEx6LbZdKtdfADUCgD7If4gvif5yaL2
isSfD3UmoXPdDDLGdga5/dhmg2658AigHw6t0fPWnxPx4EUc1tL2bb+dEG+soRoj
s4QHHoAhEeVEKdeFfu7lE3i0omS/mp63IFUFI7AybnHYiZ2ujyc5sBBsnwARAQAB
zR1PcGVuU1NMIDxvcGVuc3NsQG9wZW5zc2wub3JnPsLBlAQTAQoAPhYhBLpUc6Kw
WHsH+yfPLSFglN/Qy4HvBQJmE+OnAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMB
Ah4BAheAAAoJECFglN/Qy4HvXIcP/jCgVgZ7wMwMaDqbwBJOVKQ7sVzNvjy1xMr+
XkXn1FHme1MlRl4Uw9Wzeh8TUckzx59+CAqe/pRRYhR9kL0S8WUhoa4VK61c47WS
0wFWzOOuQ4JQO9v9zP6hsKubnQdA9ggq3rvkFrRDIV0DPU6iFxXs2/kYmuqHxIkO
GgLx+aCWPx0XNAdJyov46EbQnIjJOdialeC2dIEdIU0Vk5N0jWYv6MKweAmXRVLM
Jusz3yfNZ0FmydSo90aNQcQz4fp3vgF8qP7Z5BmMOSWOnXJawJd8+ic0RXRWdsMS
oxyAEKH/98IUPZII8N8c5u8pAJ52m7LQRm8CKk4GzylStaV+Pe6PuNTVkx1sIE62
Sv0RFbd2yJ5Wou5Z/1lRZvzjF5R3G+dobKZLym2HwNkJtFROODFqiPkcKYCSSd4c
sqlOVh2X6/8VlJZ9Q4r7pAm/ulPnf/PSEo8l7kr/JS7Q09nlwNaa5l9nwvrt2z+u
+5dNZt5syyVgpNd4mPZMFb9TXqoFrhrZfLGZ2I3GQ7tLX2boHhBXNl32a1sb2Qsv
9fbz++sFbYrfDhsjH5eEwBjW7o4Kkd/cTMJGufLczy3Cb+RyrjyBrSwfMQf0xHkp
QKidfWOKv9j+yeEhGVCHaIPilYNVeZFRHzL1H9oIkda2BZamj7iYveVnnDBjgpN7
k6YNfbUM
=Fi54
mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay
hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3
iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi
2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa
N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz
UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0H01hdHQgQ2Fzd2VsbCA8
bWF0dEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkK
CwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0zU0ARvUXH
jbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR
nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p
3tPbnQzANjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyH
sIvebMgKTI/bMG8Z7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0
hmHLqjWqYs5PzyXeoNnsPXJt69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rga0IE1h
dHQgQ2Fzd2VsbCA8ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsD
BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+
viob8935Uirei4FvnzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeA
RGwWTQYGmFmrNRWZ2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAj
eU8uSarmeZgGVMAInsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE
5Q7wnnoRXdLyNet0AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R
4gYFS/xGfTgocPUDZ4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO
5vISJkZvqE5UuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg
icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM
k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6
2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex
F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ
P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC
AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v
Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb
SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x
dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL
HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2
8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2g==
=Z0q9
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45
Comment: Paul Dale <pauli@openssl.org>
mQINBGApr7sBEACoyczHMNgWiVg4jMjtdkb5j7csKPdFx8B7FJNMFrL/Z/I1BjwM
TQ7fxKvDN6z3mjAMKhU+wCL9vUSSMUtyze/fox09n84jYDwN3n37ozkrhcDB01ia
iKCCeRNEW6meTs3/aJPGCznIOk/kMHlnZnQPcSphIexo/ZUyB59h6smz2LvoTZg0
aeZeJwe0cfaVnWYA1a9wr+QJDQwRkEqdy772cM03Phs/sRWd4+nBqP1XxWlX30Yj
VGjDsY3gH9AAy4oUnb7tOmk5S9FIKuMdkkWeU0Abm8/36OfZyMFbZDAMbO8i3un4
eIQOg5tjynSXYel3nlJ/fwoSHefPgavCkBdknk842LM9xr22t+IKmy99uW7FDqvj
wbPoMg6z2Jarl0Fqu3GhIjCmKMe6TBfkYwB4fp5KtzRwrSjDo16vkMoM69mXqA7w
f1JV+BKvE6QTePNt8ix4ib5c6mPOrFnYG1X3tkNOc4/q6KcGbvS1xMax12q2/zSZ
PmoJvzWTrSF8lQDZKjMnXnhrZMY8h7lu/QE4DQ1M9U1PFdf6vwLrNaHHfi/rWKTe
fsrGp2TIqU4lm45p0fDroYqDML+gp8RMUZBU8M4wGwhludEiCoOFjXu2ECvvgrB7
JHrh+FtMuuRPx4q2eRO75NepDfZqmp48PIqkt2b3VjisNceB70uYiUQ2eQARAQAB
tB1QYXVsIERhbGUgPHBhdWxpQG9wZW5zc2wub3JnPokCTgQTAQoAOBYhBLfBwUNg
81OjaGLk1SMchM3cxpxFBQJgKa+7AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
AAoJECMchM3cxpxFa0YQAIAnnNek3+UXZL/u4R6hs/lJopC9p/MFbCnL0b1zZnbz
Kbbva10PA3PEv+szhylDKeDIbDKF1yEjI4BTNCLS8sLKEZWSLTMW1MZhmxWm5TdF
ebhoj6Tjjfxme4ETyk3+v3hC3Ylm0jiqHHErutRAPIW1VDFQVxKZPasv1yj3YNiB
SktTSH1MjZZtlDYjp9z3VTczvrO3BBJJSxQ5CY749pEwtjwdLTqOVtoJL8thZ3J9
jSnSDsgFVp/pPNVxxV98Yd89JqM34MvOuD3jYSOEtMUCJgMFXNZ/c2+BpWrX+ssP
qrY9vBrq7o91K+OQHbb4Z1pjK/dzDq183E32uTOYbco7ga/JqE7c997zY0fgQsIz
hdEveC4oMydzwHQ9WzHUYR7AtTgF9kKsTHy8H6ye3uaJMIMSEdAvI4mxG/k/zG/Q
KrIt1nUJh/M7uu2IT9fM+AoR+2VV1u1vimxpCpOXpTB4mTIR5YfiaRfXnHm55iq/
odxVj/yVqFUcujy+YC9SAoKRGJRQV0KZur1xAOJsgwUJ1iXJZwypowkI59jpwl2q
WCfZIS1ZrpIebiVk4ZBaHDe1v178uLO3IasZR7HLvcD7ESX8U88ng8J1nXHq+Uc7
4j5Dc6CMTd5WYTkFvhjO33JiHncK8CLYOFsndIGXts/OEhp08N5JELHCeSuu4UIb
uQINBGApr7sBEADNQ6w6jQNqxWxHDjJzcXclQJFPB2qlT/5eMa7QeOYiJ5DmY2VQ
P0Mltkmrc8T/I9NfRFpaB7Z+8zE5lmjSi3N5fYWjhoZp9oP0WYfSLef4KpD7KfEE
TaBohn8cw0Kt+nmEN904w9kpLE+WAvD0qRKnilcCUWE5Es719W8dMh/8cB6FiCI5
8myIvV63yDV1DiNyEcKNeasIFF8n3FCd0gWPXXS9Fe7muQpIJ4Lb2p3ylqcY9UaU
8n+LQAb1LL1kC468MU0LBhhkCnZ2BacWnJu7JrzQ1Nihk+JRyXt0QARcgsITt8+3
rQdZDb6o6jTixClNXOJ2LGZMAI2NrQppfn3uBny06veyde9l3riwtOYwqEfETt6O
Ndy0gOd4zelPOnfMtzwDePC0m0b5ibNsMGVYGu5bmu4XFZrk8ivcAiEg4TJHcYtU
meONyuhmaCbcG8in0GZvUgb/YLcBpLBhFFUUd1ALBfi6cXlvFlSU0HHQoNRIAyFt
C1DQaAOWQ9v21KSF6zFG9Qg3yHKy+xBjXjfp0IZOqN5jrmXxbfl/+LWqUHD54tmS
iHrUf1CiW6no+4WBI9f6/+QCVLFBoStlNgoRt/OcIXmq1cTJ2pTSPl3S0+HobCEa
llEGEDXqsGxmV2kNmxsUks/knEGFElp/XtMrhykicIdQYntMaRebljrpiwARAQAB
iQI2BBgBCgAgFiEEt8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sCGwwACgkQIxyE
zdzGnEW2ew/+IzGVXgB34NeHnaLVDTtiUXgrNoOV4xFTS+kvZXrGC5i+mMhae9Pc
gvAyjssJ7dVP2RJBSNkfdxrRd2D4HFcf3dn/n646HNiTinirfvoUf4VIA1jdDp9q
ixi//tO7fsPyn35d672OA9AC3ccBgji6V9XA58REonF+ap2bE0JBJYTJZrET9Wny
BPEjefdpORSHaXqimfHN59QV5gXEFZ4Ci1jCt9n6WEb0oo+kQTkUb8z7F9P+7ojj
Q+4KrgtlXb9ijxCwMfGRPNInnumqyKJ0PhTVwhM1JNdi53nwVY98OGEZXWiKPFQ6
lAGyLLXwaOSztKGSdsFPK/tpyVihwoqHjJCU5St/PVlpvRKhbtq24FfDu7YyDO2Q
Dp2/F+QIdVnUFO2I1xeb2k+/Tx+3nfKYNui+AFaudOblrYQzPrlswJzCmmB/OTkt
wuOqr2nvQr2JUwmSaRvdCAe8EI/HAa/ujlA87T69L4T66KwBWuBkIYZQxFtCiC+B
mksPCYe9TBTZm2+8xk6UiSMKurwESTkDj/uUGmtGHi3cSJPSQ5x41COSEc+/yZ0k
eQTSnnkVrB71cMr2yVe9WWiUqUoHbkwiiy9YAHkp76jHbTRsCjs8O2otioAW06Yb
7r1iWp6twh/giBzsVJndeP5Ss/85TQfrl8x8yJjv1OQiIRrTTz6GdU0=
=AbiA
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C
Comment: Tomáš Mráz <tm@t8m.info>
Comment: Tomáš Mráz <tomas@arleto.cz>
Comment: Tomáš Mráz <tomas@openssl.org>
mQINBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr
55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH
F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi
UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag
pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K
/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv
MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8
laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB
HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3
zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06
YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB
tBtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz6JAlQEEwEIAD4WIQSiH6t0sAiK
o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe
AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy
U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE
KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W
nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh
1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I
m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj
kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD
IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M
8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6
z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41
xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM
MriPFbQfVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PokCVAQTAQgAPhYh
BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL
AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk
8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO
UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv
FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW
FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q
UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy
Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS
2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW
kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm
T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI
yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I
8tmXB4BcoHFB9N0AtCFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz6J
AlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL
CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh
KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo
2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ
+J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4
yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M
cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A
ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly
Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y
q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt
Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj
hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI
w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZbkCDQRg8UyoARAApiWRrHjdEu9Fp2yd7K93
VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27
1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp
djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50
IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK
bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn
gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w
NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh
D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H
a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB
HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc
nAaLOI/nw1ydegw8F+s1ALEAEQEAAYkEcgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv
Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy
Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+
otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5
SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358
cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0
8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ
vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV
yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A
HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg
K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs
aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh
uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE
cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk
RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F
9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/
JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g
muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN
86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr
HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S
DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE
ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro
uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY
YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl
JKbGoqC+wchHmOK5Ag0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u
aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq
oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7
FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM
ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL
vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+
i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb
PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum
ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE
N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH
eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs
LQ1kotFTABEBAAGJAjwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM
JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh
QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB
uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS
nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u
sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD
NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C
nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE
FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ
qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX
Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc
zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2
TIdjvGbJ/k4qxw==
=Ctij
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5
Comment: OpenSSL security team <openssl-security@openssl.org>
Comment: OpenSSL OMC <openssl-omc@openssl.org>
Comment: OpenSSL Security <openssl-security@openssl.org>
mQINBFQv6Z8BEACuJwJkw/Iniec6U1RzocYHBFKl1eE0WBu1vthYmcn0D/GJKvWM
kRhx9GSlWMqj9mgSFUOsFWrpPIm3Jzh4bLweUjH5I7R0Frh39dDFh1hhwHEholBy
yUGFTb8TppptXnzzDoNz4yUQcRP2oeG1vC/ePXPWHKgtp+0hmM3MQ3WIN+gSmpdt
4vMIoWKKCq+E1tYcsFk9URBWWEwBw+OJ37o7TrernyxwtXwdPOjYhA4mLtnKHs+5
QivuOvK7gNf5hggyv6fp6d2ixvJZ9CdUYFdlOwaHA97B694RcAMxaMtzUpfkiJ/Q
2zR83QG4az6COKK38W6Kp7bLveMF6Rb4Y+gOjV4KvHKpzNAP2sNkmCIohlmoPhT9
Ce9tWq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO
3GLcyTJW4enmTUFxy0d24Bfdgu7FpH1vHIisDkON3QO4TMwCJoLWGULqpJKP7kUf
5HCnafDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWc
zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK
eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB
tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz
bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck
Z9YTy4PH7W0w2JTizos9efUFAmPX/PkFCRGJRs4ACgkQ2JTizos9efWXgg/+Negn
a1HZIWs18LDktjV49a3IeKhjJV+UrTvQnFpSNXbwpnKa6iVX9PlE+3nLkIrkz6HJ
uBl1MZElcmrqIsVCKHcrbcJSgZM4fV0AgEEm5gNfK19gbJjs1qdbtwTYccDiHwGl
4EeTkPsOCo20QEC8jvkdHvMsvoD11c57NprQVVsOyuyz7B7LwV+6hZ2MAv6BZrNE
XBjzqxHGKcq4iyOKTGwRAufiXdq2+kV7GVjihH41YjV08f/b7O2uAm4k/IbULtvY
3Y/9rVvtU/Na044FQBGObH7/DbEOc8uFAH8Vy7M32rZmQet7pO8M5BrBMAaU2OAz
ZQ5CqauGvjTJ4GXi+pBoCVafPvsGkB1W6IxnPPJZsFw9kxOKSV1Md4jh90OdaIGe
HW4qagRaLDtDRtkFnIkbtc38HC/e30ANoNS3Enws7XSNvQ+O7HfeSsATsM/2cjL8
c281Nv9o+xaNI4TN3KsfRswcQtnsN2cCkPZWKgTJcjpdANkX9CK7mYNS8bu6YsAV
nRF2iAB25Vjcz/92Dd28/nPI2CkKkOMhDtnFty8B2LZ2tbfoU1DsNzg+b3ejaXLZ
jhnZdL3b3F4iKpyzDhTpDHo4P/yxrtV8LOmHJN63oc1JljqgkU+RcxndSZ/LDHqt
VH02VwVHMVt4no62mZj2UNT2+Ci5p+tze4Rhfl60JU9wZW5TU0wgT01DIDxvcGVu
c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID
AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f87QUJEYlGzgAKCRDY
lOLOiz159XBzD/9InUdyS1hdC7f2uEbD5A+5UFUwy9hqzy8sXLrGfUMtJC3Ur+CA
RqpHw6LC9oqFlAMhdSpIINzswLvpYqYKUllQWw0bStqWed6wuonC7nQk4fJhaWhT
MEyVNC7gpy1FcFQYZZ/rwVxftvV6EesOIL+cM9Tg2IKvdrJsuFtmhcrEmrAVrPuO
VkIBbOjylU5iHbs3hW15DqMXiu6s9wLlxSJtqWWcGT4Xp3SjUy2XRzsWwFPrdsnZ
cj1h1C1onglIpNuq7yQF6rrBmKUdy7FClXswEg+He6qV6zLhZo6bRAZO2b/g4aNX
NVOh5BS9ZpQds5FejHx3la6GzfPM/szC0WJR2r/6RqR/dizrPlhsJX3g5I+fRnNG
mOrUa7S/OrR3QlWyE5pvytKTno0UvPuITA7MGtQf3z4n4UbM7bYyLmCIVEkDQl9K
ax1vtEYLKKx7sVLmJUQVqo8RmmjottRZ6+B5UWOB+dXvt3Z+mJLHt92y6NLk4iOX
q3bgO9eMPgk+GdLXjgtgeu7S33BNE984/0B+jDLqhgEjK2spA50uPXBUtDm+Au+s
1zfePJVfQxdaoKY00iOltujRS6sqE1PtbebTHgDakxnr9MClzTmRz6ymAglxo72o
gk0OJCNELdckK0HHd5hGLEKBlSVGYSx2J985o7VE/raBr7/YULm4k0LXJbQvT3Bl
blNTTCBTZWN1cml0eSA8b3BlbnNzbC1zZWN1cml0eUBvcGVuc3NsLm9yZz6JAlUE
EwEKAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE78CkZ9YTy4PH7W0w
2JTizos9efUFAmIp6vAFCRdgAsUACgkQ2JTizos9efWbyA//cw5h9kzqjHNPrWyU
nqchSA/BAxGAfv8IW5vTXKIGou/vbF+2eV4pGe8cjYErfiEMI2XEqgW3NqtB8Ie1
JpvHb/JARDpXRAeO0nAz68UZiv0s+BYG1cL0MJgxSmwLEo1XIxx+NYQRPaIPhWId
gdJmhOylGHRbZPfUu0gsX3JvFYYJvqSbZYJx47JzLgvsaRtY06oOt89hqVOp9geS
4HtwcZiIohq1E4Fy8+TYR7iMv62lBAG0xOoLCy4UzM3pVbChzcfmLLtH4ZbDO2ks
vhafec6lUetxMJuvqClp4oYDp9ucrcZF3pJA0feSGF6EXOmYo3KMiVbG35DqfJrI
8gva6QPTFo8WRsTZ7hUrn/BioXx7Orrmtl5++IPAU7c/0JPHCVordxinD/XDdcFV
s2IIf5iL914/CaI8AXmeM4H0m9kuaS9N0UI8+3gIBhO19cP1VJBw/EWdwjwHtUlf
d6mOAbwuVAjPEWQmcf0jIxoUR9t+3ieZjPdcHus5d9/xH2iOLdEHYQRHRiLlKFtu
PhWgqy7UgpWRye/628at5C9m5TfGQBldSoOkUzPQGGpV3pUiHeJlQPBAYl1AAvAK
8+Y2T9iSZXUuMXiMp3lplDEzXKHjUaXXUkgFuGs/L8YB+BBNBSE/GS078kQrc6Wu
y7mmnE22aFf7G0N/hin+9QeIWJq0J09wZW5TU0wgdGVhbSA8b3BlbnNzbC10ZWFt
QG9wZW5zc2wub3JnPokCWQQwAQoAQxYhBO/ApGfWE8uDx+1tMNiU4s6LPXn1BQJZ
2fY1JR0gUmVwbGFjZWQgYnkgb3BlbnNzbC1vbWNAb3BlbnNzbC5vcmcACgkQ2JTi
zos9efVQIg/8C1c/ChPOM/ojwXA1yUeIa4rD6BXlLDetE3KIqD1MvR251xV8Ox21
3GYFHW+6CEfQ82xiy02CB+VsYh58tMi41NDWq6fkZOW4vFnJbFx/pYk8xFMl0ml3
LkGsh9cVoesSiEBAsF4vQ/bmCNfM68DsLtjAK7GQobcW5ArIqvgc3LlYXUspkgE9
yMcQcPqyMsNrEPgrFCcd3fWzXF1qsO8Rtd4bwyaJACkpQnZ832wY91uuMGzWcG2A
+SxkdOFPuDkWm5l8hbA6+DpdFp/YiDnfwAZqr6uoqdkcT0e8IRsGqJ2FJ7qHeGSv
kFjkGHaOPkJM69lJIEFMCrjvBQVN4b8HhcqbnJbnrWVGFDxgSdjNvXqzBDJgDqMh
GN5ZHJhGhiZDi02uzqJ0p+OUzK1CiEo0/Mc7Nb5sVfvYrP4LoqKRceNePgwZp8Jw
OnC5U84TWa6pHYm3rijfrBPPMFex9NDQQ/KEFINhAMQVMUtj2iy5ANPpqsftOIjs
RfWWn+7QIi4EuYRADcllRaHJaTBAzI56ngkDaA55oyaMnSUnu0fjgWTiD4CEVbsS
rR0nWJKhCg5DbVwq/dImoN1iK78ziR6cJdeQhe3GY+AdWe7Ci+75TiYy8Zlh9Sz4
mpl81xRz9eYcO/g0xG6wpPE/fqua8/AgeKArEKJWN1uvKCCFZzRB7uq5Ag0EVC/p
nwEQAMB3s+8dq5T8fW+b3OcGujEcbhyguc6D5shlNWsuCV3W7+izsVUe+0hD1YwD
30C6zj2+CJrMxPQ/BB3u3SbyHMDP5fKL7GQiA/n192hX2DuHxvQwnDNkHxYghtrF
KOlXAyte2awA0fC+e0o8lHa1Yd2ZZNqlDC23qJtLMJH8bX8CIr59KckNyv64bF+h
VPIN3evnh1Ajn4A85848EZMQcjedg72MsA3TW2D4omayY7eXE5uut7FYcY6SM4pT
hIB2X9DM39Rgy3qC4ObvEkEfaWnJfHxyXiA8XF+FZukXc/iM68P0VS/sMml9QPsY
MWnMHcGlOcuzQJRAalqZJwuK0ZIvobh/Y9rYLxrHtNCgSjaFuSN9K/YhpAxs80H6
lVa7GCSASTRrS3OvmY++fTsUPzSOvit0kqQfimziYx7QcJIagG92mvUmuf2PEfzv
Si6iaIqMhaTaJq5qxOR0q430KakQktNPX53HflWL7YenDPYw1rEyQFxGqjaBY1X8
NtuzZ0P4cahgsBFc8HgYu2u3Ysd5wmvSTsOXld8Qsns1KIUOpzgWw56AJ6dxS3lK
4QSUFwjzbZW9H0jJ49eBMAaA+hCjv8c/4BFuZq9Gvsafn425Lx1V/3PFJlPu55V+
7qWjeOkSzNctMlmCqPQVetbZ/pHLAJO5IUO3SoTs5kl6bARzABEBAAGJAjwEGAEK
ACYCGwwWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f9DQUJEYlG7gAKCRDYlOLO
iz159f5RD/9Dhv5+muyWX9U4wNH7Dt7KHOtFyQ6+YrlLGj6WgZlFQD3sz1hVabJs
HwFuiaIjnZmQwiUJm72jCMUncL3OsWrQXm6SU60aG20XeQl1oXWmSD9D/len23hO
Yo/3WsC3o1AIkLA9cJ3h/oo3I7RE30skw4MwQ4oCFlmidmOLvkz3TD22qxf+WaK7
KO0vJRVHQIVl1ZdsBSSULcr8BcupKXaKSBJQDya2TkEh6OUf1B/7EIk811oeNSaL
9eJXS9VGDytVyjGGXSbudBw2XAV0/oiPPDKYElbOZH66d6marGwCCdc29cNono/7
zf0+/hyunzY3m1PkYGyzUmfWq4WNulJ9GEAz0O1rss/4hxnGqn/m3gue+aQx4hji
/K/vAV+531YT9MEp6m6e3074a7Hvn2l/tsBoL1Xseb6J9ZGL8fnZiuG6RF4sP1Lz
sQXmyjgr1yTlCShgNQCYXAgprWXPCwv176kL0WxkGhcI+GmSe3kNWr3HYoeTfBQ/
G8GWaIZ2qJRY/d/P9bgWu3oztWcVqEDorK3Pbu5/VeIeEfIkc717EgvdZU4EB70v
E/jnY1V9GLFzdPcygy7bz5aA4IA/Y12VFdhQ9/E7HFvEv0KUa294rQiH86lRyCJI
aEUqeymypLjoU2oeR4Cujkne+5spQHBfn2/RWGqH28v+vqHysb/8GA==
=Q+Oa
-----END PGP PUBLIC KEY BLOCK-----

929
reproducible.patch Normal file
View File

@ -0,0 +1,929 @@
commit 0fbc50ef0cb8894973d4739af62e95be825b7ccf
Author: trigpolynom <trigpolynom@gmail.com>
Date: Tue Oct 17 22:44:45 2023 -0400
aes-gcm-avx512.pl: fix non-reproducibility issue
Replace the random suffix with a counter, to make the
build reproducible.
Fixes #20954
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22415)
diff --git a/crypto/modes/asm/aes-gcm-avx512.pl b/crypto/modes/asm/aes-gcm-avx512.pl
index afd2af941a..9f9124373b 100644
--- a/crypto/modes/asm/aes-gcm-avx512.pl
+++ b/crypto/modes/asm/aes-gcm-avx512.pl
@@ -155,6 +155,9 @@ my $STACK_LOCAL_OFFSET = ($STACK_HKEYS_OFFSET + $HKEYS_STORAGE);
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
my ($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9, $arg10, $arg11);
+# ; Counter used for assembly label generation
+my $label_count = 0;
+
# ; This implementation follows the convention: for non-leaf functions (they
# ; must call PROLOG) %rbp is used as a frame pointer, and has fixed offset from
# ; the function entry: $GP_STORAGE + [8 bytes alignment (Windows only)]. This
@@ -200,15 +203,6 @@ my $CTX_OFFSET_HTable = (16 * 6); # ; (Htable) Precomputed table (a
# ;;; Helper functions
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ; Generates "random" local labels
-sub random_string() {
- my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
- my $length = 15;
- my $str;
- map { $str .= $chars[rand(33)] } 1 .. $length;
- return $str;
-}
-
sub BYTE {
my ($reg) = @_;
if ($reg =~ /%r[abcd]x/i) {
@@ -417,7 +411,7 @@ ___
sub EPILOG {
my ($hkeys_storage_on_stack, $payload_len) = @_;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
if ($hkeys_storage_on_stack && $CLEAR_HKEYS_STORAGE_ON_EXIT) {
@@ -425,13 +419,13 @@ sub EPILOG {
# ; were stored in the local frame storage
$code .= <<___;
cmpq \$`16*16`,$payload_len
- jbe .Lskip_hkeys_cleanup_${rndsuffix}
+ jbe .Lskip_hkeys_cleanup_${label_suffix}
vpxor %xmm0,%xmm0,%xmm0
___
for (my $i = 0; $i < int($HKEYS_STORAGE / 64); $i++) {
$code .= "vmovdqa64 %zmm0,`$STACK_HKEYS_OFFSET + 64*$i`(%rsp)\n";
}
- $code .= ".Lskip_hkeys_cleanup_${rndsuffix}:\n";
+ $code .= ".Lskip_hkeys_cleanup_${label_suffix}:\n";
}
if ($CLEAR_SCRATCH_REGISTERS) {
@@ -537,11 +531,11 @@ sub precompute_hkeys_on_stack {
&& $HKEYS_RANGE ne "first32"
&& $HKEYS_RANGE ne "last32");
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
test $HKEYS_READY,$HKEYS_READY
- jnz .L_skip_hkeys_precomputation_${rndsuffix}
+ jnz .L_skip_hkeys_precomputation_${label_suffix}
___
if ($HKEYS_RANGE eq "first16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "all") {
@@ -615,7 +609,7 @@ ___
}
}
- $code .= ".L_skip_hkeys_precomputation_${rndsuffix}:\n";
+ $code .= ".L_skip_hkeys_precomputation_${label_suffix}:\n";
}
# ;; =============================================================================
@@ -1418,20 +1412,20 @@ sub CALC_AAD_HASH {
my $SHFMSK = $ZT13;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
mov $A_IN,$T1 # ; T1 = AAD
mov $A_LEN,$T2 # ; T2 = aadLen
or $T2,$T2
- jz .L_CALC_AAD_done_${rndsuffix}
+ jz .L_CALC_AAD_done_${label_suffix}
xor $HKEYS_READY,$HKEYS_READY
vmovdqa64 SHUF_MASK(%rip),$SHFMSK
-.L_get_AAD_loop48x16_${rndsuffix}:
+.L_get_AAD_loop48x16_${label_suffix}:
cmp \$`(48*16)`,$T2
- jl .L_exit_AAD_loop48x16_${rndsuffix}
+ jl .L_exit_AAD_loop48x16_${label_suffix}
___
$code .= <<___;
@@ -1499,15 +1493,15 @@ ___
$code .= <<___;
sub \$`(48*16)`,$T2
- je .L_CALC_AAD_done_${rndsuffix}
+ je .L_CALC_AAD_done_${label_suffix}
add \$`(48*16)`,$T1
- jmp .L_get_AAD_loop48x16_${rndsuffix}
+ jmp .L_get_AAD_loop48x16_${label_suffix}
-.L_exit_AAD_loop48x16_${rndsuffix}:
+.L_exit_AAD_loop48x16_${label_suffix}:
# ; Less than 48x16 bytes remaining
cmp \$`(32*16)`,$T2
- jl .L_less_than_32x16_${rndsuffix}
+ jl .L_less_than_32x16_${label_suffix}
___
$code .= <<___;
@@ -1556,14 +1550,14 @@ ___
$code .= <<___;
sub \$`(32*16)`,$T2
- je .L_CALC_AAD_done_${rndsuffix}
+ je .L_CALC_AAD_done_${label_suffix}
add \$`(32*16)`,$T1
- jmp .L_less_than_16x16_${rndsuffix}
+ jmp .L_less_than_16x16_${label_suffix}
-.L_less_than_32x16_${rndsuffix}:
+.L_less_than_32x16_${label_suffix}:
cmp \$`(16*16)`,$T2
- jl .L_less_than_16x16_${rndsuffix}
+ jl .L_less_than_16x16_${label_suffix}
# ; Get next 16 blocks
vmovdqu64 `64*0`($T1),$ZT1
vmovdqu64 `64*1`($T1),$ZT2
@@ -1588,11 +1582,11 @@ ___
$code .= <<___;
sub \$`(16*16)`,$T2
- je .L_CALC_AAD_done_${rndsuffix}
+ je .L_CALC_AAD_done_${label_suffix}
add \$`(16*16)`,$T1
# ; Less than 16x16 bytes remaining
-.L_less_than_16x16_${rndsuffix}:
+.L_less_than_16x16_${label_suffix}:
# ;; prep mask source address
lea byte64_len_to_mask_table(%rip),$T3
lea ($T3,$T2,8),$T3
@@ -1601,28 +1595,28 @@ ___
add \$15,@{[DWORD($T2)]}
shr \$4,@{[DWORD($T2)]}
cmp \$2,@{[DWORD($T2)]}
- jb .L_AAD_blocks_1_${rndsuffix}
- je .L_AAD_blocks_2_${rndsuffix}
+ jb .L_AAD_blocks_1_${label_suffix}
+ je .L_AAD_blocks_2_${label_suffix}
cmp \$4,@{[DWORD($T2)]}
- jb .L_AAD_blocks_3_${rndsuffix}
- je .L_AAD_blocks_4_${rndsuffix}
+ jb .L_AAD_blocks_3_${label_suffix}
+ je .L_AAD_blocks_4_${label_suffix}
cmp \$6,@{[DWORD($T2)]}
- jb .L_AAD_blocks_5_${rndsuffix}
- je .L_AAD_blocks_6_${rndsuffix}
+ jb .L_AAD_blocks_5_${label_suffix}
+ je .L_AAD_blocks_6_${label_suffix}
cmp \$8,@{[DWORD($T2)]}
- jb .L_AAD_blocks_7_${rndsuffix}
- je .L_AAD_blocks_8_${rndsuffix}
+ jb .L_AAD_blocks_7_${label_suffix}
+ je .L_AAD_blocks_8_${label_suffix}
cmp \$10,@{[DWORD($T2)]}
- jb .L_AAD_blocks_9_${rndsuffix}
- je .L_AAD_blocks_10_${rndsuffix}
+ jb .L_AAD_blocks_9_${label_suffix}
+ je .L_AAD_blocks_10_${label_suffix}
cmp \$12,@{[DWORD($T2)]}
- jb .L_AAD_blocks_11_${rndsuffix}
- je .L_AAD_blocks_12_${rndsuffix}
+ jb .L_AAD_blocks_11_${label_suffix}
+ je .L_AAD_blocks_12_${label_suffix}
cmp \$14,@{[DWORD($T2)]}
- jb .L_AAD_blocks_13_${rndsuffix}
- je .L_AAD_blocks_14_${rndsuffix}
+ jb .L_AAD_blocks_13_${label_suffix}
+ je .L_AAD_blocks_14_${label_suffix}
cmp \$15,@{[DWORD($T2)]}
- je .L_AAD_blocks_15_${rndsuffix}
+ je .L_AAD_blocks_15_${label_suffix}
___
# ;; fall through for 16 blocks
@@ -1635,7 +1629,7 @@ ___
# ;; - jump to reduction code
for (my $aad_blocks = 16; $aad_blocks > 0; $aad_blocks--) {
- $code .= ".L_AAD_blocks_${aad_blocks}_${rndsuffix}:\n";
+ $code .= ".L_AAD_blocks_${aad_blocks}_${label_suffix}:\n";
if ($aad_blocks > 12) {
$code .= "sub \$`12*16*8`, $T3\n";
} elsif ($aad_blocks > 8) {
@@ -1656,11 +1650,11 @@ ___
if ($aad_blocks > 1) {
# ;; fall through to CALC_AAD_done in 1 block case
- $code .= "jmp .L_CALC_AAD_done_${rndsuffix}\n";
+ $code .= "jmp .L_CALC_AAD_done_${label_suffix}\n";
}
}
- $code .= ".L_CALC_AAD_done_${rndsuffix}:\n";
+ $code .= ".L_CALC_AAD_done_${label_suffix}:\n";
# ;; result in AAD_HASH
}
@@ -1710,13 +1704,13 @@ sub PARTIAL_BLOCK {
my $IA1 = $GPTMP2;
my $IA2 = $GPTMP0;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
# ;; if no partial block present then LENGTH/DATA_OFFSET will be set to zero
mov ($PBLOCK_LEN),$LENGTH
or $LENGTH,$LENGTH
- je .L_partial_block_done_${rndsuffix} # ;Leave Macro if no partial blocks
+ je .L_partial_block_done_${label_suffix} # ;Leave Macro if no partial blocks
___
&READ_SMALL_DATA_INPUT($XTMP0, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $IA0, $IA2, $MASKREG);
@@ -1755,9 +1749,9 @@ ___
}
$code .= <<___;
sub \$16,$IA1
- jge .L_no_extra_mask_${rndsuffix}
+ jge .L_no_extra_mask_${label_suffix}
sub $IA1,$IA0
-.L_no_extra_mask_${rndsuffix}:
+.L_no_extra_mask_${label_suffix}:
# ;; get the appropriate mask to mask out bottom $LENGTH bytes of $XTMP1
# ;; - mask out bottom $LENGTH bytes of $XTMP1
# ;; sizeof(SHIFT_MASK) == 16 bytes
@@ -1781,7 +1775,7 @@ ___
}
$code .= <<___;
cmp \$0,$IA1
- jl .L_partial_incomplete_${rndsuffix}
+ jl .L_partial_incomplete_${label_suffix}
___
# ;; GHASH computation for the last <16 Byte block
@@ -1793,9 +1787,9 @@ ___
mov $LENGTH,$IA0
mov \$16,$LENGTH
sub $IA0,$LENGTH
- jmp .L_enc_dec_done_${rndsuffix}
+ jmp .L_enc_dec_done_${label_suffix}
-.L_partial_incomplete_${rndsuffix}:
+.L_partial_incomplete_${label_suffix}:
___
if ($win64) {
$code .= <<___;
@@ -1808,7 +1802,7 @@ ___
$code .= <<___;
mov $PLAIN_CIPH_LEN,$LENGTH
-.L_enc_dec_done_${rndsuffix}:
+.L_enc_dec_done_${label_suffix}:
# ;; output encrypted Bytes
lea byte_len_to_mask_table(%rip),$IA0
@@ -1826,7 +1820,7 @@ ___
$code .= <<___;
mov $CIPH_PLAIN_OUT,$IA0
vmovdqu8 $XTMP1,($IA0){$MASKREG}
-.L_partial_block_done_${rndsuffix}:
+.L_partial_block_done_${label_suffix}:
___
}
@@ -2016,7 +2010,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH {
my $GM = $_[23]; # [in] ZMM with mid prodcut part
my $GL = $_[24]; # [in] ZMM with lo product part
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;;; - Hash all but the last partial block of data
@@ -2034,7 +2028,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH {
# ;; NOTE: the 'jl' is always taken for num_initial_blocks = 16.
# ;; This is run in the context of GCM_ENC_DEC_SMALL for length < 256.
cmp \$16,$LENGTH
- jl .L_small_initial_partial_block_${rndsuffix}
+ jl .L_small_initial_partial_block_${label_suffix}
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;;; Handle a full length final block - encrypt and hash all blocks
@@ -2056,11 +2050,11 @@ ___
&GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
$ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $GH, $GM, $GL);
}
- $code .= "jmp .L_small_initial_compute_done_${rndsuffix}\n";
+ $code .= "jmp .L_small_initial_compute_done_${label_suffix}\n";
}
$code .= <<___;
-.L_small_initial_partial_block_${rndsuffix}:
+.L_small_initial_partial_block_${label_suffix}:
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;;; Handle ghash for a <16B final block
@@ -2125,7 +2119,7 @@ ___
# ;; a partial block of data, so xor that into the hash.
vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT
# ;; The result is in $HASH_IN_OUT
- jmp .L_after_reduction_${rndsuffix}
+ jmp .L_after_reduction_${label_suffix}
___
}
@@ -2133,7 +2127,7 @@ ___
# ;;; After GHASH reduction
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
- $code .= ".L_small_initial_compute_done_${rndsuffix}:\n";
+ $code .= ".L_small_initial_compute_done_${label_suffix}:\n";
# ;; If using init/update/finalize, we need to xor any partial block data
# ;; into the hash.
@@ -2144,13 +2138,13 @@ ___
$code .= <<___;
# ;; NOTE: for $NUM_BLOCKS = 16, $LENGTH, stored in [PBlockLen] is never zero
or $LENGTH,$LENGTH
- je .L_after_reduction_${rndsuffix}
+ je .L_after_reduction_${label_suffix}
___
}
$code .= "vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT\n";
}
- $code .= ".L_after_reduction_${rndsuffix}:\n";
+ $code .= ".L_after_reduction_${label_suffix}:\n";
# ;; Final hash is now in HASH_IN_OUT
}
@@ -2266,7 +2260,7 @@ sub GHASH_16_ENCRYPT_N_GHASH_N {
die "GHASH_16_ENCRYPT_N_GHASH_N: num_blocks is out of bounds = $NUM_BLOCKS\n"
if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0);
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
my $GH1H = $HASH_IN_OUT;
@@ -2326,16 +2320,16 @@ ___
$code .= <<___;
cmp \$`(256 - $NUM_BLOCKS)`,@{[DWORD($CTR_CHECK)]}
- jae .L_16_blocks_overflow_${rndsuffix}
+ jae .L_16_blocks_overflow_${label_suffix}
___
&ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
$NUM_BLOCKS, "vpaddd", $B00_03, $B04_07, $B08_11, $B12_15, $CTR_BE,
$B00_03, $B04_07, $B08_11, $ADDBE_1234, $ADDBE_4x4, $ADDBE_4x4, $ADDBE_4x4);
$code .= <<___;
- jmp .L_16_blocks_ok_${rndsuffix}
+ jmp .L_16_blocks_ok_${label_suffix}
-.L_16_blocks_overflow_${rndsuffix}:
+.L_16_blocks_overflow_${label_suffix}:
vpshufb $SHFMSK,$CTR_BE,$CTR_BE
vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03
___
@@ -2355,7 +2349,7 @@ ___
$NUM_BLOCKS, "vpshufb", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
$B04_07, $B08_11, $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
$code .= <<___;
-.L_16_blocks_ok_${rndsuffix}:
+.L_16_blocks_ok_${label_suffix}:
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;; - pre-load constants
@@ -2805,53 +2799,53 @@ sub GCM_ENC_DEC_LAST {
my $MASKREG = $_[44]; # [clobbered] mask register
my $PBLOCK_LEN = $_[45]; # [in] partial block length
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
mov @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}
add \$15,@{[DWORD($IA0)]}
shr \$4,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_0_${rndsuffix}
+ je .L_last_num_blocks_is_0_${label_suffix}
cmp \$8,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_8_${rndsuffix}
- jb .L_last_num_blocks_is_7_1_${rndsuffix}
+ je .L_last_num_blocks_is_8_${label_suffix}
+ jb .L_last_num_blocks_is_7_1_${label_suffix}
cmp \$12,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_12_${rndsuffix}
- jb .L_last_num_blocks_is_11_9_${rndsuffix}
+ je .L_last_num_blocks_is_12_${label_suffix}
+ jb .L_last_num_blocks_is_11_9_${label_suffix}
# ;; 16, 15, 14 or 13
cmp \$15,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_15_${rndsuffix}
- ja .L_last_num_blocks_is_16_${rndsuffix}
+ je .L_last_num_blocks_is_15_${label_suffix}
+ ja .L_last_num_blocks_is_16_${label_suffix}
cmp \$14,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_14_${rndsuffix}
- jmp .L_last_num_blocks_is_13_${rndsuffix}
+ je .L_last_num_blocks_is_14_${label_suffix}
+ jmp .L_last_num_blocks_is_13_${label_suffix}
-.L_last_num_blocks_is_11_9_${rndsuffix}:
+.L_last_num_blocks_is_11_9_${label_suffix}:
# ;; 11, 10 or 9
cmp \$10,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_10_${rndsuffix}
- ja .L_last_num_blocks_is_11_${rndsuffix}
- jmp .L_last_num_blocks_is_9_${rndsuffix}
+ je .L_last_num_blocks_is_10_${label_suffix}
+ ja .L_last_num_blocks_is_11_${label_suffix}
+ jmp .L_last_num_blocks_is_9_${label_suffix}
-.L_last_num_blocks_is_7_1_${rndsuffix}:
+.L_last_num_blocks_is_7_1_${label_suffix}:
cmp \$4,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_4_${rndsuffix}
- jb .L_last_num_blocks_is_3_1_${rndsuffix}
+ je .L_last_num_blocks_is_4_${label_suffix}
+ jb .L_last_num_blocks_is_3_1_${label_suffix}
# ;; 7, 6 or 5
cmp \$6,@{[DWORD($IA0)]}
- ja .L_last_num_blocks_is_7_${rndsuffix}
- je .L_last_num_blocks_is_6_${rndsuffix}
- jmp .L_last_num_blocks_is_5_${rndsuffix}
+ ja .L_last_num_blocks_is_7_${label_suffix}
+ je .L_last_num_blocks_is_6_${label_suffix}
+ jmp .L_last_num_blocks_is_5_${label_suffix}
-.L_last_num_blocks_is_3_1_${rndsuffix}:
+.L_last_num_blocks_is_3_1_${label_suffix}:
# ;; 3, 2 or 1
cmp \$2,@{[DWORD($IA0)]}
- ja .L_last_num_blocks_is_3_${rndsuffix}
- je .L_last_num_blocks_is_2_${rndsuffix}
+ ja .L_last_num_blocks_is_3_${label_suffix}
+ je .L_last_num_blocks_is_2_${label_suffix}
___
# ;; fall through for `jmp .L_last_num_blocks_is_1`
@@ -2859,7 +2853,7 @@ ___
# ;; Use rep to generate different block size variants
# ;; - one block size has to be the first one
for my $num_blocks (1 .. 16) {
- $code .= ".L_last_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
+ $code .= ".L_last_num_blocks_is_${num_blocks}_${label_suffix}:\n";
&GHASH_16_ENCRYPT_N_GHASH_N(
$AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET,
$LENGTH, $CTR_BE, $CTR_CHECK, $HASHKEY_OFFSET, $GHASHIN_BLK_OFFSET,
@@ -2872,10 +2866,10 @@ ___
$ENC_DEC, $HASH_IN_OUT, $IA0, $IA1, $MASKREG,
$num_blocks, $PBLOCK_LEN);
- $code .= "jmp .L_last_blocks_done_${rndsuffix}\n";
+ $code .= "jmp .L_last_blocks_done_${label_suffix}\n";
}
- $code .= ".L_last_num_blocks_is_0_${rndsuffix}:\n";
+ $code .= ".L_last_num_blocks_is_0_${label_suffix}:\n";
# ;; if there is 0 blocks to cipher then there are only 16 blocks for ghash and reduction
# ;; - convert mid into end_reduce
@@ -2891,7 +2885,7 @@ ___
$GHASHIN_BLK_OFFSET, 0, "%rsp", $HASHKEY_OFFSET, 0, $HASH_IN_OUT, $ZT00, $ZT01,
$ZT02, $ZT03, $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, $ZT09);
- $code .= ".L_last_blocks_done_${rndsuffix}:\n";
+ $code .= ".L_last_blocks_done_${label_suffix}:\n";
}
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -2985,20 +2979,20 @@ sub GHASH_16_ENCRYPT_16_PARALLEL {
my $GHDAT1 = $ZT21;
my $GHDAT2 = $ZT22;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;; prepare counter blocks
$code .= <<___;
cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
- jae .L_16_blocks_overflow_${rndsuffix}
+ jae .L_16_blocks_overflow_${label_suffix}
vpaddd $ADDBE_1234,$CTR_BE,$B00_03
vpaddd $ADDBE_4x4,$B00_03,$B04_07
vpaddd $ADDBE_4x4,$B04_07,$B08_11
vpaddd $ADDBE_4x4,$B08_11,$B12_15
- jmp .L_16_blocks_ok_${rndsuffix}
-.L_16_blocks_overflow_${rndsuffix}:
+ jmp .L_16_blocks_ok_${label_suffix}
+.L_16_blocks_overflow_${label_suffix}:
vpshufb $SHFMSK,$CTR_BE,$CTR_BE
vmovdqa64 ddq_add_4444(%rip),$B12_15
vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03
@@ -3009,7 +3003,7 @@ sub GHASH_16_ENCRYPT_16_PARALLEL {
vpshufb $SHFMSK,$B04_07,$B04_07
vpshufb $SHFMSK,$B08_11,$B08_11
vpshufb $SHFMSK,$B12_15,$B12_15
-.L_16_blocks_ok_${rndsuffix}:
+.L_16_blocks_ok_${label_suffix}:
___
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -3338,25 +3332,25 @@ sub ENCRYPT_SINGLE_BLOCK {
my $XMM0 = $_[1]; # ; [in/out]
my $GPR1 = $_[2]; # ; [clobbered]
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
# ; load number of rounds from AES_KEY structure (offset in bytes is
# ; size of the |rd_key| buffer)
mov `4*15*4`($AES_KEY),@{[DWORD($GPR1)]}
cmp \$9,@{[DWORD($GPR1)]}
- je .Laes_128_${rndsuffix}
+ je .Laes_128_${label_suffix}
cmp \$11,@{[DWORD($GPR1)]}
- je .Laes_192_${rndsuffix}
+ je .Laes_192_${label_suffix}
cmp \$13,@{[DWORD($GPR1)]}
- je .Laes_256_${rndsuffix}
- jmp .Lexit_aes_${rndsuffix}
+ je .Laes_256_${label_suffix}
+ jmp .Lexit_aes_${label_suffix}
___
for my $keylen (sort keys %aes_rounds) {
my $nr = $aes_rounds{$keylen};
$code .= <<___;
.align 32
-.Laes_${keylen}_${rndsuffix}:
+.Laes_${keylen}_${label_suffix}:
___
$code .= "vpxorq `16*0`($AES_KEY),$XMM0, $XMM0\n\n";
for (my $i = 1; $i <= $nr; $i++) {
@@ -3364,10 +3358,10 @@ ___
}
$code .= <<___;
vaesenclast `16*($nr+1)`($AES_KEY),$XMM0,$XMM0
- jmp .Lexit_aes_${rndsuffix}
+ jmp .Lexit_aes_${label_suffix}
___
}
- $code .= ".Lexit_aes_${rndsuffix}:\n\n";
+ $code .= ".Lexit_aes_${label_suffix}:\n\n";
}
sub CALC_J0 {
@@ -3562,52 +3556,52 @@ sub GCM_ENC_DEC_SMALL {
my $SHUFMASK = $_[29]; # [in] ZMM with BE/LE shuffle mask
my $PBLOCK_LEN = $_[30]; # [in] partial block length
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
cmp \$8,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_8_${rndsuffix}
- jl .L_small_initial_num_blocks_is_7_1_${rndsuffix}
+ je .L_small_initial_num_blocks_is_8_${label_suffix}
+ jl .L_small_initial_num_blocks_is_7_1_${label_suffix}
cmp \$12,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_12_${rndsuffix}
- jl .L_small_initial_num_blocks_is_11_9_${rndsuffix}
+ je .L_small_initial_num_blocks_is_12_${label_suffix}
+ jl .L_small_initial_num_blocks_is_11_9_${label_suffix}
# ;; 16, 15, 14 or 13
cmp \$16,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_16_${rndsuffix}
+ je .L_small_initial_num_blocks_is_16_${label_suffix}
cmp \$15,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_15_${rndsuffix}
+ je .L_small_initial_num_blocks_is_15_${label_suffix}
cmp \$14,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_14_${rndsuffix}
- jmp .L_small_initial_num_blocks_is_13_${rndsuffix}
+ je .L_small_initial_num_blocks_is_14_${label_suffix}
+ jmp .L_small_initial_num_blocks_is_13_${label_suffix}
-.L_small_initial_num_blocks_is_11_9_${rndsuffix}:
+.L_small_initial_num_blocks_is_11_9_${label_suffix}:
# ;; 11, 10 or 9
cmp \$11,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_11_${rndsuffix}
+ je .L_small_initial_num_blocks_is_11_${label_suffix}
cmp \$10,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_10_${rndsuffix}
- jmp .L_small_initial_num_blocks_is_9_${rndsuffix}
+ je .L_small_initial_num_blocks_is_10_${label_suffix}
+ jmp .L_small_initial_num_blocks_is_9_${label_suffix}
-.L_small_initial_num_blocks_is_7_1_${rndsuffix}:
+.L_small_initial_num_blocks_is_7_1_${label_suffix}:
cmp \$4,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_4_${rndsuffix}
- jl .L_small_initial_num_blocks_is_3_1_${rndsuffix}
+ je .L_small_initial_num_blocks_is_4_${label_suffix}
+ jl .L_small_initial_num_blocks_is_3_1_${label_suffix}
# ;; 7, 6 or 5
cmp \$7,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_7_${rndsuffix}
+ je .L_small_initial_num_blocks_is_7_${label_suffix}
cmp \$6,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_6_${rndsuffix}
- jmp .L_small_initial_num_blocks_is_5_${rndsuffix}
+ je .L_small_initial_num_blocks_is_6_${label_suffix}
+ jmp .L_small_initial_num_blocks_is_5_${label_suffix}
-.L_small_initial_num_blocks_is_3_1_${rndsuffix}:
+.L_small_initial_num_blocks_is_3_1_${label_suffix}:
# ;; 3, 2 or 1
cmp \$3,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_3_${rndsuffix}
+ je .L_small_initial_num_blocks_is_3_${label_suffix}
cmp \$2,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_2_${rndsuffix}
+ je .L_small_initial_num_blocks_is_2_${label_suffix}
# ;; for $NUM_BLOCKS == 1, just fall through and no 'jmp' needed
@@ -3616,7 +3610,7 @@ sub GCM_ENC_DEC_SMALL {
___
for (my $num_blocks = 1; $num_blocks <= 16; $num_blocks++) {
- $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
+ $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${label_suffix}:\n";
&INITIAL_BLOCKS_PARTIAL(
$AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $LENGTH, $DATA_OFFSET,
$num_blocks, $CTR, $HASH_IN_OUT, $ENC_DEC, $ZTMP0, $ZTMP1,
@@ -3625,11 +3619,11 @@ ___
$ZTMP14, $IA0, $IA1, $MASKREG, $SHUFMASK, $PBLOCK_LEN);
if ($num_blocks != 16) {
- $code .= "jmp .L_small_initial_blocks_encrypted_${rndsuffix}\n";
+ $code .= "jmp .L_small_initial_blocks_encrypted_${label_suffix}\n";
}
}
- $code .= ".L_small_initial_blocks_encrypted_${rndsuffix}:\n";
+ $code .= ".L_small_initial_blocks_encrypted_${label_suffix}:\n";
}
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -3710,7 +3704,7 @@ sub GCM_ENC_DEC {
my $MASKREG = "%k1";
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
# ;; reduction every 48 blocks, depth 32 blocks
# ;; @note 48 blocks is the maximum capacity of the stack frame
@@ -3751,7 +3745,7 @@ sub GCM_ENC_DEC {
} else {
$code .= "or $PLAIN_CIPH_LEN,$PLAIN_CIPH_LEN\n";
}
- $code .= "je .L_enc_dec_done_${rndsuffix}\n";
+ $code .= "je .L_enc_dec_done_${label_suffix}\n";
# Length value from context $CTX_OFFSET_InLen`($GCM128_CTX) is updated in
# 'providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc'
@@ -3778,12 +3772,12 @@ sub GCM_ENC_DEC {
# ;; There may be no more data if it was consumed in the partial block.
$code .= <<___;
sub $DATA_OFFSET,$LENGTH
- je .L_enc_dec_done_${rndsuffix}
+ je .L_enc_dec_done_${label_suffix}
___
$code .= <<___;
cmp \$`(16 * 16)`,$LENGTH
- jbe .L_message_below_equal_16_blocks_${rndsuffix}
+ jbe .L_message_below_equal_16_blocks_${label_suffix}
vmovdqa64 SHUF_MASK(%rip),$SHUF_MASK
vmovdqa64 ddq_addbe_4444(%rip),$ADDBE_4x4
@@ -3815,7 +3809,7 @@ ___
$code .= <<___;
cmp \$`(32 * 16)`,$LENGTH
- jb .L_message_below_32_blocks_${rndsuffix}
+ jb .L_message_below_32_blocks_${label_suffix}
___
# ;; ==== AES-CTR - next 16 blocks
@@ -3836,13 +3830,13 @@ ___
sub \$`(32 * 16)`,$LENGTH
cmp \$`($big_loop_nblocks * 16)`,$LENGTH
- jb .L_no_more_big_nblocks_${rndsuffix}
+ jb .L_no_more_big_nblocks_${label_suffix}
___
# ;; ====
# ;; ==== AES-CTR + GHASH - 48 blocks loop
# ;; ====
- $code .= ".L_encrypt_big_nblocks_${rndsuffix}:\n";
+ $code .= ".L_encrypt_big_nblocks_${label_suffix}:\n";
# ;; ==== AES-CTR + GHASH - 16 blocks, start
$aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -3893,15 +3887,15 @@ ___
add \$`($big_loop_nblocks * 16)`,$DATA_OFFSET
sub \$`($big_loop_nblocks * 16)`,$LENGTH
cmp \$`($big_loop_nblocks * 16)`,$LENGTH
- jae .L_encrypt_big_nblocks_${rndsuffix}
+ jae .L_encrypt_big_nblocks_${label_suffix}
-.L_no_more_big_nblocks_${rndsuffix}:
+.L_no_more_big_nblocks_${label_suffix}:
cmp \$`(32 * 16)`,$LENGTH
- jae .L_encrypt_32_blocks_${rndsuffix}
+ jae .L_encrypt_32_blocks_${label_suffix}
cmp \$`(16 * 16)`,$LENGTH
- jae .L_encrypt_16_blocks_${rndsuffix}
+ jae .L_encrypt_16_blocks_${label_suffix}
___
# ;; =====================================================
@@ -3909,7 +3903,7 @@ ___
# ;; ==== GHASH 1 x 16 blocks
# ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
# ;; ==== then GHASH N blocks
- $code .= ".L_encrypt_0_blocks_ghash_32_${rndsuffix}:\n";
+ $code .= ".L_encrypt_0_blocks_ghash_32_${label_suffix}:\n";
# ;; calculate offset to the right hash key
$code .= <<___;
@@ -3937,7 +3931,7 @@ ___
$IA0, $IA5, $MASKREG, $PBLOCK_LEN);
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
- $code .= "jmp .L_ghash_done_${rndsuffix}\n";
+ $code .= "jmp .L_ghash_done_${label_suffix}\n";
# ;; =====================================================
# ;; =====================================================
@@ -3946,7 +3940,7 @@ ___
# ;; ==== GHASH 1 x 16 blocks (reduction)
# ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
# ;; ==== then GHASH N blocks
- $code .= ".L_encrypt_32_blocks_${rndsuffix}:\n";
+ $code .= ".L_encrypt_32_blocks_${label_suffix}:\n";
# ;; ==== AES-CTR + GHASH - 16 blocks, start
$aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -4007,7 +4001,7 @@ ___
$IA0, $IA5, $MASKREG, $PBLOCK_LEN);
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
- $code .= "jmp .L_ghash_done_${rndsuffix}\n";
+ $code .= "jmp .L_ghash_done_${label_suffix}\n";
# ;; =====================================================
# ;; =====================================================
@@ -4015,7 +4009,7 @@ ___
# ;; ==== GHASH 1 x 16 blocks
# ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
# ;; ==== then GHASH N blocks
- $code .= ".L_encrypt_16_blocks_${rndsuffix}:\n";
+ $code .= ".L_encrypt_16_blocks_${label_suffix}:\n";
# ;; ==== AES-CTR + GHASH - 16 blocks, start
$aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -4059,9 +4053,9 @@ ___
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
$code .= <<___;
- jmp .L_ghash_done_${rndsuffix}
+ jmp .L_ghash_done_${label_suffix}
-.L_message_below_32_blocks_${rndsuffix}:
+.L_message_below_32_blocks_${label_suffix}:
# ;; 32 > number of blocks > 16
sub \$`(16 * 16)`,$LENGTH
@@ -4094,9 +4088,9 @@ ___
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
$code .= <<___;
- jmp .L_ghash_done_${rndsuffix}
+ jmp .L_ghash_done_${label_suffix}
-.L_message_below_equal_16_blocks_${rndsuffix}:
+.L_message_below_equal_16_blocks_${label_suffix}:
# ;; Determine how many blocks to process
# ;; - process one additional block if there is a partial block
mov @{[DWORD($LENGTH)]},@{[DWORD($IA1)]}
@@ -4113,13 +4107,13 @@ ___
# ;; fall through to exit
- $code .= ".L_ghash_done_${rndsuffix}:\n";
+ $code .= ".L_ghash_done_${label_suffix}:\n";
# ;; save the last counter block
$code .= "vmovdqu64 $CTR_BLOCKx,`$CTX_OFFSET_CurCount`($GCM128_CTX)\n";
$code .= <<___;
vmovdqu64 $AAD_HASHx,`$CTX_OFFSET_AadHash`($GCM128_CTX)
-.L_enc_dec_done_${rndsuffix}:
+.L_enc_dec_done_${label_suffix}:
___
}
@@ -4155,7 +4149,7 @@ sub INITIAL_BLOCKS_16 {
my $B08_11 = $T7;
my $B12_15 = $T8;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
my $stack_offset = $BLK_OFFSET;
$code .= <<___;
@@ -4163,13 +4157,13 @@ sub INITIAL_BLOCKS_16 {
# ;; prepare counter blocks
cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
- jae .L_next_16_overflow_${rndsuffix}
+ jae .L_next_16_overflow_${label_suffix}
vpaddd $ADDBE_1234,$CTR,$B00_03
vpaddd $ADDBE_4x4,$B00_03,$B04_07
vpaddd $ADDBE_4x4,$B04_07,$B08_11
vpaddd $ADDBE_4x4,$B08_11,$B12_15
- jmp .L_next_16_ok_${rndsuffix}
-.L_next_16_overflow_${rndsuffix}:
+ jmp .L_next_16_ok_${label_suffix}
+.L_next_16_overflow_${label_suffix}:
vpshufb $SHUF_MASK,$CTR,$CTR
vmovdqa64 ddq_add_4444(%rip),$B12_15
vpaddd ddq_add_1234(%rip),$CTR,$B00_03
@@ -4180,7 +4174,7 @@ sub INITIAL_BLOCKS_16 {
vpshufb $SHUF_MASK,$B04_07,$B04_07
vpshufb $SHUF_MASK,$B08_11,$B08_11
vpshufb $SHUF_MASK,$B12_15,$B12_15
-.L_next_16_ok_${rndsuffix}:
+.L_next_16_ok_${label_suffix}:
vshufi64x2 \$0b11111111,$B12_15,$B12_15,$CTR
addb \$16,@{[BYTE($CTR_CHECK)]}
# ;; === load 16 blocks of data
@@ -4264,7 +4258,7 @@ sub GCM_COMPLETE {
my $GCM128_CTX = $_[0];
my $PBLOCK_LEN = $_[1];
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
vmovdqu @{[HashKeyByIdx(1,$GCM128_CTX)]},%xmm2
@@ -4276,14 +4270,14 @@ ___
# ;; Process the final partial block.
cmp \$0,$PBLOCK_LEN
- je .L_partial_done_${rndsuffix}
+ je .L_partial_done_${label_suffix}
___
# ;GHASH computation for the last <16 Byte block
&GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17");
$code .= <<___;
-.L_partial_done_${rndsuffix}:
+.L_partial_done_${label_suffix}:
vmovq `$CTX_OFFSET_InLen`($GCM128_CTX), %xmm5
vpinsrq \$1, `$CTX_OFFSET_AadLen`($GCM128_CTX), %xmm5, %xmm5 # ; xmm5 = len(A)||len(C)
vpsllq \$3, %xmm5, %xmm5 # ; convert bytes into bits
@@ -4297,7 +4291,7 @@ ___
vpshufb SHUF_MASK(%rip),%xmm4,%xmm4 # ; perform a 16Byte swap
vpxor %xmm4,%xmm3,%xmm3
-.L_return_T_${rndsuffix}:
+.L_return_T_${label_suffix}:
vmovdqu %xmm3,`$CTX_OFFSET_AadHash`($GCM128_CTX)
___
}