diff --git a/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch b/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
deleted file mode 100644
index b4699db..0000000
--- a/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+++ /dev/null
@@ -1,548 +0,0 @@
-From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001
-From: Clemens Lang
-Date: Wed, 18 May 2022 17:25:59 +0200
-Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider
-
-For RHEL, we already disable SHA-1 signatures by default in the default
-provider, so it is unexpected that the FIPS provider would have a more
-lenient configuration in this regard. Additionally, we do not think
-continuing to accept SHA-1 signatures is a good idea due to the
-published chosen-prefix collision attacks.
-
-As a consequence, disable verification of SHA-1 signatures in the FIPS
-provider.
-
-This requires adjusting a few tests that would otherwise fail:
-- 30-test_acvp: Remove the test vectors that use SHA-1.
-- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
- evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
- which will not run them when the FIPS provider is enabled.
-- 80-test_cms: Re-create all certificates in test/smime-certificates
- with SHA256 signatures while keeping the same private keys. These
- certificates were signed with SHA-1 and thus fail verification in the
- FIPS provider.
- Fix some other tests by explicitly running them in the default
- provider, where SHA-1 is available.
-- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
- the FIPS provider.
- -Signed-off-by: Clemens Lang ---- - providers/implementations/signature/dsa_sig.c | 4 -- - .../implementations/signature/ecdsa_sig.c | 4 -- - providers/implementations/signature/rsa_sig.c | 8 +-- - test/acvp_test.inc | 20 ------- - .../30-test_evp_data/evppkey_ecdsa.txt | 7 +++ - .../30-test_evp_data/evppkey_rsa_common.txt | 51 +++++++++++++++- - test/recipes/80-test_cms.t | 4 +- - test/recipes/80-test_ssl_old.t | 4 ++ - test/smime-certs/smdh.pem | 18 +++--- - test/smime-certs/smdsa1.pem | 60 +++++++++---------- - test/smime-certs/smdsa2.pem | 60 +++++++++---------- - test/smime-certs/smdsa3.pem | 60 +++++++++---------- - test/smime-certs/smec1.pem | 30 +++++----- - test/smime-certs/smec2.pem | 30 +++++----- - test/smime-certs/smec3.pem | 30 +++++----- - test/smime-certs/smroot.pem | 38 ++++++------ - test/smime-certs/smrsa1.pem | 38 ++++++------ - test/smime-certs/smrsa2.pem | 38 ++++++------ - test/smime-certs/smrsa3.pem | 38 ++++++------ - 19 files changed, 286 insertions(+), 256 deletions(-) - -Index: openssl-3.1.4/providers/implementations/signature/dsa_sig.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/dsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/dsa_sig.c -@@ -127,11 +127,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct - EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); - int md_nid; - size_t mdname_len = strlen(mdname); --#ifdef FIPS_MODULE -- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); --#else - int sha1_allowed = 0; --#endif - md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, - sha1_allowed); - -Index: openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/ecdsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c -@@ -237,11 +237,7 @@ static int 
ecdsa_setup_md(PROV_ECDSA_CTX
- "%s could not be fetched", mdname);
- return 0;
- }
--#ifdef FIPS_MODULE
-- sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
--#else
- sha1_allowed = 0;
--#endif
- md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
- sha1_allowed);
- if (md_nid < 0) {
-Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c
-===================================================================
---- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c
-+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c
-@@ -306,11 +306,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
- EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
- int md_nid;
- size_t mdname_len = strlen(mdname);
--#ifdef FIPS_MODULE
-- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
--#else
- int sha1_allowed = 0;
--#endif
- md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
- sha1_allowed);
-
-@@ -1414,8 +1410,10 @@ static int rsa_set_ctx_params(void *vprs
-
- if (prsactx->md == NULL && pmdname == NULL
- && pad_mode == RSA_PKCS1_PSS_PADDING) {
-+#ifdef FIPS_MODULE
-+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
-+#else
- pmdname = RSA_DEFAULT_DIGEST_NAME;
--#ifndef FIPS_MODULE
- if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
- pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
- }
-Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-===================================================================
---- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-+++ openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
-
- Title = ECDSA tests
-
-+Availablein = default
- Verify = P-256
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF1234"
- Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
-
- # Digest too long
-+Availablein = default - Verify = P-256 - Ctrl = digest:SHA1 - Input = "0123456789ABCDEF12345" -@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a - Result = VERIFY_ERROR - - # Digest too short -+Availablein = default - Verify = P-256 - Ctrl = digest:SHA1 - Input = "0123456789ABCDEF123" -@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a - Result = VERIFY_ERROR - - # Digest invalid -+Availablein = default - Verify = P-256 - Ctrl = digest:SHA1 - Input = "0123456789ABCDEF1235" -@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a - Result = VERIFY_ERROR - - # Invalid signature -+Availablein = default - Verify = P-256 - Ctrl = digest:SHA1 - Input = "0123456789ABCDEF1234" -@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a - Result = VERIFY_ERROR - - # BER signature -+Availablein = default - Verify = P-256 - Ctrl = digest:SHA1 - Input = "0123456789ABCDEF1234" - Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000 - Result = VERIFY_ERROR - -+Availablein = default - Verify = P-256-PUBLIC - Ctrl = digest:SHA1 - Input = "0123456789ABCDEF1234" -Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -=================================================================== ---- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -+++ openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -@@ -96,6 +96,7 @@ NDL6WCBbets= - - Title = RSA tests - -+Availablein = default - Verify = RSA-2048 - Ctrl = digest:SHA1 - Input = "0123456789ABCDEF1234" -@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224 - Input = "0123456789ABCDEF123456789ABC" - Output = 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 - -+Availablein = default - VerifyRecover = RSA-2048 - Ctrl = digest:SHA1 - Input = 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 - Output = "0123456789ABCDEF1234" - - # Leading zero in the signature 
-+Availablein = default - Verify = RSA-2048 - Ctrl = digest:SHA1 - Input = "0123456789ABCDEF1234" - Output = 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 - Result = VERIFY_ERROR - -+Availablein = default - VerifyRecover = RSA-2048 - Ctrl = digest:SHA1 - Input = 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 - Result = KEYOP_ERROR - - # Mismatched digest -+Availablein = default - Verify = RSA-2048 - Ctrl = digest:SHA1 - Input = "0123456789ABCDEF1233" -@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547 - Result = VERIFY_ERROR - - # Corrupted signature -+Availablein = default - Verify = RSA-2048 - Ctrl = digest:SHA1 - Input = "0123456789ABCDEF1233" -@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547 - Result = VERIFY_ERROR - - # parameter is not NULLt -+Availablein = default - Verify = RSA-2048 - Ctrl = digest:sha1 - Input = "0123456789ABCDEF1234" -@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1b - Result = VERIFY_ERROR - - # embedded digest too long -+Availablein = default - Verify = RSA-2048 - Ctrl = digest:sha1 - Input = "0123456789ABCDEF1234" - Output = 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 - Result = VERIFY_ERROR - -+Availablein = default - VerifyRecover = RSA-2048 - Ctrl = digest:sha1 - Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d - Result = KEYOP_ERROR - - # embedded digest too short -+Availablein = default - Verify = RSA-2048 - Ctrl = digest:sha1 - Input = "0123456789ABCDEF1234" - Output = 
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 - Result = VERIFY_ERROR - -+Availablein = default - VerifyRecover = RSA-2048 - Ctrl = digest:sha1 - Input = 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 - Result = KEYOP_ERROR - - # Garbage after DigestInfo -+Availablein = default - Verify = RSA-2048 - Ctrl = digest:sha1 - Input = "0123456789ABCDEF1234" - Output = 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 - Result = VERIFY_ERROR - -+Availablein = default - VerifyRecover = RSA-2048 - Ctrl = digest:sha1 - Input = 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 - Result = KEYOP_ERROR - - # invalid tag for parameter -+Availablein = default - Verify = RSA-2048 - Ctrl = digest:sha1 - Input = "0123456789ABCDEF1234" -@@ -195,6 +209,7 @@ Result = VERIFY_ERROR - - # Verify using public key - -+Availablein = default - Verify = RSA-2048-PUBLIC - Ctrl = digest:SHA1 - Input = "0123456789ABCDEF1234" -@@ -371,6 +386,8 @@ Input="0123456789ABCDEF0123456789ABCDEF" - Output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erify using salt length auto detect -+# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256 -+Availablein = default - Verify = RSA-2048-PUBLIC - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_pss_saltlen:auto -@@ -405,6 +422,10 @@ Output=4DE433D5844043EF08D354DA03CB29068 - Result = VERIFY_ERROR - - # Verify using default parameters, explicitly setting parameters -+# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which -+# RHEL-9 does not support in FIPS mode; all these tests are thus marked -+# Availablein = default. 
-+Availablein = default - Verify = RSA-PSS-DEFAULT - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_pss_saltlen:20 -@@ -413,6 +434,7 @@ Input="0123456789ABCDEF0123" - Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF - - # Verify explicitly setting parameters "digest" salt length -+Availablein = default - Verify = RSA-PSS-DEFAULT - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_pss_saltlen:digest -@@ -421,18 +443,21 @@ Input="0123456789ABCDEF0123" - Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF - - # Verify using salt length larger than minimum -+Availablein = default - Verify = RSA-PSS-DEFAULT - Ctrl = rsa_pss_saltlen:30 - Input="0123456789ABCDEF0123" - Output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erify using maximum salt length -+Availablein = default - Verify = RSA-PSS-DEFAULT - Ctrl = rsa_pss_saltlen:max - Input="0123456789ABCDEF0123" - Output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ttempt to change salt length below minimum -+Availablein = default - Verify = RSA-PSS-DEFAULT - Ctrl = rsa_pss_saltlen:0 - Result = 
PKEY_CTRL_ERROR -@@ -440,21 +465,25 @@ Result = PKEY_CTRL_ERROR - # Attempt to change padding mode - # Note this used to return PKEY_CTRL_INVALID - # but it is limited because setparams only returns 0 or 1. -+Availablein = default - Verify = RSA-PSS-DEFAULT - Ctrl = rsa_padding_mode:pkcs1 - Result = PKEY_CTRL_ERROR - - # Attempt to change digest -+Availablein = default - Verify = RSA-PSS-DEFAULT - Ctrl = digest:sha256 - Result = PKEY_CTRL_ERROR - - # Invalid key: rejected when we try to init -+Availablein = default - Verify = RSA-PSS-BAD - Result = KEYOP_INIT_ERROR - Reason = invalid salt length - - # Invalid key: rejected when we try to init -+Availablein = default - Verify = RSA-PSS-BAD2 - Result = KEYOP_INIT_ERROR - Reason = invalid salt length -@@ -473,36 +502,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF - 4fINDOjP+yJJvZohNwIDAQAB - -----END PUBLIC KEY----- - -+Availablein = default - Verify=RSA-PSS-1 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e - Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c - -+Availablein = default - Verify=RSA-PSS-1 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd - Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843 - -+Availablein = default - Verify=RSA-PSS-1 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=0652ec67bcee30f9d2699122b91c19abdba89f91 - 
Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1 - -+Availablein = default - Verify=RSA-PSS-1 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=39c21c4cceda9c1adf839c744e1212a6437575ec - Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87 - -+Availablein = default - Verify=RSA-PSS-1 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=36dae913b77bd17cae6e7b09453d24544cebb33c - Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad - -+Availablein = default - Verify=RSA-PSS-1 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 -@@ -518,36 +553,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E - 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ== - -----END PUBLIC KEY----- - -+Availablein = default - Verify=RSA-PSS-9 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0 - Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e - -+Availablein = default - Verify=RSA-PSS-9 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - 
Input=2dac956d53964748ac364d06595827c6b4f143cd - Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958 - -+Availablein = default - Verify=RSA-PSS-9 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298 - Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca - -+Availablein = default - Verify=RSA-PSS-9 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e - Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e - -+Availablein = default - Verify=RSA-PSS-9 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a - 
Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c - -+Availablein = default - Verify=RSA-PSS-9 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 -@@ -565,36 +606,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5 - BQIDAQAB - -----END PUBLIC KEY----- - -+Availablein = default - Verify=RSA-PSS-10 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4 - Output=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 - -+Availablein = default - Verify=RSA-PSS-10 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=b503319399277fd6c1c8f1033cbf04199ea21716 - Output=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 - -+Availablein = default - Verify=RSA-PSS-10 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=50aaede8536b2c307208b275a67ae2df196c7628 - Output=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 - -+Availablein = default - Verify=RSA-PSS-10 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294 - Output=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 - -+Availablein = default - Verify=RSA-PSS-10 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 - Input=fad3902c9750622a2bc672622c48270cc57d3ea8 - Output=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 - -+Availablein = default - Verify=RSA-PSS-10 - Ctrl = rsa_padding_mode:pss - Ctrl = rsa_mgf1_md:sha1 -@@ -1384,11 +1431,13 @@ Title = RSA FIPS tests - - # FIPS tests - --# Verifying with SHA1 is permitted in fips mode for older applications -+# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode -+Availablein = fips - 
DigestVerify = SHA1 - Key = RSA-2048 - Input = "Hello " - Output = 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 -+Result = DIGESTVERIFYINIT_ERROR - - # Verifying with a 1024 bit key is permitted in fips mode for older applications - DigestVerify = SHA256 -Index: openssl-3.1.4/test/recipes/80-test_cms.t -=================================================================== ---- openssl-3.1.4.orig/test/recipes/80-test_cms.t -+++ openssl-3.1.4/test/recipes/80-test_cms.t -@@ -163,7 +163,7 @@ my @smime_pkcs7_tests = ( - [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1", - "-certfile", $smroot, - "-signer", $smrsa1, "-out", "{output}.cms" ], -- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", -+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", - "-CAfile", $smroot, "-out", "{output}.txt" ], - \&final_compare - ], -@@ -171,7 +171,7 @@ my @smime_pkcs7_tests = ( - [ "signed zero-length content S/MIME format, RSA key SHA1", - [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1", - "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ], -- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", -+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", - "-CAfile", $smroot, "-out", "{output}.txt" ], - \&zero_compare - ], -Index: openssl-3.1.4/test/recipes/80-test_ssl_old.t -=================================================================== ---- openssl-3.1.4.orig/test/recipes/80-test_ssl_old.t -+++ openssl-3.1.4/test/recipes/80-test_ssl_old.t -@@ -397,6 +397,9 @@ sub testssl { - 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); - } - -+ SKIP: { -+ skip "SSLv3 is not supported by the FIPS provider", 4 -+ if $provider eq "fips"; - ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), - 'test sslv2/sslv3 with server authentication'); - ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), -@@ -405,6 +408,7 @@ sub testssl { - 'test sslv2/sslv3 with both client and server authentication via BIO 
pair');
- ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
- 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
-+ }
-
- SKIP: {
- skip "No IPv4 available on this machine", 4
diff --git a/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch b/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
deleted file mode 100644
index f9f2f29..0000000
--- a/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001
-From: Clemens Lang
-Date: Fri, 17 Feb 2023 15:31:08 +0100
-Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen
-
-Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-Verification Program, Section C.H requires guarantees about the
-uniqueness of key/iv pairs, and proposes a few approaches to ensure
-this. Provide an indicator for option 2 "The IV may be generated
-internally at its entirety randomly."
-
-Resolves: rhbz#2168289
-Signed-off-by: Clemens Lang
----
- include/openssl/core_names.h | 1 +
- include/openssl/evp.h | 4 +++
- .../implementations/ciphers/ciphercommon.c | 4 +++
- .../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++
- 4 files changed, 34 insertions(+)
-
-Index: openssl-3.1.4/include/openssl/core_names.h
-===================================================================
---- openssl-3.1.4.orig/include/openssl/core_names.h
-+++ openssl-3.1.4/include/openssl/core_names.h
-@@ -99,6 +99,7 @@ extern "C" {
- #define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */
- /* For passing the AlgorithmIdentifier parameter in DER form */
- #define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */
-+#define OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" /* int */
-
- #define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \
- "tls1multi_maxsndfrag" /* uint */
-Index: openssl-3.1.4/include/openssl/evp.h
-===================================================================
---- openssl-3.1.4.orig/include/openssl/evp.h
-+++ openssl-3.1.4/include/openssl/evp.h
-@@ -750,6 +750,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER
- void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
- int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
-
-+# define EVP_CIPHER_SUSE_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED 1
-+# define 
EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
-+
- __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
- const unsigned char *key, const unsigned char *iv);
- /*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
-Index: openssl-3.1.4/providers/implementations/ciphers/ciphercommon.c
-===================================================================
---- openssl-3.1.4.orig/providers/implementations/ciphers/ciphercommon.c
-+++ openssl-3.1.4/providers/implementations/ciphers/ciphercommon.c
-@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_know
- OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
- OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
- OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
-+ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
-+ * not work in ciphercommon.c because it is compiled only once into
-+ * libcommon.a */
-+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR, NULL),
- OSSL_PARAM_END
- };
- const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
-Index: openssl-3.1.4/providers/implementations/ciphers/ciphercommon_gcm.c
-===================================================================
---- openssl-3.1.4.orig/providers/implementations/ciphers/ciphercommon_gcm.c
-+++ openssl-3.1.4/providers/implementations/ciphers/ciphercommon_gcm.c
-@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx,
- || !getivgen(ctx, p->data, p->data_size))
- return 0;
- }
-+
-+ /* We would usually hide this under #ifdef FIPS_MODULE, but
-+ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
-+ * not work here. 
*/
-+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR);
-+ if (p != NULL) {
-+ int fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED;
-+
-+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+ * Verification Program, Section C.H requires guarantees about the
-+ * uniqueness of key/iv pairs, and proposes a few approaches to ensure
-+ * this. This provides an indicator for option 2 "The IV may be
-+ * generated internally at its entirety randomly." Note that one of the
-+ * conditions of this option is that "The IV length shall be at least
-+ * 96 bits (per SP 800-38D)." We do not specically check for this
-+ * condition here, because gcm_iv_generate will fail in this case. */
-+ if (ctx->enc && !ctx->iv_gen_rand)
-+ fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+ if (!OSSL_PARAM_set_int(p, fips_indicator)) {
-+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-+ return 0;
-+ }
-+ }
-+
- return 1;
- }
-
diff --git a/openssl-3-FIPS-PCT_rsa_keygen.patch b/openssl-3-FIPS-PCT_rsa_keygen.patch
deleted file mode 100644
index 55dbe54..0000000
--- a/openssl-3-FIPS-PCT_rsa_keygen.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Index: openssl-3.1.4/crypto/rsa/rsa_gen.c
-===================================================================
---- openssl-3.1.4.orig/crypto/rsa/rsa_gen.c
-+++ openssl-3.1.4/crypto/rsa/rsa_gen.c
-@@ -428,7 +428,12 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
-
- #ifdef FIPS_MODULE
- ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
-- pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */
-+ /* FIPS MODE needs to always run the pairwise test. But, the
-+ * rsa_keygen_pairwise_test() PCT as self-test requirements will be
-+ * covered by do_rsa_pct() for both RSA-OAEP and RSA signatures and
-+ * this PCT can be skipped here. See bsc#1221760 for more info.
-+ */
-+ pairwise_test = 0;
- #else
- /*
- * Only multi-prime keys or insecure keys with a small key length or a
-@@ -463,6 +468,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
- rsa->dmp1 = NULL;
- rsa->dmq1 = NULL;
- rsa->iqmp = NULL;
-+#ifdef FIPS_MODULE
-+ abort();
-+#endif /* FIPS_MODULE */
- }
- }
- return ok;
diff --git a/openssl-3-jitterentropy-3.4.0.patch b/openssl-3-jitterentropy-3.4.0.patch
deleted file mode 100644
index dfd8b7f..0000000
--- a/openssl-3-jitterentropy-3.4.0.patch
+++ /dev/null
@@ -1,372 +0,0 @@
-Index: openssl-3.1.4/Configurations/00-base-templates.conf
-===================================================================
---- openssl-3.1.4.orig/Configurations/00-base-templates.conf
-+++ openssl-3.1.4/Configurations/00-base-templates.conf
-@@ -71,9 +71,12 @@ my %targets=(
- lflags =>
- sub { $withargs{zlib_lib} ? "-L".$withargs{zlib_lib} : () },
- ex_libs =>
-- sub { !defined($disabled{zlib})
-- && defined($disabled{"zlib-dynamic"})
-- ? "-lz" : () },
-+ sub {
-+ my @libs = ();
-+ push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"});
-+ push(@libs, "-ljitterentropy") if !defined($disabled{jitterentropy});
-+ return join(" ", @libs);
-+ },
- HASHBANGPERL => "/usr/bin/env perl", # Only Unix actually cares
- RANLIB => sub { which("$config{cross_compile_prefix}ranlib")
- ? "ranlib" : "" },
-Index: openssl-3.1.4/crypto/rand/rand_jitter_entropy.c
-===================================================================
---- /dev/null
-+++ openssl-3.1.4/crypto/rand/rand_jitter_entropy.c
-@@ -0,0 +1,97 @@
-+# include "jitterentropy.h"
-+# include "prov/jitter_entropy.h"
-+
-+struct rand_data* ec = NULL;
-+CRYPTO_RWLOCK *jent_lock = NULL;
-+int stop = 0;
-+
-+struct rand_data* FIPS_entropy_init(void)
-+{
-+ if (ec != NULL) {
-+ /* Entropy source has been initiated and collector allocated */
-+ return ec;
-+ }
-+ if (stop != 0) {
-+ /* FIPS_entropy_cleanup() already called, don't initialize it again */
-+ return NULL;
-+ }
-+ if (jent_lock == NULL) {
-+ /* Allocates a new lock to serialize access to jent library */
-+ jent_lock = CRYPTO_THREAD_lock_new();
-+ if (jent_lock == NULL) {
-+ return NULL;
-+ }
-+ }
-+ if (CRYPTO_THREAD_write_lock(jent_lock) == 0) {
-+ return NULL;
-+ }
-+ /* If the initialization is successful, the call returns with 0 */
-+ if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) {
-+ /* Allocate entropy collector */
-+ ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS);
-+ } else {
-+ /* abort if jitter rng fails initialization */
-+ abort();
-+ }
-+ if (ec == NULL) {
-+ /* abort if jitter rng fails initialization */
-+ abort();
-+ }
-+ CRYPTO_THREAD_unlock(jent_lock);
-+
-+ return ec;
-+}
-+
-+/*
-+ * The following error codes can be returned by jent_read_entropy_safe():
-+ * -1 entropy_collector is NULL
-+ * -2 RCT failed
-+ * -3 APT failed
-+ * -4 The timer cannot be initialized
-+ * -5 LAG failure
-+ * -6 RCT permanent failure
-+ * -7 APT permanent failure
-+ * -8 LAG permanent failure
-+ */
-+ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen)
-+{
-+ ssize_t ent_bytes = -1;
-+
-+ /*
-+ * Order is important. We need to call FIPS_entropy_init() before we
-+ * acquire jent_lock, otherwise it can lead to deadlock. Once we have
-+ * jent_lock, we need to ensure that FIPS_entropy_cleanup() was not called
-+ * in the meantime. Then it's safe to read entropy.
-+ */
-+ if (buf != NULL
-+ && buflen != 0
-+ && FIPS_entropy_init()
-+ && CRYPTO_THREAD_write_lock(jent_lock) != 0
-+ && stop == 0) {
-+ /* Get entropy */
-+ ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen);
-+ if (ent_bytes < 0) {
-+ /* abort if jitter rng fails entropy gathering because health tests failed. */
-+ abort();
-+ }
-+ CRYPTO_THREAD_unlock(jent_lock);
-+ }
-+
-+ return ent_bytes;
-+}
-+
-+void FIPS_entropy_cleanup(void)
-+{
-+ if (jent_lock != NULL && stop == 0) {
-+ CRYPTO_THREAD_write_lock(jent_lock);
-+ }
-+ /* Disable re-initialization in FIPS_entropy_init() */
-+ stop = 1;
-+ /* Free entropy collector */
-+ if (ec != NULL) {
-+ jent_entropy_collector_free(ec);
-+ ec = NULL;
-+ }
-+ CRYPTO_THREAD_lock_free(jent_lock);
-+ jent_lock = NULL;
-+}
-Index: openssl-3.1.4/providers/implementations/rands/seeding/rand_unix.c
-===================================================================
---- openssl-3.1.4.orig/providers/implementations/rands/seeding/rand_unix.c
-+++ openssl-3.1.4/providers/implementations/rands/seeding/rand_unix.c
-@@ -20,6 +20,7 @@
- #include "internal/dso.h"
- #include "internal/nelem.h"
- #include "prov/seeding.h"
-+#include "prov/jitter_entropy.h"
- 
- #ifdef __linux
- # include
-@@ -631,6 +632,31 @@ size_t ossl_pool_acquire_entropy(RAND_PO
- 
- (void)entropy_available; /* avoid compiler warning */
- 
-+ /* Use jitter entropy in FIPS mode */
-+ if (EVP_default_properties_is_fips_enabled(NULL))
-+ {
-+ size_t bytes_needed;
-+ unsigned char *buffer;
-+ ssize_t bytes;
-+ /* Maximum allowed number of consecutive unsuccessful attempts */
-+ int attempts = 3;
-+
-+ bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
-+ while (bytes_needed != 0 && attempts-- > 0) {
-+ buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
-+ bytes = FIPS_jitter_entropy(buffer, bytes_needed);
-+ if (bytes > 0) {
-+ ossl_rand_pool_add_end(pool, bytes, 8 * bytes);
-+ bytes_needed -= bytes;
-+ attempts = 3; /* reset counter after successful attempt */
-+ } else if (bytes < 0) {
-+ break;
-+ }
-+ }
-+ entropy_available = ossl_rand_pool_entropy_available(pool);
-+ return entropy_available;
-+ }
-+
- # if defined(OPENSSL_RAND_SEED_GETRANDOM)
- {
- size_t bytes_needed;
-Index: openssl-3.1.4/providers/implementations/include/prov/jitter_entropy.h
-===================================================================
---- /dev/null
-+++ openssl-3.1.4/providers/implementations/include/prov/jitter_entropy.h
-@@ -0,0 +1,17 @@
-+#ifndef OSSL_PROVIDERS_JITTER_ENTROPY_H
-+# define OSSL_PROVIDERS_JITTER_ENTROPY_H
-+
-+# include
-+# include
-+# include
-+# include
-+
-+extern struct rand_data* ec;
-+extern CRYPTO_RWLOCK *jent_lock;
-+extern int stop;
-+
-+struct rand_data* FIPS_entropy_init(void);
-+ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen);
-+void FIPS_entropy_cleanup(void);
-+
-+#endif
-Index: openssl-3.1.4/providers/fips/self_test.c
-===================================================================
---- openssl-3.1.4.orig/providers/fips/self_test.c
-+++ openssl-3.1.4/providers/fips/self_test.c
-@@ -20,6 +20,7 @@
- #include "internal/tsan_assist.h"
- #include "prov/providercommon.h"
- #include "crypto/rand.h"
-+#include "prov/jitter_entropy.h"
- 
- /*
- * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS
-@@ -392,6 +393,11 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
- return 0;
- }
- 
-+ if (!FIPS_entropy_init()) {
-+ ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_ENTROPY_INIT_FAILED);
-+ goto end;
-+ }
-+
- if (st == NULL) {
- ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
- goto end;
-Index: openssl-3.1.4/include/openssl/proverr.h
-===================================================================
---- openssl-3.1.4.orig/include/openssl/proverr.h
-+++ openssl-3.1.4/include/openssl/proverr.h
-@@ -44,6 +44,7 @@
- # define PROV_R_FAILED_TO_GET_PARAMETER 103
- # define PROV_R_FAILED_TO_SET_PARAMETER 104
- # define PROV_R_FAILED_TO_SIGN 175
-+# define PROV_R_FIPS_ENTROPY_INIT_FAILED 234
- # define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR 227
- # define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE 224
- # define PROV_R_FIPS_MODULE_IN_ERROR_STATE 225
-Index: openssl-3.1.4/providers/common/provider_err.c
-===================================================================
---- openssl-3.1.4.orig/providers/common/provider_err.c
-+++ openssl-3.1.4/providers/common/provider_err.c
-@@ -54,6 +54,8 @@ static const ERR_STRING_DATA PROV_str_re
- {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER),
- "failed to set parameter"},
- {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"},
-+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_ENTROPY_INIT_FAILED),
-+ "fips module jitter entropy init failed"},
- {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR),
- "fips module conditional error"},
- {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
-Index: openssl-3.1.4/crypto/rand/build.info
-===================================================================
---- openssl-3.1.4.orig/crypto/rand/build.info
-+++ openssl-3.1.4/crypto/rand/build.info
-@@ -1,6 +1,6 @@
- LIBS=../../libcrypto
- 
--$COMMON=rand_lib.c
-+$COMMON=rand_lib.c rand_jitter_entropy.c
- $CRYPTO=randfile.c rand_err.c rand_deprecated.c prov_seed.c rand_pool.c
- 
- IF[{- !$disabled{'egd'} -}]
-Index: openssl-3.1.4/providers/fips/fipsprov.c
-===================================================================
---- openssl-3.1.4.orig/providers/fips/fipsprov.c
-+++ openssl-3.1.4/providers/fips/fipsprov.c
-@@ -27,6 +27,7 @@
- #include "crypto/context.h"
- #include "internal/core.h"
- #include "indicator.h"
-+#include "prov/jitter_entropy.h"
- 
- static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
- static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
-@@ -603,6 +604,7 @@ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM
- 
- static void fips_teardown(void *provctx)
- {
-+ FIPS_entropy_cleanup();
- OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
- ossl_prov_ctx_free(provctx);
- }
-Index: openssl-3.1.4/util/libcrypto.num
-===================================================================
---- openssl-3.1.4.orig/util/libcrypto.num
-+++ openssl-3.1.4/util/libcrypto.num
-@@ -5441,3 +5441,5 @@ X509_get_default_cert_path_env
- ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
- ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
- ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
-+FIPS_entropy_init ? 3_1_4 EXIST::FUNCTION:
-+FIPS_entropy_cleanup ? 3_1_4 EXIST::FUNCTION:
-Index: openssl-3.1.4/Configure
-===================================================================
---- openssl-3.1.4.orig/Configure
-+++ openssl-3.1.4/Configure
-@@ -454,6 +454,7 @@ my @disablables = (
- "fuzz-libfuzzer",
- "gost",
- "idea",
-+ "jitterentropy",
- "ktls",
- "legacy",
- "loadereng",
-@@ -550,6 +551,7 @@ our %disabled = ( # "what" => "c
- "external-tests" => "default",
- "fuzz-afl" => "default",
- "fuzz-libfuzzer" => "default",
-+ "jitterentropy" => "default",
- "ktls" => "default",
- "md2" => "default",
- "msan" => "default",
-@@ -763,7 +765,7 @@ my %cmdvars = (); # Stores
- my %unsupported_options = ();
- my %deprecated_options = ();
- # If you change this, update apps/version.c
--my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom);
-+my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom jitterentropy);
- my @seed_sources = ();
- while (@argvcopy)
- {
-@@ -1231,6 +1233,9 @@ if (scalar(@seed_sources) == 0) {
- if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) {
- delete $disabled{'egd'};
- }
-+if (scalar(grep { $_ eq 'jitterentropy' } @seed_sources) > 0) {
-+ delete $disabled{'jitterentropy'};
-+}
- if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
- die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
- warn <<_____ if scalar(@seed_sources) == 1;
-Index: openssl-3.1.4/crypto/info.c
-===================================================================
---- openssl-3.1.4.orig/crypto/info.c
-+++ openssl-3.1.4/crypto/info.c
-@@ -15,6 +15,9 @@
- #include "internal/e_os.h"
- #include "buildinf.h"
- 
-+# include
-+# include
-+
- #if defined(__arm__) || defined(__arm) || defined(__aarch64__)
- # include "arm_arch.h"
- # define CPU_INFO_STR_LEN 128
-@@ -128,6 +131,14 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings
- OPENSSL_strlcat(seeds, ")", sizeof(seeds)); \
- } while (0)
- 
-+ /* In FIPS mode, only jitterentropy is used for seeding and
-+ * reseeding the primary DRBG.
-+ */
-+ if (EVP_default_properties_is_fips_enabled(NULL)) {
-+ char jent_version_string[32];
-+ sprintf(jent_version_string, "jitterentropy (%d)", jent_version());
-+ add_seeds_string(jent_version_string);
-+ } else {
- #ifdef OPENSSL_RAND_SEED_NONE
- add_seeds_string("none");
- #endif
-@@ -156,6 +167,7 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings
- #ifdef OPENSSL_RAND_SEED_OS
- add_seeds_string("os-specific");
- #endif
-+ }
- seed_sources = seeds;
- }
- return 1;
-Index: openssl-3.1.4/INSTALL.md
-===================================================================
---- openssl-3.1.4.orig/INSTALL.md
-+++ openssl-3.1.4/INSTALL.md
-@@ -463,6 +463,12 @@ if provided by the CPU.
- Use librandom (not implemented yet).
- This source is ignored by the FIPS provider.
- 
-+### jitterentropy
-+
-+Use [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library)
-+dynamically linked. In FIPS mode, only the jitter RNG is used to seed and reseed
-+the primary DRBG.
-+
- ### none
- 
- Disable automatic seeding. This is the default on some operating systems where
diff --git a/openssl-3-use-include-directive.patch b/openssl-3-use-include-directive.patch
deleted file mode 100644
index d3ed451..0000000
--- a/openssl-3-use-include-directive.patch
+++ /dev/null
@@ -1,35 +0,0 @@
----
- apps/openssl.cnf | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-Index: openssl-3.1.4/apps/openssl.cnf
-===================================================================
---- openssl-3.1.4.orig/apps/openssl.cnf
-+++ openssl-3.1.4/apps/openssl.cnf
-@@ -19,6 +19,7 @@ openssl_conf = openssl_init
- # Comment out the next line to ignore configuration errors
- config_diagnostics = 1
- 
-+[ oid_section ]
- # Extra OBJECT IDENTIFIER info:
- # oid_file = $ENV::HOME/.oid
- oid_section = new_oids
-@@ -47,6 +48,18 @@ providers = provider_sect
- # Load default TLS policy configuration
- ssl_conf = ssl_module
- 
-+engines = engine_section
-+
-+[ engine_section ]
-+
-+# This include will look through the directory that will contain the
-+# engine declarations for any engines provided by other packages.
-+.include /etc/ssl/engines3.d
-+
-+# This include will look through the directory that will contain the
-+# definitions of the engines declared in the engine section.
-+.include /etc/ssl/engdef3.d
-+
- # Uncomment the sections that start with ## below to enable the legacy provider.
- # Loading the legacy provider enables support for the following algorithms:
- # Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
diff --git a/openssl-3.1.4.tar.gz b/openssl-3.1.4.tar.gz
deleted file mode 100644
index dde84fd..0000000
--- a/openssl-3.1.4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3
-size 15569450
diff --git a/openssl-3.1.4.tar.gz.asc b/openssl-3.1.4.tar.gz.asc
deleted file mode 100644
index d7c5025..0000000
--- a/openssl-3.1.4.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU3yaoACgkQ2JTizos9
-efXt8BAAqcF9RBzduklMCXSfG4Rzs2KcWmR1+BB0izxG3KwPr+r54qBbSRCCImHA
-U22An//xsDsQZ0K4rrkkkumpJCxLV/4F3TlEBdoCS4wzDXz/LfONzTuZ8Z3QP/Si
-ElHTKdqPo2tp6LrDIUSGa9BmK1AsxkhOoC/uJlGpLP0mLJGI3PGo5ordyERAjL/C
-hTumE16ErrXY3kHVPAeD6tJlxtV3M9UxsZAOK6LVfnhXLzz8hWMu2H5ZigXZWCDx
-NG6ylV4xxfqO9eLxT2wUrJzg24w0VZzmbD+ZeZ24v9aAxGsbl3ZHLgMKkDehNNuP
-0ADh3aGq9FkIg5n53UQu0pbOc6aBPgWwVuaNfxOheG2GqBCoca42ikW20QZyJAec
-h3uLQ76vnWOjUIjeRCjpw0+OCUaWr0wx5WzzfdgYc813VwN6FaC9ZmB46oaLfIeD
-MBAyuUxdTif/7SXmGgUIQDIf4Vxr2H7I0NyyDxD+y+C2gwn+zVvuVcBBc2cNq4QN
-UINxZvm75CwaCsys+MDjSneDhpcSlAPqTJqM3DvKf/r3+27buz+sFw463fTHnv0F
-FpyBPgvvusY4Z4h/jqLcfkl2MBOxlo+lpZJdPpQoEvGz751GsKmmtb0YgZ7BjrYs
-5vFvo0EJ066J9bWLbp6VZd825B9P2Uy7u3sUz+E5nuavT4eHv7o=
-=EH33
------END PGP SIGNATURE-----
diff --git a/openssl-3.5.3.tar.gz b/openssl-3.5.3.tar.gz
new file mode 100644
index 0000000..1daeda0
--- /dev/null
+++ b/openssl-3.5.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c9489d2abcf943cdc8329a57092331c598a402938054dc3a22218aea8a8ec3bf
+size 53183370
diff --git a/openssl-3.5.3.tar.gz.asc b/openssl-3.5.3.tar.gz.asc
new file mode 100644
index 0000000..6027ccf
--- /dev/null
+++ b/openssl-3.5.3.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmjJU0kACgkQIWCU39DL
+ge+Wrw//b+8N4fLG4Q914hf8n76oRNROq7Z0Y4vY9oZPIb828YrMwg9DsTmyv0/f
+BJw7tnrch0e0FA2T8evBwrnER2rcjRLq6g8m84uMV//Ok/FI11fqN0Wph/0wnwo1
+PBjjd5fehaU6bSnwbZTLIxYvN9EOoVvP2DRNnYUlTWzvDd0s+3IZIBU5fIbdfRN3
+knFqNojcJES5JXr736BUZUH0axrlzQikNU/HTfzihPrVK5G/zl2ywOBijUi7lWJO
+WP6t8YRKwvkQllijo9jE8cstpTDqxvuOKJa2FZjeJovNugxSRMDQCtCdsIklVLY9
+IusJsO3mmcnQzxRIJkfi5n49A8Hb4QRD63yUc74U4BBXrSr1QjzrThzFfYg8TJnb
+h+mOerfV/I6A7jUXGSu1TAJpwJ7KoFAD2vvzk+U2+A93UZyjSZAHdMHsv61mpV0X
+ObnDsTiR5wl/y2NfH9KjvSz/ur1RCB50YNq3dbdaMXJUDY7j00t9W3RgAeotXxyL
+dzXyFd4ZyE2J3A7l8bi7uES9DvQ8TlUeC2q/EjoeXreauN9Upj9bwgGE/mUwoUwT
+Pf1ZY6465KE5i54utbMswui9wEfRR0vKlHe+hJ+ycUVl36fY7nXpOwJKVKbPjoMd
+2LO3ywmPxO3hUx2UXdPynZwxtkMdE+SAqGsvXP7WElzmEgd7WE0=
+=KeII
+-----END PGP SIGNATURE-----
diff --git a/openssl-3.changes b/openssl-3.changes
index 3d1fa16..9b47ba0 100644
--- a/openssl-3.changes
+++ b/openssl-3.changes
@@ -1,3 +1,724 @@
+-------------------------------------------------------------------
+Wed Sep 17 00:56:31 UTC 2025 - Lucas Mulling
+
+- Update to 3.5.3:
+ * Added FIPS 140-3 PCT on DH key generation.
+ * Fixed the synthesised OPENSSL_VERSION_NUMBER.
+- Rebase patches:
+ * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+ * openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+ * openssl-FIPS-limit-rsa-encrypt.patch
+
+-------------------------------------------------------------------
+Tue Aug 5 16:34:57 UTC 2025 - Lucas Mulling
+
+- Update to 3.5.2:
+ * Miscellaneous minor bug fixes.
+ * The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
+ This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
+- Rebase patches:
+ * openssl-FIPS-140-3-keychecks.patch
+ * openssl-FIPS-NO-DES-support.patch
+ * openssl-FIPS-enforce-EMS-support.patch
+ * openssl-disable-fipsinstall.patch
+- Move ssl configuration files to the libopenssl package [bsc#1247463]
+- Don't install unneeded NOTES
+
+-------------------------------------------------------------------
+Wed Jul 30 09:17:24 UTC 2025 - Pedro Monreal
+
+- Disable LTO for userspace livepatching [jsc#PED-13245]
+
+-------------------------------------------------------------------
+Mon Jul 28 07:45:23 UTC 2025 - Andreas Schwab
+
+- Use termios instead of obsolete termio
+
+-------------------------------------------------------------------
+Mon Jul 7 13:33:21 UTC 2025 - Lucas Mulling
+
+- Update to 3.5.1:
+ * Fix x509 application adds trusted use instead of rejected use.
+ [bsc#1243564, CVE-2025-4575]
+- Remove patches:
+ * openssl-Fix-P384-on-P8-targets.patch
+ * openssl-CVE-2025-4575.patch
+- Rebase patches:
+ * openssl-Allow-disabling-of-SHA1-signatures.patch
+ * openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+ * openssl-FIPS-NO-DES-support.patch
+- Fix a bogus warning caused by -Wfree-nonheap-object
+ * Add patch openssl-Fix-Wfree-nonheap-object-warning.patch
+
+-------------------------------------------------------------------
+Thu May 29 06:46:14 UTC 2025 - Pedro Monreal
+
+- Fix P-384 curve on lower-than-P9 PPC64 targets [bsc#1243014]
+ * Add openssl-Fix-P384-on-P8-targets.patch [a72f753c]
+
+-------------------------------------------------------------------
+Mon May 26 10:16:09 UTC 2025 - Lucas Mulling
+
+- Security fix: [bsc#1243564, CVE-2025-4575]
+ * Fix the x509 application adding trusted use instead of rejected use
+ * Add openssl-CVE-2025-4575.patch
+
+-------------------------------------------------------------------
+Thu May 15 09:41:20 UTC 2025 - Pedro Monreal
+
+- FIPS: Fix the speed command in FIPS mode for KMAC
+ * Add openssl-FIPS-Fix-openssl-speed-KMAC.patch
+
+-------------------------------------------------------------------
+Mon May 12 10:47:50 UTC 2025 - Pedro Monreal
+
+- FIPS: Restore the check to deny SHA1 signatures in FIPS mode and
+ the functionality to allow/deny via crypto-policies. [jsc#PED-12224]
+ * Remove openssl-rh-allow-sha1-signatures.patch
+ * Add patches:
+ - openssl-Allow-disabling-of-SHA1-signatures.patch
+ - openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+ - openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+
+-------------------------------------------------------------------
+Fri Apr 4 13:34:27 UTC 2025 - Lucas Mulling
+
+- Update to 3.5.0:
+ * Security fixes:
+ - [bsc#1243459, CVE-2025-27587] Minerva side channel vulnerability in P-384
+ * Changes:
+ - Default encryption cipher for the req, cms, and smime applications
+ changed from des-ede3-cbc to aes-256-cbc.
+ - The default TLS supported groups list has been changed to include
+ and prefer hybrid PQC KEM groups. Some practically unused groups
+ were removed from the default list.
+ - The default TLS keyshares have been changed to offer X25519MLKEM768
+ and and X25519.
+ - All BIO_meth_get_*() functions were deprecated.
+ * New features:
+ - Support for server side QUIC (RFC 9000)
+ - Support for 3rd party QUIC stacks including 0-RTT support
+ - Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
+ - A new configuration option no-tls-deprecated-ec to disable support
+ for TLS groups deprecated in RFC8422
+ - A new configuration option enable-fips-jitter to make the FIPS
+ provider to use the JITTER seed source
+ - Support for central key generation in CMP
+ - Support added for opaque symmetric key objects (EVP_SKEY)
+ - Support for multiple TLS keyshares and improved TLS key establishment
+ group configurability
+ - API support for pipelining in provided cipher algorithms
+ * Remove patches:
+ - openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
+ - openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
+ - openssl-3-add-defines-CPACF-funcs.patch
+ - openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
+ - openssl-3-add-xof-state-handling-s3_absorb.patch
+ - openssl-3-fix-state-handling-sha3_absorb_s390x.patch
+ - openssl-3-fix-s390x_shake_squeeze.patch
+ - openssl-3-hw-acceleration-aes-xts-s390x.patch
+ - openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
+ - openssl-3-fix-state-handling-keccak_final_s390x.patch
+ - openssl-3-add-hw-acceleration-hmac.patch
+ - openssl-3-fix-state-handling-sha3_final_s390x.patch
+ - openssl-3-fix-hmac-digest-detection-s390x.patch
+ - openssl-3-support-multiple-sha3_squeeze_s390x.patch
+ - openssl-3-fix-sha3-squeeze-ppc64.patch
+ - openssl-3-fix-s390x_sha3_absorb.patch
+ - openssl-3-fix-state-handling-shake_final_s390x.patch
+ - openssl-3-add_EVP_DigestSqueeze_api.patch
+ - openssl-FIPS-enforce-security-checks-during-initialization.patch
+ - openssl-FIPS-140-3-zeroization.patch
+ - openssl-FIPS-Add-explicit-indicator-for-key-length.patch
+ - openssl-FIPS-Mark-SHA1-as-nonapproved.patch
+ - openssl-Remove-EC-curves.patch
+ - openssl-FIPS-services-minimize.patch
+ - openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
+ - openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
+ - openssl-3-fix-quic_multistream_test.patch
+ - openssl-3-jitterentropy-3.4.0.patch
+ - openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
+ - openssl-FIPS-140-3-DRBG.patch
+ - openssl-FIPS-Use-FFDHE2048-in-self-test.patch
+ - openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+ - openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
+ - openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+ - openssl-FIPS-enforce-EMS-support.patch
+ - openssl-Allow-disabling-of-SHA1-signatures.patch
+ - openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+ * Rebased patches:
+ - openssl-pkgconfig.patch
+ - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+ - openssl-Add-Kernel-FIPS-mode-flag-support.patch
+ - openssl-Force-FIPS.patch
+ - openssl-disable-fipsinstall.patch
+ - openssl-FIPS-embed-hmac.patch
+ - openssl-Add-changes-to-ectest-and-eccurve.patch
+ - openssl-Disable-explicit-ec.patch
+ - openssl-skipped-tests-EC-curves.patch
+ - openssl-FIPS-140-3-keychecks.patch
+ - openssl-FIPS-early-KATS.patch
+ - openssl-FIPS-limit-rsa-encrypt.patch
+ - openssl-FIPS-Expose-a-FIPS-indicator.patch
+ - openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+ - openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
+ - openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+ - openssl-FIPS-RSA-disable-shake.patch
+ - openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+ - openssl-FIPS-Enforce-error-state.patch
+ - openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
+ - openssl-FIPS-enforce-EMS-support.patch
+ - openssl-TESTS-Disable-default-provider-crypto-policies.patch
+ - openssl-skip-quic-pairwise.patch
+ * Add patches:
+ - openssl-FIPS-Fix-encoder-decoder-negative-test.patch
+ - openssl-FIPS-SUSE-FIPS-module-version.patch
+ - openssl-FIPS-EC-disable-weak-curves.patch
+ - openssl-FIPS-NO-DES-support.patch
+ - openssl-FIPS-NO-DSA-Support.patch
+ - openssl-FIPS-NO-Kmac.patch
+ - openssl-FIPS-NO-PQ-ML-SLH-DSA.patch
+ - openssl-shared-jitterentropy.patch
+ - openssl-rh-allow-sha1-signatures.patch
+ - openssl-disable-75-test_quicapi-test.patch
+
+- Changes between 3.3.0 and 3.4.0:
+ * Changes:
+ - Deprecation of TS_VERIFY_CTX_set_* functions and addition of
+ replacement TS_VERIFY_CTX_set0_* functions with improved semantics
+ - The X25519 and X448 key exchange implementation in the FIPS provider
+ is unapproved and has fips=no property.
+ - SHAKE-128 and SHAKE-256 implementations have no default digest length
+ anymore. That means these algorithms cannot be used with
+ EVP_DigestFinal/_ex() unless the xoflen param is set before.
+ - Setting config_diagnostics=1 in the config file will cause errors to
+ be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an
+ error in the ssl module configuration.
+ - An empty renegotiate extension will be used in TLS client hellos
+ instead of the empty renegotiation SCSV, for all connections with a
+ minimum TLS version > 1.0.
+ - Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and
+ SSL_CTX_flush_sessions() functions in favor of their respective _ex
+ functions which are Y2038-safe on platforms with Y2038-safe time_t
+ * New features:
+ - Support for directly fetched composite signature algorithms such as
+ RSA-SHA2-256 including new API functions
+ - FIPS indicators support in the FIPS provider and various updates of
+ the FIPS provider required for future FIPS 140-3 validations
+ - Implementation of RFC 9579 (PBMAC1) in PKCS#12
+ - An optional additional random seed source RNG JITTER using a statically
+ linked jitterentropy library
+ - New options -not_before and -not_after for explicit setting start and
+ end dates of certificates created with the req and x509 apps
+ - Support for integrity-only cipher suites TLS_SHA256_SHA256 and
+ TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
+ - Support for retrieving certificate request templates and CRLs in CMP
+ - Support for additional X.509v3 extensions related to Attribute Certificates
+ - Initial Attribute Certificate (RFC 5755) support
+ - Possibility to customize ECC groups initialization to use precomputed
+ values to save CPU time and use of this feature by the P-256 implementation
+
+- Changes between 3.2.0 and 3.3.0:
+ * Changes:
+ - Optimized AES-CTR for ARM Neoverse V1 and V2
+ - Various optimizations for cryptographic routines using RISC-V vector
+ crypto extensions
+ - Added assembly implementation for md5 on loongarch64
+ - Accept longer context for TLS 1.2 exporters
+ - The activate and soft_load configuration settings for providers in
+ openssl.cnf have been updated to require a value of [1|yes|true|on]
+ (in lower or UPPER case) to enable the setting. Conversely a value of
+ [0|no|false|off] will disable the setting.
+ - In openssl speed, changed the default hash function used with hmac from
+ md5 to sha256.
+ - The -verify option to the openssl crl and openssl req will make the
+ program exit with 1 on failure.
+ - The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(),
+ and related functions have been augmented to check for a minimum length
+ of the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
+ - OPENSSL_sk_push() and sk__push() functions now return 0 instead of -1
+ if called with a NULL stack argument.
+ - New limit on HTTP response headers is introduced to HTTP client.
+ The default limit is set to 256 header lines.
+ * Bug fixes and mitigations:
+ - The BIO_get_new_index() function can only be called 127 times before
+ it reaches its upper bound of BIO_TYPE_MASK and will now return -1
+ once its exhausted.
+ * new features:
+ - Support for qlog for tracing QUIC connections has been added
+ - Added APIs to allow configuring the negotiated idle timeout for QUIC
+ connections, and to allow determining the number of additional streams
+ that can currently be created for a QUIC connection.
+ - Added APIs to allow disabling implicit QUIC event processing for QUIC
+ SSL objects
+ - Added APIs to allow querying the size and utilisation of a QUIC
+ stream's write buffer
+ - New API SSL_write_ex2, which can be used to send an end-of-stream (FIN)
+ condition in an optimised way when using QUIC.
+ - Limited support for polling of QUIC connection and stream objects in a
+ non-blocking manner.
+ - Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
+ times with different output sizes.
+ - The BLAKE2s hash algorithm matches BLAKE2b's support for configurable
+ output length.
+ - The EVP_PKEY_fromdata function has been augmented to allow for the + derivation of CRT (Chinese Remainder Theorem) parameters when requested + - Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex() + using time_t which is Y2038 safe on 32 bit systems when 64 bit time + is enabled. + - Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms + config + options and the respective calls to SSL[_CTX]_set1_sigalgs() and + SSL[_CTX]_set1_client_sigalgs() that start with ? character are ignored + and the configuration will still be used. + - Added -set_issuer and -set_subject options to openssl x509 to override + the Issuer and Subject when creating a certificate. The -subj option + now is an alias for -set_subject. + - Added several new features of CMPv3 defined in RFC 9480 and RFC 9483 + - New option SSL_OP_PREFER_NO_DHE_KEX, which allows configuring a TLS1.3 + server to prefer session resumption using PSK-only key exchange over + PSK with DHE, if both are available. + - New atexit configuration switch, which controls whether the OPENSSL_cleanup + is registered when libcrypto is unloaded. + - Added X509_STORE_get1_objects to avoid issues with the existing + X509_STORE_get0_objects API in multi-threaded applications. + - Support for using certificate profiles and extened delayed delivery in CMP + +------------------------------------------------------------------- +Fri Mar 21 17:19:40 UTC 2025 - Lucas Mulling + +- FIPS: Mark SHA-1 as non-approved in the SLI. [jsc#PED-12224] + * Add openssl-FIPS-Mark-SHA1-as-nonapproved.patch + +------------------------------------------------------------------- +Wed Mar 5 18:18:52 UTC 2025 - Lucas Mulling + +- Introduce --without lto. When %{optflags} contains -flto=*, tests cases are + also built using -flto=* which significantly increases build times, this + option disables lto which improve iteration times when developing. 
+ +------------------------------------------------------------------- +Tue Feb 11 18:21:12 UTC 2025 - Lucas Mulling + +- Update to 3.2.4: + * Fixed RFC7250 handshakes with unauthenticated servers don't abort as + expected. [bsc#1236599, CVE-2024-12797] + * Fixed timing side-channel in ECDSA signature computation. [CVE-2024-13176] + * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic + curve parameters. [CVE-2024-9143] +- Remove patch openssl-CVE-2024-13176.patch +- Rebase patches: + * openssl-3-add_EVP_DigestSqueeze_api.patch + * openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch + * openssl-FIPS-RSA-encapsulate.patch + * openssl-disable-fipsinstall.patch + +------------------------------------------------------------------- +Wed Jan 22 13:15:51 UTC 2025 - Lucas Mulling + +- bsc#1236136 CVE-2024-13176: Fix timing side-channel in ECDSA signature computation + * Add patch openssl-CVE-2024-13176.patch + +------------------------------------------------------------------- +Mon Dec 23 20:14:08 UTC 2024 - Giuliano Belinassi + +- Add support for userspace livepatching on ppc64le (jsc#PED-11850). +- Use gcc-13 for ppc64le. + +------------------------------------------------------------------- +Tue Dec 17 12:42:19 UTC 2024 - Pedro Monreal + +- Fix evp_properties section in the openssl.cnf file [bsc#1234647] + * Rebase patches: + - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + - openssl-TESTS-Disable-default-provider-crypto-policies.patch + +------------------------------------------------------------------- +Tue Nov 12 15:46:20 UTC 2024 - Pedro Monreal + +- Do not use HASHBANGPERL to avoid introducing a dependency on the + perl-base package. [bsc#1233235] + +------------------------------------------------------------------- +Thu Nov 7 16:43:15 UTC 2024 - Angel Yankov + +- Add missing fixes for SHA3_squeeze and quic_multistream_test on + pcc64 arch. 
[jsc#PED-10280]
+ * Added openssl-3-fix-sha3-squeeze-ppc64.patch
+ * Added openssl-3-fix-quic_multistream_test.patch
+
+-------------------------------------------------------------------
+Tue Nov 5 15:11:46 UTC 2024 - Angel Yankov
+
+- Support MSA 11 HMAC on s390x [jsc#PED-10274]
+ * Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
+ * Add openssl-3-fix-hmac-digest-detection-s390x.patch
+ * Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
+
+-------------------------------------------------------------------
+Tue Nov 5 10:39:14 UTC 2024 - Angel Yankov
+
+- Add hardware acceleration for full AES-XTS [jsc#PED-10273]
+ * Add openssl-3-hw-acceleration-aes-xts-s390x.patch
+
+-------------------------------------------------------------------
+Fri Nov 1 14:32:50 UTC 2024 - Angel Yankov
+
+- Support MSA 12 SHA3 on s390x [jsc#PED-10280]
+ * Add openssl-3-add_EVP_DigestSqueeze_api.patch
+ * Add openssl-3-support-multiple-sha3_squeeze_s390x.patch
+ * Add openssl-3-add-xof-state-handling-s3_absorb.patch
+ * Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch
+ * Add openssl-3-fix-state-handling-sha3_final_s390x.patch
+ * Add openssl-3-fix-state-handling-shake_final_s390x.patch
+ * Add openssl-3-fix-state-handling-keccak_final_s390x.patch
+ * Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
+ * Add openssl-3-add-defines-CPACF-funcs.patch
+ * Add openssl-3-add-hw-acceleration-hmac.patch
+ * Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
+ * Add openssl-3-fix-s390x_sha3_absorb.patch
+ * Add openssl-3-fix-s390x_shake_squeeze.patch
+
+-------------------------------------------------------------------
+Mon Oct 28 09:38:20 UTC 2024 - Pedro Monreal
+
+- Update to 3.2.3:
+ * Changes between 3.2.2 and 3.2.3:
+ - Fixed possible denial of service in X.509 name checks. [CVE-2024-6119]
+ - Fixed possible buffer overread in SSL_select_next_proto(). 
[CVE-2024-5535]
+ * Changes between 3.2.1 and 3.2.2:
+ - Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741]
+ - Fixed an issue where checking excessively long DSA keys or parameters may
+ be very slow. [CVE-2024-4603]
+ - Improved EC/DSA nonce generation routines to avoid bias and timing
+ side channel leaks.
+ - Fixed an issue where some non-default TLS server configurations can cause
+ unbounded memory growth when processing TLSv1.3 sessions. [CVE-2024-2511]
+ - New atexit configuration switch, which controls whether the OPENSSL_cleanup
+ is registered when libcrypto is unloaded. This can be used on platforms
+ where using atexit() from shared libraries causes crashes on exit.
+ - Fixed bug where SSL_export_keying_material() could not be used with QUIC
+ connections.
+ * Add openssl-skip-quic-pairwise.patch to adapt the pairwise tests.
+ * Merge openssl-FIPS-release_num_in_version_string.patch into
+ openssl-FIPS-services-minimize.patch
+ * Rebase patches:
+ - openssl-Add-changes-to-ectest-and-eccurve.patch
+ - openssl-FIPS-140-3-keychecks.patch
+ - openssl-FIPS-embed-hmac.patch
+ - openssl-Remove-EC-curves.patch
+ - openssl-skipped-tests-EC-curves.patch
+ - openssl-FIPS-early-KATS.patch
+ - openssl-Allow-disabling-of-SHA1-signatures.patch
+ - openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+ - openssl-FIPS-limit-rsa-encrypt.patch
+ - openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+ - openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+ - openssl-FIPS-140-3-DRBG.patch
+ - openssl-FIPS-140-3-zeroization.patch
+ - openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
+ - openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
+ - openssl-FIPS-Add-explicit-indicator-for-key-length.patch
+ - openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+ - openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
+ - openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
+ - 
openssl-FIPS-enforce-EMS-support.patch
+ - openssl-3-jitterentropy-3.4.0.patch
+ * Remove not needed patches:
+ - openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+ - openssl-3-FIPS-PCT_rsa_keygen.patch
+
+-------------------------------------------------------------------
+Mon Oct 28 09:22:33 UTC 2024 - Pedro Monreal
+
+- Remove the engines' directories and symlinks that were added to
+ allow parallel installations with openssl-1_1.
+ * Remove openssl-3-use-include-directive.patch
+
+-------------------------------------------------------------------
+Mon Oct 28 08:43:34 UTC 2024 - Pedro Monreal
+
+- Remove the hardcoded DEFAULT_SUSE cipherlist selection.
+ * Remove openssl-DEFAULT_SUSE_cipher.patch
+
+-------------------------------------------------------------------
+Fri Oct 25 09:32:01 UTC 2024 - Pedro Monreal
+
+- Update to 3.2.1:
+ * Changes between 3.2.0 and 3.2.1:
+ - A file in PKCS12 format can contain certificates and keys and may come from
+ an untrusted source. The PKCS12 specification allows certain fields to be
+ NULL, but OpenSSL did not correctly check for this case. [CVE-2024-0727]
+ - When function EVP_PKEY_public_check() is called on RSA public keys,
+ a computation is done to confirm that the RSA modulus, n, is composite.
+ For valid RSA keys, n is a product of two or more large primes and this
+ computation completes quickly. However, if n is an overly large prime,
+ then this computation would take a long time. [CVE-2023-6237]
+ - Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
+ have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
+ rather than SM2.
+ - The POLY1305 MAC (message authentication code) implementation in OpenSSL
+ for PowerPC CPUs saves the contents of vector registers in different
+ order than they are restored. [CVE-2023-6129]
+ - Disable building QUIC server utility when OpenSSL is configured with 'no-apps'.
+ * The openssl-crypto-policies-support.patch has been merged into
+ openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+ * Rename openssl-Disable-default-provider-for-test-suite.patch and rebase to
+ openssl-TESTS-Disable-default-provider-crypto-policies.patch
+ * Patches removed in the update:
+ - openssl-Add_support_for_Windows_CA_certificate_store.patch
+ - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
+ - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
+ - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
+ - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
+ - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
+ - openssl-CVE-2024-41996.patch
+ - openssl-CVE-2023-50782.patch
+ - openssl-CVE-2024-9143.patch
+ * Patches rebased:
+ - openssl-3-use-include-directive.patch
+ - openssl-Add-Kernel-FIPS-mode-flag-support.patch
+ - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+ - openssl-DEFAULT_SUSE_cipher.patch
+ - openssl-FIPS-embed-hmac.patch
+ - openssl-Force-FIPS.patch
+ - openssl-load-legacy-provider.patch
+ - openssl-no-html-docs.patch
+ - openssl-pkgconfig.patch
+ - openssl-ppc64-config.patch
+ - openssl-truststore.patch
+
+-------------------------------------------------------------------
+Fri Oct 25 09:14:20 UTC 2024 - Pedro Monreal
+
+- Update to 3.2.0:
+ * Changes between 3.1.x and 3.2.0:
+ - Fix excessive time spent in DH check/ generation with large Q parameter
+ value. [CVE-2023-5678]
+ - The BLAKE2b hash algorithm supports a configurable output length
+ by setting the "size" parameter.
+ - Added a function to delete objects from store by URI - OSSL_STORE_delete()
+ and the corresponding provider-storemgmt API function OSSL_FUNC_store_delete().
+ - Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass
+ a passphrase callback when opening a store.
+ - Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt)
+ from 8 bytes to 16 bytes.
+ - Changed the default value of the 'ess_cert_id_alg' configuration
+ option which is used to calculate the TSA's public key certificate
+ identifier. The default algorithm is updated to be sha256 instead of sha1.
+ - Added optimization for SM2 algorithm on aarch64. A new configure option
+ 'no-sm2-precomp' has been added to disable the precomputed table.
+ - Added client side support for QUIC
+ - Added secp384r1 implementation using Solinas' reduction to improve
+ speed of the NIST P-384 elliptic curve. To enable the implementation
+ the build option 'enable-ec_nistp_64_gcc_128' must be used.
+ - Improved RFC7468 compliance of the asn1parse command.
+ - Added SHA256/192 algorithm support.
+ - Added support for securely getting root CA certificate update in CMP.
+ - Improved contention on global write locks by using more read locks where
+ appropriate.
+ - Improved performance of OSSL_PARAM lookups in performance critical
+ provider functions.
+ - Added the SSL_get0_group_name() function to provide access to the
+ name of the group used for the TLS key exchange.
+ - Provide a new configure option 'no-http' that can be used to disable the
+ HTTP support. Provide new configure options 'no-apps' and 'no-docs' to
+ disable building the openssl command line application and the documentation.
+ - Provide a new configure option 'no-ecx' that can be used to disable the
+ X25519, X448, and EdDSA support.
+ - When multiple OSSL_KDF_PARAM_INFO parameters are passed to
+ the EVP_KDF_CTX_set_params() function they are now concatenated not just
+ for the HKDF algorithm but also for SSKDF and X9.63 KDF algorithms.
+ - Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions that get
+ the provider context as a parameter.
+ - TLS round-trip time calculation was added by a Brigham Young University
+ Capstone team partnering with Sandia National Laboratories. 
A new function
+ in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this
+ value.
+ - Added the "-quic" option to s_client to enable connectivity to QUIC servers.
+ QUIC requires the use of ALPN, so this must be specified via the "-alpn"
+ option. Use of the "advanced" s_client command command via the "-adv" option
+ is recommended.
+ - Added an "advanced" command mode to s_client. Use this with the "-adv" option.
+ - Add Raw Public Key (RFC7250) support.
+ - Added support for modular exponentiation and CRT offloading for the
+ S390x architecture.
+ - Added further assembler code for the RISC-V architecture.
+ - Added EC_GROUP_to_params() which creates an OSSL_PARAM array
+ from a given EC_GROUP.
+ - Improved support for non-default library contexts and property queries
+ when parsing PKCS#12 files.
+ - Implemented support for all five instances of EdDSA from RFC8032:
+ Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph.
+ The streaming is not yet supported for the HashEdDSA variants
+ (Ed25519ph and Ed448ph).
+ - Added SM4 optimization for ARM processors using ASIMD and AES HW instructions.
+ - Implemented SM4-XTS support.
+ - Added platform-agnostic OSSL_sleep() function.
+ - Implemented deterministic ECDSA signatures (RFC6979) support.
+ - Implemented AES-GCM-SIV (RFC8452) support.
+ - Added support for pluggable (provider-based) TLS signature algorithms.
+ This enables TLS 1.3 authentication operations with algorithms embedded
+ in providers not included by default in OpenSSL. In combination with
+ the already available pluggable KEM and X.509 support, this enables
+ for example suitable providers to deliver post-quantum or quantum-safe
+ cryptography to OpenSSL users.
+ - Added support for pluggable (provider-based) CMS signature algorithms.
+ This enables CMS sign and verify operations with algorithms embedded
+ in providers not included by default in OpenSSL.
+ - Implemented HPKE DHKEM support in providers used by HPKE (RFC9180) API.
+ - Add support for certificate compression (RFC8879), including
+ library support for Brotli and Zstandard compression.
+ - Add the ability to add custom attributes to PKCS12 files. Add a new API
+ PKCS12_create_ex2, identical to the existing PKCS12_create_ex but allows
+ for a user specified callback and optional argument.
+ Added a new PKCS12_SAFEBAG_set0_attr, which allows for a new attr to be
+ added to the existing STACK_OF attrs.
+ - Major refactor of the libssl record layer.
+ - Add a mac salt length option for the pkcs12 command.
+ - Add more SRTP protection profiles from RFC8723 and RFC8269.
+ - Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload.
+ - Add support for TCP Fast Open (RFC7413) to macOS, Linux, and FreeBSD where
+ supported and enabled.
+ - Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
+ to the list of ciphersuites providing Perfect Forward Secrecy as
+ required by SECLEVEL >= 3.
+ - Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting.
+ The SSL_CTRL_GET_IANA_GROUPS control code, exposed as the
+ SSL_get0_iana_groups() function-like macro, retrieves the list of
+ supported groups sent by the peer.
+ - Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid()
+ to make it possible to use empty passphrase strings.
+ - The PKCS12_parse() function now supports MAC-less PKCS12 files.
+ - Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions() calls to be able
+ to change functions used for allocating the memory of asynchronous call stack.
+ - Added support for signed BIGNUMs in the OSSL_PARAM APIs.
+ - A failure exit code is returned when using the openssl x509 command to check
+ certificate attributes and the checks fail.
+ - The default SSL/TLS security level has been changed from 1 to 2. 
RSA,
+ DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
+ of 160 bits and above and less than 224 bits were previously accepted by
+ default but are now no longer allowed. By default TLS compression was
+ already disabled in previous OpenSSL versions. At security level 2 it cannot
+ be enabled.
+ - The SSL_CTX_set_cipher_list family functions now accept ciphers using their
+ IANA standard names.
+ - The PVK key derivation function has been moved from b2i_PVK_bio_ex() into
+ the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
+ will need to load the legacy crypto provider.
+ - CCM8 cipher suites in TLS have been downgraded to security level zero
+ because they use a short authentication tag which lowers their strength.
+ - Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
+ by default. Also spaces surrounding '=' in DN output are removed.
+ - Add X.509 certificate codeSigning purpose and related checks on key usage and
+ extended key usage of the leaf certificate according to the CA/Browser Forum.
+ - The 'x509', 'ca', and 'req' apps now produce X.509 v3 certificates.
+ The '-x509v1' option of 'req' prefers generation of X.509 v1 certificates.
+ 'X509_sign()' and 'X509_sign_ctx()' make sure that the certificate has
+ X.509 version 3 if the certificate information includes X.509 extensions.
+ - Fix and extend certificate handling and the apps 'x509', 'verify' etc.
+ such as adding a trace facility for debugging certificate chain building.
+ - Various fixes and extensions to the CMP+CRMF implementation and the 'cmp' app
+ in particular supporting requests for central key generation, generalized
+ polling, and various types of genm/genp exchanges defined in CMP Updates.
+ - Fixes and extensions to the HTTP client and to the HTTP server in 'apps/'
+ like correcting the TLS and proxy support and adding tracing for debugging.
+ - Extended the CMS API for handling 'CMS_SignedData' and 'CMS_EnvelopedData'.
+ - 'CMS_add0_cert()' and 'CMS_add1_cert()' no longer throw an error if
+ a certificate to be added is already present. 'CMS_sign_ex()' and
+ 'CMS_sign()' now ignore any duplicate certificates in their 'certs' argument
+ and no longer throw an error for them.
+ - Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based
+ BIOs with datagram semantics and support for BIO_sendmmsg() and BIO_recvmmsg()
+ calls. They can be used as the transport BIOs for QUIC.
+ - Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow
+ sending and receiving multiple messages in a single call. An implementation
+ is provided for BIO_dgram. For further details, see BIO_sendmmsg(3).
+ - Support for loading root certificates from the Windows certificate store
+ has been added.
+ - Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some linux
+ kernel versions that support KTLS have a known bug in CCM processing. That
+ has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7,
+ and all releases since 5.16. KTLS with CCM ciphersuites should be only used
+ on these releases.
+ - Added '-ktls' option to 's_server' and 's_client' commands to enable the
+ KTLS support.
+ - Zerocopy KTLS sendfile() support on Linux.
+ - The OBJ_ calls are now thread safe using a global lock.
+ - New parameter '-digest' for openssl cms command allowing signing
+ pre-computed digests and new CMS API functions supporting that
+ functionality.
+ - OPENSSL_malloc() and other allocation functions now raise errors on
+ allocation failures. The callers do not need to explicitly raise errors
+ unless they want to for tracing purposes.
+ - Added support for Brainpool curves in TLS-1.3.
+ - Support for Argon2d, Argon2i, Argon2id KDFs has been added along with
+ a basic thread pool implementation for select platforms.
+
+-------------------------------------------------------------------
+Mon Oct 21 11:01:59 UTC 2024 - Pedro Monreal
+
+- Update to 3.1.7:
+ * Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024]
+ - Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
+ - Fixed possible buffer overread in SSL_select_next_proto()
+ (CVE-2024-5535)
+ * Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024]
+ - Fixed potential use after free after SSL_free_buffers() is
+ called (CVE-2024-4741)
+ - Fixed an issue where checking excessively long DSA keys or
+ parameters may be very slow (CVE-2024-4603)
+ - Fixed unbounded memory growth with session handling in TLSv1.3
+ (CVE-2024-2511)
+ * Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024]
+ - Fixed PKCS12 Decoding crashes (CVE-2024-0727)
+ - Fixed Excessive time spent checking invalid RSA public keys
+ [CVE-2023-6237)
+ - Fixed POLY1305 MAC implementation corrupting vector registers
+ on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129)
+ - Fix excessive time spent in DH check / generation with large
+ Q parameter value (CVE-2023-5678)
+ * Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
+ * Rebase patches:
+ - openssl-Force-FIPS.patch
+ - openssl-FIPS-embed-hmac.patch
+ - openssl-FIPS-services-minimize.patch
+ - openssl-FIPS-RSA-disable-shake.patch
+ - openssl-CVE-2023-50782.patch
+ * Remove patches fixed in the update:
+ - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
+ - openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch
+ - openssl-CVE-2024-4741.patch openssl-CVE-2024-4603.patch
+ - openssl-CVE-2024-2511.patch openssl-CVE-2024-0727.patch
+ - openssl-CVE-2023-6237.patch openssl-CVE-2023-6129.patch
+ - openssl-CVE-2023-5678.patch
+ - openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
+ - openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
+ - openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
+ - 
reproducible.patch
+
+-------------------------------------------------------------------
+Thu Oct 17 12:32:21 UTC 2024 - Pedro Monreal
+
+- Security fix: [bsc#1231741, CVE-2024-9143]
+ * Low-level invalid GF(2^m) parameters lead to OOB memory access
+ * Add openssl-CVE-2024-9143.patch
+
+-------------------------------------------------------------------
+Thu Oct 17 12:21:14 UTC 2024 - Pedro Monreal
+
+- Security fix: [bsc#1220262, CVE-2023-50782]
+ * Implicit rejection in PKCS#1 v1.5
+ * Add openssl-CVE-2023-50782.patch
+
+-------------------------------------------------------------------
+Thu Sep 19 08:05:52 UTC 2024 - Angel Yankov
+
+- Security fix: [bsc#1230698, CVE-2024-41996]
+ * Validating the order of the public keys in the Diffie-Hellman
+ Key Agreement Protocol, when an approved safe prime is used.
+ * Added openssl-CVE-2024-41996.patch
+
 -------------------------------------------------------------------
 Thu Aug 22 15:18:03 UTC 2024 - Alexander Bergmann
diff --git a/openssl-3.spec b/openssl-3.spec
index 3ba1d9e..1d3fb19 100644
--- a/openssl-3.spec
+++ b/openssl-3.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package openssl-3
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,160 +20,118 @@
 %define sover 3
 %define _rname openssl
 %define man_suffix 3ssl
-%global sslengcnf %{ssletcdir}/engines%{sover}.d
-%global sslengdef %{ssletcdir}/engdef%{sover}.d
+
+%bcond_with lto
+%if %{without lto}
+%define _lto_cflags %{nil}
+%endif
+
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%global sle_needs_crypto_policies 1
+%endif
+
+%if 0%{?suse_version} > 1600
+%global openssl_test_flags HARNESS_JOBS=${RPM_BUILD_NCPUS}
+%endif
 # Enable userspace livepatching.
 %define livepatchable 1
 Name: openssl-3
-# Don't forget to update the version in the "openssl" meta-package!
-Version: 3.1.4
+Version: 3.5.3
 Release: 0
 Summary: Secure Sockets and Transport Layer Security
 License: Apache-2.0
 URL: https://www.openssl.org/
 Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
+Source1: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
+# https://keys.openpgp.org/search?q=openssl@openssl.org
+# BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF
+Source2: %{_rname}.keyring
 # to get mtime of file:
-Source1: %{name}.changes
-Source2: baselibs.conf
-Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
-# https://www.openssl.org/about/
-# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
-Source4: %{_rname}.keyring
+Source3: %{name}.changes
+Source4: baselibs.conf
 Source5: showciphers.c
-Source6: openssl-Disable-default-provider-for-test-suite.patch
+Source6: openssl-TESTS-Disable-default-provider-crypto-policies.patch
 # PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages
 Patch1: openssl-no-html-docs.patch
 Patch2: openssl-truststore.patch
 Patch3: openssl-pkgconfig.patch
-Patch4: openssl-DEFAULT_SUSE_cipher.patch
-Patch5: openssl-ppc64-config.patch
-Patch6: openssl-no-date.patch
-# Add crypto-policies support
-Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
-Patch8: openssl-crypto-policies-support.patch
-# PATCH-FIX-UPSTREAM: 
bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW
-Patch9: openssl-Add_support_for_Windows_CA_certificate_store.patch
+Patch4: openssl-ppc64-config.patch
+Patch5: openssl-no-date.patch
+# PATCH-FIX-FEDORA Add crypto-policies support
+Patch6: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
 # PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support
-Patch10: openssl-Add-FIPS_mode-compatibility-macro.patch
-Patch11: openssl-Add-Kernel-FIPS-mode-flag-support.patch
-# PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514
-# POWER10 performance enhancements for cryptography
-Patch12: openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
-Patch13: openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
-Patch14: openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
-Patch15: openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
-Patch16: openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
-Patch17: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
-# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
-# checking excessively long X9.42 DH keys or parameters may be very slow
-Patch18: openssl-CVE-2023-5678.patch
-# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/22971
-Patch19: openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
-# PATCH-FIX-UPSTREAM: bsc#1218690 CVE-2023-6129 - POLY1305 MAC implementation corrupts vector registers on PowerPC
-Patch20: openssl-CVE-2023-6129.patch
+Patch7: openssl-Add-FIPS_mode-compatibility-macro.patch
+Patch8: openssl-Add-Kernel-FIPS-mode-flag-support.patch
 # PATCH-FIX-FEDORA Load FIPS the provider and set FIPS properties implicitly
-Patch21: openssl-Force-FIPS.patch
+Patch9: openssl-Force-FIPS.patch
 # PATCH-FIX-FEDORA Disable the fipsinstall command-line utility
-Patch22: openssl-disable-fipsinstall.patch
+Patch10: openssl-disable-fipsinstall.patch
 # PATCH-FIX-FEDORA Instructions to load legacy 
provider in openssl.cnf
-Patch23: openssl-load-legacy-provider.patch
+Patch11: openssl-load-legacy-provider.patch
 # PATCH-FIX-FEDORA Embed the FIPS hmac
-Patch24: openssl-FIPS-embed-hmac.patch
-# PATCH-FIX-UPSTREAM: bsc#1218810 CVE-2023-6237: Excessive time spent checking invalid RSA public keys
-Patch25: openssl-CVE-2023-6237.patch
-# PATCH-FIX-SUSE bsc#1194187, bsc#1207472, bsc#1218933 - Add engines section in openssl.cnf
-Patch26: openssl-3-use-include-directive.patch
-# PATCH-FIX-UPSTREAM: bsc#1219243 CVE-2024-0727: denial of service via null dereference
-Patch27: openssl-CVE-2024-0727.patch
-# PATCH-FIX-UPSTREAM: bsc#1222548 CVE-2024-2511: Unbounded memory growth with session handling in TLSv1.3
-Patch28: openssl-CVE-2024-2511.patch
-# PATCH-FIX-UPSTREAM: bsc#1224388 CVE-2024-4603: excessive time spent checking DSA keys and parameters
-Patch29: openssl-CVE-2024-4603.patch
-# PATCH-FIX-UPSTREAM: bsc#1225291 NVMe/TCP TLS connection fails due to handshake failure
-Patch30: openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
-Patch31: openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
-# PATCH-FIX-UPSTREAM bsc#1225551 CVE-2024-4741: use After Free with SSL_free_buffers
-Patch32: openssl-CVE-2024-4741.patch
-# PATCH-FIX-UPSTREAM: bsc#1223336 aes-gcm-avx512.pl: fix non-reproducibility issue
-Patch33: reproducible.patch
-# PATCH-FIX-UPSTREAM: bsc#1227138 CVE-2024-5535: SSL_select_next_proto buffer overread
-Patch34: openssl-CVE-2024-5535.patch
+Patch12: openssl-FIPS-embed-hmac.patch
 # PATCH-FIX-FEDORA bsc#1221786 FIPS: Use of non-Approved Elliptic Curves
-Patch35: openssl-Add-changes-to-ectest-and-eccurve.patch
-Patch36: openssl-Remove-EC-curves.patch
-Patch37: openssl-Disable-explicit-ec.patch
-Patch38: openssl-skipped-tests-EC-curves.patch
+Patch13: openssl-Add-changes-to-ectest-and-eccurve.patch
+Patch14: openssl-Disable-explicit-ec.patch
+Patch15: openssl-skipped-tests-EC-curves.patch
 # PATCH-FIX-FEDORA bsc#1221753 bsc#1221760 bsc#1221822 FIPS: 
Extra public/private key checks required by FIPS-140-3
-Patch39: openssl-FIPS-140-3-keychecks.patch
-# PATCH-FIX-FEDORA bsc#1221365 bsc#1221786 bsc#1221787 FIPS: Minimize fips services
-Patch40: openssl-FIPS-services-minimize.patch
-# PATCH-FIX-SUSE bsc#1221751 FIPS: Add release number to version string
-Patch41: openssl-FIPS-release_num_in_version_string.patch
+Patch16: openssl-FIPS-140-3-keychecks.patch
 # PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification
-Patch42: openssl-FIPS-early-KATS.patch
-# PATCH-FIX-SUSE bsc#1221787 FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4
-Patch43: openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
-# PATCH-FIX-FEDORA bsc#1221787 FIPS: Selectively disallow SHA1 signatures
-Patch44: openssl-Allow-disabling-of-SHA1-signatures.patch
-Patch45: openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+Patch17: openssl-FIPS-early-KATS.patch
 # PATCH-FIX-FEDORA bsc#1221365 bsc#1221824 FIPS: Service Level Indicator is needed
-Patch46: openssl-FIPS-limit-rsa-encrypt.patch
-Patch47: openssl-FIPS-Expose-a-FIPS-indicator.patch
+Patch19: openssl-FIPS-limit-rsa-encrypt.patch
+Patch20: openssl-FIPS-Expose-a-FIPS-indicator.patch
 # PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification
-Patch48: openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
-# PATCH-FIX-FEDORA bsc#1221365 bsc#1221760 FIPS: Selftests are required
-Patch49: openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
-# PATCH-FIX-FEDORA bsc#1221760 FIPS: Selftests are required
-Patch50: openssl-FIPS-Use-FFDHE2048-in-self-test.patch
-# PATCH-FIX-FEDORA bsc#1220690 bsc#1220693 bsc#1220696 FIPS: Reseed DRBG
-Patch51: openssl-FIPS-140-3-DRBG.patch
-# PATCH-FIX-FEDORA bsc#1221752 FIPS: Zeroisation is required
-Patch52: openssl-FIPS-140-3-zeroization.patch
-# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
-Patch53: openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
-Patch54: 
openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
+Patch21: openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+Patch22: openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
 # PATCH-FIX-FEDORA bsc#1221365 bsc#1221365 FIPS: Service Level Indicator is needed
-Patch55: openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
-# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
-Patch56: openssl-FIPS-Add-explicit-indicator-for-key-length.patch
+Patch23: openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
 # PATCH-FIX-FEDORA bsc#1221827 FIPS: Recommendation for Password-Based Key Derivation
-Patch57: openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+Patch24: openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
 # PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
-Patch58: openssl-FIPS-RSA-disable-shake.patch
-Patch59: openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
+Patch25: openssl-FIPS-RSA-disable-shake.patch
 # PATCH-FIX-FEDORA bsc#1221824 FIPS: NIST SP 800-56Brev2 Section 6.4.1.2.1
-Patch60: openssl-FIPS-RSA-encapsulate.patch
+Patch26: openssl-FIPS-RSA-encapsulate.patch
 # PATCH-FIX-FEDORA bsc#1221821 FIPS: Disable FIPS 186-4 Domain Parameters
-Patch61: openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
-# PATCH-FIX-SUSE bsc#1221365 FIPS: Service Level Indicator is needed
-Patch62: openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
-# PATCH-FIX-FEDORA bsc#1221827 FIPS: Recommendation for Password-Based Key Derivation
-Patch63: openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
-# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
-Patch64: openssl-FIPS-enforce-EMS-support.patch
+Patch27: openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
 # PATCH-FIX-SUSE bsc#1221824 FIPS: Add check for SP 800-56Brev2 Section 6.4.1.2.1
-Patch65: openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
-# 
PATCH-FIX-SUSE bsc#1220523 FIPS: Port openssl to use jitterentropy
-Patch66: openssl-3-jitterentropy-3.4.0.patch
+Patch28: openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
 # PATCH-FIX-SUSE bsc#1221753 FIPS: Enforce error state
-Patch67: openssl-FIPS-Enforce-error-state.patch
-# PATCH-FIX-SUSE bsc#1221365 FIPS: Service Level Indicator is needed
-Patch68: openssl-FIPS-enforce-security-checks-during-initialization.patch
-# PATCH-FIX-SUSE bsc#1221753 bsc#1221760 FIPS: RSA keygen PCT requirements
-Patch69: openssl-3-FIPS-PCT_rsa_keygen.patch
+Patch29: openssl-FIPS-Enforce-error-state.patch
+# PATCH-FIX-FEDORA Adapt pairwise tests
+Patch30: openssl-skip-quic-pairwise.patch
+# PATCH-FIX-FEDORA Fix broken selftests in fips provider init
+Patch31: openssl-FIPS-Fix-encoder-decoder-negative-test.patch
+Patch32: openssl-FIPS-SUSE-FIPS-module-version.patch
+Patch33: openssl-FIPS-EC-disable-weak-curves.patch
+Patch34: openssl-FIPS-NO-DSA-Support.patch
+Patch35: openssl-FIPS-NO-DES-support.patch
+Patch36: openssl-FIPS-NO-Kmac.patch
+Patch37: openssl-FIPS-NO-PQ-ML-SLH-DSA.patch
+# PATCH-FIX-SUSE Use the shared jitterentropy library instead of static
+Patch38: openssl-shared-jitterentropy.patch
+# PATCH-FIX-SUSE Disable dubious broken test
+Patch39: openssl-disable-75-test_quicapi-test.patch
+# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
+Patch40: openssl-FIPS-enforce-EMS-support.patch
+# PATCH-FIX-FEDORA bsc#1221787 FIPS: Selectively disallow SHA1 signatures
+Patch41: openssl-Allow-disabling-of-SHA1-signatures.patch
 # PATCH-FIX-FEDORA bsc#1221365 FIPS: Deny SHA-1 signature verification in FIPS provider
-Patch70: openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
-# PATCH-FIX-UPSTREAM bsc#1229465 CVE-2024-6119: possible denial of service in X.509 name checks
-Patch71: openssl-CVE-2024-6119.patch
-BuildRequires: pkgconfig
-%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
+Patch42: openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+# 
PATCH-FIX-FEDORA FIPS: Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
+Patch43: openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+# PATCH-FIX-FEDORA FIPS: Fix the speed command in FIPS mode for KMAC
+Patch44: openssl-FIPS-Fix-openssl-speed-KMAC.patch
+# PATCH-FIX-SUSE Fix a bogus warning caused by -Wfree-nonheap-object
+Patch45: openssl-Fix-Wfree-nonheap-object-warning.patch
+
+# ulp-macros is available according to SUSE version.
+%ifarch x86_64
+%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1540
 BuildRequires: ulp-macros
-%else
-# Define ulp-macros macros as empty
-%define cflags_livepatching ""
-%define pack_ipa_dumps echo "Livepatching is disabled in this build"
+%endif
 %endif
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(zlib)
@@ -185,9 +143,10 @@ Obsoletes: openssl-1_0_0
 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335
 Obsoletes: openssl-1_1_0
 %{?suse_build_hwcaps_libs}
-%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%if 0%{?sle_needs_crypto_policies}
 Requires: crypto-policies
 %endif
+BuildRequires: jitterentropy-devel >= 3.4.0
 %description
 OpenSSL is a software library to be used in applications that need to
@@ -201,7 +160,7 @@ Recommends: ca-certificates-mozilla
 Conflicts: %{name} < %{version}-%{release}
 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335
 Obsoletes: libopenssl1_1_0
-%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%if 0%{?sle_needs_crypto_policies}
 Requires: crypto-policies
 %endif
 # Merge back the hmac files bsc#1185116
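Review bot: The renumbered patch list on the new side skips `Patch18` (`Patch17` is followed directly by `Patch19`), and `Patch32` through `Patch37` are declared with no `# PATCH-FIX-*` line, unlike every other patch in this block, so their origin and the issue they address cannot be read from the spec. Either close the gap or leave a comment on why the slot is reserved, and give each of Patch32–37 its own tag line in the style of the surrounding ones, e.g. `# PATCH-FIX-SUSE FIPS: <purpose taken from the patch header>` above `Patch32:` (the purposes are not on this page). The new `%ifarch x86_64` guard around `BuildRequires: ulp-macros` also deserves a one-line reason: `%define livepatchable 1` a few lines above stays unconditional, and the changelog hunk in this same commit records livepatching support for ppc64le, so the restriction looks deliberate but is unexplained.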
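Review bot: `BuildRequires: jitterentropy-devel >= 3.4.0` is added between the `Requires: crypto-policies` block and `%description`, apart from the other `BuildRequires:` lines earlier in the preamble (`pkgconfig`, `pkgconfig(zlib)`, `ulp-macros`). Grouping it with them, or at least adding `# Needed for enable-jitter / enable-fips-jitter in Configure` above it, keeps the build dependencies in one place and records what pulls the library in; the 3.4.0 floor presumably matches the dropped `openssl-3-jitterentropy-3.4.0.patch`, which the comment could also say.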
@@ -269,32 +228,38 @@ export MACHINE=armv6l %endif ./Configure \ - no-mdc2 no-ec2m \ - no-afalgeng \ - enable-rfc3779 enable-camellia enable-seed \ + enable-camellia \ %ifarch x86_64 aarch64 ppc64le enable-ec_nistp_64_gcc_128 \ %endif enable-fips \ - enable-jitterentropy \ + enable-fips-jitter \ + enable-jitter \ enable-ktls \ + enable-pie \ + enable-rfc3779 \ + enable-seed \ + no-afalgeng \ + no-atexit \ + no-ec2m \ + no-mdc2 \ zlib \ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ %{optflags} \ - %{cflags_livepatching} \ + %{?cflags_livepatching} \ -Wa,--noexecstack \ -Wl,-z,relro,-z,now \ -fno-common \ - -DTERMIO \ + -DTERMIOS \ -DPURIFY \ -D_GNU_SOURCE \ + -DOPENSSL_PEDANTIC_ZEROIZATION \ '-DSUSE_OPENSSL_RELEASE="\"%{release}\""' \ -DOPENSSL_NO_BUF_FREELISTS \ $(getconf LFS_CFLAGS) \ -Wall \ - --with-rand-seed=getrandom,jitterentropy \ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config # Show build configuration @@ -307,14 +272,8 @@ perl configdata.pm --dump %make_build all %check -# Relax the crypto-policies requirements for the regression tests -# Revert patch8 before running tests -patch -p1 -R < %{PATCH8} -# Revert openssl-3-use-include-directive.patch because these directories -# exists only in buildroot but not in build system and some tests are failing -# because of it. -patch -p1 -R < %{PATCH26} -# Disable the default provider for the test suite. +# Relax the crypto-policies requirements and disable the default +# provider for the test suite regression tests patch -p1 < %{SOURCE6} export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export MALLOC_CHECK_=3 
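Review bot: The Configure block gains several behaviour-changing switches — `no-atexit`, `-DOPENSSL_PEDANTIC_ZEROIZATION`, `enable-fips-jitter` plus `enable-jitter`, and the removal of `--with-rand-seed=getrandom,jitterentropy` — with no comment on why, and these are exactly the options a FIPS reviewer or the next maintainer will ask about. A short comment above `./Configure \` would carry the intent, e.g. `# no-atexit: do not register library cleanup via atexit(); OPENSSL_PEDANTIC_ZEROIZATION: wipe intermediate secrets; enable-fips-jitter: FIPS provider seeds from jitterentropy, so the explicit --with-rand-seed list is no longer needed`. Whether dropping `--with-rand-seed` leaves the non-FIPS provider on the default OS seed source for this OpenSSL version should be confirmed and stated in that comment. The option list otherwise appears to be alphabetised now, except `enable-camellia` which stays at the top; moving it into order makes the sort intent obvious.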
@@ -326,7 +285,7 @@ objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so provi mv providers/fips.so.mac providers/fips.so # Run the tests in non FIPS mode -LD_LIBRARY_PATH="$PWD" make test -j16 +LD_LIBRARY_PATH="$PWD" make test %{?_smp_mflags} %{?openssl_test_flags} # Run the tests also in FIPS mode # OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH="$PWD" make TESTS='-test_evp_fetch_prov -test_tsa' test -j16 || : @@ -349,7 +308,7 @@ gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{build LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers %install -%{pack_ipa_dumps} +%{?pack_ipa_dumps} %make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix} rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover} @@ -360,12 +319,17 @@ for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do done # Remove static libraries -rm -f %{buildroot}%{_libdir}/lib*.a +rm -f %{buildroot}%{_libdir}/*.a # Remove the cnf.dist rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist +# Remove unneeded NOTES files +for file in NOTES-ANDROID.md NOTES-DJGPP.md NOTES-NONSTOP.md NOTES-VMS.md NOTES-WINDOWS.md ; do + rm -f %{_datadir}/packages/libopenssl-3-devel/${file} +done + # Make a copy of the default openssl.cnf file cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf 
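Review bot: The new NOTES cleanup loop in the `@@ -360` hunk cannot affect the package: `rm -f %{_datadir}/packages/libopenssl-3-devel/${file}` carries no `%{buildroot}` prefix, so it targets the build host's own filesystem, and `%doc` entries are copied by rpmbuild after `%install` has finished, so nothing exists at that path during `%install` anyway. `rm -f` hides the miss, which is why this went unnoticed. Drop the loop and instead list the NOTES files that should ship explicitly in the `%doc` line of `%files -n libopenssl-3-devel` (the `NOTES*.md` glob is visible as context in the `@@ -448` hunk), which removes the unwanted ones without a second mechanism. In the same hunk, `rm -f %{buildroot}%{_libdir}/*.a` now matches more than the previous `lib*.a`; presumably intended, but worth a word in the `# Remove static libraries` comment.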
@@ -373,21 +337,13 @@ cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cn mkdir -p %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl install -d -m 555 %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl -# Remove the fipsmodule.cnf because FIPS module is loaded automatically +# Remove the fipsmodule.cnf because FIPS module is loaded automatically in FIPS mode rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl mkdir %{buildroot}/%{_datadir}/ssl mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/ -# Create the two directories into which packages will drop their configuration -# files. -mkdir %{buildroot}/%{sslengcnf} -mkdir %{buildroot}/%{sslengdef} -# Create unversioned symbolic links to above directories -ln -s %{sslengcnf} %{buildroot}/%{ssletcdir}/engines.d -ln -s %{sslengdef} %{buildroot}/%{ssletcdir}/engdef.d - # Add the FIPS module configuration from crypto-policies since SP6 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600 ln -s %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config %{buildroot}%{ssletcdir}/fips_local.cnf @@ -422,17 +378,6 @@ if [ "$1" -gt 1 ] ; then fi %pre -# Migrate old engines.d to engines1.1.d.rpmsave -if [ ! -L %{ssletcdir}/engines.d ] && [ -d %{ssletcdir}/engines.d ]; then - mkdir %{ssletcdir}/engines1.1.d.rpmsave ||: - mv %{ssletcdir}/engines.d %{ssletcdir}/engines1.1.d.rpmsave ||: -fi - -# Migrate old engdef.d to engdef1.1.d.rpmsave -if [ ! -L %{ssletcdir}/engdef.d ] && [ -d %{ssletcdir}/engdef.d ]; then - mkdir %{ssletcdir}/engdef1.1.d.rpmsave ||: - mv %{ssletcdir}/engdef.d %{ssletcdir}/engdef1.1.d.rpmsave ||: -fi %post -n libopenssl3 -p /sbin/ldconfig %postun -n libopenssl3 -p /sbin/ldconfig 
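Review bot: After the engines.d/engdef.d migration is removed in the `@@ -422` hunk, `%pre` is left with an empty body, which reads as a forgotten scriptlet; either delete the `%pre` line as well or leave a one-line comment such as `# %pre intentionally empty: the engines.d/engdef.d migration from openssl-1_1 was dropped` so the next reader does not hunt for lost content. Related, the `@@ -373` hunk removes the only visible uses of `%{sslengcnf}` and `%{sslengdef}`; if their definitions earlier in the spec survive, they are now dead and should go with this change.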
@@ -448,9 +393,21 @@ fi %{_libdir}/ossl-modules/legacy.so %{_libdir}/.libssl.so.%{sover}.hmac %{_libdir}/.libcrypto.so.%{sover}.hmac +%dir %{ssletcdir} +%attr(700,root,root) %{ssletcdir}/private +%config %{ssletcdir}/openssl-orig.cnf +%config (noreplace) %{ssletcdir}/openssl.cnf +%config (noreplace) %{ssletcdir}/ct_log_list.cnf +%dir %{_datadir}/ssl +%{_datadir}/ssl/misc +%dir %{_localstatedir}/lib/ca-certificates/ +%dir %{_localstatedir}/lib/ca-certificates/openssl %files -n libopenssl-3-fips-provider %{_libdir}/ossl-modules/fips.so +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600 +%config %{ssletcdir}/fips_local.cnf +%endif %files -n libopenssl-3-devel %doc NOTES*.md CONTRIBUTING.md HACKING.md AUTHORS.md ACKNOWLEDGEMENTS.md @@ -458,6 +415,9 @@ fi %{_includedir}/ssl %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc +%dir %{_libdir}/cmake +%{_libdir}/cmake/OpenSSL +%{_libdir}/cmake/OpenSSL/*.cmake %files doc %doc README.md @@ -467,24 +427,7 @@ fi %files %license LICENSE.txt -%doc CHANGES.md NEWS.md FAQ.md README.md -%dir %{ssletcdir} -%config %{ssletcdir}/openssl-orig.cnf -%config (noreplace) %{ssletcdir}/openssl.cnf -%config (noreplace) %{ssletcdir}/ct_log_list.cnf -%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600 -%config %{ssletcdir}/fips_local.cnf -%endif -%attr(700,root,root) %{ssletcdir}/private -%dir %{sslengcnf} -%dir %{sslengdef} -# symbolic link to above directories -%{ssletcdir}/engines.d -%{ssletcdir}/engdef.d -%dir %{_datadir}/ssl -%{_datadir}/ssl/misc -%dir %{_localstatedir}/lib/ca-certificates/ -%dir %{_localstatedir}/lib/ca-certificates/openssl +%doc CHANGES.md NEWS.md README.md %{_bindir}/%{_rname} %{_bindir}/c_rehash %{_mandir}/man1/* diff --git a/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch b/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch deleted file mode 100644 index 6f2ad6f..0000000 --- a/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch +++ /dev/null 
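Review bot: `%config %{ssletcdir}/fips_local.cnf` moves into `libopenssl-3-fips-provider` under the `suse_version >= 1550 || sle_version >= 150600` guard, but that file is a symlink into `%{_sysconfdir}/crypto-policies/back-ends/` (created in the `@@ -373` hunk), while the `Requires: crypto-policies` lines now use the different `%if 0%{?sle_needs_crypto_policies}` guard and belong to other subpackages. If the two conditions ever disagree, the fips-provider package ships a dangling symlink and FIPS configuration loading fails at runtime instead of being caught at install time. Add `Requires: crypto-policies` under the same guard to the fips-provider subpackage, or define one guard macro and use it in all three places. Moving `%dir %{ssletcdir}` and `%attr(700,root,root) %{ssletcdir}/private` into libopenssl3 is consistent with the `@@ -467` hunk that drops them from the main package.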
@@ -1,877 +0,0 @@ -From 2000eaead63732669283e6b54c8ef02e268eaeb8 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 31 Jul 2023 09:41:29 +0200 -Subject: [PATCH 34/48] 0078-Add-FIPS-indicator-parameter-to-HKDF.patch - -Patch-name: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch -Patch-id: 78 -Patch-status: | - # https://bugzilla.redhat.com/show_bug.cgi?id=2114772 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd ---- - include/crypto/evp.h | 7 ++ - include/openssl/core_names.h | 1 + - include/openssl/kdf.h | 4 + - providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++- - providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++-- - providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++- - providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- - providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- - providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++- - 9 files changed, 487 insertions(+), 22 deletions(-) - -Index: openssl-3.1.4/include/crypto/evp.h -=================================================================== ---- openssl-3.1.4.orig/include/crypto/evp.h -+++ openssl-3.1.4/include/crypto/evp.h -@@ -219,6 +219,13 @@ struct evp_mac_st { - OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params; - }; - -+#ifdef FIPS_MODULE -+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving -+ * Additional Keys from a Cryptographic Key, "[t]he length of the -+ * key-derivation key [i.e., the input key] shall be at least 112 bits". 
*/ -+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8) -+#endif -+ - struct evp_kdf_st { - OSSL_PROVIDER *prov; - int name_id; -Index: openssl-3.1.4/include/openssl/core_names.h -=================================================================== ---- openssl-3.1.4.orig/include/openssl/core_names.h -+++ openssl-3.1.4/include/openssl/core_names.h -@@ -226,6 +226,7 @@ extern "C" { - #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo" - #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo" - #define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits" -+#define OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" - - /* Known KDF names */ - #define OSSL_KDF_NAME_HKDF "HKDF" -Index: openssl-3.1.4/include/openssl/kdf.h -=================================================================== ---- openssl-3.1.4.orig/include/openssl/kdf.h -+++ openssl-3.1.4/include/openssl/kdf.h -@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF * - # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 - # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 - -+# define EVP_KDF_SUSE_FIPS_INDICATOR_UNDETERMINED 0 -+# define EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED 1 -+# define EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED 2 -+ - #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 - #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 - #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 -Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/hkdf.c -+++ openssl-3.1.4/providers/implementations/kdfs/hkdf.c -@@ -43,6 +43,7 @@ static OSSL_FUNC_kdf_settable_ctx_params - static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; - static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; - static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; -+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new; - static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; - static 
OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; - static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; -@@ -86,6 +87,10 @@ typedef struct { - size_t data_len; - unsigned char *info; - size_t info_len; -+ int is_tls13; -+#ifdef FIPS_MODULE -+ int fips_indicator; -+#endif /* defined(FIPS_MODULE) */ - } KDF_HKDF; - - static void *kdf_hkdf_new(void *provctx) -@@ -201,6 +206,11 @@ static int kdf_hkdf_derive(void *vctx, u - return 0; - } - -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ - switch (ctx->mode) { - case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: - default: -@@ -363,13 +373,15 @@ static int kdf_hkdf_get_ctx_params(void - { - KDF_HKDF *ctx = (KDF_HKDF *)vctx; - OSSL_PARAM *p; -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ - - if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { - size_t sz = kdf_hkdf_size(ctx); - -- if (sz == 0) -+ any_valid = 1; -+ -+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz)) - return 0; -- return OSSL_PARAM_set_size_t(p, sz); - } - if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { - if (ctx->info == NULL || ctx->info_len == 0) { -@@ -378,7 +390,68 @@ static int kdf_hkdf_get_ctx_params(void - } - return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len); - } -- return -2; -+ -+#ifdef FIPS_MODULE -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR)) -+ != NULL) { -+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; -+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); -+ -+ any_valid = 1; -+ -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". 
*/ -+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section D.B and NIST Special Publication -+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security -+ * strength < 112 bits is legacy use only, so all derived keys should -+ * be longer than that. If a derived key has ever been shorter than -+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we -+ * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ if (ctx->is_tls13) { -+ if (md != NULL -+ && !EVP_MD_is_a(md, "SHA2-256") -+ && !EVP_MD_is_a(md, "SHA2-384")) { -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic -+ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3 -+ * key derivation function documented in Section 7.1 of RFC -+ * 8446. This is considered an approved CVL because the -+ * underlying functions performed within the TLS 1.3 KDF map to -+ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3 -+ * Option #3), SP 800-56Crev2, and SP 800-108." -+ * -+ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */ -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ } else { -+ if (md != NULL -+ && (EVP_MD_is_a(md, "SHAKE-128") || -+ EVP_MD_is_a(md, "SHAKE-256"))) { -+ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1, -+ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because -+ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256 -+ * extendable-output functions may only be used as the -+ * standalone algorithms." 
*/ -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ } -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif /* defined(FIPS_MODULE) */ -+ -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -387,6 +460,9 @@ static const OSSL_PARAM *kdf_hkdf_gettab - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), - OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; -@@ -717,6 +793,17 @@ static int prov_tls13_hkdf_generate_secr - return ret; - } - -+static void *kdf_tls1_3_new(void *provctx) -+{ -+ KDF_HKDF *hkdf = kdf_hkdf_new(provctx); -+ -+ if (hkdf != NULL) -+ hkdf->is_tls13 = 1; -+ -+ return hkdf; -+} -+ -+ - static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, - const OSSL_PARAM params[]) - { -@@ -732,6 +819,11 @@ static int kdf_tls1_3_derive(void *vctx, - return 0; - } - -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ - switch (ctx->mode) { - default: - return 0; -@@ -809,7 +901,7 @@ static const OSSL_PARAM *kdf_tls1_3_sett - } - - const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { -- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, -+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new }, - { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, - { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, - { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, -Index: openssl-3.1.4/providers/implementations/kdfs/kbkdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/kbkdf.c -+++ 
openssl-3.1.4/providers/implementations/kdfs/kbkdf.c -@@ -59,6 +59,9 @@ typedef struct { - kbkdf_mode mode; - EVP_MAC_CTX *ctx_init; - -+ /* HMAC digest algorithm, if any; used to compute FIPS indicator */ -+ PROV_DIGEST digest; -+ - /* Names are lowercased versions of those found in SP800-108. */ - int r; - unsigned char *ki; -@@ -72,6 +75,9 @@ typedef struct { - int use_l; - int is_kmac; - int use_separator; -+#ifdef FIPS_MODULE -+ int fips_indicator; -+#endif /* defined(FIPS_MODULE) */ - } KBKDF; - - /* Definitions needed for typechecking. */ -@@ -143,6 +149,7 @@ static void kbkdf_reset(void *vctx) - void *provctx = ctx->provctx; - - EVP_MAC_CTX_free(ctx->ctx_init); -+ ossl_prov_digest_reset(&ctx->digest); - OPENSSL_clear_free(ctx->context, ctx->context_len); - OPENSSL_clear_free(ctx->label, ctx->label_len); - OPENSSL_clear_free(ctx->ki, ctx->ki_len); -@@ -308,6 +315,11 @@ static int kbkdf_derive(void *vctx, unsi - goto done; - } - -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ - h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); - if (h == 0) - goto done; -@@ -381,6 +393,9 @@ static int kbkdf_set_ctx_params(void *vc - } - } - -+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) -+ return 0; -+ - p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); - if (p != NULL - && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) { -@@ -461,20 +476,77 @@ static const OSSL_PARAM *kbkdf_settable_ - static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - { - OSSL_PARAM *p; -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ - - p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE); -- if (p == NULL) -+ if (p != NULL) { -+ any_valid = 1; -+ -+ /* KBKDF can produce results as large as you like. 
*/ -+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) -+ return 0; -+ } -+ -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR); -+ if (p != NULL) { -+ KBKDF *ctx = (KBKDF *)vctx; -+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; -+ -+ any_valid = 1; -+ -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". */ -+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section D.B and NIST Special Publication -+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security -+ * strength < 112 bits is legacy use only, so all derived keys should -+ * be longer than that. If a derived key has ever been shorter than -+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we -+ * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 -+ * extendable-output functions may only be used as the standalone -+ * algorithms." Note that the digest is only used when the MAC -+ * algorithm is HMAC. 
*/ -+ if (ctx->ctx_init != NULL -+ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) { -+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); -+ if (md != NULL -+ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) { -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ } -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif -+ -+ if (!any_valid) - return -2; - -- /* KBKDF can produce results as large as you like. */ -- return OSSL_PARAM_set_size_t(p, SIZE_MAX); -+ return 1; - } - - static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx, - ossl_unused void *provctx) - { -- static const OSSL_PARAM known_gettable_ctx_params[] = -- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END }; -+ static const OSSL_PARAM known_gettable_ctx_params[] = { -+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ -+ OSSL_PARAM_END -+ }; - return known_gettable_ctx_params; - } - -Index: openssl-3.1.4/providers/implementations/kdfs/sshkdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/sshkdf.c -+++ openssl-3.1.4/providers/implementations/kdfs/sshkdf.c -@@ -49,6 +49,9 @@ typedef struct { - char type; /* X */ - unsigned char *session_id; - size_t session_id_len; -+#ifdef FIPS_MODULE -+ int fips_indicator; -+#endif /* defined(FIPS_MODULE) */ - } KDF_SSHKDF; - - static void *kdf_sshkdf_new(void *provctx) -@@ -151,6 +154,12 @@ static int kdf_sshkdf_derive(void *vctx, - ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE); - return 0; - } -+ -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ - return SSHKDF(md, ctx->key, ctx->key_len, - ctx->xcghash, ctx->xcghash_len, - ctx->session_id, 
ctx->session_id_len, -@@ -219,10 +228,67 @@ static const OSSL_PARAM *kdf_sshkdf_sett - static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - { - OSSL_PARAM *p; -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ - -- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) -- return OSSL_PARAM_set_size_t(p, SIZE_MAX); -- return -2; -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { -+ any_valid = 1; -+ -+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) -+ return 0; -+ } -+ -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR); -+ if (p != NULL) { -+ KDF_SSHKDF *ctx = vctx; -+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; -+ -+ any_valid = 1; -+ -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". */ -+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section D.B and NIST Special Publication -+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security -+ * strength < 112 bits is legacy use only, so all derived keys should -+ * be longer than that. If a derived key has ever been shorter than -+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we -+ * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 -+ * extendable-output functions may only be used as the standalone -+ * algorithms." 
-+ * -+ * Additionally, SP 800-135r1 section 5.2 specifies that the hash -+ * function used in SSHKDF "is one of the hash functions specified in -+ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2. -+ * */ -+ if (ctx->digest.md != NULL -+ && !EVP_MD_is_a(ctx->digest.md, "SHA-1") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif -+ -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -230,6 +296,9 @@ static const OSSL_PARAM *kdf_sshkdf_gett - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; -Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/sskdf.c -+++ openssl-3.1.4/providers/implementations/kdfs/sskdf.c -@@ -63,6 +63,10 @@ typedef struct { - size_t salt_len; - size_t out_len; /* optional KMAC parameter */ - int is_kmac; -+ int is_x963kdf; -+#ifdef FIPS_MODULE -+ int fips_indicator; -+#endif /* defined(FIPS_MODULE) */ - } KDF_SSKDF; - - #define SSKDF_MAX_INLEN (1<<30) -@@ -73,6 +77,7 @@ typedef struct { - static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 }; - - static OSSL_FUNC_kdf_newctx_fn sskdf_new; -+static OSSL_FUNC_kdf_newctx_fn x963kdf_new; - static OSSL_FUNC_kdf_dupctx_fn sskdf_dup; - static OSSL_FUNC_kdf_freectx_fn sskdf_free; - static OSSL_FUNC_kdf_reset_fn sskdf_reset; -@@ -297,6 +302,16 @@ 
static void *sskdf_new(void *provctx) - return ctx; - } - -+static void *x963kdf_new(void *provctx) -+{ -+ KDF_SSKDF *ctx = sskdf_new(provctx); -+ -+ if (ctx) -+ ctx->is_x963kdf = 1; -+ -+ return ctx; -+} -+ - static void sskdf_reset(void *vctx) - { - KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; -@@ -392,6 +407,11 @@ static int sskdf_derive(void *vctx, unsi - } - md = ossl_prov_digest_md(&ctx->digest); - -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ - if (ctx->macctx != NULL) { - /* H(x) = KMAC or H(x) = HMAC */ - int ret; -@@ -473,6 +493,11 @@ static int x963kdf_derive(void *vctx, un - return 0; - } - -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ - return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, - ctx->info, ctx->info_len, 1, key, keylen); - } -@@ -545,10 +570,74 @@ static int sskdf_get_ctx_params(void *vc - { - KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; - OSSL_PARAM *p; -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ -+ -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { -+ any_valid = 1; -+ -+ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx))) -+ return 0; -+ } - -- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) -- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx)); -- return -2; -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR); -+ if (p != NULL) { -+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; -+ -+ any_valid = 1; -+ -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". 
*/ -+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section D.B and NIST Special Publication -+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security -+ * strength < 112 bits is legacy use only, so all derived keys should -+ * be longer than that. If a derived key has ever been shorter than -+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we -+ * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 -+ * extendable-output functions may only be used as the standalone -+ * algorithms." */ -+ if (ctx->macctx == NULL -+ || (ctx->macctx != NULL && -+ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) { -+ if (ctx->digest.md != NULL -+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || -+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ -+ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions -+ * should only be used for 80-bit key agreement, but FIPS 140-3 -+ * requires a security strength of 112 bits, so SHA-1 cannot be -+ * used with X9.63. See the discussion in -+ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395. 
-+ */ -+ if (ctx->is_x963kdf -+ && ctx->digest.md != NULL -+ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) { -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ } -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif -+ -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -556,6 +645,9 @@ static const OSSL_PARAM *sskdf_gettable_ - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; -@@ -577,7 +669,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_funct - }; - - const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { -- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, -+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new }, - { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup }, - { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, - { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, -Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/tls1_prf.c -+++ openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c -@@ -104,6 +104,13 @@ typedef struct { - /* Buffer of concatenated seed data */ - unsigned char seed[TLS1_PRF_MAXBUF]; - size_t seedlen; -+ -+ /* MAC digest algorithm; used to compute FIPS indicator */ -+ PROV_DIGEST digest; -+ -+#ifdef FIPS_MODULE -+ int fips_indicator; -+#endif /* defined(FIPS_MODULE) */ - } TLS1_PRF; - - static void *kdf_tls1_prf_new(void *provctx) -@@ -140,6 +147,7 @@ static void kdf_tls1_prf_reset(void *vct - EVP_MAC_CTX_free(ctx->P_sha1); - OPENSSL_clear_free(ctx->sec, ctx->seclen); - OPENSSL_cleanse(ctx->seed, ctx->seedlen); -+ ossl_prov_digest_reset(&ctx->digest); - 
memset(ctx, 0, sizeof(*ctx)); - ctx->provctx = provctx; - } -@@ -194,6 +202,10 @@ static int kdf_tls1_prf_derive(void *vct - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); - return 0; - } -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ - - /* - * The seed buffer is prepended with a label. -@@ -243,6 +255,9 @@ static int kdf_tls1_prf_set_ctx_params(v - } - } - -+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) -+ return 0; -+ - if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { - OPENSSL_clear_free(ctx->sec, ctx->seclen); - ctx->sec = NULL; -@@ -284,10 +299,60 @@ static const OSSL_PARAM *kdf_tls1_prf_se - static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - { - OSSL_PARAM *p; -+#ifdef FIPS_MODULE -+ TLS1_PRF *ctx = vctx; -+#endif /* defined(FIPS_MODULE) */ -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ -+ -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { -+ any_valid = 1; -+ -+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) -+ return 0; -+ } -+ -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR); -+ if (p != NULL) { -+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; -+ -+ any_valid = 1; -+ -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". 
*/ -+ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section D.B and NIST Special Publication -+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security -+ * strength < 112 bits is legacy use only, so all derived keys should -+ * be longer than that. If a derived key has ever been shorter than -+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we -+ * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3) -+ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */ -+ if (ctx->digest.md != NULL -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") -+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif - -- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) -- return OSSL_PARAM_set_size_t(p, SIZE_MAX); -- return -2; -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( -@@ -295,6 +360,9 @@ static const OSSL_PARAM *kdf_tls1_prf_ge - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; -Index: openssl-3.1.4/providers/implementations/kdfs/x942kdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/x942kdf.c -+++ 
openssl-3.1.4/providers/implementations/kdfs/x942kdf.c -@@ -13,11 +13,13 @@ - #include - #include - #include -+#include - #include - #include - #include "internal/packet.h" - #include "internal/der.h" - #include "internal/nelem.h" -+#include "crypto/evp.h" - #include "prov/provider_ctx.h" - #include "prov/providercommon.h" - #include "prov/implementations.h" -@@ -49,6 +51,9 @@ typedef struct { - const unsigned char *cek_oid; - size_t cek_oid_len; - int use_keybits; -+#ifdef FIPS_MODULE -+ int fips_indicator; -+#endif /* defined(FIPS_MODULE) */ - } KDF_X942; - - /* -@@ -497,6 +502,10 @@ static int x942kdf_derive(void *vctx, un - ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING); - return 0; - } -+#ifdef FIPS_MODULE -+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ - ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, - der, der_len, ctr, key, keylen); - OPENSSL_free(der); -@@ -600,10 +609,58 @@ static int x942kdf_get_ctx_params(void * - { - KDF_X942 *ctx = (KDF_X942 *)vctx; - OSSL_PARAM *p; -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ - -- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) -- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)); -- return -2; -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { -+ any_valid = 1; -+ -+ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx))) -+ return 0; -+ } -+ -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR); -+ if (p != NULL) { -+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; -+ -+ any_valid = 1; -+ -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". 
*/ -+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Verification Program, Section D.B and NIST Special Publication -+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security -+ * strength < 112 bits is legacy use only, so all derived keys should -+ * be longer than that. If a derived key has ever been shorter than -+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we -+ * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ -+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module -+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 -+ * extendable-output functions may only be used as the standalone -+ * algorithms." */ -+ if (ctx->digest.md != NULL -+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || -+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } -+#endif -+ -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -611,6 +668,9 @@ static const OSSL_PARAM *x942kdf_gettabl - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; diff --git a/openssl-Add-Kernel-FIPS-mode-flag-support.patch b/openssl-Add-Kernel-FIPS-mode-flag-support.patch index 94a80cf..96c5e7e 100644 --- a/openssl-Add-Kernel-FIPS-mode-flag-support.patch +++ b/openssl-Add-Kernel-FIPS-mode-flag-support.patch 
@@ -1,24 +1,32 @@ -From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001 +From 0e3f6972299bc243023c6ce38663948317bd6794 Mon Sep 17 00:00:00 2001 From: rpm-build -Date: Mon, 31 Jul 2023 09:41:27 +0200 -Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 10/53] RH: Add Kernel FIPS mode flag support - FIXSTYLE Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch Patch-id: 9 Patch-status: | - # Add check to see if fips flag is enabled in kernel -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd + # # Add check to see if fips flag is enabled in kernel +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++ + crypto/context.c | 35 +++++++++++++++++++++++++++++++++++ include/internal/provider.h | 3 +++ - 2 files changed, 39 insertions(+) + 2 files changed, 38 insertions(+) diff --git a/crypto/context.c b/crypto/context.c -index e294ea1512..51002ba79a 100644 +index f15bc3d755..614c8a2c88 100644 --- a/crypto/context.c +++ b/crypto/context.c -@@ -16,6 +16,41 @@ - #include "internal/provider.h" +@@ -7,6 +7,7 @@ + * https://www.openssl.org/source/license.html + */ + ++#define _GNU_SOURCE /* needed for secure_getenv */ + #include "crypto/cryptlib.h" + #include + #include +@@ -19,6 +20,38 @@ + #include "crypto/decoder.h" #include "crypto/context.h" +# include 
@@ -33,45 +41,43 @@ index e294ea1512..51002ba79a 100644 + +static void read_kernel_fips_flag(void) +{ -+ char buf[2] = "0"; -+ int fd; ++ char buf[2] = "0"; ++ int fd; + -+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { -+ buf[0] = '1'; -+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { -+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; -+ close(fd); -+ } ++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { ++ buf[0] = '1'; ++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { ++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; ++ close(fd); ++ } + -+ if (buf[0] == '1') { -+ kernel_fips_flag = 1; -+ } -+ -+ return; ++ if (buf[0] == '1') { ++ kernel_fips_flag = 1; ++ } +} + +int ossl_get_kernel_fips_flag() +{ -+ return kernel_fips_flag; ++ return kernel_fips_flag; +} -+ + struct ossl_lib_ctx_st { - CRYPTO_RWLOCK *lock, *rand_crngt_lock; + CRYPTO_RWLOCK *lock; OSSL_EX_DATA_GLOBAL global; -@@ -336,6 +371,7 @@ static int default_context_inited = 0; +@@ -393,6 +426,8 @@ static int default_context_inited = 0; DEFINE_RUN_ONCE_STATIC(default_context_do_init) { + read_kernel_fips_flag(); ++ if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)) goto err; diff --git a/include/internal/provider.h b/include/internal/provider.h -index 18937f84c7..1446bf7afb 100644 +index 6909a1919c..9d2e355251 100644 --- a/include/internal/provider.h +++ b/include/internal/provider.h -@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, +@@ -111,6 +111,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, const OSSL_DISPATCH *in); void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); @@ -82,5 +88,5 @@ index 18937f84c7..1446bf7afb 100644 } # endif -- -2.41.0 +2.49.0 diff --git a/openssl-Add-changes-to-ectest-and-eccurve.patch b/openssl-Add-changes-to-ectest-and-eccurve.patch index 1544caf..4c71f74 100644 --- a/openssl-Add-changes-to-ectest-and-eccurve.patch 
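Review bot: The new `#define _GNU_SOURCE /* needed for secure_getenv */` at the top of crypto/context.c exists only because the next hunk (`@@ -33,45 +41,43 @@`) swaps `ossl_safe_getenv` for a direct `secure_getenv` call, which ties the file to a glibc extension; `ossl_safe_getenv` is OpenSSL's own wrapper for exactly this secure-execution environment check and needs no feature macro. Unless the wrapper's semantics were the problem, `if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {` is the smaller change and the define can go. If the define stays, a build that already passes `-D_GNU_SOURCE=1` on the command line would get a conflicting-redefinition warning, and the define only works because it precedes every system header; a short comment saying it must stay the first line would protect that ordering through the next rebase.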
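Review bot: For a commit whose stated purpose is style fixes, `int ossl_get_kernel_fips_flag()` is the line I would change: an empty parameter list is not a prototype in C, so it should read `int ossl_get_kernel_fips_flag(void)`, matching the `(void)` already used on `read_kernel_fips_flag`. In `read_kernel_fips_flag` the retry loop only handles EINTR, so any other read error, and an empty file, silently leave `buf` at "0" and the kernel flag off, meaning a kernel that is in FIPS mode could go unnoticed without any diagnostic; whether that should be logged is worth deciding explicitly rather than by omission. At minimum a comment above the `while`, such as `/* any read failure other than EINTR, or an empty file, is treated as kernel FIPS off */`, would record that this is intended. Only `buf[0]` is examined afterwards, so a one-byte short read is otherwise harmless.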
+++ b/openssl-Add-changes-to-ectest-and-eccurve.patch @@ -1,29 +1,79 @@ -From 37fae351c6fef272baf383469181aecfcac87592 Mon Sep 17 00:00:00 2001 +From bdb62f3f3184852ff6aac39ab3940b5dc7791fbb Mon Sep 17 00:00:00 2001 
From: rpm-build -Date: Mon, 31 Jul 2023 09:41:27 +0200 -Subject: [PATCH 10/35] 0010-Add-changes-to-ectest-and-eccurve.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 11/53] RH: Drop weak curve definitions - RENAMED/SQUASHED Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch Patch-id: 10 Patch-status: | - # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so - # that new modifications made to these files by upstream are not lost. -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd ---- - crypto/ec/ec_curve.c | 844 ------------------------------------------- - test/ectest.c | 174 +-------- - 2 files changed, 8 insertions(+), 1010 deletions(-) + # # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so + # # that new modifications made to these files by upstream are not lost. +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce -diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c -index b5b2f3342d..d32a768fe6 100644 ---- a/crypto/ec/ec_curve.c -+++ b/crypto/ec/ec_curve.c -@@ -30,38 +30,6 @@ typedef struct { - } EC_CURVE_DATA; +commit #2: +Patch-name: 0011-Remove-EC-curves.patch +Patch-id: 11 +Patch-status: | + # # remove unsupported EC curves +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + apps/speed.c | 8 +- + crypto/ec/ec_curve.c | 844 ----------------------------------- + crypto/evp/ec_support.c | 87 ---- + test/acvp_test.inc | 9 - + test/ecdsatest.h | 17 - + test/ectest.c | 174 +------- + test/recipes/15-test_genec.t | 27 -- + 7 files changed, 9 insertions(+), 1157 deletions(-) + +Index: openssl-3.5.0-beta1/apps/speed.c +=================================================================== +--- openssl-3.5.0-beta1.orig/apps/speed.c ++++ openssl-3.5.0-beta1/apps/speed.c +@@ -405,7 +405,7 @@ static double ffdh_results[FFDH_NUM][1]; + #endif /* OPENSSL_NO_DH */ + enum ec_curves_t { +- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, ++ 
R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, + #ifndef OPENSSL_NO_EC2M + R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, + R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, +@@ -415,8 +415,6 @@ enum ec_curves_t { + }; + /* list of ecdsa curves */ + static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { +- {"ecdsap160", R_EC_P160}, +- {"ecdsap192", R_EC_P192}, + {"ecdsap224", R_EC_P224}, + {"ecdsap256", R_EC_P256}, + {"ecdsap384", R_EC_P384}, +@@ -449,8 +447,6 @@ enum { + }; + /* list of ecdh curves, extension of |ecdsa_choices| list above */ + static const OPT_PAIR ecdh_choices[EC_NUM] = { +- {"ecdhp160", R_EC_P160}, +- {"ecdhp192", R_EC_P192}, + {"ecdhp224", R_EC_P224}, + {"ecdhp256", R_EC_P256}, + {"ecdhp384", R_EC_P384}, +@@ -1966,8 +1962,6 @@ int speed_main(int argc, char **argv) + */ + static const EC_CURVE ec_curves[EC_NUM] = { + /* Prime Curves */ +- {"secp160r1", NID_secp160r1, 160}, +- {"nistp192", NID_X9_62_prime192v1, 192}, + {"nistp224", NID_secp224r1, 224}, + {"nistp256", NID_X9_62_prime256v1, 256}, + {"nistp384", NID_secp384r1, 384}, +Index: openssl-3.5.0-beta1/crypto/ec/ec_curve.c +=================================================================== +--- openssl-3.5.0-beta1.orig/crypto/ec/ec_curve.c ++++ openssl-3.5.0-beta1/crypto/ec/ec_curve.c +@@ -32,38 +32,6 @@ typedef struct { /* the nist prime curves */ --static const struct { -- EC_CURVE_DATA h; + static const struct { + EC_CURVE_DATA h; - unsigned char data[20 + 24 * 6]; -} _EC_NIST_PRIME_192 = { - { @@ -54,9 +104,11 @@ index b5b2f3342d..d32a768fe6 100644 - } -}; - - static const struct { - EC_CURVE_DATA h; +-static const struct { +- EC_CURVE_DATA h; unsigned char data[20 + 28 * 6]; + } _EC_NIST_PRIME_224 = { + { @@ -200,187 +168,6 @@ static const struct { } }; 
@@ -244,13 +296,11 @@ index b5b2f3342d..d32a768fe6 100644 - static const struct { EC_CURVE_DATA h; - unsigned char data[20 + 32 * 6]; -@@ -421,294 +208,6 @@ static const struct { - - #ifndef FIPS_MODULE + unsigned char data[20 + 32 * 8]; +@@ -431,294 +218,6 @@ static const struct { /* the secg prime curves (minus the nist and x9.62 prime curves) */ --static const struct { -- EC_CURVE_DATA h; + static const struct { + EC_CURVE_DATA h; - unsigned char data[20 + 14 * 6]; -} _EC_SECG_PRIME_112R1 = { - { @@ -537,10 +587,12 @@ index b5b2f3342d..d32a768fe6 100644 - } -}; - - static const struct { - EC_CURVE_DATA h; +-static const struct { +- EC_CURVE_DATA h; unsigned char data[0 + 32 * 6]; -@@ -745,102 +244,6 @@ static const struct { + } _EC_SECG_PRIME_256K1 = { + { +@@ -753,102 +252,6 @@ static const struct { } }; @@ -643,12 +695,10 @@ index b5b2f3342d..d32a768fe6 100644 #endif /* FIPS_MODULE */ #ifndef OPENSSL_NO_EC2M -@@ -2236,198 +1639,6 @@ static const struct { - */ - +@@ -2246,198 +1649,6 @@ static const struct { #ifndef FIPS_MODULE --static const struct { -- EC_CURVE_DATA h; + static const struct { + EC_CURVE_DATA h; - unsigned char data[0 + 20 * 6]; -} _EC_brainpoolP160r1 = { - { @@ -839,10 +889,12 @@ index b5b2f3342d..d32a768fe6 100644 - } -}; - - static const struct { - EC_CURVE_DATA h; +-static const struct { +- EC_CURVE_DATA h; unsigned char data[0 + 32 * 6]; -@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[] = { + } _EC_brainpoolP256r1 = { + { +@@ -2864,8 +2075,6 @@ static const ec_list_element curve_list[ "NIST/SECG curve over a 521 bit prime field"}, /* X9.62 curves */ 
@@ -851,7 +903,7 @@ index b5b2f3342d..d32a768fe6 100644 {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, # if defined(ECP_NISTZ256_ASM) EC_GFp_nistz256_method, -@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[] = { +@@ -2909,25 +2118,6 @@ static const ec_list_element curve_list[ static const ec_list_element curve_list[] = { /* prime field curves */ /* secg curves */ @@ -877,7 +929,7 @@ index b5b2f3342d..d32a768fe6 100644 # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field"}, -@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[] = { +@@ -2957,18 +2147,6 @@ static const ec_list_element curve_list[ # endif "NIST/SECG curve over a 521 bit prime field"}, /* X9.62 curves */ @@ -896,7 +948,7 @@ index b5b2f3342d..d32a768fe6 100644 {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, # if defined(ECP_NISTZ256_ASM) EC_GFp_nistz256_method, -@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[] = { +@@ -3065,22 +2243,12 @@ static const ec_list_element curve_list[ {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"}, # endif @@ -919,7 +971,7 @@ index b5b2f3342d..d32a768fe6 100644 # ifndef OPENSSL_NO_EC2M /* IPSec curves */ {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, -@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[] = { +@@ -3091,18 +2259,6 @@ static const ec_list_element curve_list[ "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, # endif /* brainpool curves */ 
@@ -938,10 +990,170 @@ index b5b2f3342d..d32a768fe6 100644 {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0, "RFC 5639 curve over a 256 bit prime field"}, {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0, -diff --git a/test/ectest.c b/test/ectest.c -index afef85b0e6..4890b0555e 100644 ---- a/test/ectest.c -+++ b/test/ectest.c +Index: openssl-3.5.0-beta1/crypto/evp/ec_support.c +=================================================================== +--- openssl-3.5.0-beta1.orig/crypto/evp/ec_support.c ++++ openssl-3.5.0-beta1/crypto/evp/ec_support.c +@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st { + static const EC_NAME2NID curve_list[] = { + /* prime field curves */ + /* secg curves */ +- {"secp112r1", NID_secp112r1 }, +- {"secp112r2", NID_secp112r2 }, +- {"secp128r1", NID_secp128r1 }, +- {"secp128r2", NID_secp128r2 }, +- {"secp160k1", NID_secp160k1 }, +- {"secp160r1", NID_secp160r1 }, +- {"secp160r2", NID_secp160r2 }, +- {"secp192k1", NID_secp192k1 }, +- {"secp224k1", NID_secp224k1 }, + {"secp224r1", NID_secp224r1 }, + {"secp256k1", NID_secp256k1 }, + {"secp384r1", NID_secp384r1 }, + {"secp521r1", NID_secp521r1 }, + /* X9.62 curves */ +- {"prime192v1", NID_X9_62_prime192v1 }, +- {"prime192v2", NID_X9_62_prime192v2 }, +- {"prime192v3", NID_X9_62_prime192v3 }, +- {"prime239v1", NID_X9_62_prime239v1 }, +- {"prime239v2", NID_X9_62_prime239v2 }, +- {"prime239v3", NID_X9_62_prime239v3 }, + {"prime256v1", NID_X9_62_prime256v1 }, + /* characteristic two field curves */ + /* NIST/SECG curves */ +- {"sect113r1", NID_sect113r1 }, +- {"sect113r2", NID_sect113r2 }, +- {"sect131r1", NID_sect131r1 }, +- {"sect131r2", NID_sect131r2 }, +- {"sect163k1", NID_sect163k1 }, +- {"sect163r1", NID_sect163r1 }, +- {"sect163r2", NID_sect163r2 }, +- {"sect193r1", NID_sect193r1 }, +- {"sect193r2", NID_sect193r2 }, +- {"sect233k1", NID_sect233k1 }, +- {"sect233r1", NID_sect233r1 }, +- {"sect239k1", NID_sect239k1 }, +- {"sect283k1", NID_sect283k1 }, +- {"sect283r1", NID_sect283r1 }, +- 
{"sect409k1", NID_sect409k1 }, +- {"sect409r1", NID_sect409r1 }, +- {"sect571k1", NID_sect571k1 }, +- {"sect571r1", NID_sect571r1 }, +- /* X9.62 curves */ +- {"c2pnb163v1", NID_X9_62_c2pnb163v1 }, +- {"c2pnb163v2", NID_X9_62_c2pnb163v2 }, +- {"c2pnb163v3", NID_X9_62_c2pnb163v3 }, +- {"c2pnb176v1", NID_X9_62_c2pnb176v1 }, +- {"c2tnb191v1", NID_X9_62_c2tnb191v1 }, +- {"c2tnb191v2", NID_X9_62_c2tnb191v2 }, +- {"c2tnb191v3", NID_X9_62_c2tnb191v3 }, +- {"c2pnb208w1", NID_X9_62_c2pnb208w1 }, +- {"c2tnb239v1", NID_X9_62_c2tnb239v1 }, +- {"c2tnb239v2", NID_X9_62_c2tnb239v2 }, +- {"c2tnb239v3", NID_X9_62_c2tnb239v3 }, +- {"c2pnb272w1", NID_X9_62_c2pnb272w1 }, +- {"c2pnb304w1", NID_X9_62_c2pnb304w1 }, +- {"c2tnb359v1", NID_X9_62_c2tnb359v1 }, +- {"c2pnb368w1", NID_X9_62_c2pnb368w1 }, +- {"c2tnb431r1", NID_X9_62_c2tnb431r1 }, +- /* +- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves +- * from X9.62] +- */ +- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 }, +- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 }, +- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 }, +- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 }, +- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 }, +- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 }, +- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 }, +- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 }, +- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 }, +- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 }, +- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 }, +- /* IPSec curves */ +- {"Oakley-EC2N-3", NID_ipsec3 }, +- {"Oakley-EC2N-4", NID_ipsec4 }, + /* brainpool curves */ +- {"brainpoolP160r1", NID_brainpoolP160r1 }, +- {"brainpoolP160t1", NID_brainpoolP160t1 }, +- {"brainpoolP192r1", NID_brainpoolP192r1 }, +- {"brainpoolP192t1", NID_brainpoolP192t1 }, +- {"brainpoolP224r1", NID_brainpoolP224r1 }, +- {"brainpoolP224t1", NID_brainpoolP224t1 }, + 
{"brainpoolP256r1", NID_brainpoolP256r1 }, + {"brainpoolP256t1", NID_brainpoolP256t1 }, + {"brainpoolP320r1", NID_brainpoolP320r1 }, +@@ -150,17 +76,6 @@ int ossl_ec_curve_name2nid(const char *n + /* Functions to translate between common NIST curve names and NIDs */ + + static const EC_NAME2NID nist_curves[] = { +- {"B-163", NID_sect163r2}, +- {"B-233", NID_sect233r1}, +- {"B-283", NID_sect283r1}, +- {"B-409", NID_sect409r1}, +- {"B-571", NID_sect571r1}, +- {"K-163", NID_sect163k1}, +- {"K-233", NID_sect233k1}, +- {"K-283", NID_sect283k1}, +- {"K-409", NID_sect409k1}, +- {"K-571", NID_sect571k1}, +- {"P-192", NID_X9_62_prime192v1}, + {"P-224", NID_secp224r1}, + {"P-256", NID_X9_62_prime256v1}, + {"P-384", NID_secp384r1}, +Index: openssl-3.5.0-beta1/test/acvp_test.inc +=================================================================== +--- openssl-3.5.0-beta1.orig/test/acvp_test.inc ++++ openssl-3.5.0-beta1/test/acvp_test.inc +@@ -218,15 +218,6 @@ static const unsigned char ecdsa_sigver_ + }; + static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { + { +- "SHA-1", +- "P-192", +- ITM(ecdsa_sigver_msg0), +- ITM(ecdsa_sigver_pub0), +- ITM(ecdsa_sigver_r0), +- ITM(ecdsa_sigver_s0), +- PASS, +- }, +- { + "SHA2-512", + "P-521", + ITM(ecdsa_sigver_msg1), +Index: openssl-3.5.0-beta1/test/ecdsatest.h +=================================================================== +--- openssl-3.5.0-beta1.orig/test/ecdsatest.h ++++ openssl-3.5.0-beta1/test/ecdsatest.h +@@ -32,23 +32,6 @@ typedef struct { + } ecdsa_cavs_kat_t; + + static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { +- /* prime KATs from X9.62 */ +- {NID_X9_62_prime192v1, NID_sha1, +- "616263", /* "abc" */ +- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", +- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" +- "5ca5c0d69716dfcb3474373902", +- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", +- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", +- 
"e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, +- {NID_X9_62_prime239v1, NID_sha1, +- "616263", /* "abc" */ +- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", +- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" +- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", +- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", +- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", +- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, + /* prime KATs from NIST CAVP */ + {NID_secp224r1, NID_sha224, + "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" +Index: openssl-3.5.0-beta1/test/ectest.c +=================================================================== +--- openssl-3.5.0-beta1.orig/test/ectest.c ++++ openssl-3.5.0-beta1/test/ectest.c @@ -175,184 +175,26 @@ static int prime_field_tests(void) || !TEST_ptr(p = BN_new()) || !TEST_ptr(a = BN_new()) 
@@ -1134,15 +1346,62 @@ index afef85b0e6..4890b0555e 100644 "FFFFFFFF000000000000000000000001")) || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" -@@ -3015,7 +2857,7 @@ int setup_tests(void) - return 0; +@@ -3128,7 +2970,7 @@ int setup_tests(void) ADD_TEST(parameter_test); + ADD_TEST(ossl_parameter_test); - ADD_TEST(cofactor_range_test); + /* ADD_TEST(cofactor_range_test); */ ADD_ALL_TESTS(cardinality_test, crv_len); ADD_TEST(prime_field_tests); #ifndef OPENSSL_NO_EC2M --- -2.41.0 - +Index: openssl-3.5.0-beta1/test/recipes/15-test_genec.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/15-test_genec.t ++++ openssl-3.5.0-beta1/test/recipes/15-test_genec.t +@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport + if disabled("ec"); + + my @prime_curves = qw( +- secp112r1 +- secp112r2 +- secp128r1 +- secp128r2 +- secp160k1 +- secp160r1 +- secp160r2 +- secp192k1 +- secp224k1 + secp224r1 + secp256k1 + secp384r1 + secp521r1 +- prime192v1 +- prime192v2 +- prime192v3 +- prime239v1 +- prime239v2 +- prime239v3 + prime256v1 +- wap-wsg-idm-ecid-wtls6 +- wap-wsg-idm-ecid-wtls7 +- wap-wsg-idm-ecid-wtls8 +- wap-wsg-idm-ecid-wtls9 +- wap-wsg-idm-ecid-wtls12 +- brainpoolP160r1 +- brainpoolP160t1 +- brainpoolP192r1 +- brainpoolP192t1 +- brainpoolP224r1 +- brainpoolP224t1 + brainpoolP256r1 + brainpoolP256t1 + brainpoolP320r1 +@@ -136,7 +110,6 @@ push(@other_curves, 'SM2') + if !disabled("sm2"); + + my @curve_aliases = qw( +- P-192 + P-224 + P-256 + P-384 diff --git a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index 1bb6aee..93dd0a6 100644 --- a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch 
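Review bot: The name table in crypto/evp/ec_support.c loses entries whose curve definitions the same patch keeps in crypto/ec/ec_curve.c: `{"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 }` and `{"Oakley-EC2N-3", NID_ipsec3 }` are removed here, while the earlier ec_curve.c hunks still show `NID_wap_wsg_idm_ecid_wtls5` and `NID_ipsec3` as unchanged context inside `# ifndef OPENSSL_NO_EC2M`. If the build does not disable EC2M, those curves stay reachable by NID but `ossl_ec_curve_name2nid` no longer resolves their names, which is a half-removal rather than a dropped curve and will confuse anyone auditing which curves the package actually supports. Either remove the matching `curve_list[]` entries from ec_curve.c in the same patch, or state in the Patch-status text that only the name lookup is meant to shrink and why.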
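Review bot: `/* ADD_TEST(cofactor_range_test); */` in test/ectest.c disables a test by commenting it out without recording why, so the next rebase cannot tell whether it may be re-enabled; the line is unchanged context in this hunk, but the new 15-test_genec.t section shows the patch is still being extended here. Presumably the test stopped passing after the curve removal, but the patch does not say; replace the commented call with `/* cofactor_range_test skipped: depends on curves this patch removes -- TODO confirm */` or, if it is genuinely dead, delete the line. setup_tests continues outside the hunk.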
@@ -15,9 +15,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist util/libcrypto.num | 1 8 files changed, 110 insertions(+), 14 deletions(-) ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl -@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man +Index: openssl-3.5.0-beta1/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-3.5.0-beta1.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.5.0-beta1/Configurations/unix-Makefile.tmpl +@@ -344,6 +344,10 @@ MANDIR=$(INSTALLTOP)/share/man DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) HTMLDIR=$(DOCDIR)/html @@ -28,7 +30,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist # MANSUFFIX is for the benefit of anyone who may want to have a suffix # appended after the manpage file section number. "ssl" is popular, # resulting in files such as config.5ssl rather than config.5. -@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} +@@ -367,6 +371,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -} CPPFLAGS={- our $cppflags1 = join(" ", (map { "-D".$_} @{$config{CPPDEFINES}}), @@ -36,14 +38,16 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist (map { "-I".$_} @{$config{CPPINCLUDES}}), @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} ---- a/Configure -+++ b/Configure +Index: openssl-3.5.0-beta1/Configure +=================================================================== +--- openssl-3.5.0-beta1.orig/Configure ++++ openssl-3.5.0-beta1/Configure 
@@ -27,7 +27,7 @@ use OpenSSL::config; my $orig_death_handler = $SIG{__DIE__}; $SIG{__DIE__} = \&death_handler; --my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; -+my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; my $banner = <<"EOF"; @@ -58,7 +62,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist # --banner=".." Output specified text instead of default completion banner # # -w Don't wait after showing a Configure warning -@@ -387,6 +391,7 @@ $config{prefix}=""; +@@ -408,6 +412,7 @@ $config{prefix}=""; $config{openssldir}=""; $config{processor}=""; $config{libdir}=""; 
@@ -66,7 +70,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; -@@ -989,6 +994,10 @@ while (@argvcopy) +@@ -1104,6 +1109,10 @@ while (@argvcopy) die "FIPS key too long (64 bytes max)\n" if length $1 > 64; } @@ -77,9 +81,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist elsif (/^--banner=(.*)$/) { $banner = $1 . "\n"; ---- a/doc/man1/openssl-ciphers.pod.in -+++ b/doc/man1/openssl-ciphers.pod.in -@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B cipher s +Index: openssl-3.5.0-beta1/doc/man1/openssl-ciphers.pod.in +=================================================================== +--- openssl-3.5.0-beta1.orig/doc/man1/openssl-ciphers.pod.in ++++ openssl-3.5.0-beta1/doc/man1/openssl-ciphers.pod.in +@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B cipher s The cipher suites not enabled by B, currently B. @@ -95,9 +101,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist =item B "High" encryption cipher suites. This currently means those with key lengths ---- a/include/openssl/ssl.h.in -+++ b/include/openssl/ssl.h.in -@@ -213,6 +213,11 @@ extern "C" { +Index: openssl-3.5.0-beta1/include/openssl/ssl.h.in +=================================================================== +--- openssl-3.5.0-beta1.orig/include/openssl/ssl.h.in ++++ openssl-3.5.0-beta1/include/openssl/ssl.h.in +@@ -209,6 +209,11 @@ extern "C" { * throwing out anonymous and unencrypted ciphersuites! (The latter are not * actually enabled by ALL, but "ALL:RSA" would enable some of them.) */ 
@@ -109,9 +117,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ # define SSL_SENT_SHUTDOWN 1 ---- a/ssl/ssl_ciph.c -+++ b/ssl/ssl_ciph.c -@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const c +Index: openssl-3.5.0-beta1/ssl/ssl_ciph.c +=================================================================== +--- openssl-3.5.0-beta1.orig/ssl/ssl_ciph.c ++++ openssl-3.5.0-beta1/ssl/ssl_ciph.c +@@ -1421,6 +1421,53 @@ int SSL_set_ciphersuites(SSL *s, const c return ret; } @@ -165,7 +175,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) **cipher_list, -@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1435,15 +1482,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; const SSL_METHOD *ssl_method = ctx->method; @@ -193,16 +203,16 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist /* * To reduce the work to do we only want to process the compiled -@@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); - if (co_list == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); -- return NULL; /* Failure */ -+ goto err; +@@ -1465,7 +1522,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + if (num_of_ciphers > 0) { + co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + if (co_list == NULL) +- return NULL; /* Failure */ ++ goto err; } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, -@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1531,8 +1588,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * in force within each class */ if (!ssl_cipher_strength_sort(&head, &tail)) { 
@@ -212,18 +222,17 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } /* -@@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1576,8 +1632,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { - OPENSSL_free(co_list); - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); - return NULL; /* Failure */ + goto err; } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, -@@ -1633,8 +1688,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1603,8 +1658,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ @@ -233,7 +242,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } /* -@@ -1642,10 +1696,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1612,10 +1666,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { @@ -249,7 +258,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); -@@ -1697,6 +1754,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1667,6 +1724,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ *cipher_list = cipherstack; return cipherstack; 
@@ -264,9 +273,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx +Index: openssl-3.5.0-beta1/ssl/ssl_lib.c +=================================================================== +--- openssl-3.5.0-beta1.orig/ssl/ssl_lib.c ++++ openssl-3.5.0-beta1/ssl/ssl_lib.c +@@ -679,7 +679,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx ctx->tls13_ciphersuites, &(ctx->cipher_list), &(ctx->cipher_list_by_id), @@ -275,7 +286,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; -@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li +@@ -4099,7 +4099,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li if (!ssl_create_cipher_list(ret, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, @@ -283,10 +294,12 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist + SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); - goto err2; ---- a/test/cipherlist_test.c -+++ b/test/cipherlist_test.c -@@ -246,7 +246,9 @@ end: + goto err; +Index: openssl-3.5.0-beta1/test/cipherlist_test.c +=================================================================== +--- openssl-3.5.0-beta1.orig/test/cipherlist_test.c ++++ openssl-3.5.0-beta1/test/cipherlist_test.c +@@ -261,7 +261,9 @@ end: int setup_tests(void) { 
@@ -295,11 +308,45 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist +#endif ADD_TEST(test_default_cipherlist_explicit); ADD_TEST(test_default_cipherlist_clear); - return 1; ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup - EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION: - BN_are_coprime 5564 3_1_0 EXIST::FUNCTION: - OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP -+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: + ADD_TEST(test_stdname_cipherlist); +Index: openssl-3.5.0-beta1/util/libcrypto.num +=================================================================== +--- openssl-3.5.0-beta1.orig/util/libcrypto.num ++++ openssl-3.5.0-beta1/util/libcrypto.num +@@ -5536,6 +5536,7 @@ X509_STORE_CTX_set_get_crl + X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK ++ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION: + OSSL_CMP_CTX_get0_geninfo_ITAVs 5667 3_3_0 EXIST::FUNCTION:CMP + OSSL_CMP_HDR_get0_geninfo_ITAVs 5668 3_3_0 EXIST::FUNCTION:CMP + OSSL_CMP_ITAV_new0_certProfile 5669 3_3_0 EXIST::FUNCTION:CMP +Index: openssl-3.5.0-beta1/apps/openssl.cnf +=================================================================== +--- openssl-3.5.0-beta1.orig/apps/openssl.cnf ++++ openssl-3.5.0-beta1/apps/openssl.cnf +@@ -52,6 +52,12 @@ tsa_policy3 = 1.2.3.4.5.7 + + [openssl_init] + providers = provider_sect ++# Load default TLS policy configuration ++ssl_conf = ssl_module ++alg_section = evp_properties ++ ++[ evp_properties ] ++# This section is intentionally added empty here to be tuned on particular systems + + # List of providers to load + [provider_sect] +@@ -71,6 +77,11 @@ default = default_sect + [default_sect] + # activate = 1 + ++[ ssl_module ] ++system_default = crypto_policy ++ ++[ crypto_policy ] ++.include = /etc/crypto-policies/back-ends/opensslcnf.config + + 
#################################################################### + [ ca ] diff --git a/openssl-Add_support_for_Windows_CA_certificate_store.patch b/openssl-Add_support_for_Windows_CA_certificate_store.patch deleted file mode 100644 index cd143e0..0000000 --- a/openssl-Add_support_for_Windows_CA_certificate_store.patch +++ /dev/null 
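Review bot: The `ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION:` row in the util/libcrypto.num part of this hunk changes the symbol's version tag from the `3_0_0` the previous revision of the patch used; that column selects the version node the symbol is exported under, so a libssl built against the old tag would no longer resolve it, which only matters if libssl and libcrypto from different builds can end up loaded together (a partial upgrade, for instance). In the apps/openssl.cnf part, the new `[ crypto_policy ]` section unconditionally includes `/etc/crypto-policies/back-ends/opensslcnf.config`; as far as I can tell from the config parser, an `.include` whose target cannot be opened is skipped without an error, so a host without that file silently falls back to OpenSSL's built-in defaults instead of the intended system policy. A one-line comment above the include would make that dependency and failure mode visible to whoever tunes the file, e.g. `# Supplied by the crypto-policies package; if the file is absent the include is skipped and built-in defaults apply`. The `[ evp_properties ]` section is introduced empty, which its comment already explains.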
@@ -1,743 +0,0 @@ -From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001 -From: Hugo Landau -Date: Fri, 8 Apr 2022 13:10:52 +0100 -Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI - env - -Fixes #18068. ---- - CHANGES.md | 21 - Configure | 7 - crypto/x509/by_dir.c | 17 - crypto/x509/by_store.c | 14 - crypto/x509/x509_def.c | 15 - doc/build.info | 6 - doc/man3/X509_get_default_cert_file.pod | 113 +++++ - include/internal/cryptlib.h | 11 - include/internal/e_os.h | 2 - include/openssl/x509.h.in | 3 - providers/implementations/include/prov/implementations.h | 1 - providers/implementations/storemgmt/build.info | 3 - providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++ - providers/stores.inc | 3 - util/libcrypto.num | 3 - util/missingcrypto.txt | 4 - 16 files changed, 536 insertions(+), 14 deletions(-) - ---- a/CHANGES.md -+++ b/CHANGES.md -@@ -24,6 +24,27 @@ OpenSSL 3.1 - - ### Changes between 3.1.0 and 3.1.1 [30 May 2023] - -+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced. -+ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The -+ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of -+ paths which are searched for root certificates. -+ -+ The existing `SSL_CERT_DIR` environment variable is deprecated. -+ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated -+ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes -+ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate -+ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored -+ for the purposes of determining root certificate stores. -+ -+ *Hugo Landau* -+ -+ * Support for loading root certificates from the Windows certificate store -+ has been added. The support is in the form of a store which recognises the -+ URI string of `org.openssl.winstore://`. 
This store is enabled by default and -+ can be disabled using the new compile-time option `no-winstore`. -+ -+ *Hugo Landau* -+ - * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic - OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. - ---- a/Configure -+++ b/Configure -@@ -420,6 +420,7 @@ my @disablables = ( - "cached-fetch", - "camellia", - "capieng", -+ "winstore", - "cast", - "chacha", - "cmac", -@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) { - } - } - -+unless ($disabled{winstore}) { -+ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) { -+ disable('not-windows', 'winstore'); -+ } -+} -+ - push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls}); - - # Get the extra flags used when building shared libraries and modules. We ---- a/crypto/x509/by_dir.c -+++ b/crypto/x509/by_dir.c -@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in - switch (cmd) { - case X509_L_ADD_DIR: - if (argl == X509_FILETYPE_DEFAULT) { -- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env()); -+ /* If SSL_CERT_PATH is provided and non-empty, use that. */ -+ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env()); - -- if (dir) -- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); -- else -- ret = add_cert_dir(ld, X509_get_default_cert_dir(), -- X509_FILETYPE_PEM); -+ /* Fallback to SSL_CERT_DIR. */ -+ if (dir == NULL) -+ dir = ossl_safe_getenv(X509_get_default_cert_dir_env()); -+ -+ /* Fallback to built-in default. */ -+ if (dir == NULL) -+ dir = X509_get_default_cert_dir(); -+ -+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); - if (!ret) { - ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR); - } ---- a/crypto/x509/by_store.c -+++ b/crypto/x509/by_store.c -@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP - { - switch (cmd) { - case X509_L_ADD_STORE: -- /* If no URI is given, use the default cert dir as default URI */ -+ /* First try the newer default cert URI envvar. 
*/ -+ if (argp == NULL) -+ argp = ossl_safe_getenv(X509_get_default_cert_uri_env()); -+ -+ /* If not set, see if we have a URI in the older cert dir envvar. */ - if (argp == NULL) - argp = ossl_safe_getenv(X509_get_default_cert_dir_env()); -+ -+ /* Fallback to default store URI. */ - if (argp == NULL) -- argp = X509_get_default_cert_dir(); -+ argp = X509_get_default_cert_uri(); -+ -+ /* No point adding an empty URI. */ -+ if (!*argp) -+ return 1; - - { - STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx); ---- a/crypto/x509/x509_def.c -+++ b/crypto/x509/x509_def.c -@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v - return X509_CERT_AREA; - } - -+const char *X509_get_default_cert_uri(void) -+{ -+ return X509_CERT_URI; -+} -+ - const char *X509_get_default_cert_dir(void) - { - return X509_CERT_DIR; -@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v - return X509_CERT_FILE; - } - -+const char *X509_get_default_cert_uri_env(void) -+{ -+ return X509_CERT_URI_EVP; -+} -+ -+const char *X509_get_default_cert_path_env(void) -+{ -+ return X509_CERT_PATH_EVP; -+} -+ - const char *X509_get_default_cert_dir_env(void) - { - return X509_CERT_DIR_EVP; ---- a/doc/build.info -+++ b/doc/build.info -@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma - GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod - DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod - GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod -+DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod -+GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod -+DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod -+GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod - DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod - 
GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod - DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod -@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht - html/man3/X509_get0_notBefore.html \ - html/man3/X509_get0_signature.html \ - html/man3/X509_get0_uids.html \ -+html/man3/X509_get_default_cert_file.html \ - html/man3/X509_get_extension_flags.html \ - html/man3/X509_get_pubkey.html \ - html/man3/X509_get_serialNumber.html \ -@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \ - man/man3/X509_get0_notBefore.3 \ - man/man3/X509_get0_signature.3 \ - man/man3/X509_get0_uids.3 \ -+man/man3/X509_get_default_cert_file.3 \ - man/man3/X509_get_extension_flags.3 \ - man/man3/X509_get_pubkey.3 \ - man/man3/X509_get_serialNumber.3 \ ---- /dev/null -+++ b/doc/man3/X509_get_default_cert_file.pod -@@ -0,0 +1,113 @@ -+=pod -+ -+=head1 NAME -+ -+X509_get_default_cert_file, X509_get_default_cert_file_env, -+X509_get_default_cert_path_env, -+X509_get_default_cert_dir, X509_get_default_cert_dir_env, -+X509_get_default_cert_uri, X509_get_default_cert_uri_env - -+retrieve default locations for trusted CA certificates -+ -+=head1 SYNOPSIS -+ -+ #include -+ -+ const char *X509_get_default_cert_file(void); -+ const char *X509_get_default_cert_dir(void); -+ const char *X509_get_default_cert_uri(void); -+ -+ const char *X509_get_default_cert_file_env(void); -+ const char *X509_get_default_cert_path_env(void); -+ const char *X509_get_default_cert_dir_env(void); -+ const char *X509_get_default_cert_uri_env(void); -+ -+=head1 DESCRIPTION -+ -+The X509_get_default_cert_file() function returns the default path -+to a file containing trusted CA certificates. OpenSSL will use this as -+the default path when it is asked to load trusted CA certificates -+from a file and no other path is specified. If the file exists, CA certificates -+are loaded from the file. 
-+ -+The X509_get_default_cert_dir() function returns a default delimeter-separated -+list of paths to a directories containing trusted CA certificates named in the -+hashed format. OpenSSL will use this as the default list of paths when it is -+asked to load trusted CA certificates from a directory and no other path is -+specified. If a given directory in the list exists, OpenSSL attempts to lookup -+CA certificates in this directory by calculating a filename based on a hash of -+the certificate's subject name. -+ -+The X509_get_default_cert_uri() function returns the default URI for a -+certificate store accessed programmatically via an OpenSSL provider. If there is -+no default store applicable to the system for which OpenSSL was compiled, this -+returns an empty string. -+ -+X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return -+environment variable names which are recommended to specify nondefault values to -+be used instead of the values returned by X509_get_default_cert_file() and -+X509_get_default_cert_uri() respectively. The values returned by the latter -+functions are not affected by these environment variables; you must check for -+these environment variables yourself, using these functions to retrieve the -+correct environment variable names. If an environment variable is not set, the -+value returned by the corresponding function above should be used. -+ -+X509_get_default_cert_path_env() returns the environment variable name which is -+recommended to specify a nondefault value to be used instead of the value -+returned by X509_get_default_cert_dir(). This environment variable supercedes -+the deprecated environment variable whose name is returned by -+X509_get_default_cert_dir_env(). This environment variable was deprecated as its -+contents can be interpreted ambiguously; see NOTES. 
-+ -+By default, OpenSSL uses the path list specified in the environment variable -+whose name is returned by X509_get_default_cert_path_env() if it is set; -+otherwise, it uses the path list specified in the environment variable whose -+name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it -+uses the value returned by X509_get_default_cert_dir()). -+ -+=head1 NOTES -+ -+X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and -+X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this -+release, store URIs were expressed via the environment variable returned by -+X509_get_default_cert_dir_env(); this environment variable could be used to -+specify either a list of directories or a store URI. This creates an ambiguity -+in which the environment variable returned by X509_get_default_cert_dir_env() is -+interpreted both as a list of directories and as a store URI. -+ -+This usage and the environment variable returned by -+X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use -+the environment variable returned by X509_get_default_cert_uri_env(), and to -+specify a list of directories, use the environment variable returned by -+X509_get_default_cert_path_env(). -+ -+=head1 RETURN VALUES -+ -+These functions return pointers to constant strings with static storage -+duration. -+ -+=head1 SEE ALSO -+ -+L, -+L, -+L, -+L, -+L, -+L, -+L, -+L -+ -+=head1 HISTORY -+ -+X509_get_default_cert_uri(), X509_get_default_cert_path_env() and -+X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1. -+ -+=head1 COPYRIGHT -+ -+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ -+Licensed under the Apache License 2.0 (the "License"). You may not use -+this file except in compliance with the License. You can obtain a copy -+in the file LICENSE in the source distribution or at -+L. 
-+ -+=cut ---- a/include/internal/cryptlib.h -+++ b/include/internal/cryptlib.h -@@ -13,6 +13,8 @@ - - # include - # include -+# include "openssl/configuration.h" -+# include "internal/e_os.h" /* ossl_inline in many files */ - - # ifdef OPENSSL_USE_APPLINK - # define BIO_FLAGS_UPLINK_INTERNAL 0x8000 -@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM); - # define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf" - # endif - -+#ifndef OPENSSL_NO_WINSTORE -+# define X509_CERT_URI "org.openssl.winstore://" -+#else -+# define X509_CERT_URI "" -+#endif -+ -+# define X509_CERT_URI_EVP "SSL_CERT_URI" -+# define X509_CERT_PATH_EVP "SSL_CERT_PATH" - # define X509_CERT_DIR_EVP "SSL_CERT_DIR" - # define X509_CERT_FILE_EVP "SSL_CERT_FILE" - # define CTLOG_FILE_EVP "CTLOG_FILE" -@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_ - # endif - return path[0] == '/'; - } -- - #endif ---- a/include/internal/e_os.h -+++ b/include/internal/e_os.h -@@ -249,7 +249,7 @@ FILE *__iob_func(); - /***********************************************/ - - # if defined(OPENSSL_SYS_WINDOWS) --# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE) -+# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE) - # define open _open - # define fdopen _fdopen - # define close _close ---- a/include/openssl/x509.h.in -+++ b/include/openssl/x509.h.in -@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s - ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj); - - const char *X509_get_default_cert_area(void); -+const char *X509_get_default_cert_uri(void); - const char *X509_get_default_cert_dir(void); - const char *X509_get_default_cert_file(void); -+const char *X509_get_default_cert_uri_env(void); -+const char *X509_get_default_cert_path_env(void); - const char *X509_get_default_cert_dir_env(void); - const char *X509_get_default_cert_file_env(void); - const char *X509_get_default_private_dir(void); ---- a/providers/implementations/include/prov/implementations.h -+++ 
b/providers/implementations/include/prov/implementations.h -@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP - extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[]; - - extern const OSSL_DISPATCH ossl_file_store_functions[]; -+extern const OSSL_DISPATCH ossl_winstore_store_functions[]; ---- a/providers/implementations/storemgmt/build.info -+++ b/providers/implementations/storemgmt/build.info -@@ -4,3 +4,6 @@ - $STORE_GOAL=../../libdefault.a - - SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c -+IF[{- !$disabled{winstore} -}] -+ SOURCE[$STORE_GOAL]=winstore_store.c -+ENDIF ---- /dev/null -+++ b/providers/implementations/storemgmt/winstore_store.c -@@ -0,0 +1,327 @@ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include /* The OSSL_STORE_INFO type numbers */ -+#include "internal/cryptlib.h" -+#include "internal/o_dir.h" -+#include "crypto/decoder.h" -+#include "crypto/ctype.h" /* ossl_isdigit() */ -+#include "prov/implementations.h" -+#include "prov/bio.h" -+#include "file_store_local.h" -+ -+#include -+ -+enum { -+ STATE_IDLE, -+ STATE_READ, -+ STATE_EOF, -+}; -+ -+struct winstore_ctx_st { -+ void *provctx; -+ char *propq; -+ unsigned char *subject; -+ size_t subject_len; -+ -+ HCERTSTORE win_store; -+ const CERT_CONTEXT *win_ctx; -+ int state; -+ -+ OSSL_DECODER_CTX *dctx; -+}; -+ -+static void winstore_win_reset(struct winstore_ctx_st *ctx) -+{ -+ if (ctx->win_ctx != NULL) { -+ CertFreeCertificateContext(ctx->win_ctx); -+ ctx->win_ctx = NULL; -+ } -+ -+ ctx->state = STATE_IDLE; -+} -+ -+static void winstore_win_advance(struct winstore_ctx_st 
*ctx) -+{ -+ CERT_NAME_BLOB name = {0}; -+ -+ if (ctx->state == STATE_EOF) -+ return; -+ -+ name.cbData = ctx->subject_len; -+ name.pbData = ctx->subject; -+ -+ ctx->win_ctx = (name.cbData == 0 ? NULL : -+ CertFindCertificateInStore(ctx->win_store, -+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, -+ 0, CERT_FIND_SUBJECT_NAME, -+ &name, ctx->win_ctx)); -+ -+ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ; -+} -+ -+static void *winstore_open(void *provctx, const char *uri) -+{ -+ struct winstore_ctx_st *ctx = NULL; -+ -+ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:")) -+ return NULL; -+ -+ ctx = OPENSSL_zalloc(sizeof(*ctx)); -+ if (ctx == NULL) -+ return NULL; -+ -+ ctx->provctx = provctx; -+ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT"); -+ if (ctx->win_store == NULL) { -+ OPENSSL_free(ctx); -+ return NULL; -+ } -+ -+ winstore_win_reset(ctx); -+ return ctx; -+} -+ -+static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin) -+{ -+ return NULL; /* not supported */ -+} -+ -+static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[]) -+{ -+ static const OSSL_PARAM known_settable_ctx_params[] = { -+ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0), -+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0), -+ OSSL_PARAM_END -+ }; -+ return known_settable_ctx_params; -+} -+ -+static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[]) -+{ -+ struct winstore_ctx_st *ctx = loaderctx; -+ const OSSL_PARAM *p; -+ int do_reset = 0; -+ -+ if (params == NULL) -+ return 1; -+ -+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES); -+ if (p != NULL) { -+ do_reset = 1; -+ OPENSSL_free(ctx->propq); -+ ctx->propq = NULL; -+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0)) -+ return 0; -+ } -+ -+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT); -+ if (p != NULL) { -+ const unsigned char *der = NULL; -+ size_t der_len = 0; -+ -+ if 
(!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len)) -+ return 0; -+ -+ do_reset = 1; -+ -+ OPENSSL_free(ctx->subject); -+ -+ ctx->subject = OPENSSL_malloc(der_len); -+ if (ctx->subject == NULL) { -+ ctx->subject_len = 0; -+ return 0; -+ } -+ -+ ctx->subject_len = der_len; -+ memcpy(ctx->subject, der, der_len); -+ } -+ -+ if (do_reset) { -+ winstore_win_reset(ctx); -+ winstore_win_advance(ctx); -+ } -+ -+ return 1; -+} -+ -+struct load_data_st { -+ OSSL_CALLBACK *object_cb; -+ void *object_cbarg; -+}; -+ -+static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst, -+ const OSSL_PARAM *params, void *construct_data) -+{ -+ struct load_data_st *data = construct_data; -+ return data->object_cb(params, data->object_cbarg); -+} -+ -+static void load_cleanup(void *construct_data) -+{ -+ /* No-op. */ -+} -+ -+static int setup_decoder(struct winstore_ctx_st *ctx) -+{ -+ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx); -+ const OSSL_ALGORITHM *to_algo = NULL; -+ -+ if (ctx->dctx != NULL) -+ return 1; -+ -+ ctx->dctx = OSSL_DECODER_CTX_new(); -+ if (ctx->dctx == NULL) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ for (to_algo = ossl_any_to_obj_algorithm; -+ to_algo->algorithm_names != NULL; -+ to_algo++) { -+ OSSL_DECODER *to_obj = NULL; -+ OSSL_DECODER_INSTANCE *to_obj_inst = NULL; -+ -+ /* -+ * Create the internal last resort decoder implementation -+ * together with a "decoder instance". -+ * The decoder doesn't need any identification or to be -+ * attached to any provider, since it's only used locally. 
-+ */ -+ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL); -+ if (to_obj != NULL) -+ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx); -+ -+ OSSL_DECODER_free(to_obj); -+ if (to_obj_inst == NULL) -+ goto err; -+ -+ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx, -+ to_obj_inst)) { -+ ossl_decoder_instance_free(to_obj_inst); -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ } -+ -+ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ return 1; -+ -+err: -+ OSSL_DECODER_CTX_free(ctx->dctx); -+ ctx->dctx = NULL; -+ return 0; -+} -+ -+static int winstore_load_using(struct winstore_ctx_st *ctx, -+ OSSL_CALLBACK *object_cb, void *object_cbarg, -+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg, -+ const void *der, size_t der_len) -+{ -+ struct load_data_st data; -+ const unsigned char *der_ = der; -+ size_t der_len_ = der_len; -+ -+ if (setup_decoder(ctx) == 0) -+ return 0; -+ -+ data.object_cb = object_cb; -+ data.object_cbarg = object_cbarg; -+ -+ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data); -+ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg); -+ -+ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0) -+ return 0; -+ -+ return 1; -+} -+ -+static int winstore_load(void *loaderctx, -+ OSSL_CALLBACK *object_cb, void *object_cbarg, -+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) -+{ -+ int ret = 0; -+ struct winstore_ctx_st *ctx = loaderctx; -+ -+ if (ctx->state != STATE_READ) -+ return 0; -+ -+ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg, -+ ctx->win_ctx->pbCertEncoded, -+ ctx->win_ctx->cbCertEncoded); 
-+ -+ if (ret == 1) -+ winstore_win_advance(ctx); -+ -+ return ret; -+} -+ -+static int winstore_eof(void *loaderctx) -+{ -+ struct winstore_ctx_st *ctx = loaderctx; -+ -+ return ctx->state != STATE_READ; -+} -+ -+static int winstore_close(void *loaderctx) -+{ -+ struct winstore_ctx_st *ctx = loaderctx; -+ -+ winstore_win_reset(ctx); -+ CertCloseStore(ctx->win_store, 0); -+ OSSL_DECODER_CTX_free(ctx->dctx); -+ OPENSSL_free(ctx->propq); -+ OPENSSL_free(ctx->subject); -+ OPENSSL_free(ctx); -+ return 1; -+} -+ -+const OSSL_DISPATCH ossl_winstore_store_functions[] = { -+ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open }, -+ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach }, -+ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params }, -+ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params }, -+ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load }, -+ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof }, -+ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close }, -+ { 0, NULL }, -+}; ---- a/providers/stores.inc -+++ b/providers/stores.inc -@@ -12,3 +12,6 @@ - #endif - - STORE("file", "yes", ossl_file_store_functions) -+#ifndef OPENSSL_NO_WINSTORE -+STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions) -+#endif ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup - EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION: - BN_are_coprime 5564 3_1_0 EXIST::FUNCTION: - OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP -+X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION: -+X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION: -+X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION: - ossl_safe_getenv ? 
3_0_0 EXIST::FUNCTION: ---- a/util/missingcrypto.txt -+++ b/util/missingcrypto.txt -@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3) - X509_get1_email(3) - X509_get1_ocsp(3) - X509_get_default_cert_area(3) --X509_get_default_cert_dir(3) --X509_get_default_cert_dir_env(3) --X509_get_default_cert_file(3) --X509_get_default_cert_file_env(3) - X509_get_default_private_dir(3) - X509_get_pubkey_parameters(3) - X509_get_signature_type(3) diff --git a/openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch b/openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch deleted file mode 100644 index 7779fba..0000000 --- a/openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch +++ /dev/null 
@@ -1,217 +0,0 @@ -From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Tue, 1 Mar 2022 15:44:18 +0100 -Subject: Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = yes - -NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1 -in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because -on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level -to 2. - -On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security -level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and -we want the legacy crypto policy to allow SHA-1 in TLS, the only option -to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is -SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to -allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which -will allow SHA-1 in OpenSSL 3). - -The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because -rh-allow-sha1-signatures will default to yes in Fedora (according to our -current plans including until F38), and the security level in the -DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the -default configuration. 
- -Related: rhbz#2055796 -Related: rhbz#2070977 ---- - crypto/x509/x509_vfy.c | 20 ++++++++++- - doc/man5/config.pod | 7 ++++ - ssl/t1_lib.c | 67 ++++++++++++++++++++++++++++------- - test/recipes/25-test_verify.t | 4 +-- - 4 files changed, 82 insertions(+), 16 deletions(-) - -Index: openssl-3.1.4/crypto/x509/x509_vfy.c -=================================================================== ---- openssl-3.1.4.orig/crypto/x509/x509_vfy.c -+++ openssl-3.1.4/crypto/x509/x509_vfy.c -@@ -25,6 +25,7 @@ - #include - #include - #include "internal/dane.h" -+#include "internal/sslconf.h" - #include "crypto/x509.h" - #include "x509_local.h" - -@@ -3438,14 +3439,31 @@ static int check_sig_level(X509_STORE_CT - { - int secbits = -1; - int level = ctx->param->auth_level; -+ int nid; -+ OSSL_LIB_CTX *libctx = NULL; - - if (level <= 0) - return 1; - if (level > NUM_AUTH_LEVELS) - level = NUM_AUTH_LEVELS; - -- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) -+ if (ctx->libctx) -+ libctx = ctx->libctx; -+ else if (cert->libctx) -+ libctx = cert->libctx; -+ else -+ libctx = OSSL_LIB_CTX_get0_global_default(); -+ -+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL)) - return 0; - -+ if ((nid == NID_sha1 || nid == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ctx->param->auth_level < 2) -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ return 1; -+ - return secbits >= minbits_table[level - 1]; - } -Index: openssl-3.1.4/doc/man5/config.pod -=================================================================== ---- openssl-3.1.4.orig/doc/man5/config.pod -+++ openssl-3.1.4/doc/man5/config.pod -@@ -317,6 +317,13 @@ this option is set to B. Because TL - pseudorandom function (PRF) to derive key material, disabling - B requires the use of TLS 1.2 or newer. 
- -+Note that enabling B will allow TLS signature -+algorithms that use SHA1 in security level 1, despite the definition of -+security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet. -+This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on -+Fedora without requiring to set the security level to 0, which would include -+further insecure algorithms, and thus restores support for TLS 1.0 and 1.1. -+ - This is a downstream specific option, and normally it should be set up via crypto-policies. - - =item B (deprecated) -Index: openssl-3.1.4/ssl/t1_lib.c -=================================================================== ---- openssl-3.1.4.orig/ssl/t1_lib.c -+++ openssl-3.1.4/ssl/t1_lib.c -@@ -20,6 +20,7 @@ - #include - #include - #include -+#include "crypto/x509.h" - #include "internal/sslconf.h" - #include "internal/nelem.h" - #include "internal/sizes.h" -@@ -1588,19 +1589,28 @@ int tls12_check_peer_sigalg(SSL *s, uint - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); - return 0; - } -- /* -- * Make sure security callback allows algorithm. For historical -- * reasons we have to pass the sigalg as a two byte char array. -- */ -- sigalgstr[0] = (sig >> 8) & 0xff; -- sigalgstr[1] = sig & 0xff; -- secbits = sigalg_security_bits(s->ctx, lu); -- if (secbits == 0 || -- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, -- md != NULL ? EVP_MD_get_type(md) : NID_undef, -- (void *)sigalgstr)) { -- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); -- return 0; -+ -+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) -+ && SSL_get_security_level(s) < 2) { -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ } else { -+ /* -+ * Make sure security callback allows algorithm. 
For historical -+ * reasons we have to pass the sigalg as a two byte char array. -+ */ -+ sigalgstr[0] = (sig >> 8) & 0xff; -+ sigalgstr[1] = sig & 0xff; -+ secbits = sigalg_security_bits(s->ctx, lu); -+ if (secbits == 0 || -+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, -+ md != NULL ? EVP_MD_get_type(md) : NID_undef, -+ (void *)sigalgstr)) { -+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); -+ return 0; -+ } - } - /* Store the sigalg the peer uses */ - s->s3.tmp.peer_sigalg = lu; -@@ -2138,6 +2148,15 @@ static int tls12_sigalg_allowed(const SS - } - } - -+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) -+ && SSL_get_security_level(s) < 2) { -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ return 1; -+ } -+ - /* Finally see if security callback allows it */ - secbits = sigalg_security_bits(s->ctx, lu); - sigalgstr[0] = (lu->sigalg >> 8) & 0xff; -@@ -3007,6 +3026,8 @@ static int ssl_security_cert_sig(SSL *s, - { - /* Lookup signature algorithm digest */ - int secbits, nid, pknid; -+ OSSL_LIB_CTX *libctx = NULL; -+ - /* Don't check signature if self signed */ - if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) - return 1; -@@ -3015,6 +3036,26 @@ static int ssl_security_cert_sig(SSL *s, - /* If digest NID not defined use signature NID */ - if (nid == NID_undef) - nid = pknid; -+ -+ if (x && x->libctx) -+ libctx = x->libctx; -+ else if (ctx && ctx->libctx) -+ libctx = ctx->libctx; -+ else if (s && s->ctx && s->ctx->libctx) -+ libctx = s->ctx->libctx; -+ else -+ libctx = OSSL_LIB_CTX_get0_global_default(); -+ -+ if ((nid == NID_sha1 || nid == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ((s != NULL && SSL_get_security_level(s) < 2) -+ || (ctx != NULL && 
SSL_CTX_get_security_level(ctx) < 2) -+ )) -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ return 1; -+ - if (s) - return ssl_security(s, op, secbits, nid, x); - else -Index: openssl-3.1.4/test/recipes/25-test_verify.t -=================================================================== ---- openssl-3.1.4.orig/test/recipes/25-test_verify.t -+++ openssl-3.1.4/test/recipes/25-test_verify.t -@@ -439,8 +439,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root - ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ), - "CA with PSS signature using SHA256"); - --ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"), -- "Reject PSS signature using SHA1 and auth level 1"); -+ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), -+ "Reject PSS signature using SHA1 and auth level 2"); - - ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), - "PSS signature using SHA256 and auth level 2"); diff --git a/openssl-Allow-disabling-of-SHA1-signatures.patch b/openssl-Allow-disabling-of-SHA1-signatures.patch index 6a995e6..f85339f 100644 --- a/openssl-Allow-disabling-of-SHA1-signatures.patch +++ b/openssl-Allow-disabling-of-SHA1-signatures.patch 
@@ -1,45 +1,41 @@ -From 2e8388e06eafb703aeb315498915bf079561bdb5 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 13:07:07 +0200 -Subject: 0049-Allow-disabling-of-SHA1-signatures.patch - -Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch -Patch-id: 49 -Patch-status: | - # Selectively disallow SHA1 signatures rhbz#2070977 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd ---- - crypto/context.c | 14 ++++ - crypto/evp/evp_cnf.c | 13 +++ - crypto/evp/m_sigver.c | 79 +++++++++++++++++++ - crypto/evp/pmeth_lib.c | 15 ++++ - doc/man5/config.pod | 13 +++ - include/crypto/context.h | 3 + - include/internal/cryptlib.h | 3 +- - include/internal/sslconf.h | 4 + - providers/common/securitycheck.c | 20 +++++ - providers/common/securitycheck_default.c | 9 ++- - providers/implementations/signature/dsa_sig.c | 11 ++- - .../implementations/signature/ecdsa_sig.c | 4 + - providers/implementations/signature/rsa_sig.c | 20 ++++- - ssl/t1_lib.c | 8 ++ - util/libcrypto.num | 2 + - 15 files changed, 209 insertions(+), 9 deletions(-) - -Index: openssl-3.1.4/crypto/context.c +Index: openssl-3.5.1/crypto/context.c =================================================================== ---- openssl-3.1.4.orig/crypto/context.c -+++ openssl-3.1.4/crypto/context.c -@@ -78,6 +78,8 @@ struct ossl_lib_ctx_st { - void *fips_prov; +--- openssl-3.5.1.orig/crypto/context.c ++++ openssl-3.5.1/crypto/context.c +@@ -85,6 +85,8 @@ struct ossl_lib_ctx_st { #endif + STACK_OF(SSL_COMP) *comp_methods; + void *legacy_digest_signatures; + - unsigned int ischild:1; + int ischild; + int conf_diagnostics; }; +@@ -119,6 +121,23 @@ int ossl_lib_ctx_is_child(OSSL_LIB_CTX * + return ctx->ischild; + } -@@ -206,6 +208,10 @@ static int context_init(OSSL_LIB_CTX *ct ++static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs; ++ ++ if (ldsigs != NULL) { ++ OPENSSL_free(ldsigs); ++ } ++} ++ ++static void 
*ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); ++ /* Default to allow SHA-1 and support disabling it via config. */ ++ ldsigs->allowed = 1; ++ return ldsigs; ++} ++ + static void context_deinit_objs(OSSL_LIB_CTX *ctx); + + static int context_init(OSSL_LIB_CTX *ctx) +@@ -235,6 +254,10 @@ static int context_init(OSSL_LIB_CTX *ct goto err; #endif @@ -50,7 +46,7 @@ Index: openssl-3.1.4/crypto/context.c /* Low priority. */ #ifndef FIPS_MODULE ctx->child_provider = ossl_child_prov_ctx_new(ctx); -@@ -334,6 +340,11 @@ static void context_deinit_objs(OSSL_LIB +@@ -382,6 +405,11 @@ static void context_deinit_objs(OSSL_LIB } #endif @@ -62,9 +58,9 @@ Index: openssl-3.1.4/crypto/context.c /* Low priority. */ #ifndef FIPS_MODULE if (ctx->child_provider != NULL) { -@@ -625,6 +636,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX - return ctx->fips_prov; - #endif +@@ -660,6 +688,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX + case OSSL_LIB_CTX_COMP_METHODS: + return (void *)&ctx->comp_methods; + case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX: + return ctx->legacy_digest_signatures; 
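Review bot: `ossl_ctx_legacy_digest_signatures_new` dereferences the result of `OPENSSL_zalloc` without a NULL check, so an allocation failure during context_init becomes a NULL-pointer write instead of an error; insert `if (ldsigs == NULL) return NULL;` before `ldsigs->allowed = 1;`. How context_init treats a NULL return from this constructor is outside this hunk, so confirm it is handled like the neighbouring objects. The companion `ossl_ctx_legacy_digest_signatures_free` guards `OPENSSL_free` with `if (ldsigs != NULL)`, which is redundant because `OPENSSL_free(NULL)` is a no-op; the body can simply be `OPENSSL_free(vldsigs);`. Also `OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs` should be written `OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs` to match the pointer style of the rest of the file.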
@@ -72,10 +68,55 @@ Index: openssl-3.1.4/crypto/context.c default: return NULL; } -Index: openssl-3.1.4/crypto/evp/evp_cnf.c +@@ -714,3 +745,44 @@ void OSSL_LIB_CTX_set_conf_diagnostics(O + return; + libctx->conf_diagnostics = value; + } ++ ++static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures( ++ OSSL_LIB_CTX *libctx, int loadconfig) ++{ ++#ifndef FIPS_MODULE ++ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) ++ return NULL; ++#endif ++ ++ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX); ++} ++ ++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs ++ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); ++ ++ #ifndef FIPS_MODULE ++ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL) ++ /* This is to be used in tests if SHA-1 is disabled. */ ++ return 1; ++ #endif ++ ++ /* Default to allow SHA-1 and support disabling it via config. */ ++ return ldsigs != NULL ? ldsigs->allowed : 1; ++} ++ ++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, ++ int loadconfig) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs ++ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); ++ ++ if (ldsigs == NULL) { ++ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ ++ ldsigs->allowed = allow; ++ return 1; ++} +Index: openssl-3.5.1/crypto/evp/evp_cnf.c =================================================================== ---- openssl-3.1.4.orig/crypto/evp/evp_cnf.c -+++ openssl-3.1.4/crypto/evp/evp_cnf.c +--- openssl-3.5.1.orig/crypto/evp/evp_cnf.c ++++ openssl-3.5.1/crypto/evp/evp_cnf.c @@ -10,6 +10,7 @@ #include #include 
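Review bot: `ossl_ctx_legacy_digest_signatures_allowed` fails open: when the per-context object cannot be retrieved (`ldsigs == NULL`) it returns 1, so a failed lookup silently re-enables SHA-1 signatures even where the configuration disabled them. If the object is meant to always exist after context_init, consider `return ldsigs != NULL ? ldsigs->allowed : 0;`, or otherwise make the fallback explicit in the comment, e.g. `/* No per-context state: fall back to the upstream default (SHA-1 allowed). */`. The `OPENSSL_ENABLE_SHA1_SIGNATURES` environment override is described only as a test aid in a code comment, yet it bypasses the configured policy for non-FIPS processes that carry the variable, so it belongs in the doc/man5/config.pod text this patch adds. Finally, the two preprocessor directives in this function are indented (`++ #ifndef FIPS_MODULE`) while the same directives in `ossl_ctx_legacy_digest_signatures` just above sit at column 0; keep them at column 0.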
@@ -103,81 +144,19 @@ Index: openssl-3.1.4/crypto/evp/evp_cnf.c } else { ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, "name=%s, value=%s", oval->name, oval->value); -Index: openssl-3.1.4/crypto/evp/m_sigver.c +Index: openssl-3.5.1/crypto/evp/m_sigver.c =================================================================== ---- openssl-3.1.4.orig/crypto/evp/m_sigver.c -+++ openssl-3.1.4/crypto/evp/m_sigver.c -@@ -15,6 +15,69 @@ +--- openssl-3.5.1.orig/crypto/evp/m_sigver.c ++++ openssl-3.5.1/crypto/evp/m_sigver.c +@@ -15,6 +15,7 @@ #include "internal/provider.h" #include "internal/numbers.h" /* includes SIZE_MAX */ #include "evp_local.h" -+#include "crypto/context.h" -+ -+typedef struct ossl_legacy_digest_signatures_st { -+ int allowed; -+} OSSL_LEGACY_DIGEST_SIGNATURES; -+ -+void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) -+{ -+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs; -+ -+ if (ldsigs != NULL) { -+ OPENSSL_free(ldsigs); -+ } -+} -+ -+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) -+{ -+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); -+ /* Default to allow SHA-1 and support disabling it via config. */ -+ ldsigs->allowed = 1; -+ return ldsigs; -+} -+ -+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures( -+ OSSL_LIB_CTX *libctx, int loadconfig) -+{ -+#ifndef FIPS_MODULE -+ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) -+ return NULL; -+#endif -+ -+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX); -+} -+ -+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig) -+{ -+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs -+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); -+ -+#ifndef FIPS_MODULE -+ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL) -+ /* This is to be used in tests if SHA-1 is disabled. 
*/ -+ return 1; -+#endif -+ -+ /* Default to allow SHA-1 and support disabling it via config. */ -+ return ldsigs != NULL ? ldsigs->allowed : 1; -+} -+ -+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, -+ int loadconfig) -+{ -+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs -+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); -+ -+ if (ldsigs == NULL) { -+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ -+ ldsigs->allowed = allow; -+ return 1; -+} ++#include "internal/sslconf.h" - #ifndef FIPS_MODULE - -@@ -251,6 +314,18 @@ static int do_sigver_init(EVP_MD_CTX *ct + static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) + { +@@ -320,6 +321,18 @@ static int do_sigver_init(EVP_MD_CTX *ct } } @@ -194,12 +173,12 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c + } + if (ver) { - if (signature->digest_verify_init == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -Index: openssl-3.1.4/crypto/evp/pmeth_lib.c + if (ctx->pctx->pmeth->verifyctx_init) { + if (ctx->pctx->pmeth->verifyctx_init(ctx->pctx, ctx) <= 0) +Index: openssl-3.5.1/crypto/evp/pmeth_lib.c =================================================================== ---- openssl-3.1.4.orig/crypto/evp/pmeth_lib.c -+++ openssl-3.1.4/crypto/evp/pmeth_lib.c +--- openssl-3.5.1.orig/crypto/evp/pmeth_lib.c ++++ openssl-3.5.1/crypto/evp/pmeth_lib.c @@ -33,6 +33,7 @@ #include "internal/ffc.h" #include "internal/numbers.h" @@ -208,7 +187,7 @@ Index: openssl-3.1.4/crypto/evp/pmeth_lib.c #include "evp_local.h" #ifndef FIPS_MODULE -@@ -959,6 +960,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_ +@@ -963,6 +964,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_ return -2; } 
@@ -229,11 +208,11 @@ Index: openssl-3.1.4/crypto/evp/pmeth_lib.c if (fallback) return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md)); -Index: openssl-3.1.4/doc/man5/config.pod +Index: openssl-3.5.1/doc/man5/config.pod =================================================================== ---- openssl-3.1.4.orig/doc/man5/config.pod -+++ openssl-3.1.4/doc/man5/config.pod -@@ -304,6 +304,21 @@ Within the algorithm properties section, +--- openssl-3.5.1.orig/doc/man5/config.pod ++++ openssl-3.5.1/doc/man5/config.pod +@@ -315,6 +315,21 @@ Within the algorithm properties section, The value may be anything that is acceptable as a property query string for EVP_set_default_properties(). 
@@ -255,35 +234,40 @@ Index: openssl-3.1.4/doc/man5/config.pod =item B (deprecated) The value is a boolean that can be B or B. If the value is -Index: openssl-3.1.4/include/crypto/context.h +Index: openssl-3.5.1/include/crypto/context.h =================================================================== ---- openssl-3.1.4.orig/include/crypto/context.h -+++ openssl-3.1.4/include/crypto/context.h -@@ -40,3 +40,6 @@ void ossl_rand_crng_ctx_free(void *); - void ossl_thread_event_ctx_free(void *); - void ossl_fips_prov_ossl_ctx_free(void *); - void ossl_release_default_drbg_ctx(void); +--- openssl-3.5.1.orig/include/crypto/context.h ++++ openssl-3.5.1/include/crypto/context.h +@@ -48,3 +48,11 @@ void ossl_release_default_drbg_ctx(void) + #if defined(OPENSSL_THREADS) + void ossl_threads_ctx_free(void *); + #endif + -+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *); -+void ossl_ctx_legacy_digest_signatures_free(void *); -Index: openssl-3.1.4/include/internal/cryptlib.h ++#ifndef OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT ++#define OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT ++typedef struct ossl_legacy_digest_signatures_st { ++ int allowed; ++} OSSL_LEGACY_DIGEST_SIGNATURES; ++#endif ++ +Index: openssl-3.5.1/include/internal/cryptlib.h =================================================================== ---- openssl-3.1.4.orig/include/internal/cryptlib.h -+++ openssl-3.1.4/include/internal/cryptlib.h -@@ -178,7 +178,8 @@ typedef struct ossl_ex_data_global_st { - # define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16 - # define OSSL_LIB_CTX_BIO_CORE_INDEX 17 - # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 --# define OSSL_LIB_CTX_MAX_INDEXES 19 -+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 19 -+# define OSSL_LIB_CTX_MAX_INDEXES 20 +--- openssl-3.5.1.orig/include/internal/cryptlib.h ++++ openssl-3.5.1/include/internal/cryptlib.h +@@ -120,7 +120,8 @@ typedef struct ossl_ex_data_global_st { + # define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20 + # define OSSL_LIB_CTX_COMP_METHODS 21 + # 
define OSSL_LIB_CTX_INDICATOR_CB_INDEX 22 +-# define OSSL_LIB_CTX_MAX_INDEXES 22 ++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 23 ++# define OSSL_LIB_CTX_MAX_INDEXES 23 OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx); int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx); -Index: openssl-3.1.4/include/internal/sslconf.h +Index: openssl-3.5.1/include/internal/sslconf.h =================================================================== ---- openssl-3.1.4.orig/include/internal/sslconf.h -+++ openssl-3.1.4/include/internal/sslconf.h +--- openssl-3.5.1.orig/include/internal/sslconf.h ++++ openssl-3.5.1/include/internal/sslconf.h @@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr, char **arg); @@ -293,53 +277,49 @@ Index: openssl-3.1.4/include/internal/sslconf.h +int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, + int loadconfig); #endif -Index: openssl-3.1.4/providers/common/securitycheck.c +Index: openssl-3.5.1/providers/common/include/prov/securitycheck.h =================================================================== ---- openssl-3.1.4.orig/providers/common/securitycheck.c -+++ openssl-3.1.4/providers/common/securitycheck.c +--- openssl-3.5.1.orig/providers/common/include/prov/securitycheck.h ++++ openssl-3.5.1/providers/common/include/prov/securitycheck.h +@@ -37,3 +37,5 @@ int ossl_digest_get_approved_nid(const E + /* Functions that have different implementations for the FIPS_MODULE */ + int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md); + int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx); ++ ++int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid); +Index: openssl-3.5.1/providers/common/securitycheck.c +=================================================================== +--- openssl-3.5.1.orig/providers/common/securitycheck.c ++++ openssl-3.5.1/providers/common/securitycheck.c 
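Review bot: `OSSL_LIB_CTX_MAX_INDEXES` is set to 23, equal to the new highest index `OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 23` rather than one above it, which is an off-by-one if the macro still bounds a table anywhere in 3.5.1. The 3.5.1 context lines (`OSSL_LIB_CTX_INDICATOR_CB_INDEX 22` / `MAX_INDEXES 22`) suggest upstream already uses "max equals highest", while the 3.1.4 version of this patch used `19`/`20`, so confirm how the macro is consumed before keeping `23`. The typedef added to include/crypto/context.h is wrapped in a custom `#ifndef OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT` guard inside a header that presumably already has an include guard; if the struct is not defined anywhere else, drop the extra guard, and if it is, add a comment naming the other definition.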
@@ -19,6 +19,7 @@ #include #include #include "prov/securitycheck.h" +#include "internal/sslconf.h" - /* - * FIPS requires a minimum security strength of 112 bits (for encryption or -@@ -243,6 +244,14 @@ int ossl_digest_get_approved_nid_with_sh - mdnid = -1; /* disallowed by security checks */ - } - # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ -+ -+#ifndef FIPS_MODULE -+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) -+ /* SHA1 is globally enabled by default, check whether we want to locally disable it. */ -+ if (mdnid == NID_sha1 && !sha1_allowed) -+ mdnid = -1; -+#endif -+ - return mdnid; - } + #define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112 -@@ -252,5 +261,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX - if (ossl_securitycheck_enabled(ctx)) - return ossl_digest_get_approved_nid(md) != NID_undef; - # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ -+ -+#ifndef FIPS_MODULE -+ { -+ int mdnid = EVP_MD_nid(md); -+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) -+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) -+ return 0; -+ } -+#endif -+ - return 1; +@@ -220,3 +221,16 @@ int ossl_dh_check_key(const DH *dh) + return (L == 2048 && (N == 224 || N == 256)); } -Index: openssl-3.1.4/providers/common/securitycheck_default.c + #endif /* OPENSSL_NO_DH */ ++ ++int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid) ++{ ++#ifndef FIPS_MODULE ++ if (!ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)) ++ /* SHA1 is globally disabled, check whether we want to locally allow ++ * it. */ ++#endif ++ if (mdnid == NID_sha1) ++ mdnid = -1; ++ ++ return mdnid; ++} +Index: openssl-3.5.1/providers/common/securitycheck_default.c =================================================================== ---- openssl-3.1.4.orig/providers/common/securitycheck_default.c -+++ openssl-3.1.4/providers/common/securitycheck_default.c +--- openssl-3.5.1.orig/providers/common/securitycheck_default.c ++++ openssl-3.5.1/providers/common/securitycheck_default.c 
@@ -15,6 +15,7 @@ #include #include "prov/securitycheck.h" 
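Review bot: `rh_digest_signatures_allowed` in providers/common/securitycheck.c places an `if` under `#ifndef FIPS_MODULE` whose controlled statement is the second `if` after `#endif`, so the control flow changes with the build configuration in a way that is easy to misread and trips `-Wmisleading-indentation`; an early return makes both builds explicit. It also maps only `NID_sha1` to `-1`, whereas the securitycheck_default.c code this patch removes in the next hunk also mapped `NID_md5_sha1` to `-1` when legacy digest signatures are disabled, so MD5-SHA1 is no longer rejected at the provider level in the rebased version; if that was not intended, include it in the check as below. The `rh_` prefix departs from the `ossl_` naming used by every other declaration in prov/securitycheck.h, and the prototype is added without a comment; `/* Returns mdnid, or -1 if mdnid is a legacy digest that policy disallows. */` would state the contract.
```c
int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid)
{
#ifndef FIPS_MODULE
    /* Outside FIPS, legacy digests stay allowed unless the config disabled them. */
    if (ossl_ctx_legacy_digest_signatures_allowed(libctx, 0))
        return mdnid;
#endif
    /* Map a disallowed legacy digest to -1 so callers' "<= 0" checks reject it. */
    if (mdnid == NID_sha1 || mdnid == NID_md5_sha1)
        return -1;

    return mdnid;
}
```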
@@ -347,78 +327,46 @@ Index: openssl-3.1.4/providers/common/securitycheck_default.c +#include "internal/sslconf.h" /* Disable the security checks in the default provider */ - int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) -@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL - } - - int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, -- ossl_unused int sha1_allowed) -+ int sha1_allowed) - { - int mdnid; -+ int ldsigs_allowed; - - static const OSSL_ITEM name_to_nid[] = { - { NID_md5, OSSL_DIGEST_NAME_MD5 }, -@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL - { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, - }; - -- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1); -+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0); -+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed); - if (mdnid == NID_undef) - mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); -+ if (mdnid == NID_md5_sha1 && !ldsigs_allowed) -+ mdnid = -1; - return mdnid; - } -Index: openssl-3.1.4/providers/implementations/signature/dsa_sig.c + int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx) +Index: openssl-3.5.1/providers/implementations/signature/dsa_sig.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/dsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/dsa_sig.c -@@ -123,12 +123,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ct - mdprops = ctx->propq; +--- openssl-3.5.1.orig/providers/implementations/signature/dsa_sig.c ++++ openssl-3.5.1/providers/implementations/signature/dsa_sig.c +@@ -163,6 +163,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct - if (mdname != NULL) { -- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); - WPACKET pkt; - EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); -- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, -- 
sha1_allowed); -+ int md_nid; - size_t mdname_len = strlen(mdname); -+#ifdef FIPS_MODULE -+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); -+#else -+ int sha1_allowed = 0; -+#endif -+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, -+ sha1_allowed); + md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); + md_nid = ossl_digest_get_approved_nid(md); ++ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid); - if (md == NULL || md_nid < 0) { - if (md == NULL) -Index: openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c + if (md == NULL) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, +Index: openssl-3.5.1/providers/implementations/signature/ecdsa_sig.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/ecdsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c -@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX - "%s could not be fetched", mdname); - return 0; +--- openssl-3.5.1.orig/providers/implementations/signature/ecdsa_sig.c ++++ openssl-3.5.1/providers/implementations/signature/ecdsa_sig.c +@@ -197,13 +197,16 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX + goto err; } -+#ifdef FIPS_MODULE - sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); -+#else -+ sha1_allowed = 0; -+#endif - md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, - sha1_allowed); - if (md_nid < 0) { -Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c + md_nid = ossl_digest_get_approved_nid(md); ++ + #ifdef FIPS_MODULE +- if (md_nid == NID_undef) { ++ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid); ++ if (md_nid <= 0) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, + "digest=%s", mdname); + goto err; + } + #endif ++ + /* XOF digests don't work */ + if (EVP_MD_xof(md)) { + ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED); +Index: 
openssl-3.5.1/providers/implementations/signature/rsa_sig.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c -@@ -25,6 +25,7 @@ +--- openssl-3.5.1.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.5.1/providers/implementations/signature/rsa_sig.c +@@ -26,6 +26,7 @@ #include "internal/cryptlib.h" #include "internal/nelem.h" #include "internal/sizes.h" @@ -426,7 +374,7 @@ Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c #include "crypto/rsa.h" #include "prov/providercommon.h" #include "prov/implementations.h" -@@ -33,6 +34,7 @@ +@@ -34,6 +35,7 @@ #include "prov/securitycheck.h" #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 
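Review bot: In ecdsa_setup_md the call `md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);` sits inside the existing `#ifdef FIPS_MODULE` block, so in the default provider the SHA-1 policy is never applied to ECDSA, while the dsa_sig.c and rsa_sig.c hunks call it unconditionally; unless the EVP-layer checks in m_sigver.c/pmeth_lib.c are meant to cover ECDSA on their own, move the call above `#ifdef FIPS_MODULE` and make the `if (md_nid <= 0)` rejection unconditional. In the dsa_sig.c hunk the value returned can be `-1`, but the rejection test that follows is outside the hunk; if dsa_setup_md still compares `md_nid == NID_undef`, as the ecdsa and rsa code did before this change, a `-1` passes that test, so it needs the same `if (md_nid <= 0)` change. dsa_setup_md's body continues outside the hunk.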
@@ -434,46 +382,48 @@ Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c OSSL_FUNC_signature_newctx_fn rsa_newctx; static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; -@@ -302,10 +304,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ct - - if (mdname != NULL) { - EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); -+ int md_nid; -+ size_t mdname_len = strlen(mdname); -+#ifdef FIPS_MODULE - int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); -- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, -+#else -+ int sha1_allowed = 0; -+#endif -+ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, - sha1_allowed); -- size_t mdname_len = strlen(mdname); - - if (md == NULL - || md_nid <= 0 -@@ -1386,8 +1393,15 @@ static int rsa_set_ctx_params(void *vprs +@@ -387,7 +389,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ct + goto err; + } + md_nid = ossl_digest_rsa_sign_get_md_nid(md); +- if (md_nid == NID_undef) { ++ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid); ++ if (md_nid <= 0) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, + "digest=%s", mdname); + goto err; +@@ -475,8 +478,9 @@ static int rsa_setup_mgf1_md(PROV_RSA_CT + "%s could not be fetched", mdname); + return 0; + } +- /* The default for mgf1 is SHA1 - so allow SHA1 */ ++ /* The default for mgf1 is SHA1 - so check if we allow SHA1 */ + if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0 ++ || (mdnid = rh_digest_signatures_allowed(ctx->libctx, mdnid)) <= 0 + || !rsa_check_padding(ctx, NULL, mdname, mdnid)) { + if (mdnid <= 0) + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, +@@ -1765,8 +1769,13 @@ static int rsa_set_ctx_params(void *vprs prsactx->pad_mode = pad_mode; if (prsactx->md == NULL && pmdname == NULL - && pad_mode == RSA_PKCS1_PSS_PADDING) +- pmdname = RSA_DEFAULT_DIGEST_NAME; + && pad_mode == RSA_PKCS1_PSS_PADDING) { - pmdname = RSA_DEFAULT_DIGEST_NAME; -+#ifndef FIPS_MODULE -+ if 
(!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { ++ if (ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { ++ pmdname = RSA_DEFAULT_DIGEST_NAME; ++ } else { + pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; + } -+#endif + } -+ if (pmgf1mdname != NULL && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) -Index: openssl-3.1.4/ssl/t1_lib.c +Index: openssl-3.5.1/ssl/t1_lib.c =================================================================== ---- openssl-3.1.4.orig/ssl/t1_lib.c -+++ openssl-3.1.4/ssl/t1_lib.c -@@ -20,6 +20,7 @@ +--- openssl-3.5.1.orig/ssl/t1_lib.c ++++ openssl-3.5.1/ssl/t1_lib.c +@@ -21,6 +21,7 @@ #include #include #include 
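Review bot: FIPS builds may now choose a PSS default digest that the same build then rejects: removing the `#ifndef FIPS_MODULE` guard around the default-digest selection in rsa_set_ctx_params makes FIPS consult `ossl_ctx_legacy_digest_signatures_allowed`, which defaults to 1, and so still pick `RSA_DEFAULT_DIGEST_NAME` (SHA1), while `rh_digest_signatures_allowed` in the earlier hunk maps `NID_sha1` to `-1` unconditionally under FIPS_MODULE. If the subsequent `rsa_setup_md` call (outside this hunk) runs on that default, a PSS context created without an explicit digest would fail in the FIPS provider. If that reading holds, select the non-legacy default directly in FIPS, e.g. `#ifdef FIPS_MODULE` / `pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;` / `#else` around the existing selection; whether the per-context object is even created in the FIPS module is not visible here, so confirm against a FIPS build.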
@@ -481,39 +431,41 @@ Index: openssl-3.1.4/ssl/t1_lib.c #include "internal/nelem.h" #include "internal/sizes.h" #include "internal/tlsgroups.h" -@@ -1172,11 +1173,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) - = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); +@@ -2178,6 +2179,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) EVP_PKEY *tmpkey = EVP_PKEY_new(); + int istls; int ret = 0; + int ldsigs_allowed; - if (cache == NULL || tmpkey == NULL) + if (ctx == NULL) + goto err; +@@ -2195,6 +2197,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) goto err; ERR_set_mark(); + ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0); + /* First fill cache and tls12_sigalgs list from legacy algorithm list */ for (i = 0, lu = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { - EVP_PKEY_CTX *pctx; -@@ -1196,6 +1199,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) - cache[i].enabled = 0; +@@ -2215,6 +2218,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) + cache[i].available = 0; continue; } + if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) + && !ldsigs_allowed) { -+ cache[i].enabled = 0; ++ cache[i].available = 0; + continue; + } if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { - cache[i].enabled = 0; -Index: openssl-3.1.4/util/libcrypto.num + cache[i].available = 0; +Index: openssl-3.5.1/util/libcrypto.num =================================================================== ---- openssl-3.1.4.orig/util/libcrypto.num -+++ openssl-3.1.4/util/libcrypto.num -@@ -5439,3 +5439,5 @@ X509_get_default_cert_uri - X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION: - X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION: - ossl_safe_getenv ? 
3_0_0 EXIST::FUNCTION: +--- openssl-3.5.1.orig/util/libcrypto.num ++++ openssl-3.5.1/util/libcrypto.num +@@ -5925,3 +5925,5 @@ OSSL_AA_DIST_POINT_free + OSSL_AA_DIST_POINT_new 6052 3_5_0 EXIST::FUNCTION: + OSSL_AA_DIST_POINT_it 6053 3_5_0 EXIST::FUNCTION: + PEM_ASN1_write_bio_ctx 6054 3_5_0 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: diff --git a/openssl-CVE-2023-5678.patch b/openssl-CVE-2023-5678.patch deleted file mode 100644 index f4cd8eb..0000000 --- a/openssl-CVE-2023-5678.patch +++ /dev/null 
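Review bot: The new `ldsigs_allowed` filter in ssl_setup_sigalgs removes SHA-1 and MD5-SHA1 signature algorithms from the cache without a comment, unlike the neighbouring `/* First fill cache and tls12_sigalgs list from legacy algorithm list */` line, so a reader of t1_lib.c cannot tell that the policy lives in the libctx. I would put `/* Drop SHA-1 / MD5-SHA1 sigalgs when the libctx legacy-digest policy denies them (ossl_ctx_legacy_digest_signatures_allowed) */` above the `if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) && !ldsigs_allowed)` test. Since the value is read once here while the per-SSL_CTX cache is built, a later change of the policy in the libctx presumably is not reflected in an existing context; if that is the intended semantics it is worth stating in the same comment. ssl_setup_sigalgs starts and ends outside this hunk.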
@@ -1,172 +0,0 @@ -From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Fri, 20 Oct 2023 09:18:19 +0200 -Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet - -We already check for an excessively large P in DH_generate_key(), but not in -DH_check_pub_key(), and none of them check for an excessively large Q. - -This change adds all the missing excessive size checks of P and Q. - -It's to be noted that behaviours surrounding excessively sized P and Q -differ. DH_check() raises an error on the excessively sized P, but only -sets a flag for the excessively sized Q. This behaviour is mimicked in -DH_check_pub_key(). - -Reviewed-by: Tomas Mraz -Reviewed-by: Matt Caswell -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/22518) ---- - crypto/dh/dh_check.c | 12 ++++++++++++ - crypto/dh/dh_err.c | 3 ++- - crypto/dh/dh_key.c | 12 ++++++++++++ - crypto/err/openssl.txt | 1 + - include/crypto/dherr.h | 2 +- - include/openssl/dh.h | 6 +++--- - include/openssl/dherr.h | 3 ++- - 7 files changed, 33 insertions(+), 6 deletions(-) - -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 7ba2beae7fd6b..e20eb62081c5e 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) - */ - int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) - { -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; -+ return 0; -+ } -+ -+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { -+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; -+ return 1; -+ } -+ - return ossl_ffc_validate_public_key(&dh->params, pub_key, ret); - } - -diff --git a/crypto/dh/dh_err.c 
b/crypto/dh/dh_err.c -index 4152397426cc9..f76ac0dd1463f 100644 ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), - "unable to check generator"}, -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index d84ea99241b9e..afc49f5cdc87d 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - goto err; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ goto err; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -@@ -267,6 +273,12 @@ static int generate_key(DH *dh) - return 0; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ return 0; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index a1e6bbb617fcb..69e4f61aa1801 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ 
-513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set - DH_R_NO_PRIVATE_VALUE:100:no private value - DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error - DH_R_PEER_KEY_ERROR:111:peer key error -+DH_R_Q_TOO_LARGE:130:q too large - DH_R_SHARED_INFO_ERROR:113:shared info error - DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator - DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters -diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h -index bb24d131eb887..519327f795742 100644 ---- a/include/crypto/dherr.h -+++ b/include/crypto/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index 8bc17448a0817..f1c0ed06b375a 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_GENERATOR_3 3 - # define DH_GENERATOR_5 5 - --/* DH_check error codes */ -+/* DH_check error codes, some of them shared with DH_check_pub_key */ - /* - * NB: These values must align with the equivalently named macros in - * internal/ffc.h. 
-@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 - # define DH_NOT_SUITABLE_GENERATOR 0x08 - # define DH_CHECK_Q_NOT_PRIME 0x10 --# define DH_CHECK_INVALID_Q_VALUE 0x20 -+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ - # define DH_CHECK_INVALID_J_VALUE 0x40 - # define DH_MODULUS_TOO_SMALL 0x80 --# define DH_MODULUS_TOO_LARGE 0x100 -+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ - - /* DH_check_pub_key error codes */ - # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 -diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h -index 5d2a762a96f8c..074a70145f9f5 100644 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -50,6 +50,7 @@ - # define DH_R_NO_PRIVATE_VALUE 100 - # define DH_R_PARAMETER_ENCODING_ERROR 105 - # define DH_R_PEER_KEY_ERROR 111 -+# define DH_R_Q_TOO_LARGE 130 - # define DH_R_SHARED_INFO_ERROR 113 - # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 - diff --git a/openssl-CVE-2023-6129.patch b/openssl-CVE-2023-6129.patch deleted file mode 100644 index 84cdec0..0000000 --- a/openssl-CVE-2023-6129.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Thu, 4 Jan 2024 10:25:50 +0100 -Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering - -Fixes CVE-2023-6129 - -The POLY1305 MAC (message authentication code) implementation in OpenSSL for -PowerPC CPUs saves the the contents of vector registers in different order -than they are restored. Thus the contents of some of these vector registers -is corrupted when returning to the caller. The vulnerable code is used only -on newer PowerPC processors supporting the PowerISA 2.07 instructions. - -Reviewed-by: Matt Caswell -Reviewed-by: Richard Levitte -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/23200) - -(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f) ---- - crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++--------------- - 1 file changed, 21 insertions(+), 21 deletions(-) - -diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl -index 9f86134d923fb..2e601bb9c24be 100755 ---- a/crypto/poly1305/asm/poly1305-ppc.pl -+++ b/crypto/poly1305/asm/poly1305-ppc.pl -@@ -744,7 +744,7 @@ - my $LOCALS= 6*$SIZE_T; - my $VSXFRAME = $LOCALS + 6*$SIZE_T; - $VSXFRAME += 128; # local variables -- $VSXFRAME += 13*16; # v20-v31 offload -+ $VSXFRAME += 12*16; # v20-v31 offload - - my $BIG_ENDIAN = ($flavour !~ /le/) ? 
4 : 0; - -@@ -919,12 +919,12 @@ - addi r11,r11,32 - stvx v22,r10,$sp - addi r10,r10,32 -- stvx v23,r10,$sp -- addi r10,r10,32 -- stvx v24,r11,$sp -+ stvx v23,r11,$sp - addi r11,r11,32 -- stvx v25,r10,$sp -+ stvx v24,r10,$sp - addi r10,r10,32 -+ stvx v25,r11,$sp -+ addi r11,r11,32 - stvx v26,r10,$sp - addi r10,r10,32 - stvx v27,r11,$sp -@@ -1153,12 +1153,12 @@ - addi r11,r11,32 - stvx v22,r10,$sp - addi r10,r10,32 -- stvx v23,r10,$sp -- addi r10,r10,32 -- stvx v24,r11,$sp -+ stvx v23,r11,$sp - addi r11,r11,32 -- stvx v25,r10,$sp -+ stvx v24,r10,$sp - addi r10,r10,32 -+ stvx v25,r11,$sp -+ addi r11,r11,32 - stvx v26,r10,$sp - addi r10,r10,32 - stvx v27,r11,$sp -@@ -1899,26 +1899,26 @@ - mtspr 256,r12 # restore vrsave - lvx v20,r10,$sp - addi r10,r10,32 -- lvx v21,r10,$sp -- addi r10,r10,32 -- lvx v22,r11,$sp -+ lvx v21,r11,$sp - addi r11,r11,32 -- lvx v23,r10,$sp -+ lvx v22,r10,$sp - addi r10,r10,32 -- lvx v24,r11,$sp -+ lvx v23,r11,$sp - addi r11,r11,32 -- lvx v25,r10,$sp -+ lvx v24,r10,$sp - addi r10,r10,32 -- lvx v26,r11,$sp -+ lvx v25,r11,$sp - addi r11,r11,32 -- lvx v27,r10,$sp -+ lvx v26,r10,$sp - addi r10,r10,32 -- lvx v28,r11,$sp -+ lvx v27,r11,$sp - addi r11,r11,32 -- lvx v29,r10,$sp -+ lvx v28,r10,$sp - addi r10,r10,32 -- lvx v30,r11,$sp -- lvx v31,r10,$sp -+ lvx v29,r11,$sp -+ addi r11,r11,32 -+ lvx v30,r10,$sp -+ lvx v31,r11,$sp - $POP r27,`$VSXFRAME-$SIZE_T*5`($sp) - $POP r28,`$VSXFRAME-$SIZE_T*4`($sp) - $POP r29,`$VSXFRAME-$SIZE_T*3`($sp) diff --git a/openssl-CVE-2023-6237.patch b/openssl-CVE-2023-6237.patch deleted file mode 100644 index 17459be..0000000 --- a/openssl-CVE-2023-6237.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 22 Dec 2023 16:25:56 +0100 -Subject: [PATCH] Limit the execution time of RSA public key check - -Fixes CVE-2023-6237 - -If a large and incorrect RSA public key is checked with -EVP_PKEY_public_check() the computation could take very long time -due to no limit being applied to the RSA public key size and -unnecessarily high number of Miller-Rabin algorithm rounds -used for non-primality check of the modulus. - -Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS) -will fail the check with RSA_R_MODULUS_TOO_LARGE error reason. -Also the number of Miller-Rabin rounds was set to 5. - -Reviewed-by: Neil Horman -Reviewed-by: Matt Caswell -(Merged from https://github.com/openssl/openssl/pull/23243) - -(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db) ---- - crypto/rsa/rsa_sp800_56b_check.c | 8 +++- - test/recipes/91-test_pkey_check.t | 2 +- - .../91-test_pkey_check_data/rsapub_17k.pem | 48 +++++++++++++++++++ - 3 files changed, 56 insertions(+), 2 deletions(-) - create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem - -diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c -index fc8f19b48770b..bcbdd24fb8199 100644 ---- a/crypto/rsa/rsa_sp800_56b_check.c -+++ b/crypto/rsa/rsa_sp800_56b_check.c -@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) - return 0; - - nbits = BN_num_bits(rsa->n); -+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - #ifdef FIPS_MODULE - /* - * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) -@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) - goto err; - } - -- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); -+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */ -+ ret = 
ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status); - #ifdef FIPS_MODULE - if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { - #else -diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t -index dc7cc64533af2..f8088df14d36c 100644 ---- a/test/recipes/91-test_pkey_check.t -+++ b/test/recipes/91-test_pkey_check.t -@@ -70,7 +70,7 @@ push(@positive_tests, ( - "dhpkey.pem" - )) unless disabled("dh"); - --my @negative_pubtests = (); -+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key - - push(@negative_pubtests, ( - "dsapub_noparam.der" -diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem -new file mode 100644 -index 0000000000000..9a2eaedaf1b22 ---- /dev/null -+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem -@@ -0,0 +1,48 @@ -+-----BEGIN PUBLIC KEY----- -+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR -+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph -+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 -+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ -+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj -+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 -+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq -+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 -+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 -+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j -+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH -+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa -+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y -+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu -+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J -+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo 
-+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id -+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB -+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi -+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7 -+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN -+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux -+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O -+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi -+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH -+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx -+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP -+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4 -+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS -+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL -+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ -+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ -+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz -+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq -+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW -+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC -+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK -+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys -+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC -+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J -+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+ -+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa -+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q -+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb -+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID -+AQAB -+-----END PUBLIC KEY----- 
diff --git a/openssl-CVE-2024-0727.patch b/openssl-CVE-2024-0727.patch deleted file mode 100644 index 6e1eb5b..0000000 --- a/openssl-CVE-2024-0727.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 19 Jan 2024 11:28:58 +0000 -Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL - -PKCS12 structures contain PKCS7 ContentInfo fields. These fields are -optional and can be NULL even if the "type" is a valid value. OpenSSL -was not properly accounting for this and a NULL dereference can occur -causing a crash. - -CVE-2024-0727 - -Reviewed-by: Tomas Mraz -Reviewed-by: Hugo Landau -Reviewed-by: Neil Horman -(Merged from https://github.com/openssl/openssl/pull/23362) - -(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c) ---- - crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ - crypto/pkcs12/p12_mutl.c | 5 +++++ - crypto/pkcs12/p12_npas.c | 5 +++-- - crypto/pkcs7/pk7_mime.c | 7 +++++-- - 4 files changed, 31 insertions(+), 4 deletions(-) - -diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c -index 6fd4184af5a52..80ce31b3bca66 100644 ---- a/crypto/pkcs12/p12_add.c -+++ b/crypto/pkcs12/p12_add.c -@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p7->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); - } - -@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, - { - if (!PKCS7_type_is_encrypted(p7)) - return NULL; -+ -+ if (p7->d.encrypted == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm, - ASN1_ITEM_rptr(PKCS12_SAFEBAGS), - pass, passlen, -@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if 
(p12->authsafes->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - p7s = ASN1_item_unpack(p12->authsafes->d.data, - ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); - if (p7s != NULL) { -diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c -index 67a885a45f89e..68ff54d0e90ee 100644 ---- a/crypto/pkcs12/p12_mutl.c -+++ b/crypto/pkcs12/p12_mutl.c -@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, - return 0; - } - -+ if (p12->authsafes->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return 0; -+ } -+ - salt = p12->mac->salt->data; - saltlen = p12->mac->salt->length; - if (p12->mac->iter == NULL) -diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c -index 62230bc6187ff..1e5b5495991a4 100644 ---- a/crypto/pkcs12/p12_npas.c -+++ b/crypto/pkcs12/p12_npas.c -@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) - bags = PKCS12_unpack_p7data(p7); - } else if (bagnid == NID_pkcs7_encrypted) { - bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); -- if (!alg_get(p7->d.encrypted->enc_data->algorithm, -- &pbe_nid, &pbe_iter, &pbe_saltlen)) -+ if (p7->d.encrypted == NULL -+ || !alg_get(p7->d.encrypted->enc_data->algorithm, -+ &pbe_nid, &pbe_iter, &pbe_saltlen)) - goto err; - } else { - continue; -diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c -index 49a0da5f819c4..8228315eeaa3a 100644 ---- a/crypto/pkcs7/pk7_mime.c -+++ b/crypto/pkcs7/pk7_mime.c -@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) - int ctype_nid = OBJ_obj2nid(p7->type); - const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); - -- if (ctype_nid == NID_pkcs7_signed) -+ if (ctype_nid == NID_pkcs7_signed) { -+ if (p7->d.sign == NULL) -+ return 0; - mdalgs = p7->d.sign->md_algs; -- else -+ } else { - mdalgs = NULL; -+ } - - flags ^= SMIME_OLDMIME; - 
diff --git a/openssl-CVE-2024-2511.patch b/openssl-CVE-2024-2511.patch deleted file mode 100644 index 0ffdd7f..0000000 --- a/openssl-CVE-2024-2511.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 5 Mar 2024 15:43:53 +0000 -Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3 - -In TLSv1.3 we create a new session object for each ticket that we send. -We do this by duplicating the original session. If SSL_OP_NO_TICKET is in -use then the new session will be added to the session cache. However, if -early data is not in use (and therefore anti-replay protection is being -used), then multiple threads could be resuming from the same session -simultaneously. If this happens and a problem occurs on one of the threads, -then the original session object could be marked as not_resumable. When we -duplicate the session object this not_resumable status gets copied into the -new session object. The new session object is then added to the session -cache even though it is not_resumable. - -Subsequently, another bug means that the session_id_length is set to 0 for -sessions that are marked as not_resumable - even though that session is -still in the cache. Once this happens the session can never be removed from -the cache. When that object gets to be the session cache tail object the -cache never shrinks again and grows indefinitely. - -CVE-2024-2511 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24044) ---- - ssl/ssl_lib.c | 5 +++-- - ssl/ssl_sess.c | 28 ++++++++++++++++++++++------ - ssl/statem/statem_srvr.c | 5 ++--- - 3 files changed, 27 insertions(+), 11 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index b5cc4af2f0302..e747b7f90aa71 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode) - - /* - * If the session_id_length is 0, we are not supposed to cache it, and it -- * would be rather hard to do anyway :-) -+ * would be rather hard to do anyway :-). 
Also if the session has already -+ * been marked as not_resumable we should not cache it for later reuse. - */ -- if (s->session->session_id_length == 0) -+ if (s->session->session_id_length == 0 || s->session->not_resumable) - return; - - /* -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index bf84e792251b8..241cf43c46296 100644 ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void) - return ss; - } - --SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) --{ -- return ssl_session_dup(src, 1); --} -- - /* - * Create a new SSL_SESSION and duplicate the contents of |src| into it. If - * ticket == 0 then no ticket information is duplicated, otherwise it is. - */ --SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) -+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) - { - SSL_SESSION *dest; - -@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) - return NULL; - } - -+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) -+{ -+ return ssl_session_dup_intern(src, 1); -+} -+ -+/* -+ * Used internally when duplicating a session which might be already shared. -+ * We will have resumed the original session. Subsequently we might have marked -+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to -+ * resume from. 
-+ */ -+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) -+{ -+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket); -+ -+ if (sess != NULL) -+ sess->not_resumable = 0; -+ -+ return sess; -+} -+ - const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) - { - if (len) -diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c -index 5d59d53563ed8..8e493176f658e 100644 ---- a/ssl/statem/statem_srvr.c -+++ b/ssl/statem/statem_srvr.c -@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) - * so the following won't overwrite an ID that we're supposed - * to send back. - */ -- if (s->session->not_resumable || -- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) -- && !s->hit)) -+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) -+ && !s->hit) - s->session->session_id_length = 0; - - if (usetls13) { diff --git a/openssl-CVE-2024-4603.patch b/openssl-CVE-2024-4603.patch deleted file mode 100644 index 23fa5d3..0000000 --- a/openssl-CVE-2024-4603.patch +++ /dev/null 
@@ -1,199 +0,0 @@ -From 9c39b3858091c152f52513c066ff2c5a47969f0d Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Wed, 8 May 2024 15:23:45 +0200 -Subject: [PATCH] Check DSA parameters for excessive sizes before validating - -This avoids overly long computation of various validation -checks. - -Fixes CVE-2024-4603 - -Reviewed-by: Paul Dale -Reviewed-by: Matt Caswell -Reviewed-by: Neil Horman -Reviewed-by: Shane Lontis -(Merged from https://github.com/openssl/openssl/pull/24346) - -(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b) ---- - CHANGES.md | 17 ++++++ - crypto/dsa/dsa_check.c | 44 ++++++++++++-- - .../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++ - 3 files changed, 114 insertions(+), 4 deletions(-) - create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem - -Index: openssl-3.1.4/crypto/dsa/dsa_check.c -=================================================================== ---- openssl-3.1.4.orig/crypto/dsa/dsa_check.c -+++ openssl-3.1.4/crypto/dsa/dsa_check.c -@@ -19,8 +19,34 @@ - #include "dsa_local.h" - #include "crypto/dsa.h" - -+static int dsa_precheck_params(const DSA *dsa, int *ret) -+{ -+ if (dsa->params.p == NULL || dsa->params.q == NULL) { -+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS); -+ *ret = FFC_CHECK_INVALID_PQ; -+ return 0; -+ } -+ -+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE); -+ *ret = FFC_CHECK_INVALID_PQ; -+ return 0; -+ } -+ -+ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) { -+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE); -+ *ret = FFC_CHECK_INVALID_PQ; -+ return 0; -+ } -+ -+ return 1; -+} -+ - int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret) - { -+ if (!dsa_precheck_params(dsa, ret)) -+ return 0; -+ - if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) - return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params, - FFC_PARAM_TYPE_DSA, ret); -@@ -39,6 +65,9 @@ int 
ossl_dsa_check_params(const DSA *dsa - */ - int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) - { -+ if (!dsa_precheck_params(dsa, ret)) -+ return 0; -+ - return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret) - && *ret == 0; - } -@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *ds - */ - int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret) - { -+ if (!dsa_precheck_params(dsa, ret)) -+ return 0; -+ - return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret) - && *ret == 0; - } -@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *d - { - *ret = 0; - -- return (dsa->params.q != NULL -- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret)); -+ if (!dsa_precheck_params(dsa, ret)) -+ return 0; -+ -+ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret); - } - - /* -@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *d - BN_CTX *ctx = NULL; - BIGNUM *pub_key = NULL; - -- if (dsa->params.p == NULL -- || dsa->params.g == NULL -+ if (!dsa_precheck_params(dsa, &ret)) -+ return 0; -+ -+ if (dsa->params.g == NULL - || dsa->priv_key == NULL - || dsa->pub_key == NULL) - return 0; -Index: openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem -=================================================================== ---- /dev/null -+++ openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem -@@ -0,0 +1,57 @@ -+-----BEGIN DSA PARAMETERS----- -+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja -+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil -+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF -+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk -+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW -+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb -+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O 
-+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ -+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5 -+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2 -+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB -+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN -+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl -+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ -+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg -+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG -+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE -+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN -+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2 -+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8 -+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd -+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW -+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9 -+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7 -+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s -+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs -+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN -+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy -+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx -+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36 -+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2 -+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B -+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8 -+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W -+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl -++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX 
-+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq -+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX -+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot -+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK -+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco -+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD -+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3 -+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy -+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct -+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+ -+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd -+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG -+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E -+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk -+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF -+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d -+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa -+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D -+vKuje86bePD6kD/LH3wmkA== -+-----END DSA PARAMETERS----- -Index: openssl-3.1.4/CHANGES.md -=================================================================== ---- openssl-3.1.4.orig/CHANGES.md -+++ openssl-3.1.4/CHANGES.md -@@ -22,6 +22,23 @@ OpenSSL Releases - OpenSSL 3.1 - ----------- - -+ * Fixed an issue where checking excessively long DSA keys or parameters may -+ be very slow. -+ -+ Applications that use the functions EVP_PKEY_param_check() or -+ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may -+ experience long delays. Where the key or parameters that are being checked -+ have been obtained from an untrusted source this may lead to a Denial of -+ Service. 
-+ -+ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS -+ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error -+ reason. -+ -+ ([CVE-2024-4603]) -+ -+ *Tomáš Mráz* -+ - ### Changes between 3.1.3 and 3.1.4 [24 Oct 2023] - - * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), diff --git a/openssl-CVE-2024-4741.patch b/openssl-CVE-2024-4741.patch deleted file mode 100644 index 2e87ae8..0000000 --- a/openssl-CVE-2024-4741.patch +++ /dev/null @@ -1,28 +0,0 @@ -@@ -, +, @@ ---- - ssl/record/methods/tls_common.c | 8 ++++++++ - 1 file changed, 8 insertions(+) ---- openssl-3.0.8/ssl/record/ssl3_buffer.c -+++ openssl-3.0.8/ssl/record/ssl3_buffer.c -@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s) - OPENSSL_cleanse(b->buf, b->len); - OPENSSL_free(b->buf); - b->buf = NULL; -+ s->rlayer.packet = NULL; -+ s->rlayer.packet_length = 0; - return 1; - } ---- openssl-3.0.8/ssl/record/rec_layer_s3.c -+++ openssl-3.0.8/ssl/record/rec_layer_s3.c -@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t - s->rlayer.packet_length = 0; - /* ... now we can act as if 'extend' was set */ - } -+ if (!ossl_assert(s->rlayer.packet != NULL)) { -+ /* does not happen */ -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); -+ return -1; -+ } - - len = s->rlayer.packet_length; - pkt = rb->buf + align; diff --git a/openssl-CVE-2024-5535.patch b/openssl-CVE-2024-5535.patch deleted file mode 100644 index b8ee00a..0000000 --- a/openssl-CVE-2024-5535.patch +++ /dev/null 
@@ -1,326 +0,0 @@ -From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 11:14:33 +0100 -Subject: [PATCH] Fix SSL_select_next_proto - -Ensure that the provided client list is non-NULL and starts with a valid -entry. When called from the ALPN callback the client list should already -have been validated by OpenSSL so this should not cause a problem. When -called from the NPN callback the client list is locally configured and -will not have already been validated. Therefore SSL_select_next_proto -should not assume that it is correctly formatted. - -We implement stricter checking of the client protocol list. We also do the -same for the server list while we are about it. - -CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24718) ---- - ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++------------------- - 1 file changed, 40 insertions(+), 23 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 5493d9b9c7..f218dcf1db 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -2953,37 +2953,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, - unsigned int server_len, - const unsigned char *client, unsigned int client_len) - { -- unsigned int i, j; -- const unsigned char *result; -- int status = OPENSSL_NPN_UNSUPPORTED; -+ PACKET cpkt, csubpkt, spkt, ssubpkt; -+ -+ if (!PACKET_buf_init(&cpkt, client, client_len) -+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) -+ || PACKET_remaining(&csubpkt) == 0) { -+ *out = NULL; -+ *outlen = 0; -+ return OPENSSL_NPN_NO_OVERLAP; -+ } -+ -+ /* -+ * Set the default opportunistic protocol. Will be overwritten if we find -+ * a match. -+ */ -+ *out = (unsigned char *)PACKET_data(&csubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&csubpkt); - - /* - * For each protocol in server preference order, see if we support it. 
- */ -- for (i = 0; i < server_len;) { -- for (j = 0; j < client_len;) { -- if (server[i] == client[j] && -- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { -- /* We found a match */ -- result = &server[i]; -- status = OPENSSL_NPN_NEGOTIATED; -- goto found; -+ if (PACKET_buf_init(&spkt, server, server_len)) { -+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { -+ if (PACKET_remaining(&ssubpkt) == 0) -+ continue; /* Invalid - ignore it */ -+ if (PACKET_buf_init(&cpkt, client, client_len)) { -+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { -+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), -+ PACKET_remaining(&ssubpkt))) { -+ /* We found a match */ -+ *out = (unsigned char *)PACKET_data(&ssubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); -+ return OPENSSL_NPN_NEGOTIATED; -+ } -+ } -+ /* Ignore spurious trailing bytes in the client list */ -+ } else { -+ /* This should never happen */ -+ return OPENSSL_NPN_NO_OVERLAP; - } -- j += client[j]; -- j++; - } -- i += server[i]; -- i++; -+ /* Ignore spurious trailing bytes in the server list */ - } - -- /* There's no overlap between our protocols and the server's list. */ -- result = client; -- status = OPENSSL_NPN_NO_OVERLAP; -- -- found: -- *out = (unsigned char *)result + 1; -- *outlen = result[0]; -- return status; -+ /* -+ * There's no overlap between our protocols and the server's list. We use -+ * the default opportunistic protocol selected earlier -+ */ -+ return OPENSSL_NPN_NO_OVERLAP; - } - - #ifndef OPENSSL_NO_NEXTPROTONEG --- -2.45.2 - -From 4279c89a726025c758db3dafb263b17e52211304 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 11:18:27 +0100 -Subject: [PATCH] More correctly handle a selected_len of 0 when - processing NPN - -In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but -the selected_len is 0 we should fail. 
Previously this would fail with an -internal_error alert because calling OPENSSL_malloc(selected_len) will -return NULL when selected_len is 0. We make this error detection more -explicit and return a handshake failure alert. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24718) ---- - ssl/statem/extensions_clnt.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c -index 842be0722b..a07dc62e9a 100644 ---- a/ssl/statem/extensions_clnt.c -+++ b/ssl/statem/extensions_clnt.c -@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - PACKET_data(pkt), - PACKET_remaining(pkt), - s->ctx->ext.npn_select_cb_arg) != -- SSL_TLSEXT_ERR_OK) { -+ SSL_TLSEXT_ERR_OK -+ || selected_len == 0) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); - return 0; - } --- -2.45.2 - -From 889ed19ba25abebd2690997acd6d4791cbe5c493 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 11:46:38 +0100 -Subject: [PATCH] Clarify the SSL_select_next_proto() documentation - -We clarify the input preconditions and the expected behaviour in the event -of no overlap. 
- -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24718) ---- - doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++-------- - 1 file changed, 18 insertions(+), 8 deletions(-) - -diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod -index 102e657851..a29557dd91 100644 ---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod -+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod -@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated - SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to - set the list of protocols available to be negotiated. The B must be in - protocol-list format, described below. The length of B is specified in --B. -+B. Setting B to 0 clears any existing list of ALPN -+protocols and no ALPN extension will be sent to the server. - - SSL_CTX_set_alpn_select_cb() sets the application callback B used by a - server to select which protocol to use for the incoming connection. When B -@@ -73,9 +74,16 @@ B and B, B must be in the protocol-list format - described below. The first item in the B, B list that - matches an item in the B, B list is selected, and returned - in B, B. The B value will point into either B or --B, so it should be copied immediately. If no match is found, the first --item in B, B is returned in B, B. This --function can also be used in the NPN callback. -+B, so it should be copied immediately. The client list must include at -+least one valid (nonempty) protocol entry in the list. -+ -+The SSL_select_next_proto() helper function can be useful from either the ALPN -+callback or the NPN callback (described below). If no match is found, the first -+item in B, B is returned in B, B and -+B is returned. This can be useful when implementating -+the NPN callback. 
In the ALPN case, the value returned in B and B -+must be ignored if B has been returned from -+SSL_select_next_proto(). - - SSL_CTX_set_next_proto_select_cb() sets a callback B that is called when a - client needs to select a protocol from the server's provided list, and a -@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B). - The length of the protocol name must be written into B. The - server's advertised protocols are provided in B and B. The - callback can assume that B is syntactically valid. The client must --select a protocol. It is fatal to the connection if this callback returns --a value other than B. The B parameter is the pointer --set via SSL_CTX_set_next_proto_select_cb(). -+select a protocol (although it may be an empty, zero length protocol). It is -+fatal to the connection if this callback returns a value other than -+B or if the zero length protocol is selected. The B -+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb(). - - SSL_CTX_set_next_protos_advertised_cb() sets a callback B that is called - when a TLS server needs a list of supported protocols for Next Protocol -@@ -149,7 +158,8 @@ A match was found and is returned in B, B. - =item OPENSSL_NPN_NO_OVERLAP - - No match was found. The first item in B, B is returned in --B, B. -+B, B (or B and 0 in the case where the first entry in -+B is invalid). - - =back - --- -2.45.2 - -From 087501b4f572825e27ca8cc2c5874fcf6fd47cf7 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 21 Jun 2024 10:41:55 +0100 -Subject: [PATCH] Correct return values for - tls_construct_stoc_next_proto_neg - -Return EXT_RETURN_NOT_SENT in the event that we don't send the extension, -rather than EXT_RETURN_SENT. This actually makes no difference at all to -the current control flow since this return value is ignored in this case -anyway. But lets make it correct anyway. 
- -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24718) ---- - ssl/statem/extensions_srvr.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c -index 4ea085e1a1..2da880450f 100644 ---- a/ssl/statem/extensions_srvr.c -+++ b/ssl/statem/extensions_srvr.c -@@ -1476,9 +1476,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, - return EXT_RETURN_FAIL; - } - s->s3.npn_seen = 1; -+ return EXT_RETURN_SENT; - } - -- return EXT_RETURN_SENT; -+ return EXT_RETURN_NOT_SENT; - } - #endif - --- -2.45.2 - -From 017e54183b95617825fb9316d618c154a34c634e Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 21 Jun 2024 11:51:54 +0100 -Subject: [PATCH] Add ALPN validation in the client - -The ALPN protocol selected by the server must be one that we originally -advertised. We should verify that it is. - -Follow on from CVE-2024-5535 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24718) ---- - ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c -index a07dc62e9a..b21ccf9273 100644 ---- a/ssl/statem/extensions_clnt.c -+++ b/ssl/statem/extensions_clnt.c -@@ -1566,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - size_t chainidx) - { - size_t len; -+ PACKET confpkt, protpkt; -+ int valid = 0; - - /* We must have requested it. 
*/ - if (!s->s3.alpn_sent) { -@@ -1584,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); - return 0; - } -+ -+ /* It must be a protocol that we sent */ -+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { -+ if (PACKET_remaining(&protpkt) != len) -+ continue; -+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { -+ /* Valid protocol found */ -+ valid = 1; -+ break; -+ } -+ } -+ -+ if (!valid) { -+ /* The protocol sent from the server does not match one we advertised */ -+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); -+ return 0; -+ } -+ - OPENSSL_free(s->s3.alpn_selected); - s->s3.alpn_selected = OPENSSL_malloc(len); - if (s->s3.alpn_selected == NULL) { --- -2.45.2 - diff --git a/openssl-CVE-2024-6119.patch b/openssl-CVE-2024-6119.patch deleted file mode 100644 index f7aadcf..0000000 --- a/openssl-CVE-2024-6119.patch +++ /dev/null 
@@ -1,255 +0,0 @@ -commit 97ebe37033e8884f4cca5544a74376633c665e11 -Author: Viktor Dukhovni -Date: Wed Jun 19 21:04:11 2024 +1000 - - Avoid type errors in EAI-related name check logic. - - The incorrectly typed data is read only, used in a compare operation, so - neither remote code execution, nor memory content disclosure were possible. - However, applications performing certificate name checks were vulnerable to - denial of service. - - The GENERAL_TYPE data type is a union, and we must take care to access the - correct member, based on `gen->type`, not all the member fields have the same - structure, and a segfault is possible if the wrong member field is read. - - The code in question was lightly refactored with the intent to make it more - obviously correct. - - CVE-2024-6119 - - (cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1) - -diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c -index 1a18174995..a09414c972 100644 ---- a/crypto/x509/v3_utl.c -+++ b/crypto/x509/v3_utl.c -@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, - ASN1_STRING *cstr; - - gen = sk_GENERAL_NAME_value(gens, i); -- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) { -- if (OBJ_obj2nid(gen->d.otherName->type_id) == -- NID_id_on_SmtpUTF8Mailbox) { -- san_present = 1; -- -- /* -- * If it is not a UTF8String then that is unexpected and we -- * treat it as no match -- */ -- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) { -- cstr = gen->d.otherName->value->value.utf8string; -- -- /* Positive on success, negative on error! 
*/ -- if ((rv = do_check_string(cstr, 0, equal, flags, -- chk, chklen, peername)) != 0) -- break; -- } -- } else -+ switch (gen->type) { -+ default: -+ continue; -+ case GEN_OTHERNAME: -+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) { -+ default: - continue; -- } else { -- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME)) -+ case NID_id_on_SmtpUTF8Mailbox: -+ /*- -+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3 -+ * -+ * Due to name constraint compatibility reasons described -+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT -+ * be used unless the local-part of the email address -+ * contains non-ASCII characters. When the local-part is -+ * ASCII, rfc822Name subjectAltName MUST be used instead -+ * of SmtpUTF8Mailbox. This is compatible with legacy -+ * software that supports only rfc822Name (and not -+ * SmtpUTF8Mailbox). [...] -+ * -+ * SmtpUTF8Mailbox is encoded as UTF8String. -+ * -+ * If it is not a UTF8String then that is unexpected, and -+ * we ignore the invalid SAN (neither set san_present nor -+ * consider it a candidate for equality). This does mean -+ * that the subject CN may be considered, as would be the -+ * case when the malformed SmtpUtf8Mailbox SAN is instead -+ * simply absent. -+ * -+ * When CN-ID matching is not desirable, applications can -+ * choose to turn it off, doing so is at this time a best -+ * practice. 
-+ */ -+ if (check_type != GEN_EMAIL -+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING) -+ continue; -+ alt_type = 0; -+ cstr = gen->d.otherName->value->value.utf8string; -+ break; -+ } -+ break; -+ case GEN_EMAIL: -+ if (check_type != GEN_EMAIL) - continue; -- } -- san_present = 1; -- if (check_type == GEN_EMAIL) - cstr = gen->d.rfc822Name; -- else if (check_type == GEN_DNS) -+ break; -+ case GEN_DNS: -+ if (check_type != GEN_DNS) -+ continue; - cstr = gen->d.dNSName; -- else -+ break; -+ case GEN_IPADD: -+ if (check_type != GEN_IPADD) -+ continue; - cstr = gen->d.iPAddress; -+ break; -+ } -+ san_present = 1; - /* Positive on success, negative on error! */ - if ((rv = do_check_string(cstr, alt_type, equal, flags, - chk, chklen, peername)) != 0) -diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t -index 522982ddfb..e18735d89a 100644 ---- a/test/recipes/25-test_eai_data.t -+++ b/test/recipes/25-test_eai_data.t -@@ -21,16 +21,18 @@ setup("test_eai_data"); - #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem - #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem - --plan tests => 12; -+plan tests => 16; - - require_ok(srctop_file('test','recipes','tconversion.pl')); - my $folder = "test/recipes/25-test_eai_data"; - - my $ascii_pem = srctop_file($folder, "ascii_leaf.pem"); - my $utf8_pem = srctop_file($folder, "utf8_leaf.pem"); -+my $kdc_pem = srctop_file($folder, "kdc-cert.pem"); - - my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem"); - my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem"); -+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem"); - - my $out; - my $outcnt = 0; -@@ -56,10 +58,18 @@ SKIP: { - - ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", 
$ascii_chain_pem, $ascii_pem]))); - ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem]))); -+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem]))); - - ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem]))); - ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem]))); - -+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated). -+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); -+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated). -+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); -+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String. 
-+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); -+ - #Check that we get the expected failure return code - with({ exit_checker => sub { return shift == 2; } }, - sub { -diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem -new file mode 100644 -index 0000000000..e8a2c6f55d ---- /dev/null -+++ b/test/recipes/25-test_eai_data/kdc-cert.pem -@@ -0,0 +1,21 @@ -+-----BEGIN CERTIFICATE----- -+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290 -+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU -+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+ -+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry -+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8 -+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx -+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT -+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9 -+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj -+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG -+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU -+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA -+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA -+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb -+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU -+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1 -+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9 -+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI -+oDQ9fKfUOAmUFth2/R/eGA== -+-----END CERTIFICATE----- -diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem -new file mode 100644 -index 0000000000..a74c96bf31 ---- /dev/null -+++ 
b/test/recipes/25-test_eai_data/kdc-root-cert.pem -@@ -0,0 +1,16 @@ -+-----BEGIN CERTIFICATE----- -+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS -+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD -+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj -+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0 -+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK -+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS -+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj -+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7 -+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI -+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT -+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl -+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW -+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS -+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8 -+-----END CERTIFICATE----- -diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh -new file mode 100755 -index 0000000000..7a8dbc719f ---- /dev/null -+++ b/test/recipes/25-test_eai_data/kdc.sh -@@ -0,0 +1,41 @@ -+#! /usr/bin/env bash -+ -+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and -+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS -+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should -+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox` -+# should likewise lead to ASAN issues with email name checks. 
-+ -+rm -f root-key.pem root-cert.pem -+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \ -+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem -+ -+exts=$( -+ printf "%s\n%s\n%s\n%s = " \ -+ "subjectKeyIdentifier = hash" \ -+ "authorityKeyIdentifier = keyid" \ -+ "basicConstraints = CA:false" \ -+ "subjectAltName" -+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name" -+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com" -+ printf "%s, " "email:joe@example.com" -+ printf "%s\n" "DNS:mx1.example.com" -+ printf "[kdc_princ_name]\n" -+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n" -+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n" -+ printf "[kdc_principal_seq]\n" -+ printf "name_type = EXP:0, INTEGER:1\n" -+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n" -+ printf "[kdc_principal_components]\n" -+ printf "princ1 = GeneralString:krbtgt\n" -+ printf "princ2 = GeneralString:TEST.EXAMPLE\n" -+ ) -+ -+printf "%s\n" "$exts" -+ -+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \ -+ -subj "/CN=TEST.EXAMPLE" | -+ openssl x509 -req -out kdc-cert.pem \ -+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \ -+ -set_serial 2 -days 36524 \ -+ -extfile <(printf "%s\n" "$exts") diff --git a/openssl-DEFAULT_SUSE_cipher.patch b/openssl-DEFAULT_SUSE_cipher.patch deleted file mode 100644 index b8d8688..0000000 --- a/openssl-DEFAULT_SUSE_cipher.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c -=================================================================== ---- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c -+++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c -@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - */ - ok = 1; - rule_p = rule_str; -- if (strncmp(rule_str, "DEFAULT", 7) == 0) { -+ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) { -+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST, -+ &head, &tail, ca_list, c); -+ rule_p += 12; -+ if (*rule_p == ':') -+ rule_p++; -+ } -+ else if (strncmp(rule_str, "DEFAULT", 7) == 0) { - ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(), - &head, &tail, ca_list, c); - rule_p += 7; -Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t -=================================================================== ---- /dev/null -+++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t -@@ -0,0 +1,23 @@ -+#! /usr/bin/env perl -+ -+use strict; -+use warnings; -+ -+use OpenSSL::Test qw/:DEFAULT/; -+use OpenSSL::Test::Utils; -+ -+setup("test_default_ciphersuites"); -+ -+plan tests => 6; -+ -+my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT"); -+ -+foreach my $cipherlist (@cipher_suites) { -+ ok(run(app(["openssl", "ciphers", "-s", $cipherlist])), -+ "openssl ciphers works with ciphersuite $cipherlist"); -+ ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)), -+ "$cipherlist shouldn't contain MD5, DES or RC4\n"); -+ ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)), -+ "$cipherlist should contain TLSv1.3 ciphers\n"); -+} -+ -Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in -=================================================================== ---- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in -+++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in -@@ -189,6 +189,11 @@ extern "C" { - */ - # ifndef 
OPENSSL_NO_DEPRECATED_3_0 - # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" -+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\ -+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\ -+ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ -+ "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\ -+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" - /* - * This is the default set of TLSv1.3 ciphersuites - * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites() diff --git a/openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch b/openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch index 17f8da2..60e661c 100644 --- a/openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch +++ b/openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch 
@@ -1,11 +1,29 @@ -From 590babb35e3aa399c889282747965e301333a656 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 16:07:18 +0200 -Subject: [PATCH 43/48] - 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch +From 89dbaf8a756111a530f6422679b59bf134acfd66 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:17 +0100 +Subject: [PATCH 39/53] FIPS: DH: Disable FIPS 186-4 type parameters -Patch-name: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch -Patch-id: 93 +For DH parameter and key pair generation/verification, the DSA +procedures specified in FIPS 186-4 are used. With the release of FIPS +186-5 and the removal of DSA, the approved status of these groups is in +peril. Once the transition for DSA ends (this transition will be 1 year +long and start once CMVP has published the guidance), no more +submissions claiming DSA will be allowed. Hence, FIPS 186-type +parameters will also be automatically non-approved. + +In the FIPS provider, disable validation of any DH parameters that are +not well-known groups, and remove DH parameter generation completely. + +Adjust tests to use well-known groups or larger DH groups where this +change would now cause failures, and skip tests that are expected to +fail due to this change. + +Related: rhbz#2169757, rhbz#2169757 +Signed-off-by: Clemens Lang + +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce + +NOTE: Dropped changes in test/recipes/80-test_cms.t --- crypto/dh/dh_backend.c | 10 ++++ crypto/dh/dh_check.c | 12 ++-- 
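Review bot: The rewritten patch header claims the tests were adjusted or skipped so the DH restriction does not break them, but the trailing `NOTE: Dropped changes in test/recipes/80-test_cms.t` gives no reason for dropping exactly that adjustment, so a reader cannot tell whether the 3.5.3 test_cms.t already keeps its DH cases out of the FIPS provider or whether the dropped hunk now leaves a failing (or silently skipped) test. I would extend the line to state the reason, e.g. `NOTE: Dropped changes in test/recipes/80-test_cms.t: the 3.5.3 recipe already runs the affected CMS DH cases with the default provider only` — whatever the actual reason is, confirmed against the 3.5.3 recipe. The `Related:` trailer also lists the same Bugzilla id twice (`Related: rhbz#2169757, rhbz#2169757`); presumably one of them was meant to be a different bug and should be corrected, or the duplicate dropped. This hunk covers only the patch preamble; the code hunks it describes follow in later hunks.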
@@ -17,15 +35,14 @@ Patch-id: 93 test/evp_libctx_test.c | 2 +- test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++ test/helpers/predefined_dhparams.h | 1 + - test/recipes/80-test_cms.t | 4 +- test/recipes/80-test_ssl_old.t | 3 + - 12 files changed, 118 insertions(+), 20 deletions(-) + 11 files changed, 116 insertions(+), 18 deletions(-) -diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c -index 726843fd30..24c65ca84f 100644 ---- a/crypto/dh/dh_backend.c -+++ b/crypto/dh/dh_backend.c -@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) +Index: openssl-3.5.3/crypto/dh/dh_backend.c +=================================================================== +--- openssl-3.5.3.orig/crypto/dh/dh_backend.c ++++ openssl-3.5.3/crypto/dh/dh_backend.c +@@ -47,6 +47,16 @@ int ossl_dh_params_fromdata(DH *dh, cons if (!dh_ffc_params_fromdata(dh, params)) return 0; @@ -42,11 +59,11 @@ index 726843fd30..24c65ca84f 100644 param_priv_len = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN); if (param_priv_len != NULL -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 0b391910d6..75581ca347 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret) +Index: openssl-3.5.3/crypto/dh/dh_check.c +=================================================================== +--- openssl-3.5.3.orig/crypto/dh/dh_check.c ++++ openssl-3.5.3/crypto/dh/dh_check.c +@@ -58,13 +58,15 @@ int DH_check_params(const DH *dh, int *r nid = DH_get_nid((DH *)dh); if (nid != NID_undef) return 1; 
@@ -67,11 +84,11 @@ index 0b391910d6..75581ca347 100644 } #else int DH_check_params(const DH *dh, int *ret) -diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c -index 204662a81c..9961f21920 100644 ---- a/crypto/dh/dh_gen.c -+++ b/crypto/dh/dh_gen.c -@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, +Index: openssl-3.5.3/crypto/dh/dh_gen.c +=================================================================== +--- openssl-3.5.3.orig/crypto/dh/dh_gen.c ++++ openssl-3.5.3/crypto/dh/dh_gen.c +@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, BN_GENCB *cb) { @@ -100,11 +117,11 @@ index 204662a81c..9961f21920 100644 if (ret > 0) dh->dirty_cnt++; return ret; -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index 83773cceea..7e988368d3 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -321,8 +321,12 @@ static int generate_key(DH *dh) +Index: openssl-3.5.3/crypto/dh/dh_key.c +=================================================================== +--- openssl-3.5.3.orig/crypto/dh/dh_key.c ++++ openssl-3.5.3/crypto/dh/dh_key.c +@@ -336,8 +336,12 @@ static int generate_key(DH *dh) goto err; } else { #ifdef FIPS_MODULE @@ -118,8 +135,8 @@ index 83773cceea..7e988368d3 100644 + goto err; #else if (dh->params.q == NULL) { - /* secret exponent length, must satisfy 2^(l-1) <= p */ -@@ -343,9 +347,7 @@ static int generate_key(DH *dh) + /* secret exponent length, must satisfy 2^l < (p-1)/2 */ +@@ -360,9 +364,7 @@ static int generate_key(DH *dh) if (!BN_clear_bit(priv_key, 0)) goto err; } @@ -130,7 +147,7 @@ index 83773cceea..7e988368d3 100644 /* Do a partial check for invalid p, q, g */ if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params, FFC_PARAM_TYPE_DH, NULL)) -@@ -361,6 +363,7 @@ static int generate_key(DH *dh) +@@ -378,6 +380,7 @@ static int generate_key(DH *dh) priv_key)) goto err; } 
@@ -138,11 +155,11 @@ index 83773cceea..7e988368d3 100644 } } -diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c -index f201eede0d..30f90d15be 100644 ---- a/crypto/dh/dh_pmeth.c -+++ b/crypto/dh/dh_pmeth.c -@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx, +Index: openssl-3.5.3/crypto/dh/dh_pmeth.c +=================================================================== +--- openssl-3.5.3.orig/crypto/dh/dh_pmeth.c ++++ openssl-3.5.3/crypto/dh/dh_pmeth.c +@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_ prime_len, subprime_len, &res, pcb); else @@ -163,11 +180,11 @@ index f201eede0d..30f90d15be 100644 if (rv <= 0) { DH_free(ret); return NULL; -diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c -index 9a7dde7c66..b3e7bca5ac 100644 ---- a/providers/implementations/keymgmt/dh_kmgmt.c -+++ b/providers/implementations/keymgmt/dh_kmgmt.c -@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype) +Index: openssl-3.5.3/providers/implementations/keymgmt/dh_kmgmt.c +=================================================================== +--- openssl-3.5.3.orig/providers/implementations/keymgmt/dh_kmgmt.c ++++ openssl-3.5.3/providers/implementations/keymgmt/dh_kmgmt.c +@@ -422,6 +422,11 @@ static int dh_validate(const void *keyda if ((selection & DH_POSSIBLE_SELECTIONS) == 0) return 1; /* nothing to validate */ 
@@ -179,11 +196,11 @@ index 9a7dde7c66..b3e7bca5ac 100644 if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { /* * Both of these functions check parameters. DH_check_params_ex() -diff --git a/test/endecode_test.c b/test/endecode_test.c -index 53385028fc..169f3ccd73 100644 ---- a/test/endecode_test.c -+++ b/test/endecode_test.c -@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) +Index: openssl-3.5.3/test/endecode_test.c +=================================================================== +--- openssl-3.5.3.orig/test/endecode_test.c ++++ openssl-3.5.3/test/endecode_test.c +@@ -85,10 +85,10 @@ static EVP_PKEY *make_template(const cha * for testing only. Use a minimum key size of 2048 for security purposes. */ if (strcmp(type, "DH") == 0) @@ -196,11 +213,11 @@ index 53385028fc..169f3ccd73 100644 # endif /* -diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c -index a7913cda4c..96a35ac1cc 100644 ---- a/test/evp_libctx_test.c -+++ b/test/evp_libctx_test.c -@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn) +Index: openssl-3.5.3/test/evp_libctx_test.c +=================================================================== +--- openssl-3.5.3.orig/test/evp_libctx_test.c ++++ openssl-3.5.3/test/evp_libctx_test.c +@@ -222,7 +222,7 @@ static int do_dh_param_keygen(int tstid, if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL)) || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0) 
@@ -209,17 +226,17 @@ index a7913cda4c..96a35ac1cc 100644 goto err; if (expected) { -diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c -index 4bdadc4143..e5186e4b4a 100644 ---- a/test/helpers/predefined_dhparams.c -+++ b/test/helpers/predefined_dhparams.c -@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx) +Index: openssl-3.5.3/test/helpers/predefined_dhparams.c +=================================================================== +--- openssl-3.5.3.orig/test/helpers/predefined_dhparams.c ++++ openssl-3.5.3/test/helpers/predefined_dhparams.c +@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libct dhx512_q, sizeof(dhx512_q)); } +EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx) +{ -+ /* This is RFC 7919 ffdhe2048, since Red Hat removes support for ++ /* This is RFC 7919 ffdhe2048, since SUSE/openSUSE removes support for + * non-well-known groups in FIPS mode. */ + static unsigned char dhx_p[] = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58, @@ -282,10 +299,10 @@ index 4bdadc4143..e5186e4b4a 100644 EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx) { static unsigned char dh1024_p[] = { -diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h -index f0e8709062..2ff6d6e721 100644 ---- a/test/helpers/predefined_dhparams.h -+++ b/test/helpers/predefined_dhparams.h +Index: openssl-3.5.3/test/helpers/predefined_dhparams.h +=================================================================== +--- openssl-3.5.3.orig/test/helpers/predefined_dhparams.h ++++ openssl-3.5.3/test/helpers/predefined_dhparams.h @@ -12,6 +12,7 @@ #ifndef OPENSSL_NO_DH EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx); 
@@ -294,28 +311,11 @@ index f0e8709062..2ff6d6e721 100644 EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct); EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx); EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx); -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index 2a459856f0..afac836fa3 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -627,10 +627,10 @@ my @smime_cms_param_tests = ( - ], - - [ "enveloped content test streaming S/MIME format, X9.42 DH", -- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, -+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, - "-stream", "-out", "{output}.cms", - "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], -- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), -+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), - "-in", "{output}.cms", "-out", "{output}.txt" ], - \&final_compare - ] -diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t -index 527abcea6e..e1d38b1e62 100644 ---- a/test/recipes/80-test_ssl_old.t -+++ b/test/recipes/80-test_ssl_old.t -@@ -390,6 +390,9 @@ sub testssl { +Index: openssl-3.5.3/test/recipes/80-test_ssl_old.t +=================================================================== +--- openssl-3.5.3.orig/test/recipes/80-test_ssl_old.t ++++ openssl-3.5.3/test/recipes/80-test_ssl_old.t +@@ -458,6 +458,9 @@ sub testssl { skip "skipping dhe1024dsa test", 1 if ($no_dh); @@ -325,6 +325,3 @@ index 527abcea6e..e1d38b1e62 100644 ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); } --- -2.41.0 - diff --git a/openssl-Disable-default-provider-for-test-suite.patch b/openssl-Disable-default-provider-for-test-suite.patch deleted file mode 100644 index 719a289..0000000 --- a/openssl-Disable-default-provider-for-test-suite.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -Index: openssl-3.1.4/apps/openssl.cnf -=================================================================== ---- openssl-3.1.4.orig/apps/openssl.cnf -+++ openssl-3.1.4/apps/openssl.cnf -@@ -70,11 +70,11 @@ engines = engine_section - # to side-channel attacks and as such have been deprecated. - - [provider_sect] --default = default_sect -+##default = default_sect - ##legacy = legacy_sect - --[default_sect] --activate = 1 -+##[default_sect] -+##activate = 1 - - ##[legacy_sect] - ##activate = 1 diff --git a/openssl-Disable-explicit-ec.patch b/openssl-Disable-explicit-ec.patch index 5eb1a67..85979d9 100644 --- a/openssl-Disable-explicit-ec.patch +++ b/openssl-Disable-explicit-ec.patch @@ -1,14 +1,14 @@ -From 91bdd9b816b22bc1464ec323f3272b866b24114d Mon Sep 17 00:00:00 2001 +From 9cc542ae6077ca689f7fe2f7e64edb4bb9d72f7f Mon Sep 17 00:00:00 2001 From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 -Subject: [PATCH 12/35] 0012-Disable-explicit-ec.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 12/53] RH: Disable explicit ec curves Patch-name: 0012-Disable-explicit-ec.patch Patch-id: 12 Patch-status: | - # Disable explicit EC curves - # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd + # # Disable explicit EC curves + # # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- crypto/ec/ec_asn1.c | 11 ++++++++++ crypto/ec/ec_lib.c | 6 +++++ @@ -18,10 +18,10 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd 5 files changed, 39 insertions(+), 32 deletions(-) diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c -index 7a0b35a594..d19d57344e 100644 +index 643d2d8d7b..5895606176 100644 --- a/crypto/ec/ec_asn1.c 
+++ b/crypto/ec/ec_asn1.c -@@ -905,6 +905,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len) +@@ -901,6 +901,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len) if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT) group->decoded_from_explicit_params = 1; @@ -34,7 +34,7 @@ index 7a0b35a594..d19d57344e 100644 if (a) { EC_GROUP_free(*a); *a = group; -@@ -964,6 +970,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) +@@ -960,6 +966,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) goto err; } @@ -47,10 +47,10 @@ index 7a0b35a594..d19d57344e 100644 if (priv_key->privateKey) { diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c -index a84e088c19..6c37bf78ae 100644 +index b55677fb1f..dcfdef408e 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c -@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], +@@ -1728,6 +1728,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], goto err; } if (named_group == group) { @@ -62,7 +62,7 @@ index a84e088c19..6c37bf78ae 100644 /* * If we did not find a named group then the encoding should be explicit * if it was specified -@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], +@@ -1743,6 +1748,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], goto err; } EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); @@ -71,10 +71,10 @@ index a84e088c19..6c37bf78ae 100644 EC_GROUP_free(group); group = named_group; diff --git a/test/ectest.c b/test/ectest.c -index 4890b0555e..e11aec5b3b 100644 +index 0ddbba3b98..f736d13feb 100644 --- a/test/ectest.c 
+++ b/test/ectest.c -@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, +@@ -2413,10 +2413,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) @@ -88,7 +88,7 @@ index 4890b0555e..e11aec5b3b 100644 /*- Check that all the set values are retrievable -*/ /* There should be no match to a group name since the generator changed */ -@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, +@@ -2545,6 +2546,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, #endif ) goto err; @@ -96,7 +96,7 @@ index 4890b0555e..e11aec5b3b 100644 ret = 1; err: BN_free(order_out); -@@ -2714,21 +2716,21 @@ static int custom_params_test(int id) +@@ -2826,21 +2828,21 @@ static int custom_params_test(int id) /* Compute keyexchange in both directions */ if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) @@ -125,7 +125,7 @@ index 4890b0555e..e11aec5b3b 100644 /* Both sides should expect the same shared secret */ if (!TEST_mem_eq(buf1, sslen, buf2, t)) goto err; -@@ -2780,7 +2782,7 @@ static int custom_params_test(int id) +@@ -2892,7 +2894,7 @@ static int custom_params_test(int id) /* compare with previous result */ || !TEST_mem_eq(buf1, t, buf2, sslen)) goto err; @@ -135,10 +135,10 @@ index 4890b0555e..e11aec5b3b 100644 err: diff --git a/test/endecode_test.c b/test/endecode_test.c -index 14648287eb..9a437d8c64 100644 +index 028deb4ed1..85c84f6592 100644 --- a/test/endecode_test.c +++ b/test/endecode_test.c -@@ -62,7 +62,7 @@ static BN_CTX *bnctx = NULL; +@@ -63,7 +63,7 @@ static BN_CTX *bnctx = NULL; static OSSL_PARAM_BLD *bld_prime_nc = NULL; static OSSL_PARAM_BLD *bld_prime = NULL; static OSSL_PARAM *ec_explicit_prime_params_nc = NULL; 
@@ -147,7 +147,7 @@ index 14648287eb..9a437d8c64 100644 # ifndef OPENSSL_NO_EC2M static OSSL_PARAM_BLD *bld_tri_nc = NULL; -@@ -1009,9 +1009,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC") +@@ -1027,9 +1027,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC") DOMAIN_KEYS(ECExplicitPrimeNamedCurve); IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1) IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC") @@ -160,7 +160,7 @@ index 14648287eb..9a437d8c64 100644 # ifndef OPENSSL_NO_EC2M DOMAIN_KEYS(ECExplicitTriNamedCurve); IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1) -@@ -1352,7 +1352,7 @@ int setup_tests(void) +@@ -1445,7 +1445,7 @@ int setup_tests(void) || !create_ec_explicit_prime_params_namedcurve(bld_prime_nc) || !create_ec_explicit_prime_params(bld_prime) || !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc)) @@ -169,7 +169,7 @@ index 14648287eb..9a437d8c64 100644 # ifndef OPENSSL_NO_EC2M || !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new()) || !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new()) -@@ -1380,7 +1380,7 @@ int setup_tests(void) +@@ -1473,7 +1473,7 @@ int setup_tests(void) TEST_info("Generating EC keys..."); MAKE_DOMAIN_KEYS(EC, "EC", EC_params); MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc); @@ -178,7 +178,7 @@ index 14648287eb..9a437d8c64 100644 # ifndef OPENSSL_NO_EC2M MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc); MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit); -@@ -1423,8 +1423,8 @@ int setup_tests(void) +@@ -1553,8 +1553,8 @@ int setup_tests(void) ADD_TEST_SUITE_LEGACY(EC); ADD_TEST_SUITE(ECExplicitPrimeNamedCurve); ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve); 
@@ -189,7 +189,7 @@ index 14648287eb..9a437d8c64 100644 # ifndef OPENSSL_NO_EC2M ADD_TEST_SUITE(ECExplicitTriNamedCurve); ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve); -@@ -1461,7 +1461,7 @@ void cleanup_tests(void) +@@ -1631,7 +1631,7 @@ void cleanup_tests(void) { #ifndef OPENSSL_NO_EC OSSL_PARAM_free(ec_explicit_prime_params_nc); @@ -198,7 +198,7 @@ index 14648287eb..9a437d8c64 100644 OSSL_PARAM_BLD_free(bld_prime_nc); OSSL_PARAM_BLD_free(bld_prime); # ifndef OPENSSL_NO_EC2M -@@ -1483,7 +1483,7 @@ void cleanup_tests(void) +@@ -1653,7 +1653,7 @@ void cleanup_tests(void) #ifndef OPENSSL_NO_EC FREE_DOMAIN_KEYS(EC); FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve); @@ -208,7 +208,7 @@ index 14648287eb..9a437d8c64 100644 FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve); FREE_DOMAIN_KEYS(ECExplicitTri2G); diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt -index ec3c032aba..584ecee0eb 100644 +index 54b143bead..06ec905be0 100644 --- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt @@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj @@ -231,5 +231,5 @@ index ec3c032aba..584ecee0eb 100644 -----BEGIN PRIVATE KEY----- MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K -- -2.41.0 +2.49.0 diff --git a/openssl-Enable-BTI-feature-for-md5-on-aarch64.patch b/openssl-Enable-BTI-feature-for-md5-on-aarch64.patch deleted file mode 100644 index 031bef4..0000000 --- a/openssl-Enable-BTI-feature-for-md5-on-aarch64.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From d2bfec6e464aeb247a2d6853668d4e473f19e15f Mon Sep 17 00:00:00 2001 -From: "fangming.fang" -Date: Thu, 7 Dec 2023 06:17:51 +0000 -Subject: [PATCH] Enable BTI feature for md5 on aarch64 - -Fixes: #22959 ---- - crypto/md5/asm/md5-aarch64.pl | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl -index 3200a0fa9bff0..5a8608069691d 100755 ---- a/crypto/md5/asm/md5-aarch64.pl -+++ b/crypto/md5/asm/md5-aarch64.pl -@@ -28,10 +28,13 @@ - *STDOUT=*OUT; - - $code .= <strength, - drbg->min_entropylen, drbg->max_entropylen, -@@ -662,8 +665,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d - reseed_required = 1; - } - if (drbg->parent != NULL -- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) -+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { -+#ifdef FIPS_MODULE -+ /* SUSE patches provide chain reseeding when necessary so just sync counters*/ -+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); -+#else - reseed_required = 1; -+#endif -+ } - - if (reseed_required || prediction_resistance) { - if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0, -Index: openssl-3.1.4/crypto/rand/prov_seed.c -=================================================================== ---- openssl-3.1.4.orig/crypto/rand/prov_seed.c -+++ openssl-3.1.4/crypto/rand/prov_seed.c -@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused - size_t entropy_available; - RAND_POOL *pool; - -- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); -+ /* -+ * OpenSSL still implements an internal entropy pool of -+ * some size that is hashed to get seed data. -+ * Note that this is a conditioning step for which SP800-90C requires -+ * 64 additional bits from the entropy source to claim the requested -+ * amount of entropy. 
-+ */ -+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); - if (pool == NULL) { - ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE); - return 0; -Index: openssl-3.1.4/providers/implementations/rands/crngt.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/rands/crngt.c -+++ openssl-3.1.4/providers/implementations/rands/crngt.c -@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG - * to the nearest byte. If the entropy is of less than full quality, - * the amount required should be scaled up appropriately here. - */ -- bytes_needed = (entropy + 7) / 8; -+ /* -+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy -+ * + 128 bits during initial seeding -+ */ -+ bytes_needed = (entropy + 128 + 7) / 8; - if (bytes_needed < min_len) - bytes_needed = min_len; - if (bytes_needed > max_len) -Index: openssl-3.1.4/providers/implementations/rands/drbg_local.h -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/rands/drbg_local.h -+++ openssl-3.1.4/providers/implementations/rands/drbg_local.h -@@ -38,7 +38,7 @@ - * - * The value is in bytes. - */ --#define CRNGT_BUFSIZ 16 -+#define CRNGT_BUFSIZ 32 - - /* - * Maximum input size for the DRBG (entropy, nonce, personalization string) -Index: openssl-3.1.4/providers/implementations/rands/seed_src.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/rands/seed_src.c -+++ openssl-3.1.4/providers/implementations/rands/seed_src.c -@@ -104,7 +104,14 @@ static int seed_src_generate(void *vseed - return 0; - } - -- pool = ossl_rand_pool_new(strength, 1, outlen, outlen); -+ /* -+ * OpenSSL still implements an internal entropy pool of -+ * some size that is hashed to get seed data. 
-+ * Note that this is a conditioning step for which SP800-90C requires -+ * 64 additional bits from the entropy source to claim the requested -+ * amount of entropy. -+ */ -+ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen); - if (pool == NULL) { - ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); - return 0; -@@ -184,7 +191,14 @@ static size_t seed_get_seed(void *vseed, - size_t i; - RAND_POOL *pool; - -- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); -+ /* -+ * OpenSSL still implements an internal entropy pool of -+ * some size that is hashed to get seed data. -+ * Note that this is a conditioning step for which SP800-90C requires -+ * 64 additional bits from the entropy source to claim the requested -+ * amount of entropy. -+ */ -+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); - if (pool == NULL) { - ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); - return 0; diff --git a/openssl-FIPS-140-3-keychecks.patch b/openssl-FIPS-140-3-keychecks.patch index ea7f344..cdb1c53 100644 --- a/openssl-FIPS-140-3-keychecks.patch +++ b/openssl-FIPS-140-3-keychecks.patch 
@@ -1,26 +1,162 @@ -From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 12:05:23 +0200 -Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch +From 36d037a91a3ad76988c4495547c2bca33b525811 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Mon, 24 Mar 2025 10:50:37 -0400 +Subject: [PATCH 27/53] FIPS: RSA: PCTs -Patch-name: 0044-FIPS-140-3-keychecks.patch -Patch-id: 44 -Patch-status: | - # Extra public/private key checks required by FIPS-140-3 +Signed-off-by: Simo Sorce --- - crypto/dh/dh_key.c | 26 ++++++++++ - .../implementations/exchange/ecdh_exch.c | 19 ++++++++ - providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++- providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++ - .../implementations/signature/ecdsa_sig.c | 37 +++++++++++++-- providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++-- - 6 files changed, 162 insertions(+), 9 deletions(-) + 2 files changed, 61 insertions(+), 4 deletions(-) -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index 4e9705beef..83773cceea 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) +Index: openssl-3.5.2/providers/implementations/keymgmt/rsa_kmgmt.c +=================================================================== +--- openssl-3.5.2.orig/providers/implementations/keymgmt/rsa_kmgmt.c ++++ openssl-3.5.2/providers/implementations/keymgmt/rsa_kmgmt.c +@@ -451,6 +451,7 @@ struct rsa_gen_ctx { + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + /* ACVP test parameters */ + OSSL_PARAM *acvp_test_params; ++ void *prov_rsa_ctx; + #endif + }; + +@@ -464,6 +465,12 @@ static int rsa_gencb(int p, int n, BN_GE + return gctx->cb(params, gctx->cbarg); + } + ++#ifdef FIPS_MODULE ++void *rsa_newctx(void *provctx, const char *propq); ++void rsa_freectx(void *vctx); ++int do_rsa_pct(void *, const char *, void *); ++#endif ++ + 
static void *gen_init(void *provctx, int selection, int rsa_type, + const OSSL_PARAM params[]) + { +@@ -491,6 +498,10 @@ static void *gen_init(void *provctx, int + + if (!rsa_gen_set_params(gctx, params)) + goto err; ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); ++#endif + return gctx; + + err: +@@ -647,6 +658,11 @@ static void *rsa_gen(void *genctx, OSSL_ + + rsa = rsa_tmp; + rsa_tmp = NULL; ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) ++ abort(); ++#endif + err: + BN_GENCB_free(gencb); + RSA_free(rsa_tmp); +@@ -662,6 +678,8 @@ static void rsa_gen_cleanup(void *genctx + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); + gctx->acvp_test_params = NULL; ++ rsa_freectx(gctx->prov_rsa_ctx); ++ gctx->prov_rsa_ctx = NULL; + #endif + BN_clear_free(gctx->pub_exp); + OPENSSL_free(gctx); +Index: openssl-3.5.2/providers/implementations/signature/rsa_sig.c +=================================================================== +--- openssl-3.5.2.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.5.2/providers/implementations/signature/rsa_sig.c +@@ -35,7 +35,7 @@ + + #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 + +-static OSSL_FUNC_signature_newctx_fn rsa_newctx; ++OSSL_FUNC_signature_newctx_fn rsa_newctx; + static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; + static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; +@@ -52,7 +52,7 @@ static OSSL_FUNC_signature_digest_sign_f + static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update; + static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn rsa_freectx; ++OSSL_FUNC_signature_freectx_fn 
rsa_freectx; + static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; + static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types; + static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; +@@ -224,7 +224,7 @@ static int rsa_check_parameters(PROV_RSA + return 1; + } + +-static void *rsa_newctx(void *provctx, const char *propq) ++void *rsa_newctx(void *provctx, const char *propq) + { + PROV_RSA_CTX *prsactx = NULL; + char *propq_copy = NULL; +@@ -1313,7 +1313,7 @@ int rsa_digest_verify_final(void *vprsac + return ok; + } + +-static void rsa_freectx(void *vprsactx) ++void rsa_freectx(void *vprsactx) + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + +@@ -1858,6 +1858,45 @@ static const OSSL_PARAM *rsa_settable_ct + return EVP_MD_settable_ctx_params(prsactx->md); + } + ++#ifdef FIPS_MODULE ++int do_rsa_pct(void *vctx, const char *mdname, void *rsa) ++{ ++ static const unsigned char data[32]; ++ unsigned char *sigbuf = NULL; ++ size_t siglen = 0; ++ int ret = 0; ++ ++ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0) ++ return 0; ++ ++ if (rsa_digest_sign_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0) ++ return 0; ++ ++ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_update(vctx, data, sizeof(data)) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ goto err; ++ ret = 1; ++ ++ err: ++ OPENSSL_free(sigbuf); ++ return ret; ++} ++#endif ++ + const OSSL_DISPATCH ossl_rsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, +Index: openssl-3.5.2/crypto/dh/dh_key.c +=================================================================== +--- 
openssl-3.5.2.orig/crypto/dh/dh_key.c ++++ openssl-3.5.2/crypto/dh/dh_key.c +@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *k BN_MONT_CTX *mont = NULL; BIGNUM *z = NULL, *pminus1; int ret = -1; @@ -30,7 +166,7 @@ index 4e9705beef..83773cceea 100644 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) +@@ -60,6 +63,13 @@ int ossl_dh_compute_key(unsigned char *k return 0; } @@ -44,7 +180,7 @@ index 4e9705beef..83773cceea 100644 ctx = BN_CTX_new_ex(dh->libctx); if (ctx == NULL) goto err; -@@ -262,6 +272,9 @@ static int generate_key(DH *dh) +@@ -271,6 +281,9 @@ static int generate_key(DH *dh) #endif BN_CTX *ctx = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; @@ -54,7 +190,7 @@ index 4e9705beef..83773cceea 100644 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -@@ -354,8 +367,21 @@ static int generate_key(DH *dh) +@@ -369,8 +382,21 @@ static int generate_key(DH *dh) if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key)) goto err; @@ -68,7 +204,7 @@ index 4e9705beef..83773cceea 100644 dh->pub_key = pub_key; dh->priv_key = priv_key; +#ifdef FIPS_MODULE -+ if (ossl_dh_check_pairwise(dh) <= 0) { ++ if (ossl_dh_check_pairwise(dh, 0) <= 0) { + abort(); + } +#endif 
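Review bot: The new gen_init lines in rsa_kmgmt.c store `rsa_newctx(provctx, NULL)` into gctx->prov_rsa_ctx without checking for NULL, and the `gctx != NULL` test there is redundant because the same gctx was just passed to rsa_gen_set_params and is returned on the next line; if the allocation fails, rsa_gen later hands a NULL context to do_rsa_pct, which presumably makes rsa_digest_sign_init return 0 and turns a recoverable allocation failure into abort(). Replace the two lines with `if ((gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL)) == NULL)` / `goto err;` so the existing err: path (whose body is outside this hunk) handles it. Separately, `void *prov_rsa_ctx;` is declared under `#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)` and freed under the same guard in rsa_gen_cleanup, while gen_init and rsa_gen touch it under plain `#ifdef FIPS_MODULE`, so a FIPS build with OPENSSL_NO_ACVP_TESTS would not compile; either move the field and the rsa_freectx call into a plain `#ifdef FIPS_MODULE` block or align the other two guards with the declaration. A short comment above the do_rsa_pct prototype noting that the signature context is created once per generation context and released in rsa_gen_cleanup would help readers of rsa_kmgmt.c, since the definition lives in rsa_sig.c.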
@@ -76,12 +212,12 @@ index 4e9705beef..83773cceea 100644 dh->dirty_cnt++; ok = 1; err: -diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c -index 43caedb6df..73873f9758 100644 ---- a/providers/implementations/exchange/ecdh_exch.c -+++ b/providers/implementations/exchange/ecdh_exch.c -@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret, - } +Index: openssl-3.5.2/providers/implementations/exchange/ecdh_exch.c +=================================================================== +--- openssl-3.5.2.orig/providers/implementations/exchange/ecdh_exch.c ++++ openssl-3.5.2/providers/implementations/exchange/ecdh_exch.c +@@ -560,6 +560,25 @@ int ecdh_plain_derive(void *vpecdhctx, u + #endif ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); +#ifdef FIPS_MODULE @@ -106,17 +242,18 @@ index 43caedb6df..73873f9758 100644 retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); -diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c -index a37cbbdba8..bca3f3c674 100644 ---- a/providers/implementations/keymgmt/ec_kmgmt.c -+++ b/providers/implementations/keymgmt/ec_kmgmt.c -@@ -989,8 +989,17 @@ struct ec_gen_ctx { - int selection; - int ecdh_mode; +Index: openssl-3.5.2/providers/implementations/keymgmt/ec_kmgmt.c +=================================================================== +--- openssl-3.5.2.orig/providers/implementations/keymgmt/ec_kmgmt.c ++++ openssl-3.5.2/providers/implementations/keymgmt/ec_kmgmt.c +@@ -1010,9 +1010,18 @@ struct ec_gen_ctx { EC_GROUP *gen_group; + unsigned char *dhkem_ikm; + size_t dhkem_ikmlen; +#ifdef FIPS_MODULE + void *ecdsa_sig_ctx; +#endif + OSSL_FIPS_IND_DECLARE }; +#ifdef FIPS_MODULE 
@@ -128,7 +265,7 @@ index a37cbbdba8..bca3f3c674 100644 static void *ec_gen_init(void *provctx, int selection, const OSSL_PARAM params[]) { -@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection, +@@ -1032,6 +1041,10 @@ static void *ec_gen_init(void *provctx, gctx = NULL; } } @@ -139,7 +276,7 @@ index a37cbbdba8..bca3f3c674 100644 return gctx; } -@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) +@@ -1343,6 +1356,12 @@ static void *ec_gen(void *genctx, OSSL_C if (gctx->ecdh_mode != -1) ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); @@ -151,8 +288,8 @@ index a37cbbdba8..bca3f3c674 100644 +#endif if (gctx->group_check != NULL) - ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check); -@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx) + ret = ret && ossl_ec_set_check_group_type_from_name(ec, +@@ -1413,7 +1432,10 @@ static void ec_gen_cleanup(void *genctx) if (gctx == NULL) return; 
@@ -161,90 +298,33 @@ index a37cbbdba8..bca3f3c674 100644 + ecdsa_freectx(gctx->ecdsa_sig_ctx); + gctx->ecdsa_sig_ctx = NULL; +#endif + OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen); EC_GROUP_free(gctx->gen_group); BN_free(gctx->p); - BN_free(gctx->a); -diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c -index 3ba12c4889..ff49f8fcd8 100644 ---- a/providers/implementations/keymgmt/rsa_kmgmt.c -+++ b/providers/implementations/keymgmt/rsa_kmgmt.c -@@ -434,6 +434,7 @@ struct rsa_gen_ctx { - #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) - /* ACVP test parameters */ - OSSL_PARAM *acvp_test_params; -+ void *prov_rsa_ctx; - #endif - }; - -@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb) - return gctx->cb(params, gctx->cbarg); - } - -+#ifdef FIPS_MODULE -+void *rsa_newctx(void *provctx, const char *propq); -+void rsa_freectx(void *vctx); -+int do_rsa_pct(void *, const char *, void *); -+#endif -+ - static void *gen_init(void *provctx, int selection, int rsa_type, - const OSSL_PARAM params[]) - { -@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type, - - if (!rsa_gen_set_params(gctx, params)) - goto err; -+#ifdef FIPS_MODULE -+ if (gctx != NULL) -+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); -+#endif - return gctx; - - err: -@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) - - rsa = rsa_tmp; - rsa_tmp = NULL; -+#ifdef FIPS_MODULE -+ /* Pairwise consistency test */ -+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) -+ abort(); -+#endif - err: - BN_GENCB_free(gencb); - RSA_free(rsa_tmp); -@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx) - #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) - ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); - gctx->acvp_test_params = NULL; -+ rsa_freectx(gctx->prov_rsa_ctx); -+ gctx->prov_rsa_ctx = NULL; - #endif - 
BN_clear_free(gctx->pub_exp); - OPENSSL_free(gctx); -diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c -index 865d49d100..ebeb30e002 100644 ---- a/providers/implementations/signature/ecdsa_sig.c -+++ b/providers/implementations/signature/ecdsa_sig.c -@@ -32,7 +32,7 @@ - #include "crypto/ec.h" +Index: openssl-3.5.2/providers/implementations/signature/ecdsa_sig.c +=================================================================== +--- openssl-3.5.2.orig/providers/implementations/signature/ecdsa_sig.c ++++ openssl-3.5.2/providers/implementations/signature/ecdsa_sig.c +@@ -33,7 +33,7 @@ #include "prov/der_ec.h" + #include "crypto/ec.h" -static OSSL_FUNC_signature_newctx_fn ecdsa_newctx; +OSSL_FUNC_signature_newctx_fn ecdsa_newctx; static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; static OSSL_FUNC_signature_sign_fn ecdsa_sign; -@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final; +@@ -48,7 +48,7 @@ static OSSL_FUNC_signature_digest_sign_f static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final; -static OSSL_FUNC_signature_freectx_fn ecdsa_freectx; +OSSL_FUNC_signature_freectx_fn ecdsa_freectx; static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx; + static OSSL_FUNC_signature_query_key_types_fn ecdsa_sigalg_query_key_types; static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; - static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params; -@@ -104,7 +104,7 @@ typedef struct { - #endif +@@ -139,7 +139,7 @@ typedef struct { + OSSL_FIPS_IND_DECLARE } PROV_ECDSA_CTX; -static void *ecdsa_newctx(void *provctx, const char *propq) 
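Review bot: The rebased patch drops the rsa_kmgmt.c and rsa_sig.c additions (`prov_rsa_ctx`, `do_rsa_pct`, and the post-generation RSA sign/verify pairwise check) while the EC side keeps its `ecdsa_sig_ctx` plumbing, and nothing in the hunk records why. If upstream 3.5.2 already performs an equivalent sign/verify pairwise consistency test in rsa_gen under FIPS_MODULE this is fine, but the patch header should say so explicitly so the asymmetry is not later read as an accidental loss of a FIPS 140-3 self-test. The ec_gen_cleanup part itself looks right: `ecdsa_freectx(gctx->ecdsa_sig_ctx);` runs before the remaining frees and the pointer is reset to NULL; the rest of ec_gen_cleanup lies outside the hunk.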
@@ -252,8 +332,8 @@ index 865d49d100..ebeb30e002 100644 { PROV_ECDSA_CTX *ctx; -@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig, - return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen); +@@ -612,7 +612,7 @@ int ecdsa_digest_verify_final(void *vctx + return ok; } -static void ecdsa_freectx(void *vctx) @@ -261,7 +341,7 @@ index 865d49d100..ebeb30e002 100644 { PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; -@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx) +@@ -861,6 +861,35 @@ static const OSSL_PARAM *ecdsa_settable_ return EVP_MD_settable_ctx_params(ctx->md); } 
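Review bot: `ecdsa_newctx` and `ecdsa_freectx` are given external linkage here without the `ossl_` prefix the provider code uses for symbols shared across files, and the caller presumably reaches them through local prototypes in ec_kmgmt.c (as the dropped RSA version of this patch did with `rsa_newctx`/`rsa_freectx`), so a later change to either signature in ecdsa_sig.c would not be caught by the compiler. Declare both in a shared provider header instead, e.g. `void *ossl_ecdsa_newctx(void *provctx, const char *propq);` and `void ossl_ecdsa_freectx(void *vctx);`, and include it from both ecdsa_sig.c and ec_kmgmt.c. The bodies of both functions extend outside the hunks shown.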
@@ -297,92 +377,3 @@ index 865d49d100..ebeb30e002 100644 const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, -diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index cd5de6bd51..d4261e8f7d 100644 ---- a/providers/implementations/signature/rsa_sig.c -+++ b/providers/implementations/signature/rsa_sig.c -@@ -34,7 +34,7 @@ - - #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 - --static OSSL_FUNC_signature_newctx_fn rsa_newctx; -+OSSL_FUNC_signature_newctx_fn rsa_newctx; - static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; - static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; - static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; -@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; - static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; - static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; - static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; --static OSSL_FUNC_signature_freectx_fn rsa_freectx; -+OSSL_FUNC_signature_freectx_fn rsa_freectx; - static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; - static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; - static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; -@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) - return 1; - } - --static void *rsa_newctx(void *provctx, const char *propq) -+void *rsa_newctx(void *provctx, const char *propq) - { - PROV_RSA_CTX *prsactx = NULL; - char *propq_copy = NULL; -@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, - return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); - } - --static void rsa_freectx(void *vprsactx) -+void rsa_freectx(void 
*vprsactx) - { - PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; - -@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) - return EVP_MD_settable_ctx_params(prsactx->md); - } - -+#ifdef FIPS_MODULE -+int do_rsa_pct(void *vctx, const char *mdname, void *rsa) -+{ -+ static const unsigned char data[32]; -+ unsigned char *sigbuf = NULL; -+ size_t siglen = 0; -+ int ret = 0; -+ -+ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0) -+ return 0; -+ -+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) -+ return 0; -+ -+ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0) -+ return 0; -+ -+ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL) -+ return 0; -+ -+ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0) -+ goto err; -+ -+ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) -+ goto err; -+ -+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) -+ goto err; -+ -+ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) -+ goto err; -+ ret = 1; -+ -+ err: -+ OPENSSL_free(sigbuf); -+ return ret; -+} -+#endif -+ - const OSSL_DISPATCH ossl_rsa_signature_functions[] = { - { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, - { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, --- -2.41.0 - diff --git a/openssl-FIPS-140-3-zeroization.patch b/openssl-FIPS-140-3-zeroization.patch deleted file mode 100644 index 5e9d9b4..0000000 --- a/openssl-FIPS-140-3-zeroization.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -Index: openssl-3.1.4/crypto/ffc/ffc_params.c -=================================================================== ---- openssl-3.1.4.orig/crypto/ffc/ffc_params.c -+++ openssl-3.1.4/crypto/ffc/ffc_params.c -@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa - - void ossl_ffc_params_cleanup(FFC_PARAMS *params) - { -- BN_free(params->p); -- BN_free(params->q); -- BN_free(params->g); -- BN_free(params->j); -+ BN_clear_free(params->p); -+ BN_clear_free(params->q); -+ BN_clear_free(params->g); -+ BN_clear_free(params->j); - OPENSSL_free(params->seed); - ossl_ffc_params_init(params); - } -Index: openssl-3.1.4/crypto/rsa/rsa_lib.c -=================================================================== ---- openssl-3.1.4.orig/crypto/rsa/rsa_lib.c -+++ openssl-3.1.4/crypto/rsa/rsa_lib.c -@@ -155,8 +155,8 @@ void RSA_free(RSA *r) - - CRYPTO_THREAD_lock_free(r->lock); - -- BN_free(r->n); -- BN_free(r->e); -+ BN_clear_free(r->n); -+ BN_clear_free(r->e); - BN_clear_free(r->d); - BN_clear_free(r->p); - BN_clear_free(r->q); -Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/hkdf.c -+++ openssl-3.1.4/providers/implementations/kdfs/hkdf.c -@@ -118,7 +118,7 @@ static void kdf_hkdf_reset(void *vctx) - void *provctx = ctx->provctx; - - ossl_prov_digest_reset(&ctx->digest); -- OPENSSL_free(ctx->salt); -+ OPENSSL_clear_free(ctx->salt, ctx->salt_len); - OPENSSL_free(ctx->prefix); - OPENSSL_free(ctx->label); - OPENSSL_clear_free(ctx->data, ctx->data_len); -Index: openssl-3.1.4/providers/implementations/kdfs/pbkdf2.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/pbkdf2.c -+++ openssl-3.1.4/providers/implementations/kdfs/pbkdf2.c -@@ -92,7 +92,7 @@ static void *kdf_pbkdf2_new(void *provct - static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx) - { - 
ossl_prov_digest_reset(&ctx->digest); -- OPENSSL_free(ctx->salt); -+ OPENSSL_clear_free(ctx->salt, ctx->salt_len); - OPENSSL_clear_free(ctx->pass, ctx->pass_len); - memset(ctx, 0, sizeof(*ctx)); - } -Index: openssl-3.1.4/crypto/ec/ec_lib.c -=================================================================== ---- openssl-3.1.4.orig/crypto/ec/ec_lib.c -+++ openssl-3.1.4/crypto/ec/ec_lib.c -@@ -752,12 +752,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g - - void EC_POINT_free(EC_POINT *point) - { -+#ifdef FIPS_MODULE -+ EC_POINT_clear_free(point); -+#else - if (point == NULL) - return; - - if (point->meth->point_finish != 0) - point->meth->point_finish(point); - OPENSSL_free(point); -+#endif - } - - void EC_POINT_clear_free(EC_POINT *point) diff --git a/openssl-FIPS-Add-explicit-indicator-for-key-length.patch b/openssl-FIPS-Add-explicit-indicator-for-key-length.patch deleted file mode 100644 index bfbe885..0000000 --- a/openssl-FIPS-Add-explicit-indicator-for-key-length.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 17 Nov 2022 18:08:24 +0100 -Subject: [PATCH] hmac: Add explicit FIPS indicator for key length - -NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms" -specifies key lengths < 112 bytes are disallowed for HMAC generation and -are legacy use for HMAC verification. - -Add an explicit indicator that will mark shorter key lengths as -unsupported. The indicator can be queries from the EVP_MAC_CTX object -using EVP_MAC_CTX_get_params() with the - OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR -parameter. - -Signed-off-by: Clemens Lang ---- - include/crypto/evp.h | 7 +++++++ - include/openssl/evp.h | 3 +++ - providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++ - 4 files changed, 28 insertions(+) - -Index: openssl-3.1.4/include/crypto/evp.h -=================================================================== ---- openssl-3.1.4.orig/include/crypto/evp.h -+++ openssl-3.1.4/include/crypto/evp.h -@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_m - const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void); - const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void); - -+#ifdef FIPS_MODULE -+/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key -+ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for -+ * HMAC verification. 
*/ -+# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8) -+#endif -+ - struct evp_mac_st { - OSSL_PROVIDER *prov; - int name_id; -Index: openssl-3.1.4/include/openssl/evp.h -=================================================================== ---- openssl-3.1.4.orig/include/openssl/evp.h -+++ openssl-3.1.4/include/openssl/evp.h -@@ -1196,6 +1196,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX - void *arg); - - /* MAC stuff */ -+# define EVP_MAC_SUSE_FIPS_INDICATOR_UNDETERMINED 0 -+# define EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED 1 -+# define EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED 2 - - EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm, - const char *properties); -Index: openssl-3.1.4/providers/implementations/macs/hmac_prov.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/macs/hmac_prov.c -+++ openssl-3.1.4/providers/implementations/macs/hmac_prov.c -@@ -21,6 +21,8 @@ - #include - #include - -+#include "crypto/evp.h" -+ - #include "prov/implementations.h" - #include "prov/provider_ctx.h" - #include "prov/provider_util.h" -@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, uns - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), - OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx, -@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vma - && !OSSL_PARAM_set_int(p, hmac_block_size(macctx))) - return 0; - -+#ifdef FIPS_MODULE -+ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR)) != NULL) { -+ int fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED; -+ /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms -+ * specifies key lengths < 112 bytes are disallowed for HMAC generation 
-+ * and legacy use for HMAC verification. */ -+ if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ return OSSL_PARAM_set_int(p, fips_indicator); -+ } -+#endif /* defined(FIPS_MODULE) */ -+ - return 1; - } - -Index: openssl-3.1.4/include/openssl/core_names.h -=================================================================== ---- openssl-3.1.4.orig/include/openssl/core_names.h -+++ openssl-3.1.4/include/openssl/core_names.h -@@ -175,6 +175,7 @@ extern "C" { - #define OSSL_MAC_PARAM_SIZE "size" /* size_t */ - #define OSSL_MAC_PARAM_BLOCK_SIZE "block-size" /* size_t */ - #define OSSL_MAC_PARAM_TLS_DATA_SIZE "tls-data-size" /* size_t */ -+#define OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" /* size_t */ - - /* Known MAC names */ - #define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC" diff --git a/openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch b/openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch new file mode 100644 index 0000000..062978a --- /dev/null +++ b/openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch 
@@ -0,0 +1,184 @@ +From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Tue, 1 Mar 2022 15:44:18 +0100 +Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes + +--- + crypto/x509/x509_vfy.c | 19 ++++++++++- + doc/man5/config.pod | 7 +++- + ssl/t1_lib.c | 64 ++++++++++++++++++++++++++++------- + test/recipes/25-test_verify.t | 7 ++-- + 4 files changed, 79 insertions(+), 18 deletions(-) + +Index: openssl-3.5.1/crypto/x509/x509_vfy.c +=================================================================== +--- openssl-3.5.1.orig/crypto/x509/x509_vfy.c ++++ openssl-3.5.1/crypto/x509/x509_vfy.c +@@ -25,6 +25,7 @@ + #include + #include + #include "internal/dane.h" ++#include "internal/sslconf.h" + #include "crypto/x509.h" + #include "x509_local.h" + +@@ -3745,14 +3746,30 @@ static int check_sig_level(X509_STORE_CT + { + int secbits = -1; + int level = ctx->param->auth_level; ++ int nid; ++ OSSL_LIB_CTX *libctx = NULL; + + if (level <= 0) + return 1; + if (level > NUM_AUTH_LEVELS) + level = NUM_AUTH_LEVELS; + +- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) ++ if (ctx->libctx) ++ libctx = ctx->libctx; ++ else if (cert->libctx) ++ libctx = cert->libctx; ++ else ++ libctx = OSSL_LIB_CTX_get0_global_default(); ++ ++ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL)) + return 0; + ++ if (nid == NID_sha1 ++ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) ++ && ctx->param->auth_level < 3) ++ /* When rh-allow-sha1-signatures = yes and security level <= 2, ++ * explicitly allow SHA1 for backwards compatibility. 
*/ ++ return 1; ++ + return secbits >= minbits_table[level - 1]; + } +Index: openssl-3.5.1/ssl/t1_lib.c +=================================================================== +--- openssl-3.5.1.orig/ssl/t1_lib.c ++++ openssl-3.5.1/ssl/t1_lib.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include "crypto/x509.h" + #include "internal/sslconf.h" + #include "internal/nelem.h" + #include "internal/sizes.h" +@@ -2809,19 +2810,27 @@ int tls12_check_peer_sigalg(SSL_CONNECTI + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); + return 0; + } +- /* +- * Make sure security callback allows algorithm. For historical +- * reasons we have to pass the sigalg as a two byte char array. +- */ +- sigalgstr[0] = (sig >> 8) & 0xff; +- sigalgstr[1] = sig & 0xff; +- secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); +- if (secbits == 0 || +- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, +- md != NULL ? EVP_MD_get_type(md) : NID_undef, +- (void *)sigalgstr)) { +- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); +- return 0; ++ ++ if (lu->hash == NID_sha1 ++ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0) ++ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) { ++ /* when rh-allow-sha1-signatures = yes and security level <= 2, ++ * explicitly allow SHA1 for backwards compatibility */ ++ } else { ++ /* ++ * Make sure security callback allows algorithm. For historical ++ * reasons we have to pass the sigalg as a two byte char array. ++ */ ++ sigalgstr[0] = (sig >> 8) & 0xff; ++ sigalgstr[1] = sig & 0xff; ++ secbits = sigalg_security_bits(s->session_ctx, lu); ++ if (secbits == 0 || ++ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, ++ md != NULL ? 
EVP_MD_get_type(md) : NID_undef, ++ (void *)sigalgstr)) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); ++ return 0; ++ } + } + /* Store the sigalg the peer uses */ + s->s3.tmp.peer_sigalg = lu; +@@ -3393,6 +3402,14 @@ static int tls12_sigalg_allowed(const SS + } + } + ++ if (lu->hash == NID_sha1 ++ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0) ++ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) { ++ /* when rh-allow-sha1-signatures = yes and security level <= 2, ++ * explicitly allow SHA1 for backwards compatibility */ ++ return 1; ++ } ++ + /* Finally see if security callback allows it */ + secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); + sigalgstr[0] = (lu->sigalg >> 8) & 0xff; +@@ -4383,6 +4400,8 @@ static int ssl_security_cert_sig(SSL_CON + { + /* Lookup signature algorithm digest */ + int secbits, nid, pknid; ++ OSSL_LIB_CTX *libctx = NULL; ++ + + /* Don't check signature if self signed */ + if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) +@@ -4392,6 +4411,25 @@ static int ssl_security_cert_sig(SSL_CON + /* If digest NID not defined use signature NID */ + if (nid == NID_undef) + nid = pknid; ++ ++ if (x && x->libctx) ++ libctx = x->libctx; ++ else if (ctx && ctx->libctx) ++ libctx = ctx->libctx; ++ else if (s && s->session_ctx && s->session_ctx->libctx) ++ libctx = s->session_ctx->libctx; ++ else ++ libctx = OSSL_LIB_CTX_get0_global_default(); ++ ++ if (nid == NID_sha1 ++ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) ++ && ((s != NULL && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) ++ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3) ++ )) ++ /* When rh-allow-sha1-signatures = yes and security level <= 2, ++ * explicitly allow SHA1 for backwards compatibility. 
*/ ++ return 1; ++ + if (s != NULL) + return ssl_security(s, op, secbits, nid, x); + else +Index: openssl-3.5.1/test/recipes/25-test_verify.t +=================================================================== +--- openssl-3.5.1.orig/test/recipes/25-test_verify.t ++++ openssl-3.5.1/test/recipes/25-test_verify.t +@@ -30,7 +30,7 @@ sub verify { + run(app([@args])); + } + +-plan tests => 203; ++plan tests => 202; + + # Canonical success + ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), +@@ -485,8 +485,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root + ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ), + "CA with PSS signature using SHA256"); + +-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"), +- "Reject PSS signature using SHA1 and auth level 1"); ++## rh-allow-sha1-signatures=yes allows this to pass despite -auth_level 1 ++#ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"), ++# "Reject PSS signature using SHA1 and auth level 1"); + + ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), + "PSS signature using SHA256 and auth level 2"); diff --git a/openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch b/openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch new file mode 100644 index 0000000..e3e8f58 --- /dev/null +++ b/openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch 
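Review bot: In tls12_check_peer_sigalg the retained fallback path now calls `sigalg_security_bits(s->session_ctx, lu)` whereas the removed line used `SSL_CONNECTION_GET_CTX(s)`, and tls12_sigalg_allowed in the same patch still uses `SSL_CONNECTION_GET_CTX(s)`; the connection's ctx and its session_ctx can differ once SSL_set_SSL_CTX has been called, so the rebase should keep `secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);`. The early `return 1` in check_sig_level, tls12_sigalg_allowed and ssl_security_cert_sig also skips ssl_security() entirely, so an application security callback installed specifically to reject SHA-1 is never consulted when the system-wide rh-allow-sha1-signatures option is on at level 1-2; consider still invoking the callback (with the legacy-permitted bits) rather than bypassing it. Lastly, 25-test_verify.t comments out the "Reject PSS signature using SHA1 and auth level 1" case instead of asserting the new intended outcome; keep the test and state the expectation, e.g. `ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"), "PSS SHA1 accepted at auth level 1 with rh-allow-sha1-signatures")`, or run it with the option off so the rejection path stays covered.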
@@ -0,0 +1,992 @@ +Index: openssl-3.5.3/providers/implementations/signature/dsa_sig.c +=================================================================== +--- openssl-3.5.3.orig/providers/implementations/signature/dsa_sig.c ++++ openssl-3.5.3/providers/implementations/signature/dsa_sig.c +@@ -187,9 +187,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct + } + #ifdef FIPS_MODULE + { +- int sha1_allowed +- = ((ctx->operation +- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0); ++ int sha1_allowed = 0; + + if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), + OSSL_FIPS_IND_SETTABLE1, +Index: openssl-3.5.3/providers/implementations/signature/ecdsa_sig.c +=================================================================== +--- openssl-3.5.3.orig/providers/implementations/signature/ecdsa_sig.c ++++ openssl-3.5.3/providers/implementations/signature/ecdsa_sig.c +@@ -215,9 +215,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX + + #ifdef FIPS_MODULE + { +- int sha1_allowed +- = ((ctx->operation +- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0); ++ int sha1_allowed = 0; + + if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), + OSSL_FIPS_IND_SETTABLE1, +Index: openssl-3.5.3/providers/implementations/signature/rsa_sig.c +=================================================================== +--- openssl-3.5.3.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.5.3/providers/implementations/signature/rsa_sig.c +@@ -407,9 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct + } + #ifdef FIPS_MODULE + { +- int sha1_allowed +- = ((ctx->operation +- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0); ++ int sha1_allowed = 0; + + if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), + OSSL_FIPS_IND_SETTABLE1, +@@ -1770,11 +1768,15 @@ static int rsa_set_ctx_params(void *vprs + + if (prsactx->md == NULL && pmdname == NULL + && pad_mode == RSA_PKCS1_PSS_PADDING) { ++#ifdef FIPS_MODULE ++ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; ++#else + if 
(ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { + pmdname = RSA_DEFAULT_DIGEST_NAME; + } else { + pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; + } ++#endif + } + + if (pmgf1mdname != NULL +Index: openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +=================================================================== +--- openssl-3.5.3.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt ++++ openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC + + Title = ECDSA tests + ++Availablein = default + Verify = P-256-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + + # Digest too long ++Availablein = default + Verify = P-256-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF12345" +@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a + Result = VERIFY_ERROR + + # Digest too short ++Availablein = default + Verify = P-256-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF123" +@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a + Result = VERIFY_ERROR + + # Digest invalid ++Availablein = default + Verify = P-256-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1235" +@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a + Result = VERIFY_ERROR + + # Invalid signature ++Availablein = default + Verify = P-256-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a + Result = VERIFY_ERROR + + # BER signature ++Availablein = default + Verify = P-256-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000 + Result = VERIFY_ERROR + ++Availablein = default + Verify = 
P-256-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -237,7 +244,7 @@ Unapproved = 1 + CtrlInit = digest-check:0 + Key = P-256 + Input = "Hello World" +-Result = SIGNATURE_MISMATCH ++Result = DIGESTSIGNINIT_ERROR + + # Test that SHA1 is not allowed in fips mode for signing + FIPSversion = >=3.4.0 +@@ -247,7 +254,7 @@ Unapproved = 1 + CtrlInit = digest-check:0 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +-Result = KEYOP_MISMATCH ++Result = PKEY_CTRL_ERROR + + FIPSversion = >=3.6.0 + Sign = P-256 +Index: openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt +=================================================================== +--- openssl-3.5.3.orig/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt ++++ openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt +@@ -37,34 +37,34 @@ PrivPubKeyPair = P-256:P-256-PUBLIC + + Title = ECDSA tests + +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF1234" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + + # Digest too long +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF12345" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + Result = VERIFY_ERROR + + # Digest too short +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF123" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + Result = VERIFY_ERROR + + # Digest invalid +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF1235" + Output = 
3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + Result = VERIFY_ERROR + + # Invalid signature +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF1234" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7 +@@ -78,16 +78,64 @@ Output = 3045022100b1d1cb1a577035bccdd5a + Result = VERIFY_ERROR + + # BER signature +-FIPSversion = >=3.4.0 ++Availablein = default + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF1234" + Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000 + Result = VERIFY_ERROR + ++Availablein = fips ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF1234" ++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 ++Result = KEYOP_INIT_ERROR ++ ++# Digest too long ++Availablein = fips ++FIPSversion = >=3.4.0 ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF12345" ++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 ++Result = KEYOP_INIT_ERROR ++ ++# Digest too short ++Availablein = fips ++FIPSversion = >=3.4.0 ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF123" ++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 ++Result = KEYOP_INIT_ERROR ++ ++# Digest invalid ++Availablein = fips ++FIPSversion = >=3.4.0 ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF1235" ++Output = 
3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 ++Result = KEYOP_INIT_ERROR ++ ++# Invalid signature ++Availablein = fips ++FIPSversion = >=3.4.0 ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF1234" ++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7 ++Result = KEYOP_INIT_ERROR ++ ++# BER signature ++Availablein = fips ++FIPSversion = >=3.4.0 ++Verify = ECDSA-SHA1:P-256-PUBLIC ++Input = "0123456789ABCDEF1234" ++Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000 ++Result = KEYOP_INIT_ERROR ++ ++Availablein = fips + FIPSversion = >=3.4.0 + Verify = ECDSA-SHA1:P-256-PUBLIC + Input = "0123456789ABCDEF1234" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 ++Result = KEYOP_INIT_ERROR + + Title = Sign-Message and Verify-Message + +@@ -236,7 +284,7 @@ Securitycheck = 1 + Unapproved = 1 + CtrlInit = digest-check:0 + Input = "Hello World" +-Result = KEYOP_MISMATCH ++Result = KEYOP_INIT_ERROR + + # Test that SHA1 is not allowed in fips mode for signing + Availablein = fips +@@ -246,4 +294,4 @@ Securitycheck = 1 + Unapproved = 1 + CtrlInit = digest-check:0 + Input = "0123456789ABCDEF1234" +-Result = KEYOP_MISMATCH ++Result = KEYOP_INIT_ERROR +Index: openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +=================================================================== +--- openssl-3.5.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -96,6 +96,7 @@ NDL6WCBbets= + + Title = RSA tests + ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = 
"0123456789ABCDEF1234" +@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224 + Input = "0123456789ABCDEF123456789ABC" + Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17 + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:SHA1 + Input = 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 + Output = "0123456789ABCDEF1234" + + # Leading zero in the signature ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 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 + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:SHA1 + Input = 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 + Result = KEYOP_ERROR + + # Mismatched digest ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1233" +@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547 + Result = VERIFY_ERROR + + # Corrupted signature ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1233" +@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547 + Result = VERIFY_ERROR + + # parameter is not NULLt ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" +@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1b + Result = VERIFY_ERROR + + # embedded digest too long ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" + Output = 
afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:sha1 + Input = 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 + Result = KEYOP_ERROR + + # embedded digest too short ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" + Output = 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 + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:sha1 + Input = 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 + Result = KEYOP_ERROR + + # Garbage after DigestInfo ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" + Output = 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 + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:sha1 + Input = 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 + Result = KEYOP_ERROR + + # invalid tag for parameter ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" +@@ -195,6 +209,7 @@ Result = VERIFY_ERROR + + # Verify using public key + ++Availablein = default + Verify = RSA-2048-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -939,7 +954,8 @@ Input="0123456789ABCDEF0123456789ABCDEF" + Output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erify using salt length auto detect +-FIPSversion = <3.4.0 ++# In the FIPS provider on SUSE/openSUSE, the 
default digest for PSS signatures is SHA-256 ++Availablein = default + Verify = RSA-2048-PUBLIC + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:auto +@@ -974,6 +990,10 @@ Output=4DE433D5844043EF08D354DA03CB29068 + Result = VERIFY_ERROR + + # Verify using default parameters, explicitly setting parameters ++# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which ++# SUSE/openSUSE do not support in FIPS mode; all these tests are thus marked ++# Availablein = default. ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:20 +@@ -982,6 +1002,7 @@ Input="0123456789ABCDEF0123" + Output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erify explicitly setting parameters "digest" salt length ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:digest +@@ -990,20 +1011,21 @@ Input="0123456789ABCDEF0123" + Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF + + # Verify using salt length larger than minimum +-FIPSversion = <3.4.0 ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:30 + Input="0123456789ABCDEF0123" + Output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erify using maximum salt length +-FIPSversion = <3.4.0 ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:max + Input="0123456789ABCDEF0123" + Output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ttempt to change salt length below minimum ++Availablein = 
default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:0 + Result = PKEY_CTRL_ERROR +@@ -1011,21 +1033,25 @@ Result = PKEY_CTRL_ERROR + # Attempt to change padding mode + # Note this used to return PKEY_CTRL_INVALID + # but it is limited because setparams only returns 0 or 1. ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pkcs1 + Result = PKEY_CTRL_ERROR + + # Attempt to change digest ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = digest:sha256 + Result = PKEY_CTRL_ERROR + + # Invalid key: rejected when we try to init ++Availablein = default + Verify = RSA-PSS-BAD + Result = KEYOP_INIT_ERROR + Reason = invalid salt length + + # Invalid key: rejected when we try to init ++Availablein = default + Verify = RSA-PSS-BAD2 + Result = KEYOP_INIT_ERROR + Reason = invalid salt length +@@ -1081,36 +1107,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF + 4fINDOjP+yJJvZohNwIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e + Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd + Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=0652ec67bcee30f9d2699122b91c19abdba89f91 + 
Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=39c21c4cceda9c1adf839c744e1212a6437575ec + Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=36dae913b77bd17cae6e7b09453d24544cebb33c + Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -1126,36 +1158,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E + 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ== + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0 + Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + 
Input=2dac956d53964748ac364d06595827c6b4f143cd + Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958 + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298 + Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e + Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a + 
Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -1173,36 +1211,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5 + BQIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4 + Output=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 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=b503319399277fd6c1c8f1033cbf04199ea21716 + Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=50aaede8536b2c307208b275a67ae2df196c7628 + Output=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 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294 + Output=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 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = 
rsa_mgf1_md:sha1 + Input=fad3902c9750622a2bc672622c48270cc57d3ea8 + Output=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 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -1999,11 +2043,13 @@ Securitycheck = 1 + Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 + Result = KEYOP_INIT_ERROR + +-# Verifying with SHA1 is permitted in fips mode for older applications ++# Verifying with SHA1 is not permitted on SUSE/openSUSE in FIPS mode ++Availablein = fips + DigestVerify = SHA1 + Key = RSA-2048 + Input = "Hello " + Output = 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 ++Result = DIGESTVERIFYINIT_ERROR + + # Verifying with a 1024 bit key is permitted in fips mode for older applications + DigestVerify = SHA256 +@@ -2019,7 +2065,7 @@ Securitycheck = 1 + Key = RSA-2048 + Input = "Hello" + Result = DIGESTSIGNINIT_ERROR +-Reason = invalid digest ++Reason = digest not allowed + + # Signing with a 1024 bit key is not allowed in fips mode + Availablein = fips +@@ -2085,7 +2131,7 @@ Unapproved = 1 + CtrlInit = digest-check:0 + Key = RSA-2048 + Input = "Hello" +-Result = SIGNATURE_MISMATCH ++Result = DIGESTSIGNINIT_ERROR + + Availablein = fips + FIPSversion = >=3.4.0 +Index: openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa.txt +=================================================================== +--- openssl-3.5.3.orig/test/recipes/30-test_evp_data/evppkey_rsa.txt ++++ openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa.txt +@@ -268,8 
+268,8 @@ TwIDAQAB + + PrivPubKeyPair = RSA-PSS:RSA-PSS-DEFAULT + +- + # Wrong MGF1 digest ++Availablein = default + Verify = RSA-2048 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:0 +@@ -280,6 +280,7 @@ Output=4DE433D5844043EF08D354DA03CB29068 + Result = VERIFY_ERROR + + # Verify using default parameters ++Availablein = default + Verify = RSA-PSS-DEFAULT + Input="0123456789ABCDEF0123" + Output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fc6CnohE9iWxFeXpxKWc+PgRO2g0M2ov0mibRyy7 + PRdqAX7cYf0ybEszyQIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=5c81a3e2a658246628cd0ee8b00bb4c012bc9739 + Output=014c5ba5338328ccc6e7a90bf1c0ab3fd606ff4796d3c12e4b639ed9136a5fec6c16d8884bdd99cfdc521456b0742b736868cf90de099adb8d5ffd1deff39ba4007ab746cefdb22d7df0e225f54627dc65466131721b90af445363a8358b9f607642f78fab0ab0f43b7168d64bae70d8827848d8ef1e421c5754ddf42c2589b5b3 + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=27f71611446aa6eabf037f7dedeede3203244991 + Output=010991656cca182b7f29d2dbc007e7ae0fec158eb6759cb9c45c5ff87c7635dd46d150882f4de1e9ae65e7f7d9018f6836954a47c0a81a8a6b6f83f2944d6081b1aa7c759b254b2c34b691da67cc0226e20b2f18b42212761dcd4b908a62b371b5918c5742af4b537e296917674fb914194761621cc19a41f6fb953fbcbb649dea + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=03ecc2c33e93f05fc7224fcc0d461356cb897217 + Output=007f0030018f53cdc71f23d03659fde54d4241f758a750b42f185f87578520c30742afd84359b6e6e8d3ed959dc6fe486bedc8e2cf001f63a7abe16256a1b84df0d249fc05d3194ce5f0912742dbbf80dd174f6c51f6bad7f16cf3364eba095a06267dc3793803ac7526aebe0a475d38b8c2247ab51c4898df7047dc6adf52c6c4 + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=246c727b4b9494849dddb068d582e179ac20999c + 
Output=009cd2f4edbe23e12346ae8c76dd9ad3230a62076141f16c152ba18513a48ef6f010e0e37fd3df10a1ec629a0cb5a3b5d2893007298c30936a95903b6ba85555d9ec3673a06108fd62a2fda56d1ce2e85c4db6b24a81ca3b496c36d4fd06eb7c9166d8e94877c42bea622b3bfe9251fdc21d8d5371badad78a488214796335b40b + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=e8617ca3ea66ce6a58ede2d11af8c3ba8a6ba912 + Output=00ec430824931ebd3baa43034dae98ba646b8c36013d1671c3cf1cf8260c374b19f8e1cc8d965012405e7e9bf7378612dfcc85fce12cda11f950bd0ba8876740436c1d2595a64a1b32efcfb74a21c873b3cc33aaf4e3dc3953de67f0674c0453b4fd9f604406d441b816098cb106fe3472bc251f815f59db2e4378a3addc181ecf + ++Availablein = default + Verify=RSA-PSS-2 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -348,36 +355,42 @@ nQ6tsIdYbKSJM9o8yVPZW9DtUN4Q3ctnNhB9bIMc + 6OWncxclZbkUpHGkQwIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=3552be69dd74bdc56d2cf8c38ef7bafe269040fe + Output=0088b135fb1794b6b96c4a3e678197f8cac52b64b2fe907d6f27de761124964a99a01a882740ecfaed6c01a47464bb05182313c01338a8cd097214cd68ca103bd57d3bc9e816213e61d784f182467abf8a01cf253e99a156eaa8e3e1f90e3c6e4e3aa2d83ed0345b89fafc9c26077c14b6ac51454fa26e446e3a2f153b2b16797f + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=609143ff7240e55c062aba8b9e4426a781919bc9 + Output=02a5f0a858a0864a4f65017a7d69454f3f973a2999839b7bbc48bf78641169179556f595fa41f6ff18e286c2783079bc0910ee9cc34f49ba681124f923dfa88f426141a368a5f5a930c628c2c3c200e18a7644721a0cbec6dd3f6279bde3e8f2be5e2d4ee56f97e7ceaf33054be7042bd91a63bb09f897bd41e81197dee99b11af + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=0afd22f879a9cda7c584f4135f8f1c961db114c0 + 
Output=0244bcd1c8c16955736c803be401272e18cb990811b14f72db964124d5fa760649cbb57afb8755dbb62bf51f466cf23a0a1607576e983d778fceffa92df7548aea8ea4ecad2c29dd9f95bc07fe91ecf8bee255bfe8762fd7690aa9bfa4fa0849ef728c2c42c4532364522df2ab7f9f8a03b63f7a499175828668f5ef5a29e3802c + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=405dd56d395ef0f01b555c48f748cc32b210650b + Output=0196f12a005b98129c8df13c4cb16f8aa887d3c40d96df3a88e7532ef39cd992f273abc370bc1be6f097cfebbf0118fd9ef4b927155f3df22b904d90702d1f7ba7a52bed8b8942f412cd7bd676c9d18e170391dcd345c06a730964b3f30bcce0bb20ba106f9ab0eeb39cf8a6607f75c0347f0af79f16afa081d2c92d1ee6f836b8 + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=a2c313b0440c8a0c47233b87f0a160c61af3eae7 + Output=021eca3ab4892264ec22411a752d92221076d4e01c0e6f0dde9afd26ba5acf6d739ef987545d16683e5674c9e70f1de649d7e61d48d0caeb4fb4d8b24fba84a6e3108fee7d0705973266ac524b4ad280f7ae17dc59d96d3351586b5a3bdb895d1e1f7820ac6135d8753480998382ba32b7349559608c38745290a85ef4e9f9bd83 + ++Availablein = default + Verify=RSA-PSS-3 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -393,36 +406,42 @@ MAz5u2xTrR3IoXi4FdtCNamp2gwG3k5hXqEnfOVZ + iEjIuVlAdAvnv3w3BQIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=f8b0abf70fec0bca74f0accbc24f75e6e90d3bfd + Output=0323d5b7bf20ba4539289ae452ae4297080feff4518423ff4811a817837e7d82f1836cdfab54514ff0887bddeebf40bf99b047abc3ecfa6a37a3ef00f4a0c4a88aae0904b745c846c4107e8797723e8ac810d9e3d95dfa30ff4966f4d75d13768d20857f2b1406f264cfe75e27d7652f4b5ed3575f28a702f8c4ed9cf9b2d44948 + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=04a10944bfe11ab801e77889f3fd3d7f4ff0b629 + 
Output=049d0185845a264d28feb1e69edaec090609e8e46d93abb38371ce51f4aa65a599bdaaa81d24fba66a08a116cb644f3f1e653d95c89db8bbd5daac2709c8984000178410a7c6aa8667ddc38c741f710ec8665aa9052be929d4e3b16782c1662114c5414bb0353455c392fc28f3db59054b5f365c49e1d156f876ee10cb4fd70598 + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=ba01243db223eb97fb86d746c3148adaaa0ca344 + Output=03fbc410a2ced59500fb99f9e2af2781ada74e13145624602782e2994813eefca0519ecd253b855fb626a90d771eae028b0c47a199cbd9f8e3269734af4163599090713a3fa910fa0960652721432b971036a7181a2bc0cab43b0b598bc6217461d7db305ff7e954c5b5bb231c39e791af6bcfa76b147b081321f72641482a2aad + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=934bb0d38d6836daec9de82a9648d4593da67cd2 + Output=0486644bc66bf75d28335a6179b10851f43f09bded9fac1af33252bb9953ba4298cd6466b27539a70adaa3f89b3db3c74ab635d122f4ee7ce557a61e59b82ffb786630e5f9db53c77d9a0c12fab5958d4c2ce7daa807cd89ba2cc7fcd02ff470ca67b229fcce814c852c73cc93bea35be68459ce478e9d4655d121c8472f371d4f + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=ec35d81abd1cceac425a935758b683465c8bd879 + Output=022a80045353904cb30cbb542d7d4990421a6eec16a8029a8422adfd22d6aff8c4cc0294af110a0c067ec86a7d364134459bb1ae8ff836d5a8a2579840996b320b19f13a13fad378d931a65625dae2739f0c53670b35d9d3cbac08e733e4ec2b83af4b9196d63e7c4ff1ddeae2a122791a125bfea8deb0de8ccf1f4ffaf6e6fb0a + ++Availablein = default + Verify=RSA-PSS-4 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -438,18 +457,21 @@ pLDMjaMl7YqmdrDQ9ibgp38HaSFwrKyAgvQvqn3H + 3Sst3vXgU5L8ITvFBwIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-5 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=d98b7061943510bc3dd9162f7169aabdbdcd0222 + 
Output=0ba373f76e0921b70a8fbfe622f0bf77b28a3db98e361051c3d7cb92ad0452915a4de9c01722f6823eeb6adf7e0ca8290f5de3e549890ac2a3c5950ab217ba58590894952de96f8df111b2575215da6c161590c745be612476ee578ed384ab33e3ece97481a252f5c79a98b5532ae00cdd62f2ecc0cd1baefe80d80b962193ec1d + ++Availablein = default + Verify=RSA-PSS-5 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=7ae8e699f754988f4fd645e463302e49a2552072 + Output=08180de825e4b8b014a32da8ba761555921204f2f90d5f24b712908ff84f3e220ad17997c0dd6e706630ba3e84add4d5e7ab004e58074b549709565d43ad9e97b5a7a1a29e85b9f90f4aafcdf58321de8c5974ef9abf2d526f33c0f2f82e95d158ea6b81f1736db8d1af3d6ac6a83b32d18bae0ff1b2fe27de4c76ed8c7980a34e + ++Availablein = default + Verify=RSA-PSS-5 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -463,12 +485,14 @@ Ctrl = rsa_mgf1_md:sha1 + Input=ee3de96783fd0a157c8b20bf5566124124dcfe65 + Output=0bc989853bc2ea86873271ce183a923ab65e8a53100e6df5d87a24c4194eb797813ee2a187c097dd872d591da60c568605dd7e742d5af4e33b11678ccb63903204a3d080b0902c89aba8868f009c0f1c0cb85810bbdd29121abb8471ff2d39e49fd92d56c655c8e037ad18fafbdc92c95863f7f61ea9efa28fea401369d19daea1 + ++Availablein = default + Verify=RSA-PSS-5 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=1204df0b03c2724e2709c23fc71789a21b00ae4c + Output=0aefa943b698b9609edf898ad22744ac28dc239497cea369cbbd84f65c95c0ad776b594740164b59a739c6ff7c2f07c7c077a86d95238fe51e1fcf33574a4ae0684b42a3f6bf677d91820ca89874467b2c23add77969c80717430d0efc1d3695892ce855cb7f7011630f4df26def8ddf36fc23905f57fa6243a485c770d5681fcd + ++Availablein = default + Verify=RSA-PSS-5 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -484,36 +508,42 @@ Kl8QsJwxGvjA/7W3opfy78Y7jWsFEJMfC5jki/X8 + nJnpaUMfYcuMTcaY0QIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=ab464e8cb65ae5fdea47a53fa84b234d6bfd52f6 + 
Output=04c0cfacec04e5badbece159a5a1103f69b3f32ba593cb4cc4b1b7ab455916a96a27cd2678ea0f46ba37f7fc9c86325f29733b389f1d97f43e7201c0f348fc45fe42892335362eee018b5b161f2f9393031225c713012a576bc88e23052489868d9010cbf033ecc568e8bc152bdc59d560e41291915d28565208e22aeec9ef85d1 + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=92d0bcae82b641f578f040f5151be8eda6d42299 + Output=0a2314250cf52b6e4e908de5b35646bcaa24361da8160fb0f9257590ab3ace42b0dc3e77ad2db7c203a20bd952fbb56b1567046ecfaa933d7b1000c3de9ff05b7d989ba46fd43bc4c2d0a3986b7ffa13471d37eb5b47d64707bd290cfd6a9f393ad08ec1e3bd71bb5792615035cdaf2d8929aed3be098379377e777ce79aaa4773 + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=3569bd8fd2e28f2443375efa94f186f6911ffc2b + Output=086df6b500098c120f24ff8423f727d9c61a5c9007d3b6a31ce7cf8f3cbec1a26bb20e2bd4a046793299e03e37a21b40194fb045f90b18bf20a47992ccd799cf9c059c299c0526854954aade8a6ad9d97ec91a1145383f42468b231f4d72f23706d9853c3fa43ce8ace8bfe7484987a1ec6a16c8daf81f7c8bf42774707a9df456 + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=7abbb7b42de335730a0b641f1e314b6950b84f98 + Output=0b5b11ad549863ffa9c51a14a1106c2a72cc8b646e5c7262509786105a984776534ca9b54c1cc64bf2d5a44fd7e8a69db699d5ea52087a4748fd2abc1afed1e5d6f7c89025530bdaa2213d7e030fa55df6f34bcf1ce46d2edf4e3ae4f3b01891a068c9e3a44bbc43133edad6ecb9f35400c4252a5762d65744b99cb9f4c559329f + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=55b7eb27be7a787a59eb7e5fac468db8917a7725 + Output=02d71fa9b53e4654fefb7f08385cf6b0ae3a817942ebf66c35ac67f0b069952a3ce9c7e1f1b02e480a9500836de5d64cdb7ecde04542f7a79988787e24c2ba05f5fd482c023ed5c30e04839dc44bed2a3a3a4fee01113c891a47d32eb8025c28cb050b5cdb576c70fe76ef523405c08417faf350b037a43c379339fcb18d3a356b + ++Availablein = default + Verify=RSA-PSS-6 + Ctrl = 
rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -529,36 +559,42 @@ MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgTfJ + 2LXF01SAItcGTqKaswIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=8be4afbdd76bd8d142c5f4f46dba771ee5d6d29d + Output=187f390723c8902591f0154bae6d4ecbffe067f0e8b795476ea4f4d51ccc810520bb3ca9bca7d0b1f2ea8a17d873fa27570acd642e3808561cb9e975ccfd80b23dc5771cdb3306a5f23159dacbd3aa2db93d46d766e09ed15d900ad897a8d274dc26b47e994a27e97e2268a766533ae4b5e42a2fcaf755c1c4794b294c60555823 + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=402140dc605b2f5c5ec0d15bce9f9ba8857fe117 + Output=10fd89768a60a67788abb5856a787c8561f3edcf9a83e898f7dc87ab8cce79429b43e56906941a886194f137e591fe7c339555361fbbe1f24feb2d4bcdb80601f3096bc9132deea60ae13082f44f9ad41cd628936a4d51176e42fc59cb76db815ce5ab4db99a104aafea68f5d330329ebf258d4ede16064bd1d00393d5e1570eb8 + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=3e885205892ff2b6b37c2c4eb486c4bf2f9e7f20 + Output=2b31fde99859b977aa09586d8e274662b25a2a640640b457f594051cb1e7f7a911865455242926cf88fe80dfa3a75ba9689844a11e634a82b075afbd69c12a0df9d25f84ad4945df3dc8fe90c3cefdf26e95f0534304b5bdba20d3e5640a2ebfb898aac35ae40f26fce5563c2f9f24f3042af76f3c7072d687bbfb959a88460af1 + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=1fc2201d0c442a4736cd8b2cd00c959c47a3bf42 + Output=32c7ca38ff26949a15000c4ba04b2b13b35a3810e568184d7ecabaa166b7ffabddf2b6cf4ba07124923790f2e5b1a5be040aea36fe132ec130e1f10567982d17ac3e89b8d26c3094034e762d2e031264f01170beecb3d1439e05846f25458367a7d9c02060444672671e64e877864559ca19b2074d588a281b5804d23772fbbe19 + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=e4351b66819e5a31501f89acc7faf57030e9aac5 + 
Output=07eb651d75f1b52bc263b2e198336e99fbebc4f332049a922a10815607ee2d989db3a4495b7dccd38f58a211fb7e193171a3d891132437ebca44f318b280509e52b5fa98fcce8205d9697c8ee4b7ff59d4c59c79038a1970bd2a0d451ecdc5ef11d9979c9d35f8c70a6163717607890d586a7c6dc01c79f86a8f28e85235f8c2f1 + ++Availablein = default + Verify=RSA-PSS-7 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -574,36 +610,42 @@ R1PbPO4O4Gx9+uix1TtZUyGPnM7qaVsIZo7eqtzt + +rBWGwgQNEc5raBzPwIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=a1dd230d8ead860199b6277c2ecfe3d95f6d9160 + Output=0262ac254bfa77f3c1aca22c5179f8f040422b3c5bafd40a8f21cf0fa5a667ccd5993d42dbafb409c520e25fce2b1ee1e716577f1efa17f3da28052f40f0419b23106d7845aaf01125b698e7a4dfe92d3967bb00c4d0d35ba3552ab9a8b3eef07c7fecdbc5424ac4db1e20cb37d0b2744769940ea907e17fbbca673b20522380c5 + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=f6e68e53c602c5c65fa67b5aa6d786e5524b12ab + Output=2707b9ad5115c58c94e932e8ec0a280f56339e44a1b58d4ddcff2f312e5f34dcfe39e89c6a94dcee86dbbdae5b79ba4e0819a9e7bfd9d982e7ee6c86ee68396e8b3a14c9c8f34b178eb741f9d3f121109bf5c8172fada2e768f9ea1433032c004a8aa07eb990000a48dc94c8bac8aabe2b09b1aa46c0a2aa0e12f63fbba775ba7e + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=d6f9fcd3ae27f32bb2c7c93536782eba52af1f76 + Output=2ad20509d78cf26d1b6c406146086e4b0c91a91c2bd164c87b966b8faa42aa0ca446022323ba4b1a1b89706d7f4c3be57d7b69702d168ab5955ee290356b8c4a29ed467d547ec23cbadf286ccb5863c6679da467fc9324a151c7ec55aac6db4084f82726825cfe1aa421bc64049fb42f23148f9c25b2dc300437c38d428aa75f96 + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=7ff2a53ce2e2d900d468e498f230a5f5dd0020de + 
Output=1e24e6e58628e5175044a9eb6d837d48af1260b0520e87327de7897ee4d5b9f0df0be3e09ed4dea8c1454ff3423bb08e1793245a9df8bf6ab3968c8eddc3b5328571c77f091cc578576912dfebd164b9de5454fe0be1c1f6385b328360ce67ec7a05f6e30eb45c17c48ac70041d2cab67f0a2ae7aafdcc8d245ea3442a6300ccc7 + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=4eb309f7022ba0b03bb78601b12931ec7c1be8d3 + Output=33341ba3576a130a50e2a5cf8679224388d5693f5accc235ac95add68e5eb1eec31666d0ca7a1cda6f70a1aa762c05752a51950cdb8af3c5379f18cfe6b5bc55a4648226a15e912ef19ad77adeea911d67cfefd69ba43fa4119135ff642117ba985a7e0100325e9519f1ca6a9216bda055b5785015291125e90dcd07a2ca9673ee + ++Availablein = default + Verify=RSA-PSS-8 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +Index: openssl-3.5.3/test/recipes/80-test_cms.t +=================================================================== +--- openssl-3.5.3.orig/test/recipes/80-test_cms.t ++++ openssl-3.5.3/test/recipes/80-test_cms.t +@@ -183,7 +183,7 @@ my @smime_pkcs7_tests = ( + [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1", + "-certfile", $smroot, + "-signer", $smrsa1, "-out", "{output}.cms" ], +- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", ++ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", + "-CAfile", $smroot, "-out", "{output}.txt" ], + \&final_compare + ], +@@ -191,7 +191,7 @@ my @smime_pkcs7_tests = ( + [ "signed zero-length content S/MIME format, RSA key SHA1", + [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1", + "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ], +- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", ++ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", + "-CAfile", $smroot, "-out", "{output}.txt" ], + \&zero_compare + ], +Index: openssl-3.5.3/test/recipes/80-test_ssl_old.t +=================================================================== +--- openssl-3.5.3.orig/test/recipes/80-test_ssl_old.t ++++ 
openssl-3.5.3/test/recipes/80-test_ssl_old.t +@@ -465,6 +465,9 @@ sub testssl { + 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); + } + ++ SKIP: { ++ skip "SSLv3 is not supported by the FIPS provider", 4 ++ if $provider eq "fips"; + ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), + 'test sslv2/sslv3 with server authentication'); + ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), +@@ -473,6 +476,7 @@ sub testssl { + 'test sslv2/sslv3 with both client and server authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), + 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); ++ } + + SKIP: { + skip "No IPv4 available on this machine", 4 +Index: openssl-3.5.3/apps/openssl.cnf +=================================================================== +--- openssl-3.5.3.orig/apps/openssl.cnf ++++ openssl-3.5.3/apps/openssl.cnf +@@ -119,7 +119,7 @@ cert_opt = ca_default # Certificate fi + + default_days = 365 # how long to certify for + default_crl_days= 30 # how long before next CRL +-default_md = default # use public key default MD ++default_md = sha256 # use public key default MD + preserve = no # keep passed DN ordering + + # A few difference way of specifying how similar the request should look diff --git a/openssl-FIPS-EC-disable-weak-curves.patch b/openssl-FIPS-EC-disable-weak-curves.patch new file mode 100644 index 0000000..60ac1b6 --- /dev/null +++ b/openssl-FIPS-EC-disable-weak-curves.patch 
@@ -0,0 +1,31 @@
+From 8a8265970a7497010b9b39182315f20521e7e15b Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Fri, 7 Mar 2025 18:06:36 -0500
+Subject: [PATCH 45/53] FIPS: EC: disable weak curves
+
+Signed-off-by: Simo Sorce
+---
+ apps/ecparam.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/apps/ecparam.c b/apps/ecparam.c
+index f0879dfb11..a6042e7d2a 100644
+--- a/apps/ecparam.c
++++ b/apps/ecparam.c
+@@ -77,6 +77,13 @@ static int list_builtin_curves(BIO *out)
+ const char *comment = curves[n].comment;
+ const char *sname = OBJ_nid2sn(curves[n].nid);
+
++ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
++ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
++ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
++ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
++ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
++ continue;
++
+ if (comment == NULL)
+ comment = "CURVE DESCRIPTION NOT AVAILABLE";
+ if (sname == NULL)
+--
+2.49.0
+
diff --git a/openssl-FIPS-Enforce-error-state.patch b/openssl-FIPS-Enforce-error-state.patch
index 76f35ba..b3670b1 100644
--- a/openssl-FIPS-Enforce-error-state.patch
+++ b/openssl-FIPS-Enforce-error-state.patch
@@ -1,8 +1,8 @@
-Index: openssl-3.1.4/providers/fips/fipsprov.c
+Index: openssl-3.5.0-beta1/providers/fips/fipsprov.c
 ===================================================================
---- openssl-3.1.4.orig/providers/fips/fipsprov.c
-+++ openssl-3.1.4/providers/fips/fipsprov.c
-@@ -805,6 +805,7 @@ int OSSL_provider_init_int(const OSSL_CO
+--- openssl-3.5.0-beta1.orig/providers/fips/fipsprov.c
++++ openssl-3.5.0-beta1/providers/fips/fipsprov.c
+@@ -988,6 +988,7 @@ int OSSL_provider_init_int(const OSSL_CO
 /* Error already raised */
 goto err;
 }
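Review bot: The added check in `list_builtin_curves` only suppresses these curves from the `-list_curves` output; nothing in this hunk rejects them for key generation or signing, so whether secp256k1 and the brainpool curves are actually unusable under the FIPS provider depends on code not shown here, and the subject line "disable weak curves" promises more than this patch does on its own. The nine-way `||` chain is also hard to audit and easy to get wrong when the next curve is added; a small `switch`-based helper makes the excluded set a single readable list, and with the helper on the left of `&&` the property lookup is still only made for a matching NID, as today. `list_builtin_curves` starts and ends outside the hunk, so the helper goes above it at file scope.
```c
/* Curves this FIPS provider is not certified for; hidden from -list_curves. */
static int curve_not_fips_certified(int nid)
{
    switch (nid) {
    case NID_secp256k1:
    case NID_brainpoolP256r1:
    case NID_brainpoolP256t1:
    case NID_brainpoolP320r1:
    case NID_brainpoolP320t1:
    case NID_brainpoolP384r1:
    case NID_brainpoolP384t1:
    case NID_brainpoolP512r1:
    case NID_brainpoolP512t1:
        return 1;
    default:
        return 0;
    }
}

/* … unchanged: list_builtin_curves prologue and loop head … */
        const char *sname = OBJ_nid2sn(curves[n].nid);

        if (curve_not_fips_certified(curves[n].nid)
            && EVP_default_properties_is_fips_enabled(NULL))
            continue;
/* … unchanged: comment/sname fallbacks and printing … */
```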
@@ -10,11 +10,11 @@ Index: openssl-3.1.4/providers/fips/fipsprov.c /* * Disable the conditional error check if it's disabled in the fips config * file. -@@ -812,6 +813,7 @@ int OSSL_provider_init_int(const OSSL_CO +@@ -995,6 +996,7 @@ int OSSL_provider_init_int(const OSSL_CO if (fgbl->selftest_params.conditional_error_check != NULL && strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0) SELF_TEST_disable_conditional_error_state(); +#endif /* Enable or disable FIPS provider options */ - #define FIPS_SET_OPTION(fgbl, field) \ + #define OSSL_FIPS_PARAM(structname, paramname, unused) \ diff --git a/openssl-FIPS-Expose-a-FIPS-indicator.patch b/openssl-FIPS-Expose-a-FIPS-indicator.patch index aba120e..7893d1b 100644 --- a/openssl-FIPS-Expose-a-FIPS-indicator.patch +++ b/openssl-FIPS-Expose-a-FIPS-indicator.patch @@ -52,11 +52,11 @@ Signed-off-by: Clemens Lang create mode 100644 doc/man7/fips_module_indicators.pod create mode 100644 providers/fips/indicator.h -Index: openssl-3.1.4/doc/build.info +Index: openssl-3.5.0-beta1/doc/build.info =================================================================== ---- openssl-3.1.4.orig/doc/build.info -+++ openssl-3.1.4/doc/build.info -@@ -4467,6 +4467,10 @@ DEPEND[html/man7/fips_module.html]=man7/ +--- openssl-3.5.0-beta1.orig/doc/build.info ++++ openssl-3.5.0-beta1/doc/build.info +@@ -4939,6 +4939,10 @@ DEPEND[html/man7/fips_module.html]=man7/ GENERATE[html/man7/fips_module.html]=man7/fips_module.pod DEPEND[man/man7/fips_module.7]=man7/fips_module.pod GENERATE[man/man7/fips_module.7]=man7/fips_module.pod @@ -67,7 +67,7 @@ Index: openssl-3.1.4/doc/build.info DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod -@@ -4712,6 +4716,7 @@ html/man7/ct.html \ +@@ -5266,6 +5270,7 @@ html/man7/ct.html \ html/man7/des_modes.html \ html/man7/evp.html \ html/man7/fips_module.html \ 
@@ -75,7 +75,7 @@ Index: openssl-3.1.4/doc/build.info html/man7/life_cycle-cipher.html \ html/man7/life_cycle-digest.html \ html/man7/life_cycle-kdf.html \ -@@ -4838,6 +4843,7 @@ man/man7/ct.7 \ +@@ -5423,6 +5428,7 @@ man/man7/ct.7 \ man/man7/des_modes.7 \ man/man7/evp.7 \ man/man7/fips_module.7 \ @@ -83,10 +83,10 @@ Index: openssl-3.1.4/doc/build.info man/man7/life_cycle-cipher.7 \ man/man7/life_cycle-digest.7 \ man/man7/life_cycle-kdf.7 \ -Index: openssl-3.1.4/doc/man7/fips_module_indicators.pod +Index: openssl-3.5.0-beta1/doc/man7/fips_module_indicators.pod =================================================================== --- /dev/null -+++ openssl-3.1.4/doc/man7/fips_module_indicators.pod ++++ openssl-3.5.0-beta1/doc/man7/fips_module_indicators.pod @@ -0,0 +1,155 @@ +=pod + @@ -243,19 +243,19 @@ Index: openssl-3.1.4/doc/man7/fips_module_indicators.pod +L. + +=cut -Index: openssl-3.1.4/providers/fips/fipsprov.c +Index: openssl-3.5.0-beta1/providers/fips/fipsprov.c =================================================================== ---- openssl-3.1.4.orig/providers/fips/fipsprov.c -+++ openssl-3.1.4/providers/fips/fipsprov.c -@@ -26,6 +26,7 @@ - #include "self_test.h" +--- openssl-3.5.0-beta1.orig/providers/fips/fipsprov.c ++++ openssl-3.5.0-beta1/providers/fips/fipsprov.c +@@ -28,6 +28,7 @@ #include "crypto/context.h" + #include "fipscommon.h" #include "internal/core.h" +#include "indicator.h" static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes"; static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no"; -@@ -438,6 +439,68 @@ static const OSSL_ALGORITHM fips_signatu +@@ -542,6 +543,68 @@ static const OSSL_ALGORITHM fips_signatu { NULL, NULL, NULL } }; 
@@ -324,7 +324,7 @@ Index: openssl-3.1.4/providers/fips/fipsprov.c static const OSSL_ALGORITHM fips_asym_cipher[] = { { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions }, { NULL, NULL, NULL } -@@ -520,6 +583,14 @@ static const OSSL_ALGORITHM *fips_query( +@@ -696,6 +759,14 @@ static const OSSL_ALGORITHM *fips_query( } return NULL; } @@ -337,12 +337,12 @@ Index: openssl-3.1.4/providers/fips/fipsprov.c + return NULL; +} - static void fips_teardown(void *provctx) - { -Index: openssl-3.1.4/providers/fips/indicator.h + static const OSSL_ALGORITHM *fips_query_internal(void *provctx, int operation_id, + int *no_cache) +Index: openssl-3.5.0-beta1/providers/fips/indicator.h =================================================================== --- /dev/null -+++ openssl-3.1.4/providers/fips/indicator.h ++++ openssl-3.5.0-beta1/providers/fips/indicator.h @@ -0,0 +1,66 @@ +/* + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. @@ -410,11 +410,11 @@ Index: openssl-3.1.4/providers/fips/indicator.h +# endif + +#endif -Index: openssl-3.1.4/util/mkdef.pl +Index: openssl-3.5.0-beta1/util/mkdef.pl =================================================================== ---- openssl-3.1.4.orig/util/mkdef.pl -+++ openssl-3.1.4/util/mkdef.pl -@@ -153,7 +153,8 @@ $ordinal_opts{filter} = +--- openssl-3.5.0-beta1.orig/util/mkdef.pl ++++ openssl-3.5.0-beta1/util/mkdef.pl +@@ -154,7 +154,8 @@ $ordinal_opts{filter} = return $item->exists() && platform_filter($item) @@ -424,7 +424,7 @@ Index: openssl-3.1.4/util/mkdef.pl }; my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file); -@@ -209,6 +210,28 @@ sub feature_filter { +@@ -210,6 +211,28 @@ sub feature_filter { return $verdict; } 
@@ -453,10 +453,10 @@ Index: openssl-3.1.4/util/mkdef.pl sub sorter_unix { my $by_name = OpenSSL::Ordinals::by_name(); my %weight = ( -Index: openssl-3.1.4/util/providers.num +Index: openssl-3.5.0-beta1/util/providers.num =================================================================== ---- openssl-3.1.4.orig/util/providers.num -+++ openssl-3.1.4/util/providers.num +--- openssl-3.5.0-beta1.orig/util/providers.num ++++ openssl-3.5.0-beta1/util/providers.num @@ -1 +1,2 @@ OSSL_provider_init 1 * EXIST::FUNCTION: +suse_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS diff --git a/openssl-FIPS-Fix-encoder-decoder-negative-test.patch b/openssl-FIPS-Fix-encoder-decoder-negative-test.patch new file mode 100644 index 0000000..ea7a68c --- /dev/null +++ b/openssl-FIPS-Fix-encoder-decoder-negative-test.patch 
@@ -0,0 +1,35 @@
+From fee4537648b335f708e78d15a4c3b6018169b5cd Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Wed, 5 Mar 2025 13:22:03 -0500
+Subject: [PATCH 43/53] FIPS: Fix encoder/decoder negative test
+
+Signed-off-by: Simo Sorce
+---
+ test/recipes/04-test_encoder_decoder.t | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+ mode change 100644 => 100755 test/recipes/04-test_encoder_decoder.t
+
+diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t
+old mode 100644
+new mode 100755
+index 2acc980e90..660d4e1115
+--- a/test/recipes/04-test_encoder_decoder.t
++++ b/test/recipes/04-test_encoder_decoder.t
+@@ -75,10 +75,10 @@ SKIP: {
+ }
+ my $no_des = disabled("des");
+ SKIP: {
+- skip "MD5 disabled", 2 if disabled("md5");
+- ok(run(app([ 'openssl', 'genrsa', '-aes128', '-out', 'epki.pem',
+- '-traditional', '-passout', 'pass:pass' ])),
+- "rsa encrypted using a non fips algorithm MD5 in pbe");
++ skip "DES disabled", 2 if disabled("des3");
++ ok(run(app([ 'openssl', 'genrsa', '-des3', '-out', 'epki.pem',
++ '-traditional', '-passout', 'pass:pass'])),
++ "rsa encrypted using a non fips algorithm DES3 in pbe");
+
+ my $conf2 = srctop_file("test", "default-and-fips.cnf");
+ ok(run(test(['decoder_propq_test', '-config', $conf2,
+--
+2.49.0
+
diff --git a/openssl-FIPS-Fix-openssl-speed-KMAC.patch b/openssl-FIPS-Fix-openssl-speed-KMAC.patch
new file mode 100644
index 0000000..00e0289
--- /dev/null
+++ b/openssl-FIPS-Fix-openssl-speed-KMAC.patch
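Review bot: The new guard `skip "DES disabled", 2 if disabled("des3");` queries a feature name that differs from the `my $no_des = disabled("des");` computed two lines earlier in the same context; if the configured feature is `des` rather than `des3`, the skip never fires and the `genrsa -des3` step runs, and fails, in a no-des build. The variable already in scope expresses the intent and stays consistent with the rest of the recipe: `skip "DES disabled", 2 if $no_des;`. The `old mode 100644` / `new mode 100755` change on the recipe looks unrelated to the fix and is probably best dropped unless it is intentional.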
@@ -0,0 +1,73 @@
+From e128762a1b1f047633e76022a6a8097cb88b49a6 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy
+Date: Fri, 9 May 2025 15:09:46 +0200
+Subject: [PATCH 51/54] Make `openssl speed` run in FIPS mode
+
+---
+ apps/speed.c | 44 ++++++++++++++++++++++----------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+Index: openssl-3.5.0/apps/speed.c
+===================================================================
+--- openssl-3.5.0.orig/apps/speed.c
++++ openssl-3.5.0/apps/speed.c
+@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
+ (void *)key32, 16);
+ params[1] = OSSL_PARAM_construct_end();
+
+- if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1)
+- goto end;
+- for (testnum = 0; testnum < size_num; testnum++) {
+- print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
+- Time_F(START);
+- count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
+- d = Time_F(STOP);
+- print_result(D_KMAC128, testnum, count, d);
+- if (count < 0)
+- break;
++ if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) == 1) {
++ for (testnum = 0; testnum < size_num; testnum++) {
++ print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
++ Time_F(START);
++ count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
++ d = Time_F(STOP);
++ print_result(D_KMAC128, testnum, count, d);
++ if (count < 0)
++ break;
++ }
++ mac_teardown(&mac, loopargs, loopargs_len);
+ }
+- mac_teardown(&mac, loopargs, loopargs_len);
+ }
+
+ if (doit[D_KMAC256]) {
+@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv)
+ (void *)key32, 32);
+ params[1] = OSSL_PARAM_construct_end();
+
+- if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1)
+- goto end;
+- for (testnum = 0; testnum < size_num; testnum++) {
+- print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
+- Time_F(START);
+- count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
+- d = Time_F(STOP);
+- print_result(D_KMAC256, testnum, count, d);
+- if (count < 0)
+- break;
++ if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) == 1) {
++ for (testnum = 0; testnum < size_num; testnum++) {
++ print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
++ Time_F(START);
++ count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
++ d = Time_F(STOP);
++ print_result(D_KMAC256, testnum, count, d);
++ if (count < 0)
++ break;
++ }
++ mac_teardown(&mac, loopargs, loopargs_len);
+ }
+- mac_teardown(&mac, loopargs, loopargs_len);
+ }
+
+ for (i = 0; i < loopargs_len; i++)
diff --git a/openssl-FIPS-NO-DES-support.patch b/openssl-FIPS-NO-DES-support.patch
new file mode 100644
index 0000000..fa3a9ec
--- /dev/null
+++ b/openssl-FIPS-NO-DES-support.patch
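Review bot: Both hunks now pass over the KMAC-128 and KMAC-256 sections silently when `mac_setup` does not return 1, where the old code left `speed_main` via `goto end`; a user who explicitly asked for a KMAC benchmark under the FIPS provider gets neither numbers nor a line saying why, unless `mac_setup` itself reports the failure (its body is outside the hunk). I would add an else branch in both places, `else BIO_printf(bio_err, "%s not available, skipping\n", "KMAC-128");`, so the omission is visible in the output. Note also that `== 1` is stricter than the old `< 1` failure test: any other non-zero return is now treated as "skip", which is only equivalent if `mac_setup` returns strictly 0 or 1 — worth confirming against its definition. `speed_main` starts and ends outside the hunk.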
@@ -0,0 +1,135 @@
+From 3a1abccdfc3bb78dd472bbb7ff36313959ef0cdf Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Fri, 7 Mar 2025 18:15:13 -0500
+Subject: [PATCH 47/53] FIPS: NO DES support
+
+Signed-off-by: Simo Sorce
+---
+ providers/fips/fipsprov.c | 3 ++-
+ providers/fips/self_test_data.inc | 5 ++++-
+ test/evp_libctx_test.c | 4 +++-
+ .../30-test_evp_data/evpciph_des3_common.txt | 13 ++++--------
+ test/recipes/80-test_cms.t | 2 +-
+ 5 files changed, 14 insertions(+), 13 deletions(-)
+
+Index: openssl-3.5.2/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.5.2.orig/providers/fips/fipsprov.c
++++ openssl-3.5.2/providers/fips/fipsprov.c
+@@ -360,7 +360,8 @@ static const OSSL_ALGORITHM_CAPABLE fips
+ ossl_cipher_capable_aes_cbc_hmac_sha256),
+ ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
+ ossl_cipher_capable_aes_cbc_hmac_sha256),
+-#ifndef OPENSSL_NO_DES
++/* We don't certify 3DES in our FIPS provider */
++#if 0 /* ifndef OPENSSL_NO_DES */
+ ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
+ ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
+ #endif /* OPENSSL_NO_DES */
+Index: openssl-3.5.2/providers/fips/self_test_data.inc
+===================================================================
+--- openssl-3.5.2.orig/providers/fips/self_test_data.inc
++++ openssl-3.5.2/providers/fips/self_test_data.inc
+@@ -293,6 +293,7 @@ static const ST_KAT_CIPHER st_kat_cipher
+ CIPHER_MODE_DECRYPT,
+ ITM(aes_128_ecb_key)
+ },
++#if 0
+ #ifndef OPENSSL_NO_DES
+ {
+ {
+@@ -305,6 +306,7 @@ static const ST_KAT_CIPHER st_kat_cipher
+ ITM(tdes_key)
+ }
+ #endif
++#endif
+ };
+
+ static const char hkdf_digest[] = "SHA256";
+Index: openssl-3.5.2/test/evp_libctx_test.c
+===================================================================
+--- openssl-3.5.2.orig/test/evp_libctx_test.c
++++ openssl-3.5.2/test/evp_libctx_test.c
+@@ -831,7 +831,9 @@ int setup_tests(void)
+ ADD_TEST(kem_invalid_keytype);
+ #endif
+ #ifndef OPENSSL_NO_DES
+- ADD_TEST(test_cipher_tdes_randkey);
++ if (strcmp(prov_name, "fips") != 0) {
++ ADD_TEST(test_cipher_tdes_randkey);
++ }
+ #endif
+ return 1;
+ }
+Index: openssl-3.5.2/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+===================================================================
+--- openssl-3.5.2.orig/test/recipes/30-test_evp_data/evpciph_des3_common.txt
++++ openssl-3.5.2/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+@@ -14,7 +14,7 @@
+ Title = DES3 Tests
+
+ # DES EDE3 CBC tests (from destest)
+-FIPSversion = <3.4.0
++Availablein = default
+ Cipher = DES-EDE3-CBC
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ IV = fedcba9876543210
+@@ -24,8 +24,7 @@ NextIV = 1c673812cfde9675
+
+ # DES EDE3 ECB test
+ # FIPS(3.0.0): has a bug in the IV length #17591
+-FIPSversion = >3.0.0
+-FIPSversion = <3.4.0
++Availablein = default
+ Cipher = DES-EDE3-ECB
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
+@@ -42,7 +41,6 @@ Ciphertext = 4d1332e49f380e23d80a0d8b2ba
+
+ # Test that DES3 CBC mode encryption fails because it is not FIPS approved
+ Availablein = fips
+-FIPSversion = >=3.4.0
+ Cipher = DES-EDE3-CBC
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ IV = fedcba9876543210
+@@ -52,7 +50,6 @@ Result = CIPHERINIT_ERROR
+
+ # Test that DES3 EBC mode encryption fails because it is not FIPS approved
+ Availablein = fips
+-FIPSversion = >=3.4.0
+ Cipher = DES-EDE3-ECB
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
+@@ -62,8 +59,7 @@ Result = CIPHERINIT_ERROR
+ Title = DES3 FIPS Indicator Tests
+
+ # Test that DES3 CBC mode encryption is not FIPS approved
+-Availablein = fips
+-FIPSversion = >=3.4.0
++Availablein = none
+ Cipher = DES-EDE3-CBC
+ Unapproved = 1
+ CtrlInit = encrypt-check:0
+@@ -74,8 +70,7 @@ Plaintext = 37363534333231204E6F77206973
+ Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+
+ # Test that DES3 ECB mode encryption is not FIPS approved
+-Availablein = fips
+-FIPSversion = >=3.4.0
++Availablein = none
+ Cipher = DES-EDE3-ECB
+ Operation = ENCRYPT
+ Unapproved = 1
+Index: openssl-3.5.2/test/recipes/80-test_cms.t
+===================================================================
+--- openssl-3.5.2.orig/test/recipes/80-test_cms.t
++++ openssl-3.5.2/test/recipes/80-test_cms.t
+@@ -398,7 +398,7 @@ my @smime_cms_tests = (
+ \&final_compare
+ ],
+
+- [ "encrypted content test streaming PEM format, triple DES key",
++ [ "encrypted content test streaming PEM format, triple DES key, no SUSE FIPS",
+ [ "{cmd1}", @defaultprov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
+ "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
+ "-stream", "-out", "{output}.cms" ],
diff --git a/openssl-FIPS-NO-DSA-Support.patch b/openssl-FIPS-NO-DSA-Support.patch
new file mode 100644
index 0000000..cda7fa9
--- /dev/null
+++ b/openssl-FIPS-NO-DSA-Support.patch
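Review bot: In the fipsprov.c hunk the block is now opened by `#if 0 /* ifndef OPENSSL_NO_DES */` but still closed by `#endif /* OPENSSL_NO_DES */`, and the two self_test_data.inc hunks wrap the TDES KAT entry in a bare `#if 0` / `#endif` with no reason at either end, so a reader of the KAT table cannot tell deliberate decertification from forgotten dead code. I would mirror the reason on the closing lines, `#endif /* 0: 3DES not certified in this FIPS provider */`, and put the same one-line comment above the `#if 0` in self_test_data.inc. In evp_libctx_test.c the new guard `strcmp(prov_name, "fips") != 0` assumes `prov_name` is non-NULL when `setup_tests` reaches it; where it is set is outside the hunk and worth a glance, since a NULL there is undefined behaviour rather than a test failure. The same `#if 0`-with-stale-trailing-comment pattern appears again in the NO-DSA patch that follows.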
@@ -0,0 +1,377 @@ +From f5c420d8e5eed82bf4a6712085a18746d2bc7aff Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 7 Mar 2025 18:10:52 -0500 +Subject: [PATCH 46/53] FIPS: NO DSA Support + +Signed-off-by: Simo Sorce +--- + providers/fips/fipsprov.c | 8 +++++--- + providers/fips/self_test_data.inc | 6 +++++- + test/acvp_test.c | 2 ++ + test/endecode_test.c | 2 ++ + test/recipes/15-test_gendsa.t | 2 +- + test/recipes/20-test_cli_fips.t | 3 +-- + test/recipes/30-test_evp.t | 1 - + test/recipes/30-test_evp_data/evppkey_dsa.txt | 18 ++++++++++++++++- + test/recipes/80-test_cms.t | 20 +++++++++---------- + 9 files changed, 43 insertions(+), 19 deletions(-) + +Index: openssl-3.5.0-beta1/providers/fips/fipsprov.c +=================================================================== +--- openssl-3.5.0-beta1.orig/providers/fips/fipsprov.c ++++ openssl-3.5.0-beta1/providers/fips/fipsprov.c +@@ -434,7 +434,8 @@ static const OSSL_ALGORITHM fips_keyexch + }; + + static const OSSL_ALGORITHM fips_signature[] = { +-#ifndef OPENSSL_NO_DSA ++/* We don't certify DSA in our FIPS provider */ ++#if 0 /* #ifndef OPENSSL_NO_DSA */ + { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, + { PROV_NAMES_DSA_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha1_signature_functions }, + { PROV_NAMES_DSA_SHA224, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha224_signature_functions }, +@@ -626,8 +627,9 @@ static const OSSL_ALGORITHM fips_keymgmt + PROV_DESCS_DHX }, + #endif + #ifndef OPENSSL_NO_DSA +- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, +- PROV_DESCS_DSA }, ++ /* We don't certify DSA in our FIPS provider */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, ++ PROV_DESCS_DSA }, */ + #endif + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions, + PROV_DESCS_RSA }, +Index: openssl-3.5.0-beta1/providers/fips/self_test_data.inc +=================================================================== +--- 
openssl-3.5.0-beta1.orig/providers/fips/self_test_data.inc ++++ openssl-3.5.0-beta1/providers/fips/self_test_data.inc +@@ -1522,8 +1522,9 @@ static const unsigned char ed448_expecte + # endif /* OPENSSL_NO_ECX */ + #endif /* OPENSSL_NO_EC */ + +-#ifndef OPENSSL_NO_DSA + /* dsa 2048 */ ++#if 0 ++#ifndef OPENSSL_NO_DSA + static const unsigned char dsa_p[] = { + 0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23, + 0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e, +@@ -1651,6 +1652,7 @@ static const ST_KAT_PARAM dsa_key[] = { + ST_KAT_PARAM_END() + }; + #endif /* OPENSSL_NO_DSA */ ++#endif + + #ifndef OPENSSL_NO_ML_DSA + static const unsigned char ml_dsa_65_pub_key[] = { +@@ -3013,6 +3015,7 @@ static const ST_KAT_SIGN st_kat_sign_tes + }, + # endif /* OPENSSL_NO_ECX */ + #endif /* OPENSSL_NO_EC */ ++#if 0 + #ifndef OPENSSL_NO_DSA + { + OSSL_SELF_TEST_DESC_SIGN_DSA, +@@ -3025,6 +3028,7 @@ static const ST_KAT_SIGN st_kat_sign_tes + ITM(dsa_expected_sig) + }, + #endif /* OPENSSL_NO_DSA */ ++#endif + + #ifndef OPENSSL_NO_ML_DSA + { +Index: openssl-3.5.0-beta1/test/acvp_test.c +=================================================================== +--- openssl-3.5.0-beta1.orig/test/acvp_test.c ++++ openssl-3.5.0-beta1/test/acvp_test.c +@@ -1735,6 +1735,7 @@ int setup_tests(void) + OSSL_NELEM(dh_safe_prime_keyver_data)); + #endif /* OPENSSL_NO_DH */ + ++#if 0 /* SUSE/openSUSE FIPS provider doesn't have fips=yes property on DSA */ + #ifndef OPENSSL_NO_DSA + dsasign_allowed = fips_provider_version_lt(libctx, 3, 4, 0); + ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); +@@ -1743,6 +1744,7 @@ int setup_tests(void) + ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); + ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data)); + #endif /* OPENSSL_NO_DSA */ ++#endif + + #ifndef OPENSSL_NO_EC + ec_cofactors = fips_provider_version_ge(libctx, 3, 4, 0); +Index: openssl-3.5.0-beta1/test/endecode_test.c 
+=================================================================== +--- openssl-3.5.0-beta1.orig/test/endecode_test.c ++++ openssl-3.5.0-beta1/test/endecode_test.c +@@ -1536,6 +1536,7 @@ int setup_tests(void) + * so no legacy tests. + */ + #endif ++ if (is_fips == 0) { + #ifndef OPENSSL_NO_DSA + ADD_TEST_SUITE(DSA); + ADD_TEST_SUITE_PARAMS(DSA); +@@ -1546,6 +1547,7 @@ int setup_tests(void) + ADD_TEST_SUITE_PROTECTED_PVK(DSA); + # endif + #endif ++ } + #ifndef OPENSSL_NO_EC + ADD_TEST(ec_encode_to_data_multi); + ADD_TEST_SUITE(EC); +Index: openssl-3.5.0-beta1/test/recipes/15-test_gendsa.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/15-test_gendsa.t ++++ openssl-3.5.0-beta1/test/recipes/15-test_gendsa.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "This test is unsupported in a no-dsa build" + if disabled("dsa"); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; + + plan tests => + ($no_fips ? 
0 : 2) # FIPS related tests +Index: openssl-3.5.0-beta1/test/recipes/20-test_cli_fips.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/20-test_cli_fips.t ++++ openssl-3.5.0-beta1/test/recipes/20-test_cli_fips.t +@@ -283,8 +283,7 @@ SKIP: { + } + + SKIP : { +- skip "FIPS DSA tests because of no dsa in this build", 1 +- if disabled("dsa") || $dsasignpass == '0'; ++ skip "FIPS DSA tests because of no dsa in this build", 1; + + subtest DSA => sub { + my $testtext_prefix = 'DSA'; +Index: openssl-3.5.0-beta1/test/recipes/30-test_evp.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/30-test_evp.t ++++ openssl-3.5.0-beta1/test/recipes/30-test_evp.t +@@ -166,7 +166,6 @@ my @defltfiles = qw( + push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; + push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec; + push @defltfiles, qw(evppkey_ecx_kem.txt) unless $no_ecx; +-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa; + push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; + push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv; + push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv; +Index: openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evppkey_dsa.txt +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/30-test_evp_data/evppkey_dsa.txt ++++ openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evppkey_dsa.txt +@@ -44,17 +44,22 @@ PrivPubKeyPair = DSA-1024:DSA-1024-PUBLI + + Title = DSA tests + ++## SUSE all SHA1 tests are unavailable ++ ++Availablein = none + Verify = DSA-1024 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87 + ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 
302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87 + + # Modified signature ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -62,6 +67,7 @@ Output = 302d021500942b8c5850e05b59e2449 + Result = VERIFY_ERROR + + # Digest too short ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF123" +@@ -69,6 +75,7 @@ Output = 302d021500942b8c5850e05b59e2449 + Result = VERIFY_ERROR + + # Digest too long ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF12345" +@@ -76,12 +83,14 @@ Output = 302d021500942b8c5850e05b59e2449 + Result = VERIFY_ERROR + + # Garbage after signature ++Availablein = none + Verify = DSA-1024-PUBLIC + Input = "0123456789ABCDEF1234" + Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d8700 + Result = VERIFY_ERROR + + # Invalid tag ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -89,6 +98,7 @@ Output = 312d021500942b8c5850e05b59e2449 + Result = VERIFY_ERROR + + # BER signature ++Availablein = none + Verify = DSA-1024-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -277,6 +287,7 @@ Output = 00 + Result = DIGESTSIGNINIT_ERROR + + # Test sign with a 2048 bit key with N == 224 is allowed in fips mode ++Availablein = none + FIPSversion = <3.4.0 + DigestSign = SHA256 + Key = DSA-2048-224 +@@ -285,6 +296,7 @@ Output = 00 + Result = SIGNATURE_MISMATCH + + # Test sign with a 2048 bit key with N == 256 is allowed in fips mode ++Availablein = none + FIPSversion = <3.4.0 + DigestSign = SHA256 + Key = DSA-2048-256 +@@ -292,6 +304,7 @@ Input = "Hello" + Result = SIGNATURE_MISMATCH + + # Test sign with a 3072 bit key with N == 256 is allowed in fips mode ++Availablein = none + FIPSversion = <3.4.0 + DigestSign = SHA256 + Key = DSA-3072-256 +@@ -299,6 +312,7 @@ Input 
= "Hello" + Result = SIGNATURE_MISMATCH + + # Test sign with a 2048 bit SHA3 is allowed in fips mode ++Availablein = none + FIPSversion = <3.4.0 + DigestSign = SHA3-224 + Key = DSA-2048-256 +@@ -306,19 +320,21 @@ Input = "Hello" + Result = SIGNATURE_MISMATCH + + # Test verify with a 1024 bit key is allowed in fips mode ++Availablein = default + DigestVerify = SHA256 + Key = DSA-1024 + Input = "Hello " + Output = 302c02142e32c8a5b0bd19b2ba33fd9c78aad3729dcb1b9e02142c006f7726a9d6833d414865b95167ea5f4f7713 + + # Test verify with SHA1 is allowed in fips mode ++Availablein = none + DigestVerify = SHA1 + Key = DSA-1024 + Input = "Hello " + Output = 302c0214602d21ed37e46051bb3d06cc002adddeb4cdb3bd02144f39f75587b286588862d06366b2f29bddaf8cf6 + + # Test verify with a 2048/160 bit key is allowed in fips mode +-FIPSversion = >3.1.1 ++Availablein = default + DigestVerify = SHA256 + Key = DSA-2048-160 + Input = "Hello" +Index: openssl-3.5.0-beta1/test/recipes/80-test_cms.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/80-test_cms.t ++++ openssl-3.5.0-beta1/test/recipes/80-test_cms.t +@@ -107,7 +107,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content DER format, DSA key", ++ [ "signed content DER format, DSA key, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -115,7 +115,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, DSA key", ++ [ "signed detached content DER format, DSA key, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = ( + 
\&final_compare + ], + +- [ "signed detached content DER format, add RSA signer (with DSA existing)", ++ [ "signed detached content DER format, add RSA signer (with DSA existing), no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", +@@ -135,7 +135,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, DSA key", ++ [ "signed content test streaming BER format, DSA key, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], +@@ -144,7 +144,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -157,7 +157,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-noattr", "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = ( + \&zero_compare + ], + +- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -199,7 +199,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming multipart S/MIME format, 
2 DSA and 2 RSA keys", ++ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -265,7 +265,7 @@ if ($no_fips || $old_fips) { + + my @smime_cms_tests = ( + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-keyid", + "-signer", $smrsa1, +@@ -278,7 +278,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), diff --git a/openssl-FIPS-NO-Kmac.patch b/openssl-FIPS-NO-Kmac.patch new file mode 100644 index 0000000..23cb814 --- /dev/null +++ b/openssl-FIPS-NO-Kmac.patch 
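Review bot: Deleting `push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;` from 30-test_evp.t removes the DSA RFC 6979 vectors from what its name and neighbours (`evppkey_brainpool.txt`, `evppkey_sm2.txt`) suggest is the default-provider file list, yet this series removes DSA only from the FIPS provider, so default-provider coverage is lost along with it; if the vectors misbehave only under FIPS, the per-test `Availablein = default` marker this same patch uses in evppkey_dsa.txt keeps them running where DSA still exists. In 20-test_cli_fips.t the now unconditional `skip "FIPS DSA tests because of no dsa in this build", 1;` states a reason that is no longer true — DSA is in the build, it is just not certified in this FIPS provider — and may leave `$dsasignpass` unused; `skip "DSA is not certified in this FIPS provider", 1;` says what actually holds. The repeated `Availablein = none` lines in evppkey_dsa.txt rely on no provider named "none" ever being loadable, which is worth one comment next to the first use rather than only the "SUSE all SHA1 tests are unavailable" heading.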
@@ -0,0 +1,277 @@ +From cc0b5ccd6ee404b4faa969d19440078bc8b49f35 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 7 Mar 2025 18:22:07 -0500 +Subject: [PATCH 48/53] FIPS: NO Kmac + +Signed-off-by: Simo Sorce +--- + providers/fips/fipsprov.c | 10 +++++---- + providers/fips/self_test_data.inc | 4 ++++ + test/recipes/30-test_evp_data/evpkdf_ss.txt | 2 ++ + .../30-test_evp_data/evpmac_common.txt | 22 +++++++++++++++++++ + 4 files changed, 34 insertions(+), 4 deletions(-) + +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index 30f0c8ca14..00b7d1e2aa 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -293,10 +293,11 @@ static const OSSL_ALGORITHM fips_digests[] = { + * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for + * KMAC128 and KMAC256. + */ +- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, ++ /* We don't certify KECCAK in our FIPS provider */ ++ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, + ossl_keccak_kmac_128_functions }, + { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES, +- ossl_keccak_kmac_256_functions }, ++ ossl_keccak_kmac_256_functions }, */ + { NULL, NULL, NULL } + }; + +@@ -369,8 +370,9 @@ static const OSSL_ALGORITHM fips_macs[] = { + #endif + { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, + { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, +- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, +- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, ++ /* We don't certify KMAC in our FIPS provider */ ++ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, ++ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */ + { NULL, NULL, NULL } + }; + +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 6a69e1687b..f3059a8446 100644 +--- a/providers/fips/self_test_data.inc ++++ 
b/providers/fips/self_test_data.inc +@@ -544,6 +544,7 @@ static const ST_KAT_PARAM kbkdf_params[] = { + ST_KAT_PARAM_END() + }; + ++#if 0 + static const char kbkdf_kmac_mac[] = "KMAC128"; + static unsigned char kbkdf_kmac_label[] = { + 0xB5, 0xB5, 0xF3, 0x71, 0x9F, 0xBE, 0x5B, 0x3D, +@@ -570,6 +571,7 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = { + ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_INFO, kbkdf_kmac_context), + ST_KAT_PARAM_END() + }; ++#endif + + static const char tls13_kdf_digest[] = "SHA256"; + static int tls13_kdf_extract_mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY; +@@ -660,12 +662,14 @@ static const ST_KAT_KDF st_kat_kdf_tests[] = + kbkdf_params, + ITM(kbkdf_expected) + }, ++#if 0 + { + OSSL_SELF_TEST_DESC_KDF_KBKDF_KMAC, + OSSL_KDF_NAME_KBKDF, + kbkdf_kmac_params, + ITM(kbkdf_kmac_expected) + }, ++#endif + { + OSSL_SELF_TEST_DESC_KDF_HKDF, + OSSL_KDF_NAME_HKDF, +diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt +index 07691ccf57..ce315ecf76 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_ss.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt +@@ -1171,6 +1171,7 @@ Ctrl.hexsecret = hexsecret:40B6E03711EBEBA14011ACE96CB056DEBAEB6E5E706F99435257C + Ctrl.hexinfo = hexinfo:5D437C2F1035A4F1F751E59CF10650171EF5769FCFBE438DFBC5BD8EA724100076447AB804F91DFA680E592FE2621A45DAB4C6A77B678059FC29E572DE4424EB5459F53523002ED38AAB1D9DD96C3523D1907C5EFBAE93DFFE680F716498720110D2A3B9CE9B66DB2884C83E9BEB546754874C0CA1967AF000000400 + Output = 428979EA52175DC833C04215AC6B4BA89BA4FCAA0E0FA3B4E2C0E264C5746F0A5C788F2907A2C2B90719E396B35A14C4B583C51B9911125D34100FADDC4D94C0D936263CC1EF0B0D526E3891FE1F67BCB94DEA2525B84A8E7949A4CA34F36AEEC55099BF0EC5DE24B86428F4E6E6E23FE9AA443E2BDCF25A77ECD22BF758D554 + ++Availablein = default + KDF = SSKDF + Ctrl.mac = mac:KMAC-128 + Ctrl.hexsecret = hexsecret:EAD54AE33FFAFFE7875610390ADBA9DFB291EE8C1920CB13452FDF851E0A6DBBB862FD8811F8CB29CDEC13591D8C047065FCD2 +@@ -1257,6 +1258,7 @@ 
Ctrl.hexsalt = hexsalt:00 + Ctrl.hexinfo = hexinfo:861aa2886798231259bd0314 + Output = 02cfca07797566285b38982b86762abd + ++Availablein = default + KDF = SSKDF + Ctrl.mac = mac:KMAC-128 + Ctrl.hexsalt = hexsalt:00000000 +diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt +index 831eecbac9..f18b558796 100644 +--- a/test/recipes/30-test_evp_data/evpmac_common.txt ++++ b/test/recipes/30-test_evp_data/evpmac_common.txt +@@ -399,6 +399,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C + Result = MAC_INIT_ERROR + Reason = invalid mode + ++Availablein = default + Title = KMAC Tests (From NIST) + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +@@ -409,12 +410,14 @@ Ctrl = xof:0 + OutputSize = 32 + BlockSize = 168 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Custom = "My Tagged Application" + Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -422,6 +425,7 @@ Custom = "My Tagged Application" + Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -430,12 +434,14 @@ Output = 
20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC + OutputSize = 64 + BlockSize = 136 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 + Custom = "" + Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -445,12 +451,14 @@ Ctrl = size:64 + + Title = KMAC XOF Tests (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -458,6 +466,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F 
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -466,6 +475,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F + XOF = 1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -473,6 +483,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -480,6 +491,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -490,6 +502,7 @@ XOF = 1 + + Title = KMAC long customisation string (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -500,12 +513,14 @@ XOF = 1 + + Title = KMAC XOF Tests via ctrl (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -513,6 +528,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -521,6 +537,7 @@ Output = 
47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F + Ctrl = xof:1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -528,6 +545,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -535,6 +553,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -545,6 +564,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string via ctrl (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 
9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -555,6 +575,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string negative test + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -564,6 +585,7 @@ Reason = invalid custom length + + Title = KMAC output is too large + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +-- +2.49.0 + diff --git a/openssl-FIPS-NO-PQ-ML-SLH-DSA.patch b/openssl-FIPS-NO-PQ-ML-SLH-DSA.patch new file mode 100644 index 0000000..b326b60 --- /dev/null +++ b/openssl-FIPS-NO-PQ-ML-SLH-DSA.patch 
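Review bot: The fipsprov.c hunk disables the KECCAK-KMAC digests and the KMAC-128/256 MACs by wrapping the table entries in `/* ... */` block comments, while the same patch uses `#if 0` / `#endif` for the KBKDF-KMAC self-test in self_test_data.inc; the two mechanisms should agree, and the preprocessor form is the safer one because a `*/` inside the commented region (or a later edit that adds a comment there) would silently re-enable the entries. I would replace both `/* { PROV_NAMES_KECCAK_KMAC_128, ... */` and `/*{ PROV_NAMES_KMAC_128, ... */` with `#if 0` ... `#endif`, or better a single named macro shared with self_test_data.inc so the algorithm tables and the KAT list cannot drift apart. The comment above the digest entries still says the KECCAK-KMAC hashes "are mostly useful for KMAC128 and KMAC256", which now describes entries that no longer exist; it should say why they are excluded instead. The `Availablein = default` markers in the evp test data keep the KMAC vectors runnable against the default provider, so only their FIPS-mode coverage is dropped, which is consistent with the change.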
@@ -0,0 +1,33 @@
+From 181aed0bb72694e08a87584add058db1dd562576 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Fri, 7 Mar 2025 18:24:36 -0500
+Subject: [PATCH 50/53] FIPS: NO PQ (ML/SLH-DSA)
+
+Signed-off-by: Simo Sorce
+---
+ providers/fips/self_test_data.inc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index cdba162674..136a580f25 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -3039,6 +3039,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+ #endif /* OPENSSL_NO_DSA */
+ #endif
+
++#if 0
+ #ifndef OPENSSL_NO_ML_DSA
+ {
+ OSSL_SELF_TEST_DESC_SIGN_ML_DSA,
+@@ -3083,6 +3084,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+ slh_dsa_sig_params, slh_dsa_sig_params
+ },
+ #endif /* OPENSSL_NO_SLH_DSA */
++#endif
+ };
+
+ #if !defined(OPENSSL_NO_ML_DSA)
+--
+2.49.0
+
diff --git a/openssl-FIPS-RSA-disable-shake.patch b/openssl-FIPS-RSA-disable-shake.patch
index df3a710..fd89ebc 100644
--- a/openssl-FIPS-RSA-disable-shake.patch
+++ b/openssl-FIPS-RSA-disable-shake.patch
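Review bot: The `#if 0` block removes the ML-DSA and SLH-DSA power-on KATs from `st_kat_sign_tests`, but this patch touches only self_test_data.inc, so unless a sibling patch also drops the ML-DSA/SLH-DSA entries from the FIPS provider's algorithm tables, the provider would keep offering signature algorithms that no longer have a self-test, which is the opposite of what a "NO PQ" patch should guarantee. Please either name in the commit message the patch that removes the implementations, or move that exclusion into this patch so implementation and KAT are removed together. The parameter arrays referenced only from the disabled entries (e.g. `slh_dsa_sig_params` and the key/signature vectors they point to) become unused static data; guarding their definitions with the same condition avoids unused-variable warnings and dead data in the module image. Wrapping the existing `#ifndef OPENSSL_NO_ML_DSA` region in a bare `#if 0` also hides the intent; a named macro such as `SUSE_FIPS_NO_PQ` (constructed name) would document it.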
@@ -1,72 +1,68 @@ -From 2306fde5556cbcb875d095c09fed01a0f16fe7ec Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 15:51:55 +0200 -Subject: [PATCH 40/48] 0085-FIPS-RSA-disable-shake.patch +From 63e39e25829ae04c804f1353a1774b27db2b2051 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:17 +0100 +Subject: [PATCH 29/53] FIPS: RSA: Disallow SHAKE in OAEP and PSS -Patch-name: 0085-FIPS-RSA-disable-shake.patch -Patch-id: 85 +According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms +must not be used in higher-level algorithms (such as RSA-OAEP and +RSASSA-PSS): + +"To be used in an approved mode of operation, the SHA-3 hash functions +may be implemented either as part of an approved higher-level algorithm, +for example, a digital signature algorithm, or as the standalone +functions. The SHAKE128 and SHAKE256 extendable-output functions may +only be used as the standalone algorithms." + +Add a check to prevent their use as message digest in PSS signatures and +as MGF1 hash function in both OAEP and PSS. + +Signed-off-by: Clemens Lang + +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++ + crypto/rsa/rsa_oaep.c | 16 ++++++++++++++++ crypto/rsa/rsa_pss.c | 16 ++++++++++++++++ - 2 files changed, 44 insertions(+) + 2 files changed, 32 insertions(+) diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c -index b2f7f7dc4b..af2b0b026c 100644 +index 5a1c080fcd..11cd78618b 100644 --- a/crypto/rsa/rsa_oaep.c 
+++ b/crypto/rsa/rsa_oaep.c -@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, - return 0; - #endif - } -+ -+#ifdef FIPS_MODULE -+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); -+ return 0; -+ } -+#endif +@@ -76,6 +76,14 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, if (mgf1md == NULL) mgf1md = md; +#ifdef FIPS_MODULE -+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { ++ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256") || ++ EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { + ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); + return 0; + } +#endif + - mdlen = EVP_MD_get_size(md); - if (mdlen <= 0) { - ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH); -@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, - #endif - } - -+#ifdef FIPS_MODULE -+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); -+ return -1; -+ } -+#endif -+ + #ifdef FIPS_MODULE + /* XOF are approved as standalone; Shake256 in Ed448; MGF */ + if (EVP_MD_xof(md)) { +@@ -194,6 +202,14 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, if (mgf1md == NULL) mgf1md = md; +#ifdef FIPS_MODULE -+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { ++ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256") || ++ EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { + ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); + return -1; + } +#endif + - mdlen = EVP_MD_get_size(md); - - if (tlen <= 0 || flen <= 0) + #ifdef FIPS_MODULE + /* XOF are approved as standalone; Shake256 in Ed448; MGF */ + if (EVP_MD_xof(md)) { diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c -index bb46ec64c7..c0fdf232da 100644 +index a2bc198a89..2833ca50f3 100644 
--- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c -@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, +@@ -61,6 +61,14 @@ int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, if (mgf1Hash == NULL) mgf1Hash = Hash; @@ -79,9 +75,9 @@ index bb46ec64c7..c0fdf232da 100644 +#endif + hLen = EVP_MD_get_size(Hash); - if (hLen < 0) + if (hLen <= 0) goto err; -@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, +@@ -186,6 +194,14 @@ int ossl_rsa_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, if (mgf1Hash == NULL) mgf1Hash = Hash; @@ -94,8 +90,8 @@ index bb46ec64c7..c0fdf232da 100644 +#endif + hLen = EVP_MD_get_size(Hash); - if (hLen < 0) + if (hLen <= 0) goto err; -- -2.41.0 +2.49.0 diff --git a/openssl-FIPS-RSA-encapsulate.patch b/openssl-FIPS-RSA-encapsulate.patch index 3e87529..70b3cbb 100644 --- a/openssl-FIPS-RSA-encapsulate.patch +++ b/openssl-FIPS-RSA-encapsulate.patch @@ -9,15 +9,14 @@ Patch-id: 91 providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) -diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c -index 365ae3d7d6..8a6f585d0b 100644 ---- a/providers/implementations/kem/rsa_kem.c -+++ b/providers/implementations/kem/rsa_kem.c -@@ -265,6 +265,14 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx, - *secretlen = nlen; - return 1; +Index: openssl-3.2.4/providers/implementations/kem/rsa_kem.c +=================================================================== +--- openssl-3.2.4.orig/providers/implementations/kem/rsa_kem.c ++++ openssl-3.2.4/providers/implementations/kem/rsa_kem.c +@@ -276,6 +276,13 @@ static int rsasve_generate(PROV_RSA_CTX + return 0; } -+ + +#ifdef FIPS_MODULE + if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) { + ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); 
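Review bot: In the rewritten rsa_oaep.c hunks the `EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")` half of the new condition duplicates the upstream `#ifdef FIPS_MODULE` / `if (EVP_MD_xof(md))` check that immediately follows it in both `ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex` and `RSA_padding_check_PKCS1_OAEP_mgf1`; only the `mgf1md` half adds anything on this base, assuming that upstream check rejects SHAKE as the message digest. I would reduce the added block to the MGF1 case and test the XOF property rather than two digest names, `if (EVP_MD_xof(mgf1md)) { ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); return 0; }` (returning -1 in the check function, as the hunk already does), so that any other XOF registered under a different name is rejected as well. The upstream comment directly below, "XOF are approved as standalone; Shake256 in Ed448; MGF", still lists MGF as an approved XOF use and now contradicts the patch; it should be adjusted in the same hunk. The rsa_pss.c hunks only re-base the header lines and the `hLen <= 0` context, so the check added there is unchanged from the previous version.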
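Review bot: The refreshed patch switches its file header from `diff --git` / `index` to the quilt-style `Index: openssl-3.2.4/...` / `===` form while keeping the git-format-patch preamble (`Patch-id: 91` and the diffstat), and the `openssl-3.2.4` prefix suggests it was regenerated against a 3.2 tree rather than the 3.5.0-beta1 base that the SUSE-FIPS-module-version patch in this same commit uses. The prefix is harmless to `patch -p1`, but mixing the two header styles inside one series makes it hard to tell which patches have actually been rebased; regenerating this one with `git format-patch` against the current base would keep the series uniform. The added `nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8` check in `rsasve_generate` itself is unchanged from the previous version, so this is a presentation point only.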
@@ -28,7 +27,7 @@ index 365ae3d7d6..8a6f585d0b 100644 /* * Step (2): Generate a random byte string z of nlen bytes where * 1 < z < n - 1 -@@ -308,6 +316,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx, +@@ -337,6 +344,13 @@ static int rsasve_recover(PROV_RSA_CTX * return 1; } @@ -39,9 +38,6 @@ index 365ae3d7d6..8a6f585d0b 100644 + } +#endif + - /* Step (2): check the input ciphertext 'inlen' matches the nlen */ - if (inlen != nlen) { - ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); --- -2.41.0 - + /* + * Step (2): check the input ciphertext 'inlen' matches the nlen + * and that outlen is at least nlen bytes diff --git a/openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch b/openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch index 69a1f6c..f1b73ee 100644 --- a/openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch +++ b/openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch @@ -1,7 +1,7 @@ -From 4de5fa26873297f5c2eeed53e5c988437f837f55 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 17 Nov 2022 13:53:31 +0100 -Subject: [PATCH] signature: Remove X9.31 padding from FIPS prov +From 0010acdf5d7c1a1285189c36fa2fc46bea93cee8 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:16 +0100 +Subject: [PATCH 32/53] FIPS: RSA: Remove X9.31 padding signatures tests The current draft of FIPS 186-5 [1] no longer contains specifications for X9.31 signature padding. Instead, it contains the following @@ -21,49 +21,32 @@ now. [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf 
Signed-off-by: Clemens Lang ---- - providers/implementations/signature/rsa_sig.c | 6 + - test/acvp_test.inc | 214 ------------------ - 2 files changed, 6 insertions(+), 214 deletions(-) -Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c -@@ -1250,7 +1250,13 @@ static int rsa_set_ctx_params(void *vprs - err_extra_text = "No padding not allowed with RSA-PSS"; - goto cont; - case RSA_X931_PADDING: -+#ifndef FIPS_MODULE - err_extra_text = "X.931 padding not allowed with RSA-PSS"; -+#else /* !defined(FIPS_MODULE) */ -+ err_extra_text = "X.931 padding no longer allowed in FIPS mode," -+ " since it was removed from FIPS 186-5"; -+ goto bad_pad; -+#endif /* !defined(FIPS_MODULE) */ - cont: - if (RSA_test_flags(prsactx->rsa, - RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA) -Index: openssl-3.1.4/test/acvp_test.inc -=================================================================== ---- openssl-3.1.4.orig/test/acvp_test.inc -+++ openssl-3.1.4/test/acvp_test.inc -@@ -1214,13 +1214,6 @@ static const struct rsa_siggen_st rsa_si +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + test/acvp_test.inc | 225 --------------------------------------------- + 1 file changed, 225 deletions(-) + +diff --git a/test/acvp_test.inc b/test/acvp_test.inc +index 97ec1ff3e5..31fa0eafc6 100644 +--- a/test/acvp_test.inc ++++ b/test/acvp_test.inc +@@ -1354,13 +1354,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = { + ITM(rsa_siggen0_msg), NO_PSS_SALT_LEN, }, - { +- { - "x931", - 2048, - "SHA384", - ITM(rsa_siggen0_msg), - NO_PSS_SALT_LEN, - }, -- { + { "pss", 2048, - "SHA384", -@@ -1631,202 +1624,6 @@ static const unsigned char rsa_sigverpss - 0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b, +@@ -1772,202 +1765,6 @@ static const unsigned char 
rsa_sigverpss_1_sig[] = { + 0xe9, 0x97, 0x20, 0x35, 0xf8, 0xf1, 0x78, 0xe1 }; -static const unsigned char rsa_sigverx931_0_n[] = { @@ -265,7 +248,7 @@ Index: openssl-3.1.4/test/acvp_test.inc static const struct rsa_sigver_st rsa_sigver_data[] = { { "pkcs1", /* pkcs1v1.5 */ -@@ -1850,28 +1647,6 @@ static const struct rsa_sigver_st rsa_si +@@ -1991,28 +1788,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = { NO_PSS_SALT_LEN, FAIL }, @@ -294,3 +277,6 @@ Index: openssl-3.1.4/test/acvp_test.inc { "pss", 4096, +-- +2.49.0 + diff --git a/openssl-FIPS-release_num_in_version_string.patch b/openssl-FIPS-SUSE-FIPS-module-version.patch similarity index 57% rename from openssl-FIPS-release_num_in_version_string.patch rename to openssl-FIPS-SUSE-FIPS-module-version.patch index bf852d1..0150f12 100644 --- a/openssl-FIPS-release_num_in_version_string.patch +++ b/openssl-FIPS-SUSE-FIPS-module-version.patch 
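Review bot: The refreshed patch drops the rsa_sig.c hunk that the previous version carried, the `#ifdef FIPS_MODULE` branch in `rsa_set_ctx_params` that turned `RSA_X931_PADDING` into a `bad_pad` error, and now only deletes the X9.31 ACVP vectors from test/acvp_test.inc, yet the description still argues that X9.31 padding was removed from FIPS 186-5 and should be disallowed. Unless the 3.5 base or another patch in this series already rejects X9.31 in the FIPS provider, this leaves the padding mode accepted but no longer tested, which is the worst combination: no ACVP coverage and no enforcement. Either restore the enforcement hunk against the new base or state explicitly in the commit message where the rejection now lives, and make the description match the new subject "Remove X9.31 padding signatures tests" if tests are indeed all that changes.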
@@ -1,27 +1,29 @@ -Index: openssl-3.1.4/providers/fips/fipsprov.c +Index: openssl-3.5.0-beta1/providers/fips/fipsprov.c =================================================================== ---- openssl-3.1.4.orig/providers/fips/fipsprov.c -+++ openssl-3.1.4/providers/fips/fipsprov.c -@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p +--- openssl-3.5.0-beta1.orig/providers/fips/fipsprov.c ++++ openssl-3.5.0-beta1/providers/fips/fipsprov.c +@@ -195,18 +195,21 @@ static const OSSL_PARAM *fips_gettable_p static int fips_get_params(void *provctx, OSSL_PARAM params[]) { -+#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE ++ #define SUSE_FIPS_VENDOR "SUSE Linux Enterprise - OpenSSL FIPS Provider" ++ #define SUSE_FIPS_VERSION "SUSE Release" ++ OSSL_PARAM *p; FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), OSSL_LIB_CTX_FIPS_PROV_INDEX); p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); -- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) -+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider")) +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, FIPS_VENDOR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_FIPS_VENDOR)) return 0; p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); - if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) -+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_FIPS_VERSION)) return 0; p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO); - if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR)) -+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_FIPS_VERSION)) return 0; p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) 
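Review bot: `SUSE_FIPS_VERSION` is now the fixed literal "SUSE Release" and is returned for both `OSSL_PROV_PARAM_VERSION` and `OSSL_PROV_PARAM_BUILDINFO`, replacing the previous `OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE`; the provider's reported version therefore no longer identifies which module build is loaded, which is exactly what an operator verifying a deployment against the validation certificate (or reading `openssl list -providers`) relies on. If the intent is that the validated module name must stay fixed, keep `SUSE_FIPS_VENDOR` constant but derive the version from the actual release, e.g. `#define SUSE_FIPS_VERSION OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE` as the old patch did, and give BUILDINFO the full build string rather than the same literal. The two `#define`s are also placed inside the body of `fips_get_params` with a leading indent; file-scope definitions next to the other provider constants would be the conventional spot. The enclosing function continues outside the hunk.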
diff --git a/openssl-FIPS-Use-FFDHE2048-in-self-test.patch b/openssl-FIPS-Use-FFDHE2048-in-self-test.patch deleted file mode 100644 index 4e5d3dc..0000000 --- a/openssl-FIPS-Use-FFDHE2048-in-self-test.patch +++ /dev/null 
@@ -1,378 +0,0 @@ -From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Fri, 22 Jul 2022 17:51:16 +0200 -Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test - -Signed-off-by: Clemens Lang ---- - providers/fips/self_test_data.inc | 342 +++++++++++++++--------------- - 1 file changed, 172 insertions(+), 170 deletions(-) - -diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc -index a29cc650b5..1b5623833f 100644 ---- a/providers/fips/self_test_data.inc -+++ b/providers/fips/self_test_data.inc -@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] = - - #ifndef OPENSSL_NO_DH - /* DH KAT */ -+/* RFC7919 FFDHE2048 p */ - static const unsigned char dh_p[] = { -- 0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25, -- 0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0, -- 0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66, -- 0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b, -- 0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe, -- 0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce, -- 0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d, -- 0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d, -- 0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde, -- 0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb, -- 0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17, -- 0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0, -- 0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97, -- 0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9, -- 0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7, -- 0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1, -- 0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d, -- 0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82, -- 0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4, -- 0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c, -- 0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b, -- 0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50, -- 0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31, -- 0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44, -- 0xb9, 0x46, 0xfe, 
0x9d, 0xf6, 0x77, 0xa0, 0xc5, -- 0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80, -- 0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12, -- 0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94, -- 0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7, -- 0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1, -- 0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d, -- 0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69 --}; -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, -+ 0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a, -+ 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1, -+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, -+ 0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb, -+ 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9, -+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, -+ 0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a, -+ 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61, -+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, -+ 0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3, -+ 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35, -+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, -+ 0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72, -+ 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35, -+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, -+ 0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61, -+ 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb, -+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, -+ 0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4, -+ 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19, -+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, -+ 0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec, -+ 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61, -+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, -+ 0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83, -+ 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73, -+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, -+ 0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2, -+ 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa, -+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, -+ 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff -+}; -+/* RFC7919 FFDHE2048 q */ - static const unsigned char dh_q[] = { -- 0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e, -- 0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83, -- 0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea, -- 0x11, 0xac, 0xb5, 0x7d --}; -+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, -+ 0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d, -+ 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78, -+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, -+ 0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd, -+ 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c, -+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, -+ 0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd, -+ 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0, -+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, -+ 0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79, -+ 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a, -+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, -+ 0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39, -+ 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a, -+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, -+ 0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0, -+ 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd, -+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, -+ 0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa, -+ 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c, -+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, -+ 0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76, -+ 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0, -+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, -+ 0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1, -+ 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9, -+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, -+ 0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9, -+ 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd, -+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -+}; -+/* RFC7919 FFDHE2048 g */ - static const unsigned char dh_g[] = { -- 0x5e, 0xf7, 
0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39, -- 0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f, -- 0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0, -- 0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f, -- 0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f, -- 0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a, -- 0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4, -- 0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c, -- 0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20, -- 0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25, -- 0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53, -- 0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9, -- 0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc, -- 0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9, -- 0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43, -- 0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86, -- 0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16, -- 0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40, -- 0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23, -- 0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa, -- 0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6, -- 0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2, -- 0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61, -- 0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a, -- 0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef, -- 0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f, -- 0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3, -- 0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a, -- 0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4, -- 0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74, -- 0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4, -- 0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32 -+ 0x02 - }; - static const unsigned char dh_priv[] = { -- 0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a, -- 0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70, -- 0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15, -- 0x40, 0xb8, 0xfc, 0xe6 -+ 0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f, -+ 0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d, -+ 0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 
0x8d, -+ 0x6c, 0xdc, 0x5d, 0x6e, 0x94 - }; - static const unsigned char dh_pub[] = { -- 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04, -- 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69, -- 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59, -- 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b, -- 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c, -- 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21, -- 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06, -- 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb, -- 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2, -- 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0, -- 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83, -- 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90, -- 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2, -- 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7, -- 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0, -- 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88, -- 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb, -- 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a, -- 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97, -- 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d, -- 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf, -- 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e, -- 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f, -- 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d, -- 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1, -- 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c, -- 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47, -- 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e, -- 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f, -- 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9, -- 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c, -- 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3 -+ 0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05, -+ 0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f, -+ 0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43, -+ 0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23, -+ 0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a, -+ 0x1a, 0x03, 0x9e, 0x5f, 
0xd1, 0x4e, 0xa0, 0x0b, -+ 0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c, -+ 0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63, -+ 0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38, -+ 0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6, -+ 0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a, -+ 0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94, -+ 0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92, -+ 0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44, -+ 0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53, -+ 0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13, -+ 0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30, -+ 0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b, -+ 0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01, -+ 0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d, -+ 0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18, -+ 0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81, -+ 0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f, -+ 0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7, -+ 0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39, -+ 0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed, -+ 0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71, -+ 0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce, -+ 0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04, -+ 0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69, -+ 0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed, -+ 0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2, -+ 0x32 - }; - static const unsigned char dh_peer_pub[] = { -- 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a, -- 0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d, -- 0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58, -- 0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32, -- 0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb, -- 0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0, -- 0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0, -- 0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc, -- 0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1, -- 0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e, -- 0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97, -- 0x70, 0x42, 0xc7, 0xe3, 
0xd0, 0x44, 0x8f, 0x05, -- 0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3, -- 0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f, -- 0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7, -- 0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1, -- 0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96, -- 0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf, -- 0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22, -- 0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98, -- 0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42, -- 0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c, -- 0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde, -- 0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20, -- 0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22, -- 0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3, -- 0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3, -- 0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2, -- 0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00, -- 0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51, -- 0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f, -- 0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b -+ 0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79, -+ 0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda, -+ 0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29, -+ 0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84, -+ 0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57, -+ 0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5, -+ 0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68, -+ 0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c, -+ 0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6, -+ 0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20, -+ 0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d, -+ 0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3, -+ 0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a, -+ 0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77, -+ 0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73, -+ 0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53, -+ 0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1, -+ 0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05, -+ 0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 
0x59, 0x7a, -+ 0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5, -+ 0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9, -+ 0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91, -+ 0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31, -+ 0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f, -+ 0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4, -+ 0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e, -+ 0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59, -+ 0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84, -+ 0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a, -+ 0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd, -+ 0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2, -+ 0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87, -+ 0x64 - }; - - static const unsigned char dh_secret_expected[] = { -- 0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a, -- 0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a, -- 0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c, -- 0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe, -- 0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2, -- 0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21, -- 0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53, -- 0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd, -- 0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87, -- 0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4, -- 0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d, -- 0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd, -- 0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33, -- 0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe, -- 0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a, -- 0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73, -- 0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad, -- 0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0, -- 0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79, -- 0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9, -- 0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2, -- 0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6, -- 0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae, -- 0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57, -- 0x0f, 0x18, 0xc8, 0x1f, 
0x2b, 0xe5, 0xd0, 0x1a, -- 0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63, -- 0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9, -- 0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86, -- 0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5, -- 0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00, -- 0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52, -- 0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6 -+ 0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5, -+ 0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5, -+ 0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93, -+ 0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5, -+ 0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e, -+ 0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39, -+ 0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04, -+ 0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d, -+ 0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c, -+ 0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47, -+ 0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae, -+ 0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08, -+ 0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19, -+ 0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8, -+ 0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f, -+ 0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e, -+ 0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2, -+ 0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d, -+ 0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4, -+ 0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4, -+ 0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66, -+ 0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46, -+ 0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0, -+ 0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70, -+ 0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c, -+ 0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f, -+ 0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25, -+ 0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc, -+ 0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02, -+ 0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04, -+ 0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1, -+ 0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 
0x0c, 0x89 - }; - - static const ST_KAT_PARAM dh_group[] = { --- -2.35.3 - diff --git a/openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch b/openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch index e466173..b6e7ee3 100644 --- a/openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +++ b/openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch 
@@ -1,350 +1,387 @@ -From abeda0b0475adb0d4f89b0c97cfc349779915bbf Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 -Subject: [PATCH 29/35] - 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +From 4b5430728a7a3f7b4d60a15c5ee1ce6632fa6fb3 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Wed, 12 Feb 2025 17:12:02 -0500 +Subject: [PATCH 33/53] FIPS: RSA: NEEDS-REWORK: + FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed -Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch -Patch-id: 73 -Patch-status: | - # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +Signed-off-by: Simo Sorce --- - crypto/rsa/rsa_local.h | 8 ++ - crypto/rsa/rsa_oaep.c | 34 ++++++-- - include/openssl/core_names.h | 3 + - providers/fips/self_test_data.inc | 79 ++++++++++--------- - providers/fips/self_test_kats.c | 7 ++ - .../implementations/asymciphers/rsa_enc.c | 41 +++++++++- - 6 files changed, 128 insertions(+), 44 deletions(-) + ...EP-in-KATs-support-fixed-OAEP-seed.p.patch | 348 ++++++++++++++++++ + REBASE.txt | 10 + + 2 files changed, 358 insertions(+) + create mode 100644 Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch + create mode 100644 REBASE.txt -diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h -index ea70da05ad..dde57a1a0e 100644 ---- a/crypto/rsa/rsa_local.h -+++ b/crypto/rsa/rsa_local.h -@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to - int tlen, const unsigned char *from, - int flen); - -+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, -+ unsigned char *to, int tlen, -+ const unsigned char *from, int flen, -+ const unsigned char *param, -+ int plen, const EVP_MD *md, -+ const EVP_MD *mgf1md, -+ const char *suse_st_seed); +diff --git a/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch 
b/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch +new file mode 100644 +index 0000000000..793b8a4dac +--- /dev/null ++++ b/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch +@@ -0,0 +1,348 @@ ++From a0e92712c141cda0b8321feb492982506b18c612 Mon Sep 17 00:00:00 2001 ++From: rpm-build ++Date: Wed, 6 Mar 2024 19:17:15 +0100 ++Subject: [PATCH 28/55] ++ 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch + - #endif /* OSSL_CRYPTO_RSA_LOCAL_H */ -diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c -index d9be1a4f98..b2f7f7dc4b 100644 ---- a/crypto/rsa/rsa_oaep.c -+++ b/crypto/rsa/rsa_oaep.c -@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, - param, plen, NULL, NULL); - } - -+#ifdef FIPS_MODULE -+extern int SUSE_FIPS_asym_cipher_st; -+#endif /* FIPS_MODULE */ ++Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch ++Patch-id: 73 ++Patch-status: | ++ # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 ++From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce ++--- ++ crypto/rsa/rsa_local.h | 8 ++ ++ crypto/rsa/rsa_oaep.c | 34 ++++++-- ++ providers/fips/self_test_data.inc | 79 ++++++++++--------- ++ providers/fips/self_test_kats.c | 7 ++ ++ .../implementations/asymciphers/rsa_enc.c | 41 +++++++++- ++ util/perl/OpenSSL/paramnames.pm | 1 + ++ 6 files changed, 126 insertions(+), 44 deletions(-) + - /* - * Perform the padding as per NIST 800-56B 7.2.2.3 - * from (K) is the key material. -@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, - * Step numbers are included here but not in the constant time inverse below - * to avoid complicating an already difficult enough function. 
- */ --int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, -- unsigned char *to, int tlen, -- const unsigned char *from, int flen, -- const unsigned char *param, -- int plen, const EVP_MD *md, -- const EVP_MD *mgf1md) -+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, -+ unsigned char *to, int tlen, -+ const unsigned char *from, int flen, -+ const unsigned char *param, -+ int plen, const EVP_MD *md, -+ const EVP_MD *mgf1md, -+ const char *suse_st_seed) - { - int rv = 0; - int i, emlen = tlen - 1; -@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, - db[emlen - flen - mdlen - 1] = 0x01; - memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); - /* step 3d: generate random byte string */ -+#ifdef FIPS_MODULE -+ if (suse_st_seed != NULL && SUSE_FIPS_asym_cipher_st) { -+ memcpy(seed, suse_st_seed, mdlen); -+ } else -+#endif - if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0) - goto err; - -@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, - return rv; - } - -+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, -+ unsigned char *to, int tlen, -+ const unsigned char *from, int flen, -+ const unsigned char *param, -+ int plen, const EVP_MD *md, -+ const EVP_MD *mgf1md) -+{ -+ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from, -+ flen, param, plen, md, -+ mgf1md, NULL); -+} ++diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h ++index ea70da05ad..dde57a1a0e 100644 ++--- a/crypto/rsa/rsa_local.h +++++ b/crypto/rsa/rsa_local.h ++@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to ++ int tlen, const unsigned char *from, ++ int flen); ++ +++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, +++ unsigned char *to, int tlen, +++ const unsigned char *from, int flen, +++ const unsigned char *param, +++ int plen, const EVP_MD *md, +++ const EVP_MD *mgf1md, +++ const 
char *redhat_st_seed); +++ ++ #endif /* OSSL_CRYPTO_RSA_LOCAL_H */ ++diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c ++index b9030440c4..3d665c3860 100644 ++--- a/crypto/rsa/rsa_oaep.c +++++ b/crypto/rsa/rsa_oaep.c ++@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, ++ param, plen, NULL, NULL); ++ } ++ +++#ifdef FIPS_MODULE +++extern int REDHAT_FIPS_asym_cipher_st; +++#endif /* FIPS_MODULE */ +++ ++ /* ++ * Perform the padding as per NIST 800-56B 7.2.2.3 ++ * from (K) is the key material. ++@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, ++ * Step numbers are included here but not in the constant time inverse below ++ * to avoid complicating an already difficult enough function. ++ */ ++-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, ++- unsigned char *to, int tlen, ++- const unsigned char *from, int flen, ++- const unsigned char *param, ++- int plen, const EVP_MD *md, ++- const EVP_MD *mgf1md) +++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, +++ unsigned char *to, int tlen, +++ const unsigned char *from, int flen, +++ const unsigned char *param, +++ int plen, const EVP_MD *md, +++ const EVP_MD *mgf1md, +++ const char *redhat_st_seed) ++ { ++ int rv = 0; ++ int i, emlen = tlen - 1; ++@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, ++ db[emlen - flen - mdlen - 1] = 0x01; ++ memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); ++ /* step 3d: generate random byte string */ +++#ifdef FIPS_MODULE +++ if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) { +++ memcpy(seed, redhat_st_seed, mdlen); +++ } else +++#endif ++ if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0) ++ goto err; ++ ++@@ -136,6 +146,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, ++ return rv; ++ } ++ +++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, +++ unsigned char *to, int tlen, +++ const unsigned 
char *from, int flen, +++ const unsigned char *param, +++ int plen, const EVP_MD *md, +++ const EVP_MD *mgf1md) +++{ +++ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from, +++ flen, param, plen, md, +++ mgf1md, NULL); +++} +++ ++ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, int plen, ++diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc ++index 4b80bb70b9..c33ecd0791 100644 ++--- a/providers/fips/self_test_data.inc +++++ b/providers/fips/self_test_data.inc ++@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = { ++ }; ++ ++ /*- ++- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the +++ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the ++ * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient ++ * HP/UX PA-RISC compilers. ++ */ ++-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; +++static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP; +++static const char oaep_fixed_seed[] = { +++ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25, +++ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab, +++ 0x2e, 0x4b, 0x2c, 0xe6 +++}; ++ ++ static const ST_KAT_PARAM rsa_enc_params[] = { ++- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), +++ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep), +++ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, +++ oaep_fixed_seed), ++ ST_KAT_PARAM_END() ++ }; ++ ++@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = { ++ 0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6 ++ }; ++ ++-static const unsigned char rsa_asym_plaintext_encrypt[256] = { +++static const unsigned char rsa_asym_plaintext_encrypt[208] = { ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, ++ }; ++ static const unsigned char 
rsa_asym_expected_encrypt[256] = { ++- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b, ++- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61, ++- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c, ++- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc, ++- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0, ++- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa, ++- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a, ++- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc, ++- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35, ++- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a, ++- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd, ++- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda, ++- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18, ++- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7, ++- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39, ++- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87, ++- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21, ++- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0, ++- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8, ++- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c, ++- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa, ++- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69, ++- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52, ++- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c, ++- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6, ++- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93, ++- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d, ++- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5, ++- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9, ++- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04, ++- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa, ++- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab, +++ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74, +++ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c, +++ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e, +++ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b, +++ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25, +++ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 
0xa2, 0x89, +++ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1, +++ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50, +++ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17, +++ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2, +++ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb, +++ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d, +++ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e, +++ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f, +++ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3, +++ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06, +++ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25, +++ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78, +++ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04, +++ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c, +++ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47, +++ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce, +++ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0, +++ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6, +++ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99, +++ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30, +++ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20, +++ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb, +++ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27, +++ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66, +++ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a, +++ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06 ++ }; ++ ++ #ifndef OPENSSL_NO_EC ++diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c ++index f13c41abd6..4ea10670c0 100644 ++--- a/providers/fips/self_test_kats.c +++++ b/providers/fips/self_test_kats.c ++@@ -642,14 +642,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) ++ return ret; ++ } ++ +++int REDHAT_FIPS_asym_cipher_st = 0; +++ ++ static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) ++ { ++ int i, ret = 1; ++ +++ REDHAT_FIPS_asym_cipher_st = 1; +++ ++ for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) { ++ if 
(!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx)) ++ ret = 0; ++ } +++ +++ REDHAT_FIPS_asym_cipher_st = 0; +++ ++ return ret; ++ } ++ ++diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c ++index d548560f1f..f3443b0c66 100644 ++--- a/providers/implementations/asymciphers/rsa_enc.c +++++ b/providers/implementations/asymciphers/rsa_enc.c ++@@ -30,6 +30,9 @@ ++ #include "prov/implementations.h" ++ #include "prov/providercommon.h" ++ #include "prov/securitycheck.h" +++#ifdef FIPS_MODULE +++# include "crypto/rsa/rsa_local.h" +++#endif ++ ++ #include ++ ++@@ -75,6 +78,9 @@ typedef struct { ++ /* TLS padding */ ++ unsigned int client_version; ++ unsigned int alt_version; +++#ifdef FIPS_MODULE +++ char *redhat_st_oaep_seed; +++#endif /* FIPS_MODULE */ ++ /* PKCS#1 v1.5 decryption mode */ ++ unsigned int implicit_rejection; ++ } PROV_RSA_CTX; ++@@ -193,12 +199,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, ++ } ++ } ++ ret = ++- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, +++#ifdef FIPS_MODULE +++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2( +++#else +++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex( +++#endif +++ prsactx->libctx, tbuf, ++ rsasize, in, inlen, ++ prsactx->oaep_label, ++ prsactx->oaep_labellen, ++ prsactx->oaep_md, ++- prsactx->mgf1_md); +++ prsactx->mgf1_md +++#ifdef FIPS_MODULE +++ , prsactx->redhat_st_oaep_seed +++#endif +++ ); ++ ++ if (!ret) { ++ OPENSSL_free(tbuf); ++@@ -332,6 +347,9 @@ static void rsa_freectx(void *vprsactx) ++ EVP_MD_free(prsactx->oaep_md); ++ EVP_MD_free(prsactx->mgf1_md); ++ OPENSSL_free(prsactx->oaep_label); +++#ifdef FIPS_MODULE +++ OPENSSL_free(prsactx->redhat_st_oaep_seed); +++#endif /* FIPS_MODULE */ ++ ++ OPENSSL_free(prsactx); ++ } ++@@ -455,6 +473,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { ++ NULL, 0), ++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), ++ 
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), +++#ifdef FIPS_MODULE +++ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), +++#endif /* FIPS_MODULE */ ++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), ++ OSSL_PARAM_END ++ }; ++@@ -465,6 +486,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, ++ return known_gettable_ctx_params; ++ } ++ +++#ifdef FIPS_MODULE +++extern int REDHAT_FIPS_asym_cipher_st; +++#endif /* FIPS_MODULE */ +++ ++ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) ++ { ++ PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; ++@@ -576,6 +601,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) ++ prsactx->oaep_labellen = tmp_labellen; ++ } ++ +++#ifdef FIPS_MODULE +++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED); +++ if (p != NULL && REDHAT_FIPS_asym_cipher_st) { +++ void *tmp_oaep_seed = NULL; +++ +++ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL)) +++ return 0; +++ OPENSSL_free(prsactx->redhat_st_oaep_seed); +++ prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed; +++ } +++#endif /* FIPS_MODULE */ +++ ++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION); ++ if (p != NULL) { ++ unsigned int client_version; ++diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm ++index c37ed7815f..70f7c50fe4 100644 ++--- a/util/perl/OpenSSL/paramnames.pm +++++ b/util/perl/OpenSSL/paramnames.pm ++@@ -401,6 +401,7 @@ my %params = ( ++ 'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version", ++ 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", ++ 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", +++ 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed", ++ ++ # Encoder / decoder parameters ++ ++-- ++2.48.1 + - int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char 
*to, int tlen, - const unsigned char *from, int flen, - const unsigned char *param, int plen, -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 5e3c132f5b..c0cce14297 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -471,6 +471,9 @@ extern "C" { - #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" - #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" - #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" -+#ifdef FIPS_MODULE -+#define OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED "suse-kat-oaep-seed" -+#endif - - /* - * Encoder / decoder parameters -diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc -index e0fdc0daa4..aa2012c04a 100644 ---- a/providers/fips/self_test_data.inc -+++ b/providers/fips/self_test_data.inc -@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = { - }; - - /*- -- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the -+ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the - * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient - * HP/UX PA-RISC compilers. 
- */ --static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; -+static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP; -+static const char oaep_fixed_seed[] = { -+ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25, -+ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab, -+ 0x2e, 0x4b, 0x2c, 0xe6 -+}; - - static const ST_KAT_PARAM rsa_enc_params[] = { -- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), -+ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep), -+ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED, -+ oaep_fixed_seed), - ST_KAT_PARAM_END() - }; - -@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = { - 0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6 - }; - --static const unsigned char rsa_asym_plaintext_encrypt[256] = { -+static const unsigned char rsa_asym_plaintext_encrypt[208] = { - 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, - 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, - }; - static const unsigned char rsa_asym_expected_encrypt[256] = { -- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b, -- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61, -- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c, -- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc, -- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0, -- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa, -- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a, -- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc, -- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35, -- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a, -- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd, -- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda, -- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18, -- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7, -- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39, -- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87, -- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21, -- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0, -- 0xbb, 0xc8, 
0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8, -- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c, -- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa, -- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69, -- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52, -- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c, -- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6, -- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93, -- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d, -- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5, -- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9, -- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04, -- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa, -- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab, -+ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74, -+ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c, -+ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e, -+ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b, -+ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25, -+ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89, -+ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1, -+ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50, -+ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17, -+ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2, -+ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb, -+ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d, -+ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e, -+ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f, -+ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3, -+ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06, -+ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25, -+ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78, -+ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04, -+ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c, -+ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47, -+ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce, -+ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0, -+ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6, -+ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99, -+ 0xde, 0xfa, 0xde, 
0x11, 0x16, 0xa2, 0x18, 0x30, -+ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20, -+ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb, -+ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27, -+ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66, -+ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a, -+ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06 - }; - - #ifndef OPENSSL_NO_EC -diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c -index 74ee25dcb6..a9bc8be7fa 100644 ---- a/providers/fips/self_test_kats.c -+++ b/providers/fips/self_test_kats.c -@@ -641,14 +641,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) - return ret; - } - -+int SUSE_FIPS_asym_cipher_st = 0; +diff --git a/REBASE.txt b/REBASE.txt +new file mode 100644 +index 0000000000..2833a383c1 +--- /dev/null ++++ b/REBASE.txt +@@ -0,0 +1,10 @@ ++0028-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch + - static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) - { - int i, ret = 1; - -+ SUSE_FIPS_asym_cipher_st = 1; ++Some asym testing has been dropped upstream, unclear if this needs to survive, ++if so we may need to resurrect deleted code in upstream patch: + - for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) { - if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx)) - ret = 0; - } ++ commit 635bf4946a7e948f26a348ddc3b5a8d282354f64 + -+ SUSE_FIPS_asym_cipher_st = 0; ++ fips: remove redundant RSA encrypt/decrypt KAT ++-- + - return ret; - } - -diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c -index 9cd8904131..40de5ce8fa 100644 ---- a/providers/implementations/asymciphers/rsa_enc.c -+++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -30,6 +30,9 @@ - #include "prov/implementations.h" - #include "prov/providercommon.h" - #include "prov/securitycheck.h" -+#ifdef FIPS_MODULE -+# include "crypto/rsa/rsa_local.h" -+#endif - - #include - -@@ -75,6 
+78,9 @@ typedef struct { - /* TLS padding */ - unsigned int client_version; - unsigned int alt_version; -+#ifdef FIPS_MODULE -+ char *suse_st_oaep_seed; -+#endif /* FIPS_MODULE */ - } PROV_RSA_CTX; - - static void *rsa_newctx(void *provctx) -@@ -192,12 +198,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, - } - } - ret = -- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, -+#ifdef FIPS_MODULE -+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2( -+#else -+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex( -+#endif -+ prsactx->libctx, tbuf, - rsasize, in, inlen, - prsactx->oaep_label, - prsactx->oaep_labellen, - prsactx->oaep_md, -- prsactx->mgf1_md); -+ prsactx->mgf1_md -+#ifdef FIPS_MODULE -+ , prsactx->suse_st_oaep_seed -+#endif -+ ); - - if (!ret) { - OPENSSL_free(tbuf); -@@ -328,6 +343,9 @@ static void rsa_freectx(void *vprsactx) - EVP_MD_free(prsactx->oaep_md); - EVP_MD_free(prsactx->mgf1_md); - OPENSSL_free(prsactx->oaep_label); -+#ifdef FIPS_MODULE -+ OPENSSL_free(prsactx->suse_st_oaep_seed); -+#endif /* FIPS_MODULE */ - - OPENSSL_free(prsactx); - } -@@ -447,6 +465,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { - NULL, 0), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED, NULL, 0), -+#endif /* FIPS_MODULE */ - OSSL_PARAM_END - }; - -@@ -456,6 +477,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, - return known_gettable_ctx_params; - } - -+#ifdef FIPS_MODULE -+extern int SUSE_FIPS_asym_cipher_st; -+#endif /* FIPS_MODULE */ -+ - static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) - { - PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; -@@ -567,6 +592,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) - prsactx->oaep_labellen = tmp_labellen; - } - -+#ifdef 
FIPS_MODULE -+ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED); -+ if (p != NULL && SUSE_FIPS_asym_cipher_st) { -+ void *tmp_oaep_seed = NULL; -+ -+ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL)) -+ return 0; -+ OPENSSL_free(prsactx->suse_st_oaep_seed); -+ prsactx->suse_st_oaep_seed = (char *)tmp_oaep_seed; -+ } -+#endif /* FIPS_MODULE */ -+ - p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION); - if (p != NULL) { - unsigned int client_version; -- -2.41.0 +2.49.0 diff --git a/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch b/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch deleted file mode 100644 index f1b6ef7..0000000 --- a/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +++ /dev/null 
@@ -1,309 +0,0 @@ -From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Fri, 15 Jul 2022 17:45:40 +0200 -Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test - -In review for FIPS 140-3, the lack of a self-test for the digest_sign -and digest_verify provider functions was highlighted as a problem. NIST -no longer provides ACVP tests for the RSA SigVer primitive (see -https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3 -recommends the use of functions that compute the digest and signature -within the module, we have been advised in our module review that the -self tests should also use the combined digest and signature APIs, i.e. -the digest_sign and digest_verify provider functions. - -Modify the signature self-test to use these instead by switching to -EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to -crypto/evp/m_sigver.c to make these functions usable in the FIPS module. - -Signed-off-by: Clemens Lang ---- - crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------ - providers/fips/self_test_kats.c | 37 +++++++++++++++------------- - 2 files changed, 56 insertions(+), 24 deletions(-) - -Index: openssl-3.1.4/crypto/evp/m_sigver.c -=================================================================== ---- openssl-3.1.4.orig/crypto/evp/m_sigver.c -+++ openssl-3.1.4/crypto/evp/m_sigver.c -@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const - ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED); - return 0; - } -+#endif /* !defined(FIPS_MODULE) */ - - /* - * If we get the "NULL" md then the name comes back as "UNDEF". 
We want to use -@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ct - reinit = 0; - if (e == NULL) - ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); -+#ifndef FIPS_MODULE - else - ctx->pctx = EVP_PKEY_CTX_new(pkey, e); -+#endif /* !defined(FIPS_MODULE) */ - } - if (ctx->pctx == NULL) - return 0; -@@ -134,8 +137,10 @@ static int do_sigver_init(EVP_MD_CTX *ct - locpctx = ctx->pctx; - ERR_set_mark(); - -+#ifndef FIPS_MODULE - if (evp_pkey_ctx_is_legacy(locpctx)) - goto legacy; -+#endif /* !defined(FIPS_MODULE) */ - - /* do not reinitialize if pkey is set or operation is different */ - if (reinit -@@ -220,8 +225,10 @@ static int do_sigver_init(EVP_MD_CTX *ct - signature = - evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, - supported_sig, locpctx->propquery); -+#ifndef FIPS_MODULE - if (signature == NULL) - goto legacy; -+#endif /* !defined(FIPS_MODULE) */ - break; - } - if (signature == NULL) -@@ -305,6 +312,7 @@ static int do_sigver_init(EVP_MD_CTX *ct - ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props); - if (ctx->fetched_digest != NULL) { - ctx->digest = ctx->reqdigest = ctx->fetched_digest; -+#ifndef FIPS_MODULE - } else { - /* legacy engine support : remove the mark when this is deleted */ - ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname); -@@ -313,11 +321,13 @@ static int do_sigver_init(EVP_MD_CTX *ct - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); - goto err; - } -+#endif /* !defined(FIPS_MODULE) */ - } - (void)ERR_pop_to_mark(); - } - } - -+#ifndef FIPS_MODULE - if (ctx->reqdigest != NULL - && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) - && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) -@@ -329,6 +339,7 @@ static int do_sigver_init(EVP_MD_CTX *ct - goto err; - } - } -+#endif /* !defined(FIPS_MODULE) */ - - if (ver) { - if (signature->digest_verify_init == NULL) { -@@ -361,6 +372,7 @@ static int do_sigver_init(EVP_MD_CTX *ct - EVP_KEYMGMT_free(tmp_keymgmt); - return 0; - -+#ifndef FIPS_MODULE - legacy: 
- /* - * If we don't have the full support we need with provided methods, -@@ -432,6 +444,7 @@ static int do_sigver_init(EVP_MD_CTX *ct - ctx->pctx->flag_call_digest_custom = 1; - - ret = 1; -+#endif /* !defined(FIPS_MODULE) */ - - end: - #ifndef FIPS_MODULE -@@ -474,7 +487,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx - return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1, - NULL); - } --#endif /* FIPS_MDOE */ - - int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) - { -@@ -536,23 +548,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c - return EVP_DigestUpdate(ctx, data, dsize); - } - --#ifndef FIPS_MODULE - int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, - size_t *siglen) - { -- int sctx = 0, r = 0; -- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; -+ int r = 0; -+#ifndef FIPS_MODULE -+ int sctx = 0; -+ EVP_PKEY_CTX *dctx; -+#endif /* !defined(FIPS_MODULE) */ -+ EVP_PKEY_CTX *pctx = ctx->pctx; - -+#ifndef FIPS_MODULE - if (pctx == NULL - || pctx->operation != EVP_PKEY_OP_SIGNCTX - || pctx->op.sig.algctx == NULL - || pctx->op.sig.signature == NULL) - goto legacy; -+#endif /* !defined(FIPS_MODULE) */ - - if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) - return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, - sigret, siglen, - sigret == NULL ? 
0 : *siglen); -+#ifndef FIPS_MODULE - dctx = EVP_PKEY_CTX_dup(pctx); - if (dctx == NULL) - return 0; -@@ -561,8 +579,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, - sigret, siglen, - *siglen); - EVP_PKEY_CTX_free(dctx); -+#endif /* defined(FIPS_MODULE) */ - return r; - -+#ifndef FIPS_MODULE - legacy: - if (pctx == NULL || pctx->pmeth == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -@@ -634,6 +654,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, - } - } - return 1; -+#endif /* !defined(FIPS_MODULE) */ - } - - int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, -@@ -664,21 +685,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi - int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, - size_t siglen) - { -- unsigned char md[EVP_MAX_MD_SIZE]; - int r = 0; -+#ifndef FIPS_MODULE -+ unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int mdlen = 0; - int vctx = 0; -- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; -+ EVP_PKEY_CTX *dctx; -+#endif /* !defined(FIPS_MODULE) */ -+ EVP_PKEY_CTX *pctx = ctx->pctx; - -+#ifndef FIPS_MODULE - if (pctx == NULL - || pctx->operation != EVP_PKEY_OP_VERIFYCTX - || pctx->op.sig.algctx == NULL - || pctx->op.sig.signature == NULL) - goto legacy; -+#endif /* !defined(FIPS_MODULE) */ - - if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) - return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, - sig, siglen); -+#ifndef FIPS_MODULE - dctx = EVP_PKEY_CTX_dup(pctx); - if (dctx == NULL) - return 0; -@@ -686,8 +713,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct - r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx, - sig, siglen); - EVP_PKEY_CTX_free(dctx); -+#endif /* !defined(FIPS_MODULE) */ - return r; - -+#ifndef FIPS_MODULE - legacy: - if (pctx == NULL || pctx->pmeth == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -@@ -727,6 +756,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct - if (vctx || !r) - return r; - return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen); 
-+#endif /* !defined(FIPS_MODULE) */ - } - - int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, -@@ -752,4 +782,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, co - return -1; - return EVP_DigestVerifyFinal(ctx, sigret, siglen); - } --#endif /* FIPS_MODULE */ -Index: openssl-3.1.4/providers/fips/self_test_kats.c -=================================================================== ---- openssl-3.1.4.orig/providers/fips/self_test_kats.c -+++ openssl-3.1.4/providers/fips/self_test_kats.c -@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_S - int ret = 0; - OSSL_PARAM *params = NULL, *params_sig = NULL; - OSSL_PARAM_BLD *bld = NULL; -+ EVP_MD *md = NULL; -+ EVP_MD_CTX *ctx = NULL; - EVP_PKEY_CTX *sctx = NULL, *kctx = NULL; - EVP_PKEY *pkey = NULL; -- unsigned char sig[256]; - BN_CTX *bnctx = NULL; -+ const char *msg = "Hello World!"; -+ unsigned char sig[256]; - size_t siglen = sizeof(sig); - static const unsigned char dgst[] = { - 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, -@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_S - || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) - goto err; - -- /* Create a EVP_PKEY_CTX to use for the signing operation */ -- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL); -- if (sctx == NULL -- || EVP_PKEY_sign_init(sctx) <= 0) -- goto err; -- -- /* set signature parameters */ -- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST, -- t->mdalgorithm, -- strlen(t->mdalgorithm) + 1)) -- goto err; -+ /* Create a EVP_MD_CTX to use for the signature operation, assign signature -+ * parameters and sign */ - params_sig = OSSL_PARAM_BLD_to_param(bld); -- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) -+ md = EVP_MD_fetch(libctx, "SHA256", NULL); -+ ctx = EVP_MD_CTX_new(); -+ if (md == NULL || ctx == NULL) -+ goto err; -+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); -+ if (EVP_DigestSignInit(ctx, &sctx, md, 
NULL, pkey) <= 0 -+ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0 -+ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0 -+ || EVP_MD_CTX_reset(ctx) <= 0) - goto err; - -- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0 -- || EVP_PKEY_verify_init(sctx) <= 0 -+ /* sctx is not freed automatically inside the FIPS module */ -+ EVP_PKEY_CTX_free(sctx); -+ sctx = NULL; -+ -+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); -+ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0 - || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) - goto err; - -@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_S - goto err; - - OSSL_SELF_TEST_oncorrupt_byte(st, sig); -- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0) -+ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0) - goto err; - ret = 1; - err: - BN_CTX_free(bnctx); - EVP_PKEY_free(pkey); -- EVP_PKEY_CTX_free(kctx); -+ EVP_MD_free(md); -+ EVP_MD_CTX_free(ctx); -+ /* sctx is not freed automatically inside the FIPS module */ - EVP_PKEY_CTX_free(sctx); -+ EVP_PKEY_CTX_free(kctx); - OSSL_PARAM_free(params); - OSSL_PARAM_free(params_sig); - OSSL_PARAM_BLD_free(bld); diff --git a/openssl-FIPS-early-KATS.patch b/openssl-FIPS-early-KATS.patch index 6675fcf..d50e873 100644 --- a/openssl-FIPS-early-KATS.patch +++ b/openssl-FIPS-early-KATS.patch 
@@ -1,38 +1,43 @@ -Index: openssl-3.1.4/providers/fips/self_test.c +From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 19 Oct 2023 13:12:40 +0200 +Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch + +Patch-name: 0047-FIPS-early-KATS.patch +Patch-id: 47 +Patch-status: | + # # Execute KATS before HMAC verification +From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 +--- + providers/fips/self_test.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +Index: openssl-3.5.0-beta1/providers/fips/self_test.c =================================================================== ---- openssl-3.1.4.orig/providers/fips/self_test.c -+++ openssl-3.1.4/providers/fips/self_test.c -@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS +--- openssl-3.5.0-beta1.orig/providers/fips/self_test.c ++++ openssl-3.5.0-beta1/providers/fips/self_test.c +@@ -524,6 +524,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS if (ev == NULL) goto end; + /* + * Run the KAT's before HMAC verification according to FIPS-140-3 requirements + */ -+ if (kats_already_passed == 0) { -+ if (!SELF_TEST_kats(ev, st->libctx)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); -+ goto end; -+ } ++ if (!SELF_TEST_kats(ev, st->libctx)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); ++ goto end; + } + - module_checksum = fips_hmac_container; - checksum_len = sizeof(fips_hmac_container); - -@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + if (st->module_checksum_data == NULL) { + module_checksum = fips_hmac_container; + checksum_len = sizeof(fips_hmac_container); +@@ -562,11 +570,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS } } -- /* -- * Only runs the KAT's during installation OR on_demand(). -- * NOTE: If the installation option 'self_test_onload' is chosen then this -- * path will always be run, since kats_already_passed will always be 0. 
-- */ -- if (on_demand_test || kats_already_passed == 0) { -- if (!SELF_TEST_kats(ev, st->libctx)) { -- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); -- goto end; -- } +- if (!SELF_TEST_kats(ev, st->libctx)) { +- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); +- goto end; - } - /* Verify that the RNG has been restored properly */ diff --git a/openssl-FIPS-embed-hmac.patch b/openssl-FIPS-embed-hmac.patch index 288361b..f8ddbd0 100644 --- a/openssl-FIPS-embed-hmac.patch +++ b/openssl-FIPS-embed-hmac.patch @@ -1,30 +1,32 @@ -From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001 +From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001 
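Review bot: The new comment `Run the KAT's before HMAC verification according to FIPS-140-3 requirements` in SELF_TEST_post names no requirement, and the code it introduces runs the entire KAT suite, not only the CAST of the integrity-test algorithm, before the module's integrity has been verified. If the driver is the FIPS 140-3 rule that the CAST of the technique used for the integrity test must precede the pre-operational integrity test (IG 10.3.A, if I recall the numbering), say so: `/* FIPS 140-3 (IG 10.3.A): the HMAC CAST must precede the module integrity test; this build runs the whole KAT suite first. */`. The KAT failure path now reaches `end:` before `bio_module` has been assigned from `bio_new_file_cb`, so the `(*st->bio_free_cb)(bio_module)` call there depends on `bio_module` being initialised to NULL at its declaration, which is outside this hunk; worth confirming on the 3.5 base rather than assuming.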
From: rpm-build -Date: Thu, 19 Oct 2023 13:12:40 +0200 -Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch Patch-name: 0033-FIPS-embed-hmac.patch Patch-id: 33 Patch-status: | # # Embed HMAC into the fips.so -From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 + # Modify fips self test as per + # https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - providers/fips/self_test.c | 70 ++++++++++++++++++++++++--- - test/fipsmodule.cnf | 2 + - test/recipes/00-prep_fipsmodule_cnf.t | 2 +- - test/recipes/01-test_fipsmodule_cnf.t | 2 +- - test/recipes/03-test_fipsinstall.t | 2 +- - test/recipes/30-test_defltfips.t | 2 +- - test/recipes/80-test_ssl_new.t | 2 +- - test/recipes/90-test_sslapi.t | 2 +- - 8 files changed, 71 insertions(+), 13 deletions(-) + providers/fips/self_test.c | 204 ++++++++++++++++++++++++-- + test/fipsmodule.cnf | 2 + + test/recipes/00-prep_fipsmodule_cnf.t | 2 +- + test/recipes/01-test_fipsmodule_cnf.t | 2 +- + test/recipes/03-test_fipsinstall.t | 2 +- + test/recipes/30-test_defltfips.t | 2 +- + test/recipes/80-test_ssl_new.t | 2 +- + test/recipes/90-test_sslapi.t | 2 +- + 8 files changed, 200 insertions(+), 18 deletions(-) create mode 100644 test/fipsmodule.cnf -diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c -index b8dc9817b2..e3a629018a 100644 ---- a/providers/fips/self_test.c -+++ b/providers/fips/self_test.c -@@ -230,11 +230,27 @@ err: +Index: openssl-3.5.0-beta1/providers/fips/self_test.c +=================================================================== +--- openssl-3.5.0-beta1.orig/providers/fips/self_test.c ++++ openssl-3.5.0-beta1/providers/fips/self_test.c +@@ -235,11 +235,133 @@ err: return ok; } 
@@ -40,6 +42,7 @@ index b8dc9817b2..e3a629018a 100644 * the result matches the expected value. * Return 1 if verified, or 0 if it fails. */ ++ +#ifndef __USE_GNU +#define __USE_GNU +#include 
@@ -48,11 +51,116 @@ index b8dc9817b2..e3a629018a 100644 +#include +#endif +#include ++ ++static int verify_integrity_rodata(OSSL_CORE_BIO *bio, ++ OSSL_FUNC_BIO_read_ex_fn read_ex_cb, ++ unsigned char *expected, size_t expected_len, ++ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, ++ const char *event_type) ++{ ++ int ret = 0, status; ++ unsigned char out[MAX_MD_SIZE]; ++ unsigned char buf[INTEGRITY_BUF_SIZE]; ++ size_t bytes_read = 0, out_len = 0; ++ EVP_MAC *mac = NULL; ++ EVP_MAC_CTX *ctx = NULL; ++ OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; ++ ++ if (expected_len != HMAC_LEN) ++ goto err; ++ ++ if (!integrity_self_test(ev, libctx)) ++ goto err; ++ ++ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); ++ ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ ++ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); ++ if (mac == NULL) ++ goto err; ++ ctx = EVP_MAC_CTX_new(mac); ++ if (ctx == NULL) ++ goto err; ++ ++ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); ++ *p = OSSL_PARAM_construct_end(); ++ ++ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) ++ goto err; ++ ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (off < paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ /* read away the buffer */ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ if (status != 1) ++ goto err; ++ ++ /* check that it is the 
expect bytes, no point in continuing otherwise */ ++ if (memcmp(expected, buf, HMAC_LEN) != 0) ++ goto err; ++ ++ /* replace in-file HMAC buffer with the original zeros */ ++ memset(buf, 0, HMAC_LEN); ++ if (!EVP_MAC_update(ctx, buf, HMAC_LEN)) ++ goto err; ++ off += HMAC_LEN; ++ ++ while (bytes_read > 0) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) ++ goto err; ++ ++ OSSL_SELF_TEST_oncorrupt_byte(ev, out); ++ if (expected_len != out_len ++ || memcmp(expected, out, out_len) != 0) ++ goto err; ++ ret = 1; ++err: ++ OPENSSL_cleanse(out, MAX_MD_SIZE); ++ OSSL_SELF_TEST_onend(ev, ret); ++ EVP_MAC_CTX_free(ctx); ++ EVP_MAC_free(mac); ++ return ret; ++} + static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, unsigned char *expected, size_t expected_len, OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, -@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex +@@ -252,12 +374,23 @@ static int verify_integrity(OSSL_CORE_BI EVP_MAC *mac = NULL; EVP_MAC_CTX *ctx = NULL; OSSL_PARAM params[2], *p = params; @@ -76,7 +184,7 @@ index b8dc9817b2..e3a629018a 100644 mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); if (mac == NULL) goto err; -@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex +@@ -271,13 +404,42 @@ static int verify_integrity(OSSL_CORE_BI if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) goto err; @@ -88,7 +196,7 @@ index b8dc9817b2..e3a629018a 100644 + break; + if (!EVP_MAC_update(ctx, buf, bytes_read)) + goto err; -+ off += bytes_read; ++ off += bytes_read; + } + + if (off + INTEGRITY_BUF_SIZE > paddr) { 
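Review bot: In verify_integrity_rodata the read of the embedded HMAC (`read_ex_cb(bio, buf, HMAC_LEN, &bytes_read)`) checks only `status`, so a short read leaves stale bytes in `buf` for the `memcmp(expected, buf, HMAC_LEN)` comparison and consumes fewer bytes than the `off += HMAC_LEN` accounting assumes, making the final MAC fail for the wrong reason; tighten it to `if (status != 1 || bytes_read != HMAC_LEN) goto err;`. The position `paddr = (unsigned long)fips_hmac_container - lm->l_addr` is a virtual-address offset that the loops then use as a file offset, which presumably holds only while the PT_LOAD segment containing `.rodata` is laid out with `p_offset == p_vaddr`; a comment recording that link-time assumption would stop a future linker-flag change from breaking the check silently. The `expected_len != HMAC_LEN` and `integrity_self_test()` failures jump to `err` before `OSSL_SELF_TEST_onbegin` has been called, so the self-test callback sees an `onend` with no matching `onbegin`; moving the onbegin call above those two checks fixes the imbalance.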
@@ -98,7 +206,7 @@ index b8dc9817b2..e3a629018a 100644 + goto err; + if (!EVP_MAC_update(ctx, buf, bytes_read)) + goto err; -+ off += bytes_read; ++ off += bytes_read; + + status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); + memset(buf, 0, HMAC_LEN); @@ -106,7 +214,7 @@ index b8dc9817b2..e3a629018a 100644 + goto err; + if (!EVP_MAC_update(ctx, buf, bytes_read)) + goto err; -+ off += bytes_read; ++ off += bytes_read; + } + + while (bytes_read > 0) { @@ -115,13 +223,13 @@ index b8dc9817b2..e3a629018a 100644 break; if (!EVP_MAC_update(ctx, buf, bytes_read)) goto err; -+ off += bytes_read; ++ off += bytes_read; } + if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) goto err; -@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex +@@ -287,6 +449,7 @@ static int verify_integrity(OSSL_CORE_BI goto err; ret = 1; err: @@ -129,7 +237,15 @@ index b8dc9817b2..e3a629018a 100644 OSSL_SELF_TEST_onend(ev, ret); EVP_MAC_CTX_free(ctx); EVP_MAC_free(mac); -@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) +@@ -320,6 +483,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + OSSL_SELF_TEST *ev = NULL; + EVP_RAND *testrand = NULL; + EVP_RAND_CTX *rng; ++ unsigned char *alloc_checksum = NULL; + #endif + + if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init)) +@@ -352,8 +516,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS return 0; } 
@@ -139,38 +255,79 @@ index b8dc9817b2..e3a629018a 100644 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); goto end; } -@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) +@@ -362,8 +525,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS if (ev == NULL) goto end; - module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, - &checksum_len); -+ module_checksum = fips_hmac_container; -+ checksum_len = sizeof(fips_hmac_container); ++ if (st->module_checksum_data == NULL) { ++ module_checksum = fips_hmac_container; ++ checksum_len = sizeof(fips_hmac_container); ++ } else { ++ alloc_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, ++ &checksum_len); ++ module_checksum = alloc_checksum; ++ } + if (module_checksum == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); goto end; -@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) +@@ -371,14 +541,29 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); + + /* Always check the integrity of the fips module */ +- if (bio_module == NULL +- || !verify_integrity(bio_module, st->bio_read_ex_cb, +- module_checksum, checksum_len, st->libctx, +- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ if (bio_module == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); + goto end; + } + ++ if (st->module_checksum_data == NULL) { ++ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } else { ++ if (!verify_integrity(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } ++ + if (!SELF_TEST_kats(ev, st->libctx)) { + ERR_raise(ERR_LIB_PROV, 
PROV_R_SELF_TEST_KAT_FAILURE); + goto end; +@@ -398,7 +583,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS end: EVP_RAND_free(testrand); OSSL_SELF_TEST_free(ev); - OPENSSL_free(module_checksum); - OPENSSL_free(indicator_checksum); ++ if (alloc_checksum != NULL) ++ OPENSSL_free(alloc_checksum); - if (st != NULL) { -diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf -new file mode 100644 -index 0000000000..f05d0dedbe + if (st != NULL) + (*st->bio_free_cb)(bio_module); +Index: openssl-3.5.0-beta1/test/fipsmodule.cnf +=================================================================== --- /dev/null -+++ b/test/fipsmodule.cnf ++++ openssl-3.5.0-beta1/test/fipsmodule.cnf @@ -0,0 +1,2 @@ +[fips_sect] +activate = 1 -diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t -index 4e3a6d85e8..e8255ba974 100644 ---- a/test/recipes/00-prep_fipsmodule_cnf.t -+++ b/test/recipes/00-prep_fipsmodule_cnf.t +Index: openssl-3.5.0-beta1/test/recipes/00-prep_fipsmodule_cnf.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/00-prep_fipsmodule_cnf.t ++++ openssl-3.5.0-beta1/test/recipes/00-prep_fipsmodule_cnf.t @@ -20,7 +20,7 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); use platform; @@ -180,10 +337,10 @@ index 4e3a6d85e8..e8255ba974 100644 plan skip_all => "FIPS module config file only supported in a fips build" if $no_check; -diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t -index ce594817d5..00cebacff8 100644 ---- a/test/recipes/01-test_fipsmodule_cnf.t -+++ b/test/recipes/01-test_fipsmodule_cnf.t +Index: openssl-3.5.0-beta1/test/recipes/01-test_fipsmodule_cnf.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/01-test_fipsmodule_cnf.t ++++ openssl-3.5.0-beta1/test/recipes/01-test_fipsmodule_cnf.t 
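Review bot: The `if (alloc_checksum != NULL)` guard before `OPENSSL_free(alloc_checksum)` at the end of SELF_TEST_post is redundant, since OPENSSL_free accepts NULL and the other frees in that cleanup block are unguarded; write it as `OPENSSL_free(alloc_checksum);`. The choice between verify_integrity_rodata and verify_integrity is keyed only on whether `module-mac` was present in the config, and with fipsinstall unavailable in this build (per the 03-test_fipsinstall.t hunk) no supported tool writes that value, so a short comment at the branch, e.g. `/* module_checksum_data is set only by a hand-written module-mac; the embedded-HMAC path is what ships */`, would tell a maintainer which path the delivered configuration exercises. SELF_TEST_post starts before this hunk.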
@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
 use lib bldtop_dir('.');
 use platform;
@@ -193,36 +350,23 @@ index ce594817d5..00cebacff8 100644 plan skip_all => "Test only supported in a fips build" if $no_check; plan tests => 1; -diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t -index b8b136d110..8242f4ebc3 100644 ---- a/test/recipes/03-test_fipsinstall.t -+++ b/test/recipes/03-test_fipsinstall.t -@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); - use platform; +Index: openssl-3.5.0-beta1/test/recipes/03-test_fipsinstall.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/03-test_fipsinstall.t ++++ openssl-3.5.0-beta1/test/recipes/03-test_fipsinstall.t +@@ -24,7 +24,7 @@ use platform; + + plan skip_all => "Fipsinstall not available in SUSE/openSUSE FIPS build"; -plan skip_all => "Test only supported in a fips build" if disabled("fips"); +plan skip_all => "Test only supported in a fips build" if 1; # Compatible options for pedantic FIPS compliance my @pedantic_okay = -diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t -index c8f145405b..56a2ec5dc4 100644 ---- a/test/recipes/30-test_defltfips.t -+++ b/test/recipes/30-test_defltfips.t -@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); - plan skip_all => "Configuration loading is turned off" - if disabled("autoload-config"); - --my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); - - plan tests => - ($no_fips ? 1 : 5); -diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t -index 0c6d6402d9..e45f9cb560 100644 ---- a/test/recipes/80-test_ssl_new.t -+++ b/test/recipes/80-test_ssl_new.t +Index: openssl-3.5.0-beta1/test/recipes/80-test_ssl_new.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/80-test_ssl_new.t ++++ openssl-3.5.0-beta1/test/recipes/80-test_ssl_new.t 
@@ -27,7 +27,7 @@ setup("test_ssl_new"); use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); @@ -232,19 +376,29 @@ index 0c6d6402d9..e45f9cb560 100644 $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); -diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t -index 9e9e32b51e..1a1a7159b5 100644 ---- a/test/recipes/90-test_sslapi.t -+++ b/test/recipes/90-test_sslapi.t -@@ -17,7 +17,7 @@ setup("test_sslapi"); - use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); +Index: openssl-3.5.0-beta1/test/recipes/90-test_sslapi.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/90-test_sslapi.t ++++ openssl-3.5.0-beta1/test/recipes/90-test_sslapi.t +@@ -14,7 +14,7 @@ BEGIN { + setup("test_sslapi"); + } -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); my $fipsmodcfg_filename = "fipsmodule.cnf"; my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); --- -2.41.0 - +Index: openssl-3.5.0-beta1/test/recipes/30-test_defltfips.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/30-test_defltfips.t ++++ openssl-3.5.0-beta1/test/recipes/30-test_defltfips.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "Configuration loading is turned off" + if disabled("autoload-config"); + +-my $no_fips = disabled('fips') || disabled('fips-post') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || disabled('fips-post') || ($ENV{NO_FIPS} // 0); + + plan tests => + ($no_fips ? 1 : 5); diff --git a/openssl-FIPS-enforce-EMS-support.patch b/openssl-FIPS-enforce-EMS-support.patch index a30e068..e6e311e 100644 --- a/openssl-FIPS-enforce-EMS-support.patch +++ b/openssl-FIPS-enforce-EMS-support.patch 
@@ -1,52 +1,49 @@ -From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 16:40:56 +0200 -Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch +From f95df45ab70817723efc449552c0a5f5c3779280 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:17 +0100 +Subject: [PATCH 40/53] FIPS: TLS: Enforce EMS in TLS 1.2 -Patch-name: 0114-FIPS-enforce-EMS-support.patch -Patch-id: 114 -Patch-status: | - # We believe that some changes present in CentOS are not necessary - # because ustream has a check for FIPS version +NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code +change the option to enforce it seem to be available only in FIPS build + +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - doc/man3/SSL_CONF_cmd.pod | 3 +++ - doc/man5/fips_config.pod | 13 +++++++++++ - include/openssl/fips_names.h | 8 +++++++ - include/openssl/ssl.h.in | 1 + - providers/fips/fipsprov.c | 2 +- - providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++ - ssl/ssl_conf.c | 1 + - ssl/statem/extensions_srvr.c | 8 ++++++- - ssl/t1_enc.c | 11 ++++++++-- - .../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++ - test/sslapitest.c | 2 +- - 11 files changed, 76 insertions(+), 5 deletions(-) + doc/man3/SSL_CONF_cmd.pod | 3 +++ + doc/man5/fips_config.pod | 13 +++++++++++++ + include/openssl/ssl.h.in | 1 + + providers/fips/include/fips_indicator_params.inc | 2 +- + ssl/ssl_conf.c | 1 + + ssl/statem/extensions_srvr.c | 8 +++++++- + ssl/t1_enc.c | 11 +++++++++-- + test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 10 ++++++++++ + test/sslapitest.c | 2 +- + 9 files changed, 46 insertions(+), 5 deletions(-) -Index: openssl-3.1.4/doc/man3/SSL_CONF_cmd.pod +Index: openssl-3.5.2/doc/man3/SSL_CONF_cmd.pod =================================================================== ---- openssl-3.1.4.orig/doc/man3/SSL_CONF_cmd.pod -+++ openssl-3.1.4/doc/man3/SSL_CONF_cmd.pod -@@ -524,6 
+524,9 @@ B: use extended ma +--- openssl-3.5.2.orig/doc/man3/SSL_CONF_cmd.pod ++++ openssl-3.5.2/doc/man3/SSL_CONF_cmd.pod +@@ -621,6 +621,9 @@ B: use extended ma default. Inverse of B: that is, B<-ExtendedMasterSecret> is the same as setting B. +B: allow establishing connections without EMS in FIPS mode. -+This is a downstream specific option, and normally it should be set up via crypto-policies. ++This is a downstream specific option, and normally it should be set up via crypto policies. + B: use CA names extension, enabled by default. Inverse of B: that is, B<-CANames> is the same as setting B. -Index: openssl-3.1.4/doc/man5/fips_config.pod +Index: openssl-3.5.2/doc/man5/fips_config.pod =================================================================== ---- openssl-3.1.4.orig/doc/man5/fips_config.pod -+++ openssl-3.1.4/doc/man5/fips_config.pod -@@ -15,6 +15,19 @@ See the documentation for more informati +--- openssl-3.5.2.orig/doc/man5/fips_config.pod ++++ openssl-3.5.2/doc/man5/fips_config.pod +@@ -11,6 +11,19 @@ automatically loaded when the system is + environment variable B is set. See the documentation + for more information. - This functionality was added in OpenSSL 3.0. - -+SUSE Linux Enterprise uses a supplementary downstream config for FIPS module located -+in OpenSSL configuration directory and managed by crypto-policies. If present, it -+should have the following format: ++SUSE Enterprise Linux uses a supplementary config for FIPS module located in ++OpenSSL configuration directory and managed by crypto policies. If present, it ++should have format + + [fips_sect] + tls1-prf-ems-check = 0 
@@ -59,114 +56,61 @@ Index: openssl-3.1.4/doc/man5/fips_config.pod + =head1 COPYRIGHT - Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. -Index: openssl-3.1.4/include/openssl/fips_names.h + Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. +Index: openssl-3.5.2/include/openssl/ssl.h.in =================================================================== ---- openssl-3.1.4.orig/include/openssl/fips_names.h -+++ openssl-3.1.4/include/openssl/fips_names.h -@@ -70,6 +70,14 @@ extern "C" { - */ - # define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md" - -+/* -+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. -+ * This is disabled by default. -+ * -+ * Type: OSSL_PARAM_UTF8_STRING -+ */ -+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" -+ - # ifdef __cplusplus - } - # endif -Index: openssl-3.1.4/include/openssl/ssl.h.in -=================================================================== ---- openssl-3.1.4.orig/include/openssl/ssl.h.in -+++ openssl-3.1.4/include/openssl/ssl.h.in -@@ -420,6 +420,7 @@ typedef int (*SSL_async_callback_fn)(SSL +--- openssl-3.5.2.orig/include/openssl/ssl.h.in ++++ openssl-3.5.2/include/openssl/ssl.h.in +@@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL * interoperability with CryptoPro CSP 3.x */ # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) -+# define SSL_OP_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) - ++# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) /* - * Option "collections." 
-Index: openssl-3.1.4/providers/fips/fipsprov.c + * Disable RFC8879 certificate compression + * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates, +Index: openssl-3.5.2/providers/fips/include/fips_indicator_params.inc =================================================================== ---- openssl-3.1.4.orig/providers/fips/fipsprov.c -+++ openssl-3.1.4/providers/fips/fipsprov.c -@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L - if (fgbl == NULL) - return NULL; - init_fips_option(&fgbl->fips_security_checks, 1); -- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */ -+ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */ - init_fips_option(&fgbl->fips_restricted_drgb_digests, 0); - return fgbl; - } -Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c +--- openssl-3.5.2.orig/providers/fips/include/fips_indicator_params.inc ++++ openssl-3.5.2/providers/fips/include/fips_indicator_params.inc +@@ -1,5 +1,5 @@ + OSSL_FIPS_PARAM(security_checks, SECURITY_CHECKS, 1) +-OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 0) ++OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 1) + OSSL_FIPS_PARAM(no_short_mac, NO_SHORT_MAC, 1) + OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0) + OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0) +Index: openssl-3.5.2/ssl/ssl_conf.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/tls1_prf.c -+++ openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c -@@ -222,6 +222,27 @@ static int kdf_tls1_prf_derive(void *vct - } - } - -+ /* -+ * The seed buffer is prepended with a label. -+ * If EMS mode is enforced then the label "master secret" is not allowed, -+ * We do the check this way since the PRF is used for other purposes, as well -+ * as "extended master secret". 
-+ */ -+#ifdef FIPS_MODULE -+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE -+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, -+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) -+ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+#endif /* defined(FIPS_MODULE) */ -+ if (ossl_tls1_prf_ems_check_enabled(libctx)) { -+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE -+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, -+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED); -+ return 0; -+ } -+ } -+ - return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, - ctx->sec, ctx->seclen, - ctx->seed, ctx->seedlen, -Index: openssl-3.1.4/ssl/ssl_conf.c -=================================================================== ---- openssl-3.1.4.orig/ssl/ssl_conf.c -+++ openssl-3.1.4/ssl/ssl_conf.c -@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cct +--- openssl-3.5.2.orig/ssl/ssl_conf.c ++++ openssl-3.5.2/ssl/ssl_conf.c +@@ -394,6 +394,7 @@ static int cmd_Options(SSL_CONF_CTX *cct SSL_FLAG_TBL("ClientRenegotiation", SSL_OP_ALLOW_CLIENT_RENEGOTIATION), SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), -+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_PERMIT_NOEMS_FIPS), ++ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS), SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), - SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), -Index: openssl-3.1.4/ssl/statem/extensions_srvr.c + SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX), +Index: openssl-3.5.2/ssl/statem/extensions_srvr.c =================================================================== ---- openssl-3.1.4.orig/ssl/statem/extensions_srvr.c -+++ openssl-3.1.4/ssl/statem/extensions_srvr.c -@@ -11,6 +11,7 @@ - #include "../ssl_local.h" +--- openssl-3.5.2.orig/ssl/statem/extensions_srvr.c ++++ openssl-3.5.2/ssl/statem/extensions_srvr.c +@@ -12,6 +12,7 @@ #include 
"statem_local.h" #include "internal/cryptlib.h" + #include "internal/ssl_unwrap.h" +#include #define COOKIE_STATE_FORMAT_VERSION 1 -@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s - EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, +@@ -1886,8 +1887,13 @@ EXT_RETURN tls_construct_stoc_ems(SSL_CO + unsigned int context, X509 *x, size_t chainidx) { - if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) + if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { -+ if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_PERMIT_NOEMS_FIPS) ) { ++ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); + return EXT_RETURN_FAIL; + } @@ -175,19 +119,19 @@ Index: openssl-3.1.4/ssl/statem/extensions_srvr.c if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) || !WPACKET_put_bytes_u16(pkt, 0)) { -Index: openssl-3.1.4/ssl/t1_enc.c +Index: openssl-3.5.2/ssl/t1_enc.c =================================================================== ---- openssl-3.1.4.orig/ssl/t1_enc.c -+++ openssl-3.1.4/ssl/t1_enc.c -@@ -20,6 +20,7 @@ +--- openssl-3.5.2.orig/ssl/t1_enc.c ++++ openssl-3.5.2/ssl/t1_enc.c +@@ -21,6 +21,7 @@ #include #include #include +#include /* seed1 through seed5 are concatenated */ - static int tls1_PRF(SSL *s, -@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s, + static int tls1_PRF(SSL_CONNECTION *s, +@@ -78,8 +79,14 @@ static int tls1_PRF(SSL_CONNECTION *s, } err: 
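Review bot: The refusal added to tls_construct_stoc_ems is keyed on `FIPS_mode()`, a process-global flag, rather than on the library context `s` belongs to, so a connection built on a non-FIPS OSSL_LIB_CTX in a process whose default context is FIPS is refused, and the reverse case is let through; if the compat `FIPS_mode()` cannot be asked about a specific libctx, record that the enforcement is deliberately process-wide, e.g. `/* FIPS_mode() reflects the default libctx, not the libctx of s; EMS is enforced process-wide */`. The new option is named `SSL_OP_RH_PERMIT_NOEMS_FIPS` and its config keyword `RHNoEnforceEMSinFIPS`, a Red Hat prefix in a patch whose man page presents the option as a SUSE downstream addition; if the keyword is kept so crypto-policies files stay portable, a comment at the `SSL_OP_BIT(48)` line saying so, and stating that bit 48 was chosen to stay clear of upstream's allocated option bits, would save the next rebase from re-deriving it. tls_construct_stoc_ems continues past the hunk.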
@@ -198,16 +142,16 @@ Index: openssl-3.1.4/ssl/t1_enc.c + if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE + && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); -+ else ++ else + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + } else ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); EVP_KDF_CTX_free(kctx); -Index: openssl-3.1.4/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +Index: openssl-3.5.2/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt =================================================================== ---- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt -+++ openssl-3.1.4/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +--- openssl-3.5.2.orig/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt ++++ openssl-3.5.2/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt @@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3 Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf @@ -225,3 +169,16 @@ Index: openssl-3.1.4/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt FIPSversion = <=3.1.0 KDF = TLS1-PRF Ctrl.digest = digest:SHA256 +Index: openssl-3.5.2/test/sslapitest.c +=================================================================== +--- openssl-3.5.2.orig/test/sslapitest.c ++++ openssl-3.5.2/test/sslapitest.c +@@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(vo + STACK_OF(X509) *server_chain; + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; +- int testresult = 0; ++ int testresult = 0, status; + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, 
diff --git a/openssl-FIPS-enforce-security-checks-during-initialization.patch b/openssl-FIPS-enforce-security-checks-during-initialization.patch deleted file mode 100644 index 8278135..0000000 --- a/openssl-FIPS-enforce-security-checks-during-initialization.patch +++ /dev/null @@ -1,22 +0,0 @@ -Index: openssl-3.1.4/providers/fips/fipsprov.c -=================================================================== ---- openssl-3.1.4.orig/providers/fips/fipsprov.c -+++ openssl-3.1.4/providers/fips/fipsprov.c -@@ -107,7 +107,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L - return NULL; - init_fips_option(&fgbl->fips_security_checks, 1); - init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */ -- init_fips_option(&fgbl->fips_restricted_drgb_digests, 0); -+ init_fips_option(&fgbl->fips_restricted_drgb_digests, 1); /* Enabled by default */ - return fgbl; - } - -@@ -820,8 +820,6 @@ int OSSL_provider_init_int(const OSSL_CO - if (fgbl->field.option != NULL) { \ - if (strcmp(fgbl->field.option, "1") == 0) \ - fgbl->field.enabled = 1; \ -- else if (strcmp(fgbl->field.option, "0") == 0) \ -- fgbl->field.enabled = 0; \ - else \ - goto err; \ - } diff --git a/openssl-FIPS-limit-rsa-encrypt.patch b/openssl-FIPS-limit-rsa-encrypt.patch index 66f37ac..4d0bfab 100644 --- a/openssl-FIPS-limit-rsa-encrypt.patch +++ b/openssl-FIPS-limit-rsa-encrypt.patch @@ -1,62 +1,59 @@ -From 56511d480823bedafce604374fa3b15d3b3ffd6b Mon Sep 17 00:00:00 2001 +From 3b0b89e7b30425add1889c0ed6c6b45e8d0ea744 Mon Sep 17 00:00:00 2001 
From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 -Subject: [PATCH 26/48] 0058-FIPS-limit-rsa-encrypt.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 26/53] FIPS: RSA: encrypt limits - REVIEW Patch-name: 0058-FIPS-limit-rsa-encrypt.patch Patch-id: 58 Patch-status: | - # https://bugzilla.redhat.com/show_bug.cgi?id=2053289 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd + # # https://bugzilla.redhat.com/show_bug.cgi?id=2053289 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - providers/common/securitycheck.c | 1 + - .../implementations/asymciphers/rsa_enc.c | 35 +++++++++++ - .../30-test_evp_data/evppkey_rsa_common.txt | 58 ++++++++++++++++++- - test/recipes/80-test_cms.t | 5 +- - test/recipes/80-test_ssl_old.t | 27 +++++++-- - 5 files changed, 118 insertions(+), 8 deletions(-) + providers/common/securitycheck.c | 1 + + .../fips/include/fips_indicator_params.inc | 2 +- + .../implementations/asymciphers/rsa_enc.c | 26 ++++ + .../30-test_evp_data/evppkey_rsa_common.txt | 146 +++++++++++++----- + test/recipes/80-test_cms.t | 5 +- + test/recipes/80-test_ssl_old.t | 27 +++- + 6 files changed, 164 insertions(+), 43 deletions(-) + mode change 100644 => 100755 test/recipes/80-test_ssl_old.t -diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c -index e534ad0a5f..c017c658e5 100644 ---- a/providers/common/securitycheck.c -+++ b/providers/common/securitycheck.c -@@ -27,6 +27,7 @@ +Index: openssl-3.5.3/providers/common/securitycheck.c +=================================================================== +--- openssl-3.5.3.orig/providers/common/securitycheck.c ++++ openssl-3.5.3/providers/common/securitycheck.c +@@ -64,6 +64,7 @@ int ossl_rsa_key_op_get_protect(const RS * Set protect = 1 for encryption or signing operations, or 0 otherwise. See * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. 
*/ -+/* SUSE build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */ - int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation) ++/* openSUSE/SUSE build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */ + int ossl_rsa_check_key_size(const RSA *rsa, int protect) { - int protect = 0; -diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c -index d865968058..872967bcb3 100644 ---- a/providers/implementations/asymciphers/rsa_enc.c -+++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa, - return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT); - } - -+# ifdef FIPS_MODULE -+static int fips_padding_allowed(const PROV_RSA_CTX *prsactx) -+{ -+ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING -+ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) -+ return 0; -+ -+ return 1; -+} -+# endif -+ - static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, - size_t outsize, const unsigned char *in, size_t inlen) - { -@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, - if (!ossl_prov_is_running()) + int sz = RSA_bits(rsa); +Index: openssl-3.5.3/providers/fips/include/fips_indicator_params.inc +=================================================================== +--- openssl-3.5.3.orig/providers/fips/include/fips_indicator_params.inc ++++ openssl-3.5.3/providers/fips/include/fips_indicator_params.inc +@@ -13,7 +13,7 @@ OSSL_FIPS_PARAM(sskdf_digest_check, SSKD + OSSL_FIPS_PARAM(x963kdf_digest_check, X963KDF_DIGEST_CHECK, 0) + OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0) + OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0) +-OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 0) 
++OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 1) + OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0) + OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0) + OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0) +Index: openssl-3.5.3/providers/implementations/asymciphers/rsa_enc.c +=================================================================== +--- openssl-3.5.3.orig/providers/implementations/asymciphers/rsa_enc.c ++++ openssl-3.5.3/providers/implementations/asymciphers/rsa_enc.c +@@ -174,6 +174,18 @@ static int rsa_encrypt(void *vprsactx, u return 0; + } +# ifdef FIPS_MODULE -+ if (fips_padding_allowed(prsactx) == 0) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); ++ if (prsactx->pad_mode == RSA_NO_PADDING) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); + return 0; + } + @@ -67,15 +64,17 @@ index d865968058..872967bcb3 100644 +# endif + if (out == NULL) { - size_t len = RSA_size(prsactx->rsa); - -@@ -204,6 +227,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, + *outlen = len; + return 1; +@@ -235,6 +247,20 @@ static int rsa_decrypt(void *vprsactx, u if (!ossl_prov_is_running()) return 0; +# ifdef FIPS_MODULE -+ if (fips_padding_allowed(prsactx) == 0) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); ++ if ((prsactx->pad_mode == RSA_PKCS1_PADDING ++ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING ++ || prsactx->pad_mode == RSA_NO_PADDING)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); + return 0; + } + 
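Review bot: The rewritten FIPS_MODULE guard in rsa_encrypt now hard-rejects only RSA_NO_PADDING, while the matching guard added to rsa_decrypt in the next hunk still rejects RSA_PKCS1_PADDING and RSA_PKCS1_WITH_TLS_PADDING as well, and nothing in the hunk says why the two sides differ. Presumably PKCS#1 v1.5 encryption is meant to be governed by the rsa_pkcs15_padding_disabled indicator whose default this same patch flips from 0 to 1 in fips_indicator_params.inc; if so, a comment at the guard such as `/* PKCS#1 v1.5 encryption is gated by the rsa_pkcs15_padding_disabled indicator (defaulted to 1 in this build); only raw RSA is refused unconditionally here */` would stop the next rebase from re-adding the old three-mode list. The `- REVIEW` suffix in the Subject, the doubled `# #` in Patch-status and the `mode change 100644 => 100755` on test/recipes/80-test_ssl_old.t in the diffstat look like editing leftovers rather than intended content. rsa_encrypt's body begins and ends outside the hunk.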
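Review bot: The new rsa_decrypt guard wraps its whole condition in a redundant second pair of parentheses, `if ((prsactx->pad_mode == RSA_PKCS1_PADDING ... ))`, which reads as an unfinished edit; `if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING || prsactx->pad_mode == RSA_NO_PADDING) {` says the same thing. Refusing RSA_PKCS1_WITH_TLS_PADDING here means the FIPS provider will not decrypt an RSA key-exchange premaster secret at all, which is presumably intended given the cipher skips this patch adds to 80-test_ssl_old.t, but a one-line comment stating that intent (and that PROV_R_INVALID_PADDING_MODE is the error callers will see) would make the behaviour change discoverable from the code. rsa_decrypt's body begins and ends outside the hunk.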
@@ -88,11 +87,11 @@ index d865968058..872967bcb3 100644 if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) { if (out == NULL) { *outlen = SSL_MAX_MASTER_KEY_LENGTH; -diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -index 8680797b90..95d5d51102 100644 ---- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377 +Index: openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +=================================================================== +--- openssl-3.5.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ openssl-3.5.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974 Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef # RSA decrypt 
@@ -102,13 +101,429 @@ index 8680797b90..95d5d51102 100644 Input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utput = "Hello World" + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Note: disable the Bleichenbacher workaround to see if it passes + Decrypt = RSA-2048 + Ctrl = rsa_pkcs1_implicit_rejection:0 +@@ -262,7 +262,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235 + Output = "Hello World" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default # Corrupted ciphertext --FIPSversion = <3.2.0 + # Note: output is generated synthethically by the Bleichenbacher workaround + Decrypt = RSA-2048 +@@ -270,7 +270,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235 + Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Corrupted ciphertext + # Note: disable the Bleichenbacher workaround to see if it fails + Decrypt = RSA-2048 +@@ -296,13 +296,14 @@ Input = 00000000000000000000000000000000 + Result = KEYOP_ERROR + + # RSADP Ciphertext = 2 should pass +Availablein = default Decrypt = RSA-2048 - Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 - Output = "Hello World" -@@ -619,36 +619,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2 
+ Ctrl = rsa_padding_mode:none + Input = 0000000000000000000000000000000000000002 + Output = 93d0bae8ad0d94de400eb078dd10edd7418ef1bf11b8e8b5d2b86b142e77d603e108fbcca2b976aa7b5326e5369db3bb73bf74f8d47c36a6318e913888c873502a561fc69329e7c24a0a016d81310449a52b29e49a6a41bdfe6c10a8d90072d64b4486756fd007c0071da2a8c7107a904621c11f0d81aa80b655a713c28170594ece28133dfbfddd61d4e4dad0d6781f6145a351a994054993fd57cd1330966ce97d7ac259b15616fd7235e2cac29fdc1c05f1612c61785614b80e7b650c03ef77d64163d75fa637cc2a9a7e570b3176fdcfb6ad6d25e8515f6ced02cfb3a441c87220044110fd27dcb53888f0377e1797bf297b7da27d3f033cd8b5d60ececc + + # RSADP Ciphertext = n-2 should pass +-Availablein = fips ++Availablein = none + Decrypt = RSA-2048 + Ctrl = rsa_padding_mode:none + Input = 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 +@@ -317,6 +318,7 @@ Input = cd0081ea7b2ae1ea06d59f7c73d9ffb9 + Result = KEYOP_ERROR + + # RSADP Ciphertext = n should fail ++Availablein = default + Decrypt = RSA-2048 + Ctrl = rsa_padding_mode:none + Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f +@@ -406,82 +408,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-P + # RSA decrypt + + # a random positive test case ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum dolor sit amet" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case decrypting to empty + Decrypt = RSA-2048-2 + Input = 
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 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # invalid decrypting to max length message + Decrypt = RSA-2048-2 + Input = 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 + Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 + # invalid decrypting to message with length specified by second to last value from PRF ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = 0f9b + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # invalid decrypting to message with length specified by third to last value from PRF + Decrypt = RSA-2048-2 + Input = 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 + Output = 4f02 + + # positive test with 11 byte long value ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero truncated ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 
a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero truncated ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc + Output = "lorem ipsum" + + # positive that generates a 0 byte long synthetic message internally ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive that generates a 245 byte long synthetic message internally ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates 
an 11 byte long message + Decrypt = RSA-2048-2 + Input = 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 + Output = af9ac70191c92413cb9f2d + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise correct plaintext, but with wrong first byte + # (0x01 instead of 0x00), generates a random 11 byte long plaintext + Decrypt = RSA-2048-2 +@@ -489,7 +499,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be5 + Output = a1f8c9255c35cfba403ccc + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise correct plaintext, but with wrong second byte + # (0x01 instead of 0x02), generates a random 11 byte long plaintext + Decrypt = RSA-2048-2 +@@ -497,7 +507,7 @@ Input = 782c2b59a21a511243820acedd567c13 + Output = e6d700309ca0ed62452254 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with a zero byte in first byte of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -506,7 +516,7 @@ Input = 0096136621faf36d5290b16bd26295de + Output = ba27b1842e7c21c0e7ef6a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with a zero byte removed from first byte of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -515,7 +525,7 @@ Input = 96136621faf36d5290b16bd26295de27 + Output = ba27b1842e7c21c0e7ef6a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with two zero bytes in first bytes of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -524,7 +534,7 @@ Input = 0000587cccc6b264bdfe0dc2149a9880 + Output = d5cf555b1d6151029a429a + + # The old FIPS provider doesn't include the workaround 
(#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with two zero bytes removed from first bytes of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -533,7 +543,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa + Output = d5cf555b1d6151029a429a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # and invalid ciphertext, otherwise valid but starting with 000002, decrypts + # to random 11 byte long synthetic plaintext + Decrypt = RSA-2048-2 +@@ -541,7 +551,7 @@ Input = 1786550ce8d8433052e01ecba8b76d30 + Output = 3d4a054d9358209e9cbbb9 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte in first byte + # of padding + Decrypt = RSA-2048-2 +@@ -549,7 +559,7 @@ Input = 179598823812d2c58a7eb50521150a48 + Output = 1f037dd717b07d3e7f7359 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte at the eighth + # byte of padding + Decrypt = RSA-2048-2 +@@ -557,7 +567,7 @@ Input = a7a340675a82c30e22219a55bc07cdf3 + Output = 63cb0bf65fc8255dd29e17 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with an otherwise valid plaintext but with missing separator + # byte + Decrypt = RSA-2048-2 +@@ -612,53 +622,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLI + # RSA decrypt + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # malformed that generates length specified by 3rd last value from PRF + Decrypt = RSA-2049 + Input = 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 + Output = 42 + + # simple positive test case ++Availablein = default + Decrypt = RSA-2049 + 
Input = 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 + Output = "lorem ipsum" + + # positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 + Output = "lorem ipsum" + + # positive test case with null truncated ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 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 + Output = "lorem ipsum" + + # positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 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 + Output = "lorem ipsum" + + # positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 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 + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates an 11 byte long message + Decrypt = RSA-2049 + Input = 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 + Output = 1189b6f5498fd6df532b00 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-2049 + Input = 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 + Output = f6d0f5b78082fe61c04674 + + # The old FIPS provider doesn't include the workaround 
(#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-2049 + Input = 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 +@@ -722,14 +737,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKu + PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid ciphertext that generates an empty synthetic one + Decrypt = RSA-3072 + Input = 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 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that has PRF output with a length one byte too long + # in the last value + Decrypt = RSA-3072 +@@ -737,46 +752,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d8 + Output = 56a3bea054e01338be9b7d7957539c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that generates a synthetic of maximum size + Decrypt = RSA-3072 + Input = 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 + Output = 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 + + # a positive test case that decrypts to 9 byte long value ++Availablein = default + Decrypt = RSA-3072 + Input = 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 + Output = "forty two" + + # a positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 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 + Output = "forty two" + + # a positive test case with null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 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 + Output = "forty two" + + # a positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 
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 + Output = "forty two" + + # a positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 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 + Output = "forty two" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates a 9 byte long message + Decrypt = RSA-3072 + Input = 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 + Output = 257906ca6de8307728 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates a 9 byte long message based on + # second to last value from PRF + Decrypt = RSA-3072 +@@ -784,7 +804,7 @@ Input = 758c215aa6acd61248062b88284bf43c + Output = 043383c929060374ed + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates message based on 3rd last value from + # PRF + Decrypt = RSA-3072 +@@ -792,35 +812,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4 + Output = 70263fa6050534b9e0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-3072 + Input = 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 + Output = 6d8d3a094ff3afff4c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-3072 + Input = 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 + Output = c6ae80ffa80bc184b0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise 
valid plaintext, but with zero byte in first byte of padding + Decrypt = RSA-3072 + Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0 + Output = a8a9301daa01bb25c7 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with zero byte in eight byte of padding + Decrypt = RSA-3072 + Input = 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 + Output = 6c716fe01d44398018 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with null separator missing + Decrypt = RSA-3072 + Input = 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 +@@ -912,9 +932,9 @@ Output=4DE433D5844043EF08D354DA03CB29068 + + # Verify of above signature + Verify = RSA-2048-PUBLIC ++Ctrl = digest:sha256 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:0 +-Ctrl = digest:sha256 + Input="0123456789ABCDEF0123456789ABCDEF" + Output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vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mN h90qjKHS9PvY4Q== -----END PRIVATE KEY----- 
@@ -151,7 +566,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-1 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -673,36 +679,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8 +@@ -1261,36 +1287,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64 eG2e4XlBcKjI6A== -----END PRIVATE KEY----- @@ -194,7 +609,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-2 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -727,36 +739,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z +@@ -1315,36 +1347,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+W Ya4qnqZe1onjY5o= -----END PRIVATE KEY----- @@ -237,7 +652,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-3 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -781,36 +799,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq +@@ -1369,36 +1407,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/ aD0x7TDrmEvkEro= -----END PRIVATE KEY----- @@ -280,7 +695,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-4 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -835,36 +859,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B +@@ -1423,36 +1467,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/ MSwGUGLx60i3nRyDyw== -----END PRIVATE KEY----- @@ -323,7 +738,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-5 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -889,36 +919,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC +@@ -1477,36 +1527,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hq Yejn5Ly8mU2q+jBcRQ== -----END PRIVATE KEY----- @@ -366,7 +781,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-6 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -943,36 +979,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS +@@ -1531,36 +1587,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4 FMlxv0gq65dqc3DC -----END PRIVATE KEY----- 
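Review bot: `Availablein = none` on the `RSADP Ciphertext = n-2 should pass` case removes that vector from every provider, whereas the sibling `Ciphertext = 2` and `Ciphertext = n` cases in the same hunk were switched to `Availablein = default`. If the default provider genuinely cannot run the n-2 vector, a comment directly above it saying why would keep the next rebase from "fixing" it; otherwise it should read `Availablein = default` like its neighbours. The many `FIPSversion = >=3.2.0` to `Availablein = default` swaps are consistent with the decrypt guard now rejecting PKCS#1 v1.5 in the FIPS provider, but the `# The old FIPS provider doesn't include the workaround (#13817)` comments kept above them no longer describe the reason the test is restricted and could be updated to say the FIPS provider refuses PKCS#1 v1.5 decryption in this build.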
@@ -409,7 +824,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-7 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -997,36 +1039,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM +@@ -1585,36 +1647,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15E 2MiPa249Z+lh3Luj0A== -----END PRIVATE KEY----- @@ -452,7 +867,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-8 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1057,36 +1105,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo +@@ -1645,36 +1713,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSc tKo5Eb69iFQvBb4= -----END PRIVATE KEY----- 
@@ -495,38 +910,38 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-9 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index cbec426137..9ba7fbeed2 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -233,7 +233,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], +Index: openssl-3.5.3/test/recipes/80-test_cms.t +=================================================================== +--- openssl-3.5.3.orig/test/recipes/80-test_cms.t ++++ openssl-3.5.3/test/recipes/80-test_cms.t +@@ -267,7 +267,7 @@ my @smime_pkcs7_tests = ( -- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", -+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no SUSE FIPS", - [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, - "-aes256", "-stream", "-out", "{output}.cms", - $smrsa1, -@@ -1022,6 +1022,9 @@ sub check_availability { + if ($no_fips || $old_fips) { + push(@smime_pkcs7_tests, +- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", ++ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no SUSE FIPS", + [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, + "-aes256", "-stream", "-out", "{output}.cms", + $smrsa1, +@@ -1284,6 +1284,9 @@ sub check_availability { return "$tnam: skipped, DSA disabled\n" if ($no_dsa && $tnam =~ / DSA/); -+ return "$tnam: skipped, SUSE FIPS\n" ++ return "$tnam: skipped, SUSE/openSUSE FIPS\n" + if ($tnam =~ /no SUSE FIPS/); + return ""; } -diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t -index e2dcb68fb5..0775112b40 100644 ---- a/test/recipes/80-test_ssl_old.t -+++ b/test/recipes/80-test_ssl_old.t -@@ -493,6 +493,18 @@ sub testssl { +Index: openssl-3.5.3/test/recipes/80-test_ssl_old.t +=================================================================== +--- openssl-3.5.3.orig/test/recipes/80-test_ssl_old.t ++++ 
openssl-3.5.3/test/recipes/80-test_ssl_old.t +@@ -561,6 +561,18 @@ sub testssl { # the default choice if TLSv1.3 enabled my $flag = $protocol eq "-tls1_3" ? "" : $protocol; my $ciphersuites = ""; -+ my %suse_skip_cipher = map {$_ => 1} qw( ++ my %redhat_skip_cipher = map {$_ => 1} qw( +AES256-GCM-SHA384:@SECLEVEL=0 +AES256-CCM8:@SECLEVEL=0 +AES256-CCM:@SECLEVEL=0 @@ -539,9 +954,9 @@ index e2dcb68fb5..0775112b40 100644 +AES128-SHA:@SECLEVEL=0 + ); foreach my $cipher (@{$ciphersuites{$protocol}}) { - if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { - note "*****SKIPPING $protocol $cipher"; -@@ -504,11 +516,16 @@ sub testssl { + if ($dsaallow == '0' && index($cipher, "DSS") != -1) { + # DSA is not allowed in FIPS 140-3 +@@ -576,11 +588,16 @@ sub testssl { } else { $cipher = $cipher.':@SECLEVEL=0'; } @@ -550,8 +965,8 @@ index e2dcb68fb5..0775112b40 100644 - "-ciphersuites", $ciphersuites, - $flag || ()])), - "Testing $cipher"); -+ if ($provider eq "fips" && exists $suse_skip_cipher{$cipher}) { -+ note "*****SKIPPING $cipher in SUSE FIPS mode"; ++ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) { ++ note "*****SKIPPING $cipher in SUSE/openSUSE FIPS mode"; + ok(1); + } else { + ok(run(test([@ssltest, @exkeys, "-cipher", @@ -563,6 +978,3 @@ index e2dcb68fb5..0775112b40 100644 } } next if $protocol eq "-tls1_3"; --- -2.41.0 - diff --git a/openssl-FIPS-services-minimize.patch b/openssl-FIPS-services-minimize.patch deleted file mode 100644 index 9b0790a..0000000 --- a/openssl-FIPS-services-minimize.patch +++ /dev/null 
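Review bot: The skip table added in testssl is named `%redhat_skip_cipher` while every message in the same patch refers to SUSE/openSUSE FIPS (`note "*****SKIPPING $cipher in SUSE/openSUSE FIPS mode";` in the `@@ -550,8 +965,8 @@` hunk below, `skipped, SUSE/openSUSE FIPS` in the 80-test_cms.t part of this hunk), and the removed lines show it was previously `%suse_skip_cipher`. Renaming it back to `my %suse_skip_cipher = map {$_ => 1} qw(` at the declaration and `exists $suse_skip_cipher{$cipher}` at the lookup keeps the name in line with what it gates. The qw() list is the only place these ciphers are enumerated, so a short comment above it naming the build restriction that makes them fail under the fips provider would tell a future reader when entries can be dropped. testssl's body begins and ends outside the hunk.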
@@ -1,744 +0,0 @@ -From a9dc983f82cabe29d6b48f3af3e30e26074ce5cf Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 12:55:57 +0200 -Subject: [PATCH 21/48] 0045-FIPS-services-minimize.patch - -Patch-name: 0045-FIPS-services-minimize.patch -Patch-id: 45 -Patch-status: | - # Minimize fips services ---- - apps/ecparam.c | 7 +++ - apps/req.c | 2 +- - providers/common/capabilities.c | 2 +- - providers/fips/fipsprov.c | 44 +++++++++++-------- - providers/fips/self_test_data.inc | 9 +++- - providers/implementations/signature/rsa_sig.c | 26 +++++++++++ - ssl/ssl_ciph.c | 3 ++ - test/acvp_test.c | 2 + - test/endecode_test.c | 4 ++ - test/evp_libctx_test.c | 9 +++- - test/recipes/15-test_gendsa.t | 2 +- - test/recipes/20-test_cli_fips.t | 3 +- - test/recipes/30-test_evp.t | 16 +++---- - .../30-test_evp_data/evpmac_common.txt | 22 ++++++++++ - test/recipes/80-test_cms.t | 22 +++++----- - test/recipes/80-test_ssl_old.t | 2 +- - 16 files changed, 128 insertions(+), 47 deletions(-) - -diff --git a/apps/ecparam.c b/apps/ecparam.c -index 9e9ad13683..9c66cf2434 100644 ---- a/apps/ecparam.c -+++ b/apps/ecparam.c -@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out) - const char *comment = curves[n].comment; - const char *sname = OBJ_nid2sn(curves[n].nid); - -+ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1) -+ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1) -+ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1) -+ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1) -+ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL)) -+ continue; -+ - if (comment == NULL) - comment = "CURVE DESCRIPTION NOT AVAILABLE"; - if (sname == NULL) -diff --git a/apps/req.c b/apps/req.c -index 23757044ab..5916914978 100644 ---- a/apps/req.c -+++ b/apps/req.c -@@ -266,7 +266,7 @@ int req_main(int argc, char 
**argv) - unsigned long chtype = MBSTRING_ASC, reqflag = 0; - - #ifndef OPENSSL_NO_DES -- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); -+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc(); - #endif - - prog = opt_init(argc, argv, req_options); -diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c -index ed37e76969..eb836dfa6a 100644 ---- a/providers/common/capabilities.c -+++ b/providers/common/capabilities.c -@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list[][10] = { - TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25), - TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26), - TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27), --# endif - TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28), - TLS_GROUP_ENTRY("x448", "X448", "X448", 29), -+# endif - # endif /* OPENSSL_NO_EC */ - # ifndef OPENSSL_NO_DH - /* Security bit values for FFDHE groups are as per RFC 7919 */ -diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index 518226dfc6..29438faea8 100644 ---- a/providers/fips/fipsprov.c -+++ b/providers/fips/fipsprov.c -@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = { - * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for - * KMAC128 and KMAC256. 
- */ -- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, -+ /* We don't certify KECCAK in our FIPS provider */ -+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, - ossl_keccak_kmac_128_functions }, - { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES, -- ossl_keccak_kmac_256_functions }, -+ ossl_keccak_kmac_256_functions }, */ - { NULL, NULL, NULL } - }; - -@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = { - ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, - ossl_cipher_capable_aes_cbc_hmac_sha256), - #ifndef OPENSSL_NO_DES -- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), -- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), -+ /* We don't certify 3DES in our FIPS provider */ -+ /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), -+ UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */ - #endif /* OPENSSL_NO_DES */ - { { NULL, NULL, NULL }, NULL } - }; -@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = { - #endif - { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, - { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, -- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, -- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, -+ /* We don't certify KMAC in our FIPS provider */ -+ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, -+ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */ - { NULL, NULL, NULL } - }; - -@@ -409,8 +412,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = { - #endif - #ifndef OPENSSL_NO_EC - { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions }, -- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, -- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions }, -+ /* We don't certify 
Edwards curves in our FIPS provider */ -+ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, -+ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/ - #endif - { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, - ossl_kdf_tls1_prf_keyexch_functions }, -@@ -420,13 +424,15 @@ static const OSSL_ALGORITHM fips_keyexch[] = { - - static const OSSL_ALGORITHM fips_signature[] = { - #ifndef OPENSSL_NO_DSA -- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, -+ /* We don't certify DSA in our FIPS provider */ -+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */ - #endif - { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions }, - #ifndef OPENSSL_NO_EC -- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, -+ /* We don't certify Edwards curves in our FIPS provider */ -+ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, - ossl_ed25519_signature_functions }, -- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, -+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, */ - { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions }, - #endif - { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, -@@ -456,8 +462,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { - PROV_DESCS_DHX }, - #endif - #ifndef OPENSSL_NO_DSA -- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, -- PROV_DESCS_DSA }, -+ /* We don't certify DSA in our FIPS provider */ -+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, -+ PROV_DESCS_DSA }, */ - #endif - { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions, - PROV_DESCS_RSA }, -@@ -466,14 +473,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { - #ifndef OPENSSL_NO_EC - { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions, - PROV_DESCS_EC }, -- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, 
ossl_x25519_keymgmt_functions, -+ /* We don't certify Edwards curves in our FIPS provider */ -+ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, - PROV_DESCS_X25519 }, - { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions, - PROV_DESCS_X448 }, - { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions, - PROV_DESCS_ED25519 }, - { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions, -- PROV_DESCS_ED448 }, -+ PROV_DESCS_ED448 }, */ - #endif - { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions, - PROV_DESCS_TLS1_PRF_SIGN }, -diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc -index 2057378d3d..4b80bb70b9 100644 ---- a/providers/fips/self_test_data.inc -+++ b/providers/fips/self_test_data.inc -@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] = - /*- CIPHER TEST DATA */ - - /* DES3 test data */ -+#if 0 - static const unsigned char des_ede3_cbc_pt[] = { - 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, - 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, -@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = { - 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F, - 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7 - }; -- -+#endif - /* AES-256 GCM test data */ - static const unsigned char aes_256_gcm_key[] = { - 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c, -@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = { - # endif /* OPENSSL_NO_EC2M */ - #endif /* OPENSSL_NO_EC */ - --#ifndef OPENSSL_NO_DSA - /* dsa 2048 */ -+#if 0 -+#ifndef OPENSSL_NO_DSA - static const unsigned char dsa_p[] = { - 0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23, - 0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e, -@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = { - ST_KAT_PARAM_END() - }; - #endif /* OPENSSL_NO_DSA */ -+#endif - - /* Hash DRBG inputs for signature KATs */ - static const unsigned 
char sig_kat_entropyin[] = { -@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { - }, - # endif - #endif /* OPENSSL_NO_EC */ -+#if 0 - #ifndef OPENSSL_NO_DSA - { - OSSL_SELF_TEST_DESC_SIGN_DSA, -@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { - ITM(dsa_expected_sig) - }, - #endif /* OPENSSL_NO_DSA */ -+#endif - }; - - static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = { -diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index d4261e8f7d..2a5504d104 100644 ---- a/providers/implementations/signature/rsa_sig.c -+++ b/providers/implementations/signature/rsa_sig.c -@@ -689,6 +689,14 @@ static int rsa_verify_recover(void *vprsactx, - { - PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; - int ret; -+# ifdef FIPS_MODULE -+ size_t rsabits = RSA_bits(prsactx->rsa); -+ -+ if (rsabits < 2048) { -+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -+ return 0; -+ } -+# endif - - if (!ossl_prov_is_running()) - return 0; -@@ -777,6 +790,14 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, - { - PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; - size_t rslen; -+# ifdef FIPS_MODULE -+ size_t rsabits = RSA_bits(prsactx->rsa); -+ -+ if (rsabits < 2048) { -+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -+ return 0; -+ } -+# endif - - if (!ossl_prov_is_running()) - return 0; -diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c -index a5e60e8839..f9af07d12b 100644 ---- a/ssl/ssl_ciph.c -+++ b/ssl/ssl_ciph.c -@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx) - ctx->disabled_mkey_mask = 0; - ctx->disabled_auth_mask = 0; - -+ if (EVP_default_properties_is_fips_enabled(ctx->libctx)) -+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK; -+ - /* - * We ignore any errors from the fetches below. They are expected to fail - * if theose algorithms are not available. 
-diff --git a/test/acvp_test.c b/test/acvp_test.c -index fee880d441..13d7a0ea8b 100644 ---- a/test/acvp_test.c -+++ b/test/acvp_test.c -@@ -1476,6 +1476,7 @@ int setup_tests(void) - OSSL_NELEM(dh_safe_prime_keyver_data)); - #endif /* OPENSSL_NO_DH */ - -+#if 0 /* SUSE FIPS provider doesn't have fips=yes property on DSA */ - #ifndef OPENSSL_NO_DSA - ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); - ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data)); -@@ -1483,6 +1484,7 @@ int setup_tests(void) - ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); - ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data)); - #endif /* OPENSSL_NO_DSA */ -+#endif - - #ifndef OPENSSL_NO_EC - ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data)); -diff --git a/test/endecode_test.c b/test/endecode_test.c -index 9a437d8c64..53385028fc 100644 ---- a/test/endecode_test.c -+++ b/test/endecode_test.c -@@ -1407,6 +1407,7 @@ int setup_tests(void) - * so no legacy tests. - */ - #endif -+ if (is_fips == 0) { - #ifndef OPENSSL_NO_DSA - ADD_TEST_SUITE(DSA); - ADD_TEST_SUITE_PARAMS(DSA); -@@ -1417,6 +1418,7 @@ int setup_tests(void) - ADD_TEST_SUITE_PROTECTED_PVK(DSA); - # endif - #endif -+ } - #ifndef OPENSSL_NO_EC - ADD_TEST_SUITE(EC); - ADD_TEST_SUITE_PARAMS(EC); -@@ -1431,10 +1433,12 @@ int setup_tests(void) - ADD_TEST_SUITE(ECExplicitTri2G); - ADD_TEST_SUITE_LEGACY(ECExplicitTri2G); - # endif -+ if (is_fips == 0) { - ADD_TEST_SUITE(ED25519); - ADD_TEST_SUITE(ED448); - ADD_TEST_SUITE(X25519); - ADD_TEST_SUITE(X448); -+ } - /* - * ED25519, ED448, X25519 and X448 have no support for - * PEM_write_bio_PrivateKey_traditional(), so no legacy tests. 
-diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c -index 2448c35a14..a7913cda4c 100644 ---- a/test/evp_libctx_test.c -+++ b/test/evp_libctx_test.c -@@ -21,6 +21,7 @@ - */ - #include "internal/deprecated.h" - #include -+#include - #include - #include - #include -@@ -726,7 +727,9 @@ int setup_tests(void) - return 0; - - #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH) -- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); -+ if (strcmp(prov_name, "fips") != 0) { -+ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); -+ } - #endif - #ifndef OPENSSL_NO_DH - ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3); -@@ -746,7 +749,9 @@ int setup_tests(void) - ADD_TEST(kem_invalid_keytype); - #endif - #ifndef OPENSSL_NO_DES -- ADD_TEST(test_cipher_tdes_randkey); -+ if (strcmp(prov_name, "fips") != 0) { -+ ADD_TEST(test_cipher_tdes_randkey); -+ } - #endif - return 1; - } -diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t -index b495b08bda..69bd299521 100644 ---- a/test/recipes/15-test_gendsa.t -+++ b/test/recipes/15-test_gendsa.t -@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); - plan skip_all => "This test is unsupported in a no-dsa build" - if disabled("dsa"); - --my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -+my $no_fips = 1; - - plan tests => - ($no_fips ? 
0 : 2) # FIPS related tests -diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t -index 6d3c5ba1bb..2ba47b5fca 100644 ---- a/test/recipes/20-test_cli_fips.t -+++ b/test/recipes/20-test_cli_fips.t -@@ -273,8 +273,7 @@ SKIP: { - } - - SKIP : { -- skip "FIPS DSA tests because of no dsa in this build", 1 -- if disabled("dsa"); -+ skip "FIPS DSA tests because of no dsa in this build", 1; - - subtest DSA => sub { - my $testtext_prefix = 'DSA'; -diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t -index 9d7040ced2..f8beb538d4 100644 ---- a/test/recipes/30-test_evp.t -+++ b/test/recipes/30-test_evp.t -@@ -42,10 +42,8 @@ my @files = qw( - evpciph_aes_cts.txt - evpciph_aes_wrap.txt - evpciph_aes_stitched.txt -- evpciph_des3_common.txt - evpkdf_hkdf.txt - evpkdf_kbkdf_counter.txt -- evpkdf_kbkdf_kmac.txt - evpkdf_pbkdf1.txt - evpkdf_pbkdf2.txt - evpkdf_ss.txt -@@ -65,12 +63,6 @@ push @files, qw( - evppkey_ffdhe.txt - evppkey_dh.txt - ) unless $no_dh; --push @files, qw( -- evpkdf_x942_des.txt -- evpmac_cmac_des.txt -- ) unless $no_des; --push @files, qw(evppkey_dsa.txt) unless $no_dsa; --push @files, qw(evppkey_ecx.txt) unless $no_ec; - push @files, qw( - evppkey_ecc.txt - evppkey_ecdh.txt -@@ -91,6 +83,7 @@ my @defltfiles = qw( - evpciph_cast5.txt - evpciph_chacha.txt - evpciph_des.txt -+ evpciph_des3_common.txt - evpciph_idea.txt - evpciph_rc2.txt - evpciph_rc4.txt -@@ -114,10 +107,17 @@ my @defltfiles = qw( - evpmd_whirlpool.txt - evppbe_scrypt.txt - evppbe_pkcs12.txt -+ evpkdf_kbkdf_kmac.txt - evppkey_kdf_scrypt.txt - evppkey_kdf_tls1_prf.txt - evppkey_rsa.txt - ); -+push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa; -+push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec; -+push @defltfiles, qw( -+ evpkdf_x942_des.txt -+ evpmac_cmac_des.txt -+ ) unless $no_des; - push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; - push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; - -diff --git 
a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt -index 93195df97c..315413cd9b 100644 ---- a/test/recipes/30-test_evp_data/evpmac_common.txt -+++ b/test/recipes/30-test_evp_data/evpmac_common.txt -@@ -340,6 +340,7 @@ IV = 7AE8E2CA4EC500012E58495C - Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007 - Result = MAC_INIT_ERROR - -+Availablein = default - Title = KMAC Tests (From NIST) - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F -@@ -350,12 +351,14 @@ Ctrl = xof:0 - OutputSize = 32 - BlockSize = 168 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 - Custom = "My Tagged Application" - Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -363,6 +366,7 @@ Custom = "My Tagged Application" - Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 - Ctrl = size:32 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -371,12 +375,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC - OutputSize = 64 - BlockSize = 136 - -+Availablein = default - MAC = KMAC256 - Key = 
404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 - Custom = "" - Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -386,12 +392,14 @@ Ctrl = size:64 - - Title = KMAC XOF Tests (From NIST) - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 - Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 - XOF = 1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -399,6 +407,7 @@ Custom = "My Tagged Application" - Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C - XOF = 1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -407,6 +416,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F - XOF = 1 - Ctrl = size:32 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -414,6 +424,7 @@ Custom = "My Tagged Application" - Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B - XOF = 1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -421,6 +432,7 @@ Custom = "" - Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B - XOF = 1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -431,6 +443,7 @@ XOF = 1 - - Title = KMAC long customisation string (from NIST ACVP) - -+Availablein = default - MAC = KMAC256 - Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 - Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D -@@ -441,12 +454,14 @@ XOF = 1 - - Title = KMAC XOF Tests via ctrl (From NIST) - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 - Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -454,6 +469,7 @@ Custom = "My Tagged Application" - Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -462,6 +478,7 @@ Output = 
47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F - Ctrl = xof:1 - Ctrl = size:32 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -469,6 +486,7 @@ Custom = "My Tagged Application" - Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -476,6 +494,7 @@ Custom = "" - Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -486,6 +505,7 @@ Ctrl = xof:1 - - Title = KMAC long customisation string via ctrl (from NIST ACVP) - -+Availablein = default - MAC = KMAC256 - Key = 
9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 - Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D -@@ -496,6 +516,7 @@ Ctrl = xof:1 - - Title = KMAC long customisation string negative test - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -504,6 +525,7 @@ Result = MAC_INIT_ERROR - - Title = KMAC output is too large - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index 40dd585c18..cbec426137 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content DER format, DSA key", -+ [ "signed content DER format, DSA key, no SUSE FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", - "-signer", catfile($smdir, 
"smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", -@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed detached content DER format, DSA key", -+ [ "signed detached content DER format, DSA key, no SUSE FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", -@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed detached content DER format, add RSA signer (with DSA existing)", -+ [ "signed detached content DER format, add RSA signer (with DSA existing), no SUSE FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", -@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, DSA key", -+ [ "signed content test streaming BER format, DSA key, no SUSE FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-stream", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], -@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no SUSE FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-stream", - "-signer", $smrsa1, -@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no SUSE FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, 
"-outform", "DER", - "-noattr", "-nodetach", "-stream", - "-signer", $smrsa1, -@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = ( - \&zero_compare - ], - -- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -248,7 +248,7 @@ my @smime_pkcs7_tests = ( - - my @smime_cms_tests = ( - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no SUSE FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-keyid", - "-signer", $smrsa1, -@@ -261,7 +261,7 @@ my @smime_cms_tests = ( - \&final_compare - ], - -- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no SUSE FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -371,7 +371,7 @@ my @smime_cms_tests = ( - \&final_compare - ], - -- [ "encrypted content test streaming PEM format, triple DES key", -+ [ "encrypted content test streaming PEM format, triple DES key, no SUSE FIPS", - [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", - "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", - "-stream", "-out", "{output}.cms" ], -diff --git a/test/recipes/80-test_ssl_old.t 
b/test/recipes/80-test_ssl_old.t -index 50b74a1e29..e2dcb68fb5 100644 ---- a/test/recipes/80-test_ssl_old.t -+++ b/test/recipes/80-test_ssl_old.t -@@ -436,7 +436,7 @@ sub testssl { - my @exkeys = (); - my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; - -- if (!$no_dsa) { -+ if (!$no_dsa && $provider ne "fips") { - push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; - } - --- -2.41.0 - diff --git a/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch b/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch deleted file mode 100644 index b061006..0000000 --- a/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch +++ /dev/null 
@@ -1,149 +0,0 @@ -From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 17 Nov 2022 19:33:02 +0100 -Subject: [PATCH] signature: Add indicator for PSS salt length -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection -5.5 "PKCS #1" says: "For RSASSA-PSS [...] the length (in bytes) of the -salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of -the hash function output block (in bytes)." - -It is not exactly clear from this text whether hLen refers to the -message digest or the hash function used for the mask generation -function MGF1. PKCS#1 v2.1 suggests it is the former: - -| Typical salt lengths in octets are hLen (the length of the output of -| the hash function Hash) and 0. In both cases the security of -| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1. -| Bellare and Rogaway [4] give a tight lower bound for the security of -| the original RSA-PSS scheme, which corresponds roughly to the former -| case, while Coron [12] gives a lower bound for the related Full Domain -| Hashing scheme, which corresponds roughly to the latter case. In [13] -| Coron provides a general treatment with various salt lengths ranging -| from 0 to hLen; see [27] for discussion. See also [31], which adapts -| the security proofs in [4][13] to address the differences between the -| original and the present version of RSA-PSS as listed in Note 1 above. - -Since OpenSSL defaults to creating signatures with the maximum salt -length, blocking the use of longer salts would probably lead to -significant problems in practice. Instead, introduce an explicit -indicator that can be obtained from the EVP_PKEY_CTX object using -EVP_PKEY_CTX_get_params() with the - OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR -parameter. - -We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch. 
-Dmitry Belyavskiy - -Signed-off-by: Clemens Lang ---- - include/openssl/evp.h | 4 ++++ - providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++ - util/perl/OpenSSL/paramnames.pm | 23 ++++++++++--------- - 3 files changed, 37 insertions(+), 11 deletions(-) - -Index: openssl-3.1.4/include/openssl/evp.h -=================================================================== ---- openssl-3.1.4.orig/include/openssl/evp.h -+++ openssl-3.1.4/include/openssl/evp.h -@@ -801,6 +801,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CT - __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, - int *outl); - -+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED 0 -+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED 1 -+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED 2 -+ - __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, - EVP_PKEY *pkey); - __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, -Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c -@@ -1167,6 +1167,24 @@ static int rsa_get_ctx_params(void *vprs - } - } - -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR); -+ if (p != NULL) { -+ int fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED; -+ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { -+ if (prsactx->md == NULL) { -+ fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED; -+ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) { -+ fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ } else if (prsactx->pad_mode == RSA_NO_PADDING) { -+ if (prsactx->md == NULL) /* Should always be the case */ -+ fips_indicator = 
EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ return OSSL_PARAM_set_int(p, fips_indicator); -+ } -+#endif -+ - return 1; - } - -@@ -1176,6 +1194,9 @@ static const OSSL_PARAM known_gettable_c - OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), - OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), - OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR, NULL), -+#endif - OSSL_PARAM_END - }; - -Index: openssl-3.1.4/include/openssl/core_names.h -=================================================================== ---- openssl-3.1.4.orig/include/openssl/core_names.h -+++ openssl-3.1.4/include/openssl/core_names.h -@@ -458,6 +458,7 @@ extern "C" { - #define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \ - OSSL_PKEY_PARAM_MGF1_PROPERTIES - #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE -+#define OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" - - /* Asym cipher parameters */ - #define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST -Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c -@@ -696,8 +696,13 @@ static int rsa_verify_recover(void *vprs - size_t rsabits = RSA_bits(prsactx->rsa); - - if (rsabits < 2048) { -- ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -- return 0; -+ if (rsabits != 1024 -+ && rsabits != 1280 -+ && rsabits != 1536 -+ && rsabits != 1792) { -+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -+ return 0; -+ } - } - # endif - -@@ -792,8 +797,13 @@ static int rsa_verify(void *vprsactx, co - size_t rsabits = RSA_bits(prsactx->rsa); - - if (rsabits < 2048) { -- ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -- return 0; -+ if (rsabits != 1024 -+ && rsabits != 1280 
-+ && rsabits != 1536 -+ && rsabits != 1792) { -+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -+ return 0; -+ } - } - # endif - diff --git a/openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch b/openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch deleted file mode 100644 index e79c626..0000000 --- a/openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch +++ /dev/null 
@@ -1,309 +0,0 @@ -From 4580c303fa88f77a98461fee5fe26b5db725967c Mon Sep 17 00:00:00 2001 -From: Todd Short -Date: Thu, 1 Feb 2024 23:09:38 -0500 -Subject: [PATCH 1/2] Fix EVP_PKEY_CTX_add1_hkdf_info() behavior - -Fix #23448 - -`EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function. - -Fix the setting of the parameter in the params code. -Update the TLS_PRF code to also use the params code. -Add tests. - -Reviewed-by: Shane Lontis -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/23456) - -(cherry picked from commit 6b566687b58fde08b28e3331377f050768fad89b) ---- - crypto/evp/pmeth_lib.c | 65 ++++++++++++++++++- - providers/implementations/exchange/kdf_exch.c | 42 ++++++++++++ - providers/implementations/kdfs/hkdf.c | 8 +++ - test/pkey_meth_kdf_test.c | 53 +++++++++++---- - 4 files changed, 156 insertions(+), 12 deletions(-) - -diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index ba1971c..d0eeaf7 100644 ---- a/crypto/evp/pmeth_lib.c -+++ b/crypto/evp/pmeth_lib.c -@@ -1028,6 +1028,69 @@ static int evp_pkey_ctx_set1_octet_string(EVP_PKEY_CTX *ctx, int fallback, - return EVP_PKEY_CTX_set_params(ctx, octet_string_params); - } - -+static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, -+ const char *param, int op, int ctrl, -+ const unsigned char *data, -+ int datalen) -+{ -+ OSSL_PARAM os_params[2]; -+ unsigned char *info = NULL; -+ size_t info_len = 0; -+ size_t info_alloc = 0; -+ int ret = 0; -+ -+ if (ctx == NULL || (ctx->operation & op) == 0) { -+ ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); -+ /* Uses the same return values as EVP_PKEY_CTX_ctrl */ -+ return -2; -+ } -+ -+ /* Code below to be removed when legacy support is dropped. 
*/ -+ if (fallback) -+ return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data)); -+ /* end of legacy support */ -+ -+ if (datalen < 0) { -+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); -+ return 0; -+ } -+ -+ /* Get the original value length */ -+ os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0); -+ os_params[1] = OSSL_PARAM_construct_end(); -+ -+ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) -+ return 0; -+ -+ /* Older provider that doesn't support getting this parameter */ -+ if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED) -+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen); -+ -+ info_alloc = os_params[0].return_size + datalen; -+ if (info_alloc == 0) -+ return 0; -+ info = OPENSSL_zalloc(info_alloc); -+ if (info == NULL) -+ return 0; -+ info_len = os_params[0].return_size; -+ -+ os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc); -+ -+ /* if we have data, then go get it */ -+ if (info_len > 0) { -+ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) -+ goto error; -+ } -+ -+ /* Copy the input data */ -+ memcpy(&info[info_len], data, datalen); -+ ret = EVP_PKEY_CTX_set_params(ctx, os_params); -+ -+ error: -+ OPENSSL_clear_free(info, info_alloc); -+ return ret; -+} -+ - int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx, - const unsigned char *sec, int seclen) - { -@@ -1078,7 +1141,7 @@ int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx, - int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx, - const unsigned char *info, int infolen) - { -- return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL, -+ return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL, - OSSL_KDF_PARAM_INFO, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_HKDF_INFO, -diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c -index 527a866..4bc8102 100644 ---- a/providers/implementations/exchange/kdf_exch.c -+++ 
b/providers/implementations/exchange/kdf_exch.c -@@ -28,9 +28,13 @@ static OSSL_FUNC_keyexch_derive_fn kdf_derive; - static OSSL_FUNC_keyexch_freectx_fn kdf_freectx; - static OSSL_FUNC_keyexch_dupctx_fn kdf_dupctx; - static OSSL_FUNC_keyexch_set_ctx_params_fn kdf_set_ctx_params; -+static OSSL_FUNC_keyexch_get_ctx_params_fn kdf_get_ctx_params; - static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params; - static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; - static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_scrypt_settable_ctx_params; -+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params; -+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; -+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params; - - typedef struct { - void *provctx; -@@ -169,6 +173,13 @@ static int kdf_set_ctx_params(void *vpkdfctx, const OSSL_PARAM params[]) - return EVP_KDF_CTX_set_params(pkdfctx->kdfctx, params); - } - -+static int kdf_get_ctx_params(void *vpkdfctx, OSSL_PARAM params[]) -+{ -+ PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx; -+ -+ return EVP_KDF_CTX_get_params(pkdfctx->kdfctx, params); -+} -+ - static const OSSL_PARAM *kdf_settable_ctx_params(ossl_unused void *vpkdfctx, - void *provctx, - const char *kdfname) -@@ -197,6 +208,34 @@ KDF_SETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF") - KDF_SETTABLE_CTX_PARAMS(hkdf, "HKDF") - KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT") - -+static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx, -+ void *provctx, -+ const char *kdfname) -+{ -+ EVP_KDF *kdf = EVP_KDF_fetch(PROV_LIBCTX_OF(provctx), kdfname, -+ NULL); -+ const OSSL_PARAM *params; -+ -+ if (kdf == NULL) -+ return NULL; -+ -+ params = EVP_KDF_gettable_ctx_params(kdf); -+ EVP_KDF_free(kdf); -+ -+ return params; -+} -+ -+#define KDF_GETTABLE_CTX_PARAMS(funcname, kdfname) \ -+ static const OSSL_PARAM *kdf_##funcname##_gettable_ctx_params(void 
*vpkdfctx, \ -+ void *provctx) \ -+ { \ -+ return kdf_gettable_ctx_params(vpkdfctx, provctx, kdfname); \ -+ } -+ -+KDF_GETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF") -+KDF_GETTABLE_CTX_PARAMS(hkdf, "HKDF") -+KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT") -+ - #define KDF_KEYEXCH_FUNCTIONS(funcname) \ - const OSSL_DISPATCH ossl_kdf_##funcname##_keyexch_functions[] = { \ - { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))kdf_##funcname##_newctx }, \ -@@ -205,8 +244,11 @@ KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT") - { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))kdf_freectx }, \ - { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))kdf_dupctx }, \ - { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))kdf_set_ctx_params }, \ -+ { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))kdf_get_ctx_params }, \ - { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, \ - (void (*)(void))kdf_##funcname##_settable_ctx_params }, \ -+ { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, \ -+ (void (*)(void))kdf_##funcname##_gettable_ctx_params }, \ - { 0, NULL } \ - }; - -diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c -index daa619b..dd65a2a 100644 ---- a/providers/implementations/kdfs/hkdf.c -+++ b/providers/implementations/kdfs/hkdf.c -@@ -371,6 +371,13 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - return 0; - return OSSL_PARAM_set_size_t(p, sz); - } -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { -+ if (ctx->info == NULL || ctx->info_len == 0) { -+ p->return_size = 0; -+ return 1; -+ } -+ return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len); -+ } - return -2; - } - -@@ -379,6 +386,7 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), - OSSL_PARAM_END - }; - return known_gettable_ctx_params; -diff --git a/test/pkey_meth_kdf_test.c 
b/test/pkey_meth_kdf_test.c -index f816d24..c09e2f3 100644 ---- a/test/pkey_meth_kdf_test.c -+++ b/test/pkey_meth_kdf_test.c -@@ -16,7 +16,7 @@ - #include - #include "testutil.h" - --static int test_kdf_tls1_prf(void) -+static int test_kdf_tls1_prf(int index) - { - int ret = 0; - EVP_PKEY_CTX *pctx; -@@ -40,10 +40,23 @@ static int test_kdf_tls1_prf(void) - TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret"); - goto err; - } -- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, -- (unsigned char *)"seed", 4) <= 0) { -- TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); -- goto err; -+ if (index == 0) { -+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, -+ (unsigned char *)"seed", 4) <= 0) { -+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); -+ goto err; -+ } -+ } else { -+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, -+ (unsigned char *)"se", 2) <= 0) { -+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); -+ goto err; -+ } -+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, -+ (unsigned char *)"ed", 2) <= 0) { -+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); -+ goto err; -+ } - } - if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { - TEST_error("EVP_PKEY_derive"); -@@ -65,7 +78,7 @@ err: - return ret; - } - --static int test_kdf_hkdf(void) -+static int test_kdf_hkdf(int index) - { - int ret = 0; - EVP_PKEY_CTX *pctx; -@@ -94,10 +107,23 @@ static int test_kdf_hkdf(void) - TEST_error("EVP_PKEY_CTX_set1_hkdf_key"); - goto err; - } -- if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5) -+ if (index == 0) { -+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5) - <= 0) { -- TEST_error("EVP_PKEY_CTX_set1_hkdf_info"); -- goto err; -+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info"); -+ goto err; -+ } -+ } else { -+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3) -+ <= 0) { -+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info"); -+ goto err; -+ } -+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2) -+ <= 0) { -+ 
TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
-+ goto err;
-+ }
- }
- if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
- TEST_error("EVP_PKEY_derive");
-@@ -195,8 +221,13 @@ err:
-
- int setup_tests(void)
- {
-- ADD_TEST(test_kdf_tls1_prf);
-- ADD_TEST(test_kdf_hkdf);
-+ int tests = 1;
-+
-+ if (fips_provider_version_ge(NULL, 3, 3, 1))
-+ tests = 2;
-+
-+ ADD_ALL_TESTS(test_kdf_tls1_prf, tests);
-+ ADD_ALL_TESTS(test_kdf_hkdf, tests);
- #ifndef OPENSSL_NO_SCRYPT
- ADD_TEST(test_kdf_scrypt);
- #endif
---
-2.45.1
-
diff --git a/openssl-Fix-Wfree-nonheap-object-warning.patch b/openssl-Fix-Wfree-nonheap-object-warning.patch
new file mode 100644
index 0000000..2842075
--- /dev/null
+++ b/openssl-Fix-Wfree-nonheap-object-warning.patch
@@ -0,0 +1,34 @@
+Index: openssl-3.5.0/crypto/bn/bn_exp.c
+===================================================================
+--- openssl-3.5.0.orig/crypto/bn/bn_exp.c
++++ openssl-3.5.0/crypto/bn/bn_exp.c
+@@ -166,6 +166,20 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *
+ return ret;
+ }
+
++/* As per limitations of C, the compiler cannot determine statically that in the
++ * case of BN_RECP_CTX_free, the BN_RECP_CTX.flag will not have a value of
++ * BN_FLG_MALLOCED, thus we hit a warning (-Wfree-nonheap-object) in
++ * BN_mod_exp_recp. Fix that by omiting the check for BN_FLG_MALLOCED.
++ */
++void BN_RECP_CTX_free_static(BN_RECP_CTX *recp)
++{
++ if (recp == NULL)
++ return;
++
++ BN_free(&recp->N);
++ BN_free(&recp->Nr);
++}
++
+ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx)
+ {
+@@ -304,7 +318,7 @@ int BN_mod_exp_recp(BIGNUM *r, const BIG
+ ret = 1;
+ err:
+ BN_CTX_end(ctx);
+- BN_RECP_CTX_free(&recp);
++ BN_RECP_CTX_free_static(&recp);
+ bn_check_top(r);
+ return ret;
+ }
diff --git a/openssl-Force-FIPS.patch b/openssl-Force-FIPS.patch
index 3ba0f44..18ddbc0 100644
--- a/openssl-Force-FIPS.patch
+++ b/openssl-Force-FIPS.patch
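Review bot: `BN_RECP_CTX_free_static` is defined with external linkage but, as far as this hunk shows, is only called from `BN_mod_exp_recp` in the same translation unit and has no prototype, so it introduces a new global symbol (exported from libcrypto unless the version script filters it) and will trip `-Wmissing-prototypes` in strict builds; the definition should read `static void BN_RECP_CTX_free_static(BN_RECP_CTX *recp)`. The helper also re-implements the member teardown of `BN_RECP_CTX_free` minus the `BN_FLG_MALLOCED` branch, so a one-line comment such as `/* Must mirror BN_RECP_CTX_free() except for freeing the struct itself. */` would help keep the two in sync if BN_RECP_CTX ever gains another heap-owned member. In the same comment, "omiting" should be "omitting".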
@@ -1,20 +1,21 @@ -From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 11:59:02 +0200 -Subject: [PATCH 16/48] 0032-Force-fips.patch +From 22c5e2dc99406629b2c37c1ddf1151d6fb8ad7d1 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 22/53] FIPS: Force fips provider on Patch-name: 0032-Force-fips.patch Patch-id: 32 Patch-status: | - # We load FIPS provider and set FIPS properties implicitly + # # We load FIPS provider and set FIPS properties implicitly +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - crypto/provider_conf.c | 28 +++++++++++++++++++++++++++- - 1 file changed, 27 insertions(+), 1 deletion(-) + crypto/provider_conf.c | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) -Index: openssl-3.1.4/crypto/provider_conf.c -=================================================================== ---- openssl-3.1.4.orig/crypto/provider_conf.c -+++ openssl-3.1.4/crypto/provider_conf.c +diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c +index 5ec50f97e4..a2a9786e1c 100644 +--- a/crypto/provider_conf.c ++++ b/crypto/provider_conf.c @@ -10,6 +10,8 @@ #include #include 
@@ -24,25 +25,25 @@ Index: openssl-3.1.4/crypto/provider_conf.c #include #include #include -@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_L +@@ -237,7 +239,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, if (path != NULL) ossl_provider_set_module_path(prov, path); - ok = provider_conf_params(prov, NULL, NULL, value, cnf); + ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; - if (ok) { + if (ok == 1) { if (!ossl_provider_activate(prov, 1, 0)) { -@@ -197,6 +199,8 @@ static int provider_conf_activate(OSSL_L - } - if (!ok) +@@ -266,6 +268,8 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, + + if (ok <= 0) ossl_provider_free(prov); + } else { + ok = 1; } CRYPTO_THREAD_unlock(pcgbl->lock); -@@ -309,6 +313,33 @@ static int provider_conf_init(CONF_IMODU +@@ -420,6 +424,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) return 0; } @@ -64,9 +65,6 @@ Index: openssl-3.1.4/crypto/provider_conf.c + if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) + return 0; + } -+ /* provider_conf_load can return 1 even when the test is failed so check explicitly */ -+ if (OSSL_PROVIDER_available(libctx, "fips") != 1) -+ return 0; + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) + return 0; + if (EVP_default_properties_enable_fips(libctx, 1) != 1) @@ -76,3 +74,6 @@ Index: openssl-3.1.4/crypto/provider_conf.c return 1; } +-- +2.49.0 + diff --git a/openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch b/openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch deleted file mode 100644 index 0ad7660..0000000 --- a/openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch +++ /dev/null 
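Review bot: The explicit `OSSL_PROVIDER_available(libctx, "fips") != 1` check that followed the forced FIPS activation is gone from the refreshed hunk `@@ -64,9 +65,6 @@`, and neither the new patch header nor the diff explains why it became redundant. The removed comment stated that the activation path can report success even when the module's self-test failed; if that still holds on the rebased code, initialization now proceeds to `provider_conf_activate(libctx, "base", ...)` and `EVP_default_properties_enable_fips(libctx, 1)` with no FIPS provider loaded, and the problem surfaces later as opaque fetch failures rather than as an explicit initialization error. Either restore `if (OSSL_PROVIDER_available(libctx, "fips") != 1) return 0;` after the activation, or add a comment explaining why `provider_conf_activate` returning 1 now guarantees that the provider is available. The enclosing function starts and ends outside the hunk.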
@@ -1,94 +0,0 @@ -From d6a9c21302e01c33a9a919e7ba380ba3b0ed65b0 Mon Sep 17 00:00:00 2001 -From: trinity-1686a -Date: Mon, 15 Apr 2024 11:13:14 +0200 -Subject: [PATCH 2/2] Handle empty param in EVP_PKEY_CTX_add1_hkdf_info - -Fixes #24130 -The regression was introduced in PR #23456. - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24141) - -(cherry picked from commit 299996fb1fcd76eeadfd547958de2a1b822f37f5) ---- - crypto/evp/pmeth_lib.c | 2 ++ - test/evp_extra_test.c | 42 ++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 44 insertions(+) - -diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index d0eeaf7..bce1ebc 100644 ---- a/crypto/evp/pmeth_lib.c -+++ b/crypto/evp/pmeth_lib.c -@@ -1053,6 +1053,8 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, - if (datalen < 0) { - ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); - return 0; -+ } else if (datalen == 0) { -+ return 1; - } - - /* Get the original value length */ -diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c -index 9b3bee7..22121ce 100644 ---- a/test/evp_extra_test.c -+++ b/test/evp_extra_test.c -@@ -2565,6 +2565,47 @@ static int test_emptyikm_HKDF(void) - return ret; - } - -+static int test_empty_salt_info_HKDF(void) -+{ -+ EVP_PKEY_CTX *pctx; -+ unsigned char out[20]; -+ size_t outlen; -+ int ret = 0; -+ unsigned char salt[] = ""; -+ unsigned char key[] = "012345678901234567890123456789"; -+ unsigned char info[] = ""; -+ const unsigned char expected[] = { -+ 0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a, -+ 0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06, -+ }; -+ size_t expectedlen = sizeof(expected); -+ -+ if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq))) -+ goto done; -+ -+ outlen = sizeof(out); -+ memset(out, 0, outlen); -+ -+ if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0) -+ || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0) 
-+ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, -+ sizeof(salt) - 1), 0) -+ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key, -+ sizeof(key) - 1), 0) -+ || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info, -+ sizeof(info) - 1), 0) -+ || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0) -+ || !TEST_mem_eq(out, outlen, expected, expectedlen)) -+ goto done; -+ -+ ret = 1; -+ -+ done: -+ EVP_PKEY_CTX_free(pctx); -+ -+ return ret; -+} -+ - #ifndef OPENSSL_NO_EC - static int test_X509_PUBKEY_inplace(void) - { -@@ -5166,6 +5207,7 @@ int setup_tests(void) - #endif - ADD_TEST(test_HKDF); - ADD_TEST(test_emptyikm_HKDF); -+ ADD_TEST(test_empty_salt_info_HKDF); - #ifndef OPENSSL_NO_EC - ADD_TEST(test_X509_PUBKEY_inplace); - ADD_TEST(test_X509_PUBKEY_dup); --- -2.45.1 - diff --git a/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch b/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch deleted file mode 100644 index 7c57d6b..0000000 --- a/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch +++ /dev/null 
@@ -1,495 +0,0 @@ -From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001 -From: Danny Tsen -Date: Tue, 22 Aug 2023 15:58:53 -0400 -Subject: [PATCH] Improve performance for 6x unrolling with vpermxor - instruction - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/21812) ---- - crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++------------- - 1 file changed, 95 insertions(+), 50 deletions(-) - -diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl -index 60cf86f52aed2..38b9405a283b7 100755 ---- a/crypto/aes/asm/aesp8-ppc.pl -+++ b/crypto/aes/asm/aesp8-ppc.pl -@@ -99,11 +99,12 @@ - .long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev - .long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev - .long 0,0,0,0 ?asis -+.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe - Lconsts: - mflr r0 - bcl 20,31,\$+4 - mflr $ptr #vvvvv "distance between . and rcon -- addi $ptr,$ptr,-0x48 -+ addi $ptr,$ptr,-0x58 - mtlr r0 - blr - .long 0 -@@ -2405,7 +2406,7 @@ () - my $key_=$key2; - my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31)); - $x00=0 if ($flavour =~ /osx/); --my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5)); -+my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5)); - my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16)); - my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22)); - my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys -@@ -2460,6 +2461,18 @@ () - li $x70,0x70 - mtspr 256,r0 - -+ # Reverse eighty7 to 0x010101..87 -+ xxlor 2, 32+$eighty7, 32+$eighty7 -+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 -+ xxlor 1, 32+$eighty7, 32+$eighty7 -+ -+ # Load XOR contents. 
0xf102132435465768798a9bacbdcedfe -+ mr $x70, r6 -+ bl Lconsts -+ lxvw4x 0, $x40, r6 # load XOR contents -+ mr r6, $x70 -+ li $x70,0x70 -+ - subi $rounds,$rounds,3 # -4 in total - - lvx $rndkey0,$x00,$key1 # load key schedule -@@ -2502,69 +2515,77 @@ () - ?vperm v31,v31,$twk5,$keyperm - lvx v25,$x10,$key_ # pre-load round[2] - -+ # Switch to use the following codes with 0x010101..87 to generate tweak. -+ # eighty7 = 0x010101..87 -+ # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits -+ # vand tmp, tmp, eighty7 # last byte with carry -+ # vaddubm tweak, tweak, tweak # left shift 1 bit (x2) -+ # xxlor vsx, 0, 0 -+ # vpermxor tweak, tweak, tmp, vsx -+ - vperm $in0,$inout,$inptail,$inpperm - subi $inp,$inp,31 # undo "caller" - vxor $twk0,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vand $tmp,$tmp,$eighty7 - vxor $out0,$in0,$twk0 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in1, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - - lvx_u $in1,$x10,$inp - vxor $twk1,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in1,$in1,$in1,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out1,$in1,$twk1 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - - lvx_u $in2,$x20,$inp - andi. 
$taillen,$len,15 - vxor $twk2,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in2,$in2,$in2,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out2,$in2,$twk2 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - - lvx_u $in3,$x30,$inp - sub $len,$len,$taillen - vxor $twk3,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in3,$in3,$in3,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out3,$in3,$twk3 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - - lvx_u $in4,$x40,$inp - subi $len,$len,0x60 - vxor $twk4,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in4,$in4,$in4,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out4,$in4,$twk4 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - - lvx_u $in5,$x50,$inp - addi $inp,$inp,0x60 - vxor $twk5,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in5,$in5,$in5,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out5,$in5,$twk5 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 - - vxor v31,v31,$rndkey0 - mtctr $rounds -@@ -2590,6 +2611,8 @@ () - lvx v25,$x10,$key_ # round[4] - bdnz Loop_xts_enc6x - -+ xxlor 32+$eighty7, 1, 1 # 0x010101..87 -+ - subic $len,$len,96 # $len-=96 - vxor $in0,$twk0,v31 # xor with last round key - vcipher $out0,$out0,v24 -@@ -2599,7 +2622,6 @@ () - vaddubm $tweak,$tweak,$tweak - vcipher $out2,$out2,v24 - vcipher $out3,$out3,v24 -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out4,$out4,v24 - vcipher $out5,$out5,v24 - -@@ -2607,7 +2629,8 @@ () - vand $tmp,$tmp,$eighty7 - vcipher $out0,$out0,v25 - vcipher $out1,$out1,v25 -- vxor $tweak,$tweak,$tmp -+ xxlor 
32+$in1, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - vcipher $out2,$out2,v25 - vcipher $out3,$out3,v25 - vxor $in1,$twk1,v31 -@@ -2618,13 +2641,13 @@ () - - and r0,r0,$len - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out0,$out0,v26 - vcipher $out1,$out1,v26 - vand $tmp,$tmp,$eighty7 - vcipher $out2,$out2,v26 - vcipher $out3,$out3,v26 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - vcipher $out4,$out4,v26 - vcipher $out5,$out5,v26 - -@@ -2638,7 +2661,6 @@ () - vaddubm $tweak,$tweak,$tweak - vcipher $out0,$out0,v27 - vcipher $out1,$out1,v27 -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out2,$out2,v27 - vcipher $out3,$out3,v27 - vand $tmp,$tmp,$eighty7 -@@ -2646,7 +2668,8 @@ () - vcipher $out5,$out5,v27 - - addi $key_,$sp,$FRAME+15 # rewind $key_ -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - vcipher $out0,$out0,v28 - vcipher $out1,$out1,v28 - vxor $in3,$twk3,v31 -@@ -2655,7 +2678,6 @@ () - vcipher $out2,$out2,v28 - vcipher $out3,$out3,v28 - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out4,$out4,v28 - vcipher $out5,$out5,v28 - lvx v24,$x00,$key_ # re-pre-load round[1] -@@ -2663,7 +2685,8 @@ () - - vcipher $out0,$out0,v29 - vcipher $out1,$out1,v29 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - vcipher $out2,$out2,v29 - vcipher $out3,$out3,v29 - vxor $in4,$twk4,v31 -@@ -2673,14 +2696,14 @@ () - vcipher $out5,$out5,v29 - lvx v25,$x10,$key_ # re-pre-load round[2] - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - - vcipher $out0,$out0,v30 - vcipher $out1,$out1,v30 - vand $tmp,$tmp,$eighty7 - vcipher $out2,$out2,v30 - vcipher $out3,$out3,v30 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - vcipher $out4,$out4,v30 - vcipher $out5,$out5,v30 - vxor $in5,$twk5,v31 -@@ -2690,7 +2713,6 @@ () - vcipherlast $out0,$out0,$in0 - lvx_u $in0,$x00,$inp # load next 
input block - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vcipherlast $out1,$out1,$in1 - lvx_u $in1,$x10,$inp - vcipherlast $out2,$out2,$in2 -@@ -2703,7 +2725,10 @@ () - vcipherlast $out4,$out4,$in4 - le?vperm $in2,$in2,$in2,$leperm - lvx_u $in4,$x40,$inp -- vxor $tweak,$tweak,$tmp -+ xxlor 10, 32+$in0, 32+$in0 -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 -+ xxlor 32+$in0, 10, 10 - vcipherlast $tmp,$out5,$in5 # last block might be needed - # in stealing mode - le?vperm $in3,$in3,$in3,$leperm -@@ -2736,6 +2761,8 @@ () - mtctr $rounds - beq Loop_xts_enc6x # did $len-=96 borrow? - -+ xxlor 32+$eighty7, 2, 2 # 0x870101..01 -+ - addic. $len,$len,0x60 - beq Lxts_enc6x_zero - cmpwi $len,0x20 -@@ -3112,6 +3139,18 @@ () - li $x70,0x70 - mtspr 256,r0 - -+ # Reverse eighty7 to 0x010101..87 -+ xxlor 2, 32+$eighty7, 32+$eighty7 -+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 -+ xxlor 1, 32+$eighty7, 32+$eighty7 -+ -+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe -+ mr $x70, r6 -+ bl Lconsts -+ lxvw4x 0, $x40, r6 # load XOR contents -+ mr r6, $x70 -+ li $x70,0x70 -+ - subi $rounds,$rounds,3 # -4 in total - - lvx $rndkey0,$x00,$key1 # load key schedule -@@ -3159,64 +3198,64 @@ () - vxor $twk0,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vand $tmp,$tmp,$eighty7 - vxor $out0,$in0,$twk0 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in1, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - - lvx_u $in1,$x10,$inp - vxor $twk1,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in1,$in1,$in1,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out1,$in1,$twk1 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - - lvx_u $in2,$x20,$inp - andi. 
$taillen,$len,15 - vxor $twk2,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in2,$in2,$in2,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out2,$in2,$twk2 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - - lvx_u $in3,$x30,$inp - sub $len,$len,$taillen - vxor $twk3,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in3,$in3,$in3,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out3,$in3,$twk3 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - - lvx_u $in4,$x40,$inp - subi $len,$len,0x60 - vxor $twk4,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in4,$in4,$in4,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out4,$in4,$twk4 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - - lvx_u $in5,$x50,$inp - addi $inp,$inp,0x60 - vxor $twk5,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in5,$in5,$in5,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out5,$in5,$twk5 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 - - vxor v31,v31,$rndkey0 - mtctr $rounds -@@ -3242,6 +3281,8 @@ () - lvx v25,$x10,$key_ # round[4] - bdnz Loop_xts_dec6x - -+ xxlor 32+$eighty7, 1, 1 -+ - subic $len,$len,96 # $len-=96 - vxor $in0,$twk0,v31 # xor with last round key - vncipher $out0,$out0,v24 -@@ -3251,7 +3292,6 @@ () - vaddubm $tweak,$tweak,$tweak - vncipher $out2,$out2,v24 - vncipher $out3,$out3,v24 -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out4,$out4,v24 - vncipher $out5,$out5,v24 - -@@ -3259,7 +3299,8 @@ () - vand $tmp,$tmp,$eighty7 - vncipher $out0,$out0,v25 - vncipher $out1,$out1,v25 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in1, 0, 
0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - vncipher $out2,$out2,v25 - vncipher $out3,$out3,v25 - vxor $in1,$twk1,v31 -@@ -3270,13 +3311,13 @@ () - - and r0,r0,$len - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out0,$out0,v26 - vncipher $out1,$out1,v26 - vand $tmp,$tmp,$eighty7 - vncipher $out2,$out2,v26 - vncipher $out3,$out3,v26 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - vncipher $out4,$out4,v26 - vncipher $out5,$out5,v26 - -@@ -3290,7 +3331,6 @@ () - vaddubm $tweak,$tweak,$tweak - vncipher $out0,$out0,v27 - vncipher $out1,$out1,v27 -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out2,$out2,v27 - vncipher $out3,$out3,v27 - vand $tmp,$tmp,$eighty7 -@@ -3298,7 +3338,8 @@ () - vncipher $out5,$out5,v27 - - addi $key_,$sp,$FRAME+15 # rewind $key_ -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - vncipher $out0,$out0,v28 - vncipher $out1,$out1,v28 - vxor $in3,$twk3,v31 -@@ -3307,7 +3348,6 @@ () - vncipher $out2,$out2,v28 - vncipher $out3,$out3,v28 - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out4,$out4,v28 - vncipher $out5,$out5,v28 - lvx v24,$x00,$key_ # re-pre-load round[1] -@@ -3315,7 +3355,8 @@ () - - vncipher $out0,$out0,v29 - vncipher $out1,$out1,v29 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - vncipher $out2,$out2,v29 - vncipher $out3,$out3,v29 - vxor $in4,$twk4,v31 -@@ -3325,14 +3366,14 @@ () - vncipher $out5,$out5,v29 - lvx v25,$x10,$key_ # re-pre-load round[2] - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - - vncipher $out0,$out0,v30 - vncipher $out1,$out1,v30 - vand $tmp,$tmp,$eighty7 - vncipher $out2,$out2,v30 - vncipher $out3,$out3,v30 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - vncipher $out4,$out4,v30 - vncipher $out5,$out5,v30 - vxor $in5,$twk5,v31 -@@ -3342,7 +3383,6 @@ () - vncipherlast $out0,$out0,$in0 - lvx_u 
$in0,$x00,$inp # load next input block - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vncipherlast $out1,$out1,$in1 - lvx_u $in1,$x10,$inp - vncipherlast $out2,$out2,$in2 -@@ -3355,7 +3395,10 @@ () - vncipherlast $out4,$out4,$in4 - le?vperm $in2,$in2,$in2,$leperm - lvx_u $in4,$x40,$inp -- vxor $tweak,$tweak,$tmp -+ xxlor 10, 32+$in0, 32+$in0 -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 -+ xxlor 32+$in0, 10, 10 - vncipherlast $out5,$out5,$in5 - le?vperm $in3,$in3,$in3,$leperm - lvx_u $in5,$x50,$inp -@@ -3386,6 +3429,8 @@ () - mtctr $rounds - beq Loop_xts_dec6x # did $len-=96 borrow? - -+ xxlor 32+$eighty7, 2, 2 -+ - addic. $len,$len,0x60 - beq Lxts_dec6x_zero - cmpwi $len,0x20 diff --git a/openssl-Remove-EC-curves.patch b/openssl-Remove-EC-curves.patch deleted file mode 100644 index 3782ce0..0000000 --- a/openssl-Remove-EC-curves.patch +++ /dev/null 
@@ -1,270 +0,0 @@ -From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 11:46:40 +0200 -Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch - -Patch-name: 0011-Remove-EC-curves.patch -Patch-id: 11 -Patch-status: | - # remove unsupported EC curves ---- - apps/speed.c | 8 +--- - crypto/evp/ec_support.c | 87 ------------------------------------ - test/acvp_test.inc | 9 ---- - test/ecdsatest.h | 17 ------- - test/recipes/15-test_genec.t | 27 ----------- - 5 files changed, 1 insertion(+), 147 deletions(-) - -diff --git a/apps/speed.c b/apps/speed.c -index cace25eda1..d527f12f18 100644 ---- a/apps/speed.c -+++ b/apps/speed.c -@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */ - #endif /* OPENSSL_NO_DH */ - - enum ec_curves_t { -- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, -+ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, - #ifndef OPENSSL_NO_EC2M - R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, - R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, -@@ -395,8 +395,6 @@ enum ec_curves_t { - }; - /* list of ecdsa curves */ - static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { -- {"ecdsap160", R_EC_P160}, -- {"ecdsap192", R_EC_P192}, - {"ecdsap224", R_EC_P224}, - {"ecdsap256", R_EC_P256}, - {"ecdsap384", R_EC_P384}, -@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { - enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM }; - /* list of ecdh curves, extension of |ecdsa_choices| list above */ - static const OPT_PAIR ecdh_choices[EC_NUM] = { -- {"ecdhp160", R_EC_P160}, -- {"ecdhp192", R_EC_P192}, - {"ecdhp224", R_EC_P224}, - {"ecdhp256", R_EC_P256}, - {"ecdhp384", R_EC_P384}, -@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv) - */ - static const EC_CURVE ec_curves[EC_NUM] = { - /* Prime Curves */ -- {"secp160r1", NID_secp160r1, 160}, -- {"nistp192", NID_X9_62_prime192v1, 192}, - {"nistp224", NID_secp224r1, 224}, - 
{"nistp256", NID_X9_62_prime256v1, 256}, - {"nistp384", NID_secp384r1, 384}, -diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c -index 1ec10143d2..82b95294b4 100644 ---- a/crypto/evp/ec_support.c -+++ b/crypto/evp/ec_support.c -@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st { - static const EC_NAME2NID curve_list[] = { - /* prime field curves */ - /* secg curves */ -- {"secp112r1", NID_secp112r1 }, -- {"secp112r2", NID_secp112r2 }, -- {"secp128r1", NID_secp128r1 }, -- {"secp128r2", NID_secp128r2 }, -- {"secp160k1", NID_secp160k1 }, -- {"secp160r1", NID_secp160r1 }, -- {"secp160r2", NID_secp160r2 }, -- {"secp192k1", NID_secp192k1 }, -- {"secp224k1", NID_secp224k1 }, - {"secp224r1", NID_secp224r1 }, - {"secp256k1", NID_secp256k1 }, - {"secp384r1", NID_secp384r1 }, - {"secp521r1", NID_secp521r1 }, - /* X9.62 curves */ -- {"prime192v1", NID_X9_62_prime192v1 }, -- {"prime192v2", NID_X9_62_prime192v2 }, -- {"prime192v3", NID_X9_62_prime192v3 }, -- {"prime239v1", NID_X9_62_prime239v1 }, -- {"prime239v2", NID_X9_62_prime239v2 }, -- {"prime239v3", NID_X9_62_prime239v3 }, - {"prime256v1", NID_X9_62_prime256v1 }, - /* characteristic two field curves */ - /* NIST/SECG curves */ -- {"sect113r1", NID_sect113r1 }, -- {"sect113r2", NID_sect113r2 }, -- {"sect131r1", NID_sect131r1 }, -- {"sect131r2", NID_sect131r2 }, -- {"sect163k1", NID_sect163k1 }, -- {"sect163r1", NID_sect163r1 }, -- {"sect163r2", NID_sect163r2 }, -- {"sect193r1", NID_sect193r1 }, -- {"sect193r2", NID_sect193r2 }, -- {"sect233k1", NID_sect233k1 }, -- {"sect233r1", NID_sect233r1 }, -- {"sect239k1", NID_sect239k1 }, -- {"sect283k1", NID_sect283k1 }, -- {"sect283r1", NID_sect283r1 }, -- {"sect409k1", NID_sect409k1 }, -- {"sect409r1", NID_sect409r1 }, -- {"sect571k1", NID_sect571k1 }, -- {"sect571r1", NID_sect571r1 }, -- /* X9.62 curves */ -- {"c2pnb163v1", NID_X9_62_c2pnb163v1 }, -- {"c2pnb163v2", NID_X9_62_c2pnb163v2 }, -- {"c2pnb163v3", NID_X9_62_c2pnb163v3 }, -- {"c2pnb176v1", NID_X9_62_c2pnb176v1 
}, -- {"c2tnb191v1", NID_X9_62_c2tnb191v1 }, -- {"c2tnb191v2", NID_X9_62_c2tnb191v2 }, -- {"c2tnb191v3", NID_X9_62_c2tnb191v3 }, -- {"c2pnb208w1", NID_X9_62_c2pnb208w1 }, -- {"c2tnb239v1", NID_X9_62_c2tnb239v1 }, -- {"c2tnb239v2", NID_X9_62_c2tnb239v2 }, -- {"c2tnb239v3", NID_X9_62_c2tnb239v3 }, -- {"c2pnb272w1", NID_X9_62_c2pnb272w1 }, -- {"c2pnb304w1", NID_X9_62_c2pnb304w1 }, -- {"c2tnb359v1", NID_X9_62_c2tnb359v1 }, -- {"c2pnb368w1", NID_X9_62_c2pnb368w1 }, -- {"c2tnb431r1", NID_X9_62_c2tnb431r1 }, -- /* -- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves -- * from X9.62] -- */ -- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 }, -- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 }, -- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 }, -- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 }, -- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 }, -- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 }, -- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 }, -- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 }, -- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 }, -- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 }, -- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 }, -- /* IPSec curves */ -- {"Oakley-EC2N-3", NID_ipsec3 }, -- {"Oakley-EC2N-4", NID_ipsec4 }, - /* brainpool curves */ -- {"brainpoolP160r1", NID_brainpoolP160r1 }, -- {"brainpoolP160t1", NID_brainpoolP160t1 }, -- {"brainpoolP192r1", NID_brainpoolP192r1 }, -- {"brainpoolP192t1", NID_brainpoolP192t1 }, -- {"brainpoolP224r1", NID_brainpoolP224r1 }, -- {"brainpoolP224t1", NID_brainpoolP224t1 }, - {"brainpoolP256r1", NID_brainpoolP256r1 }, - {"brainpoolP256t1", NID_brainpoolP256t1 }, - {"brainpoolP320r1", NID_brainpoolP320r1 }, -@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name) - /* Functions to translate between common NIST curve names and NIDs */ - - static const EC_NAME2NID nist_curves[] = { -- {"B-163", 
NID_sect163r2}, -- {"B-233", NID_sect233r1}, -- {"B-283", NID_sect283r1}, -- {"B-409", NID_sect409r1}, -- {"B-571", NID_sect571r1}, -- {"K-163", NID_sect163k1}, -- {"K-233", NID_sect233k1}, -- {"K-283", NID_sect283k1}, -- {"K-409", NID_sect409k1}, -- {"K-571", NID_sect571k1}, -- {"P-192", NID_X9_62_prime192v1}, - {"P-224", NID_secp224r1}, - {"P-256", NID_X9_62_prime256v1}, - {"P-384", NID_secp384r1}, -diff --git a/test/acvp_test.inc b/test/acvp_test.inc -index ad11d3ae1e..894a0bff9d 100644 ---- a/test/acvp_test.inc -+++ b/test/acvp_test.inc -@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = { - 0xB1, 0xAC, - }; - static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { -- { -- "SHA-1", -- "P-192", -- ITM(ecdsa_sigver_msg0), -- ITM(ecdsa_sigver_pub0), -- ITM(ecdsa_sigver_r0), -- ITM(ecdsa_sigver_s0), -- PASS, -- }, - { - "SHA2-512", - "P-521", -diff --git a/test/ecdsatest.h b/test/ecdsatest.h -index 63fe319025..06b5c0aac5 100644 ---- a/test/ecdsatest.h -+++ b/test/ecdsatest.h -@@ -32,23 +32,6 @@ typedef struct { - } ecdsa_cavs_kat_t; - - static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { -- /* prime KATs from X9.62 */ -- {NID_X9_62_prime192v1, NID_sha1, -- "616263", /* "abc" */ -- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", -- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" -- "5ca5c0d69716dfcb3474373902", -- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", -- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", -- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, -- {NID_X9_62_prime239v1, NID_sha1, -- "616263", /* "abc" */ -- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", -- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" -- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", -- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", -- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", -- 
"2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, - /* prime KATs from NIST CAVP */ - {NID_secp224r1, NID_sha224, - "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" -diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t -index 2dfed387ca..c733b68f83 100644 ---- a/test/recipes/15-test_genec.t -+++ b/test/recipes/15-test_genec.t -@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build" - if disabled("ec"); - - my @prime_curves = qw( -- secp112r1 -- secp112r2 -- secp128r1 -- secp128r2 -- secp160k1 -- secp160r1 -- secp160r2 -- secp192k1 -- secp224k1 - secp224r1 - secp256k1 - secp384r1 - secp521r1 -- prime192v1 -- prime192v2 -- prime192v3 -- prime239v1 -- prime239v2 -- prime239v3 - prime256v1 -- wap-wsg-idm-ecid-wtls6 -- wap-wsg-idm-ecid-wtls7 -- wap-wsg-idm-ecid-wtls8 -- wap-wsg-idm-ecid-wtls9 -- wap-wsg-idm-ecid-wtls12 -- brainpoolP160r1 -- brainpoolP160t1 -- brainpoolP192r1 -- brainpoolP192t1 -- brainpoolP224r1 -- brainpoolP224t1 - brainpoolP256r1 - brainpoolP256t1 - brainpoolP320r1 -@@ -136,7 +110,6 @@ push(@other_curves, 'SM2') - if !disabled("sm2"); - - my @curve_aliases = qw( -- P-192 - P-224 - P-256 - P-384 --- -2.41.0 - diff --git a/openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch b/openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch deleted file mode 100644 index 15e9dd1..0000000 --- a/openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -Subject: [PATCH] Revert "Improve FIPS RSA keygen performance." - -This reverts commit 3431dd4b3ee7933822586aab62972de4d8c0e9e5. ---- - crypto/bn/bn_prime.c | 11 -------- - crypto/bn/bn_rsa_fips186_4.c | 49 ++++++------------------------------ - include/crypto/bn.h | 2 -- - 3 files changed, 8 insertions(+), 54 deletions(-) - -diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c -index 79776f1ce5..ddd31a0252 100644 ---- a/crypto/bn/bn_prime.c -+++ b/crypto/bn/bn_prime.c -@@ -252,17 +252,6 @@ int ossl_bn_check_prime(const BIGNUM *w, int checks, BN_CTX *ctx, - return bn_is_prime_int(w, checks, ctx, do_trial_division, cb); - } - --/* -- * Use this only for key generation. -- * It always uses trial division. The number of checks -- * (MR rounds) passed in is used without being clamped to a minimum value. -- */ --int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx, -- BN_GENCB *cb) --{ -- return bn_is_prime_int(w, checks, ctx, 1, cb); --} -- - int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb) - { - return ossl_bn_check_prime(p, 0, ctx, 1, cb); -diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c -index e9f0d4038c..8a7b2ecf2f 100644 ---- a/crypto/bn/bn_rsa_fips186_4.c -+++ b/crypto/bn/bn_rsa_fips186_4.c -@@ -48,34 +48,6 @@ const BIGNUM ossl_bn_inv_sqrt_2 = { - BN_FLG_STATIC_DATA - }; - --/* -- * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin -- * required for generation of RSA aux primes (p1, p2, q1 and q2). 
-- */ --static int bn_rsa_fips186_5_aux_prime_MR_rounds(int nbits) --{ -- if (nbits >= 4096) -- return 44; -- if (nbits >= 3072) -- return 41; -- if (nbits >= 2048) -- return 38; -- return 0; /* Error */ --} -- --/* -- * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin -- * required for generation of RSA primes (p and q) -- */ --static int bn_rsa_fips186_5_prime_MR_rounds(int nbits) --{ -- if (nbits >= 3072) -- return 4; -- if (nbits >= 2048) -- return 5; -- return 0; /* Error */ --} -- - /* - * FIPS 186-5 Table A.1. "Min length of auxiliary primes p1, p2, q1, q2". - * (FIPS 186-5 has an entry for >= 4096 bits). -@@ -125,13 +97,11 @@ static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits) - * Xp1 The passed in starting point to find a probably prime. - * p1 The returned probable prime (first odd integer >= Xp1) - * ctx A BN_CTX object. -- * rounds The number of Miller Rabin rounds - * cb An optional BIGNUM callback. - * Returns: 1 on success otherwise it returns 0. 
- */ - static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, - BIGNUM *p1, BN_CTX *ctx, -- int rounds, - BN_GENCB *cb) - { - int ret = 0; -@@ -147,7 +117,7 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, - i++; - BN_GENCB_call(cb, 0, i); - /* MR test with trial division */ -- tmp = ossl_bn_check_generated_prime(p1, rounds, ctx, cb); -+ tmp = BN_check_prime(p1, ctx, cb); - if (tmp > 0) - break; - if (tmp < 0) -@@ -190,7 +160,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, - { - int ret = 0; - BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL; -- int bitlen, rounds; -+ int bitlen; - - if (p == NULL || Xpout == NULL) - return 0; -@@ -207,7 +177,6 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, - bitlen = bn_rsa_fips186_5_aux_prime_min_size(nlen); - if (bitlen == 0) - goto err; -- rounds = bn_rsa_fips186_5_aux_prime_MR_rounds(nlen); - - /* (Steps 4.1/5.1): Randomly generate Xp1 if it is not passed in */ - if (Xp1 == NULL) { -@@ -225,8 +194,8 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, - } - - /* (Steps 4.2/5.2) - find first auxiliary probable primes */ -- if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb) -- || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb)) -+ if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, cb) -+ || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, cb)) - goto err; - /* (Table B.1) auxiliary prime Max length check */ - if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >= -@@ -274,11 +243,11 @@ err: - */ - int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, - const BIGNUM *r1, const BIGNUM *r2, -- int nlen, const BIGNUM *e, -- BN_CTX *ctx, BN_GENCB *cb) -+ int nlen, const BIGNUM *e, BN_CTX *ctx, -+ BN_GENCB *cb) - { - int ret = 0; -- int i, imax, rounds; -+ int i, imax; - int bits = nlen >> 1; - BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2; - BIGNUM *base, *range; -@@ 
-348,7 +317,6 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, - * The number has been updated to 20 * nlen/2 as used in - * FIPS186-5 Appendix B.9 Step 9. - */ -- rounds = bn_rsa_fips186_5_prime_MR_rounds(nlen); - imax = 20 * bits; /* max = 20/2 * nbits */ - for (;;) { - if (Xin == NULL) { -@@ -378,9 +346,8 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, - if (BN_copy(y1, Y) == NULL - || !BN_sub_word(y1, 1)) - goto err; -- - if (BN_are_coprime(y1, e, ctx)) { -- int rv = ossl_bn_check_generated_prime(Y, rounds, ctx, cb); -+ int rv = BN_check_prime(Y, ctx, cb); - - if (rv > 0) - goto end; -diff --git a/include/crypto/bn.h b/include/crypto/bn.h -index 4d11e0e4b1..cf69bea848 100644 ---- a/include/crypto/bn.h -+++ b/include/crypto/bn.h -@@ -95,8 +95,6 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, - - int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx, - BN_GENCB *cb, int enhanced, int *status); --int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx, -- BN_GENCB *cb); - - const BIGNUM *ossl_bn_get0_small_factors(void); - --- -2.44.0 - diff --git a/openssl-TESTS-Disable-default-provider-crypto-policies.patch b/openssl-TESTS-Disable-default-provider-crypto-policies.patch new file mode 100644 index 0000000..c19748b --- /dev/null +++ b/openssl-TESTS-Disable-default-provider-crypto-policies.patch 
@@ -0,0 +1,50 @@
+Index: openssl-3.5.0/apps/openssl.cnf
+===================================================================
+--- openssl-3.5.0.orig/apps/openssl.cnf
++++ openssl-3.5.0/apps/openssl.cnf
+@@ -45,12 +45,12 @@ tsa_policy3 = 1.2.3.4.5.7
+ [openssl_init]
+ providers = provider_sect
+ # Load default TLS policy configuration
+-ssl_conf = ssl_module
+-alg_section = evp_properties
+-random = random
++##ssl_conf = ssl_module
++##alg_section = evp_properties
++##random = random
+ 
+-[random]
+-seed=JITTER
++##[random]
++##seed=JITTER
+ 
+ [ evp_properties ]
+ # This section is intentionally added empty here to be tuned on particular systems
+@@ -65,20 +65,20 @@ seed=JITTER
+ # to side-channel attacks and as such have been deprecated.
+ 
+ [provider_sect]
+-default = default_sect
++##default = default_sect
+ ##legacy = legacy_sect
+ 
+-[default_sect]
+-activate = 1
++##[default_sect]
++##activate = 1
+ 
+ ##[legacy_sect]
+ ##activate = 1
+ 
+-[ ssl_module ]
+-system_default = crypto_policy
++##[ ssl_module ]
++##system_default = crypto_policy
+ 
+-[ crypto_policy ]
+-.include = /etc/crypto-policies/back-ends/opensslcnf.config
++##[ crypto_policy ]
++##.include = /etc/crypto-policies/back-ends/opensslcnf.config
+ 
+ ####################################################################
+ [ ca ]
diff --git a/openssl-crypto-policies-support.patch b/openssl-crypto-policies-support.patch
deleted file mode 100644
index c7f3f16..0000000
--- a/openssl-crypto-policies-support.patch
+++ /dev/null
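Review bot: The new patch file carries no header stating when it is meant to be applied, which matters because its hunks comment out `default = default_sect` / `activate = 1`, the `[random]` `seed=JITTER` section and the `crypto_policy` `.include` in apps/openssl.cnf — applied to the shipped configuration rather than only around the test run, it would silently drop the distribution's crypto-policies and jitter-entropy settings. The deleted openssl-crypto-policies-support.patch at least said "It needs to be reverted before running tests."; the file name suggests the same test-only intent here, but that is inferred, not stated. A one-line preamble above the `Index:` line such as `Test-only: comment out the SUSE additions to openssl.cnf (crypto-policies include, JITTER seeding, provider activation) so the upstream test suite runs against a stock config; never apply to the installed file.` would record it.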
@@ -1,35 +0,0 @@
-Add default section to load crypto-policies configuration for TLS.
-
-It needs to be reverted before running tests.
-
----
- apps/openssl.cnf | 20 ++++++++++++++++++--
- 2 files changed, 19 insertions(+), 3 deletions(-)
-
-Index: openssl-3.2.0/apps/openssl.cnf
-===================================================================
---- openssl-3.2.0.orig/apps/openssl.cnf
-+++ openssl-3.2.0/apps/openssl.cnf
-@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
- 
- [openssl_init]
- providers = provider_sect
-+# Load default TLS policy configuration
-+ssl_conf = ssl_module
- 
- # List of providers to load
- [provider_sect]
-@@ -71,6 +73,13 @@ default = default_sect
- [default_sect]
- # activate = 1
- 
-+[ ssl_module ]
-+
-+system_default = crypto_policy
-+
-+[ crypto_policy ]
-+
-+.include = /etc/crypto-policies/back-ends/opensslcnf.config
- 
- ####################################################################
- [ ca ]
diff --git a/openssl-disable-75-test_quicapi-test.patch b/openssl-disable-75-test_quicapi-test.patch
new file mode 100644
index 0000000..9a6929e
--- /dev/null
+++ b/openssl-disable-75-test_quicapi-test.patch
@@ -0,0 +1,15 @@
+Index: openssl-3.5.0/test/recipes/75-test_quicapi.t
+===================================================================
+--- openssl-3.5.0.orig/test/recipes/75-test_quicapi.t
++++ openssl-3.5.0/test/recipes/75-test_quicapi.t
+@@ -19,8 +19,8 @@ use lib bldtop_dir('.');
+ 
+ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+ 
+-plan skip_all => "QUIC protocol is not supported by this OpenSSL build"
+- if disabled('quic');
++plan skip_all => "Test is disabled in this OpenSSL build"
++ if 1;
+ 
+ plan skip_all => "These tests are not supported in a fuzz build"
+ if config('options') =~ /-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION|enable-fuzz-afl/;
diff --git a/openssl-disable-fipsinstall.patch b/openssl-disable-fipsinstall.patch
index b5f0593..232b3da 100644
--- a/openssl-disable-fipsinstall.patch
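Review bot: The replacement `plan skip_all => "Test is disabled in this OpenSSL build" if 1;` skips 75-test_quicapi unconditionally, but neither the patch file nor the skip message records why, so nobody can tell when the patch is safe to drop. A preamble line above `Index:`, or a comment beside the `if 1;`, naming the cause — e.g. `# Disabled in this build: <reason or tracking reference placeholder>; remove once resolved` — would make the disablement revisitable. The upstream `if disabled('quic')` condition and its message are gone too, so a build without QUIC now reports the generic text rather than the specific reason; that may be intended, but it is worth stating.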
+++ b/openssl-disable-fipsinstall.patch
@@ -1,44 +1,51 @@
-From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001
+From df72b988df3e71992327107b6a7ad2ca762efb61 Mon Sep 17 00:00:00 2001
From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 -Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 21/53] FIPS: disable fipsinstall Patch-name: 0034.fipsinstall_disable.patch Patch-id: 34 Patch-status: | - # Comment out fipsinstall command-line utility -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd + # # Comment out fipsinstall command-line utility +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - apps/fipsinstall.c | 3 + - doc/man1/openssl-fipsinstall.pod.in | 272 +--------------------------- - doc/man1/openssl.pod | 4 - - doc/man5/config.pod | 1 - - doc/man5/fips_config.pod | 104 +---------- - doc/man7/OSSL_PROVIDER-FIPS.pod | 1 - - 6 files changed, 10 insertions(+), 375 deletions(-) + apps/fipsinstall.c | 3 + + doc/man1/openssl-fipsinstall.pod.in | 485 +------------------------- + doc/man1/openssl.pod | 4 - + doc/man5/config.pod | 1 - + doc/man5/fips_config.pod | 228 +----------- + doc/man7/OSSL_PROVIDER-FIPS.pod | 1 - + test/recipes/00-prep_fipsmodule_cnf.t | 10 +- + test/recipes/01-test_fipsmodule_cnf.t | 7 +- + test/recipes/03-test_fipsinstall.t | 2 + + 9 files changed, 22 insertions(+), 719 deletions(-) + mode change 100644 => 100755 test/recipes/00-prep_fipsmodule_cnf.t + mode change 100644 => 100755 test/recipes/01-test_fipsmodule_cnf.t + mode change 100644 => 100755 test/recipes/03-test_fipsinstall.t -Index: openssl-3.1.4/apps/fipsinstall.c +Index: openssl-3.5.2/apps/fipsinstall.c =================================================================== ---- openssl-3.1.4.orig/apps/fipsinstall.c -+++ openssl-3.1.4/apps/fipsinstall.c -@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **ar +--- openssl-3.5.2.orig/apps/fipsinstall.c ++++ openssl-3.5.2/apps/fipsinstall.c +@@ -590,6 +590,9 @@ int fipsinstall_main(int argc, char **ar EVP_MAC *mac = NULL; CONF *conf = NULL; -+ BIO_printf(bio_err, "This command is not enabled in SUSE/openSUSE OpenSSL build, 
please see 'man 8 fips-mode-setup' to learn how to enable FIPS mode\n"); ++ BIO_printf(bio_err, "This command is not enabled in the SUSE/openSUSE OpenSSL build, please consult SUSE/openSUSE documentation to learn how to enable FIPS mode\n"); + return 1; + if ((opts = sk_OPENSSL_STRING_new_null()) == NULL) goto end; -Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in +Index: openssl-3.5.2/doc/man1/openssl-fipsinstall.pod.in =================================================================== ---- openssl-3.1.4.orig/doc/man1/openssl-fipsinstall.pod.in -+++ openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in -@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS confi +--- openssl-3.5.2.orig/doc/man1/openssl-fipsinstall.pod.in ++++ openssl-3.5.2/doc/man1/openssl-fipsinstall.pod.in +@@ -7,485 +7,9 @@ openssl-fipsinstall - perform FIPS confi + =head1 SYNOPSIS - B +-B -[B<-help>] -[B<-in> I] -[B<-out> I] @@ -53,8 +60,33 @@ Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in -[B<-pedantic>] -[B<-no_conditional_errors>] -[B<-no_security_checks>] +-[B<-hmac_key_check>] +-[B<-kmac_key_check>] -[B<-ems_check>] -[B<-no_drbg_truncated_digests>] +-[B<-signature_digest_check>] +-[B<-hkdf_digest_check>] +-[B<-tls13_kdf_digest_check>] +-[B<-tls1_prf_digest_check>] +-[B<-sshkdf_digest_check>] +-[B<-sskdf_digest_check>] +-[B<-x963kdf_digest_check>] +-[B<-dsa_sign_disabled>] +-[B<-no_pbkdf2_lower_bound_check>] +-[B<-no_short_mac>] +-[B<-tdes_encrypt_disabled>] +-[B<-rsa_pkcs15_padding_disabled>] +-[B<-rsa_pss_saltlen_check>] +-[B<-rsa_sign_x931_disabled>] +-[B<-hkdf_key_check>] +-[B<-kbkdf_key_check>] +-[B<-tls13_kdf_key_check>] +-[B<-tls1_prf_key_check>] +-[B<-sshkdf_key_check>] +-[B<-sskdf_key_check>] +-[B<-x963kdf_key_check>] +-[B<-x942kdf_key_check>] +-[B<-ecdh_cofactor_check>] -[B<-self_test_onload>] -[B<-self_test_oninstall>] -[B<-corrupt_desc> I] 
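Review bot: The refreshed patch header introduces a doubled comment marker, `+ # # Comment out fipsinstall command-line utility`, where the line it replaces had a single `#`; the same copy regression shows in the pod hunk at `@@ -308,17 +482,59 @@`, whose new sentence ends `enable FIPS mode SUSE/openSUSE` with a dangling repeat of the vendor name and no full stop. Suggest `# Comment out fipsinstall command-line utility` and `enable FIPS mode.` respectively. In the apps/fipsinstall.c hunk the early `return 1;` sits before the `sk_OPENSSL_STRING_new_null()` allocation, so the bail-out leaks nothing, and the reworded BIO_printf message now matches the pod text; fipsinstall_main's body continues outside the hunk.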
@@ -216,11 +248,150 @@ Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in -when using the TLS1_PRF KDF algorithm. This check is disabled by default. -See RFC 7627 for information related to EMS. - +-=item B<-no_short_mac> +- +-Configure the module to not allow short MAC outputs. +-See SP 800-185 8.4.2 and FIPS 140-3 ID C.D for details. +- +-=item B<-hmac_key_check> +- +-Configure the module to not allow small keys sizes when using HMAC. +-See SP 800-131Ar2 for details. +- +-=item B<-kmac_key_check> +- +-Configure the module to not allow small keys sizes when using KMAC. +-See SP 800-131Ar2 for details. +- -=item B<-no_drbg_truncated_digests> - -Configure the module to not allow truncated digests to be used with Hash and -HMAC DRBGs. See FIPS 140-3 IG D.R for details. - +-=item B<-signature_digest_check> +- +-Configure the module to enforce signature algorithms to use digests that are +-explicitly permitted by the various standards. +- +-=item B<-hkdf_digest_check> +- +-This option is deprecated. +- +-=item B<-tls13_kdf_digest_check> +- +-Configure the module to enable a run-time digest check when deriving a key by +-TLS13 KDF. +-See RFC 8446 for details. +- +-=item B<-tls1_prf_digest_check> +- +-Configure the module to enable a run-time digest check when deriving a key by +-TLS_PRF. +-See NIST SP 800-135r1 for details. +- +-=item B<-sshkdf_digest_check> +- +-Configure the module to enable a run-time digest check when deriving a key by +-SSHKDF. +-See NIST SP 800-135r1 for details. +- +-=item B<-sskdf_digest_check> +- +-This option is deprecated. +- +-=item B<-x963kdf_digest_check> +- +-Configure the module to enable a run-time digest check when deriving a key by +-X963KDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-dsa_sign_disabled> +- +-Configure the module to not allow DSA signing (DSA signature verification is +-still allowed). See FIPS 140-3 IG C.K for details. 
+- +-=item B<-tdes_encrypt_disabled> +- +-Configure the module to not allow Triple-DES encryption. +-Triple-DES decryption is still allowed for legacy purposes. +-See SP800-131Ar2 for details. +- +-=item B<-rsa_pkcs15_padding_disabled> +- +-Configure the module to not allow PKCS#1 version 1.5 padding to be used with +-RSA for key transport and key agreement. See NIST's SP 800-131A Revision 2 +-for details. +- +-=item B<-rsa_pss_saltlen_check> +- +-Configure the module to enable a run-time salt length check when generating or +-verifying a RSA-PSS signature. +-See FIPS 186-5 5.4 (g) for details. +- +-=item B<-rsa_sign_x931_disabled> +- +-Configure the module to not allow X9.31 padding to be used when signing with +-RSA. See FIPS 140-3 IG C.K for details. +- +-=item B<-hkdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by HKDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-kbkdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by KBKDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-tls13_kdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by TLS13 KDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-tls1_prf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by TLS_PRF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-sshkdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by SSHKDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-sskdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by SSKDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-x963kdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by X963KDF. 
+-See NIST SP 800-131Ar2 for details. +- +-=item B<-x942kdf_key_check> +- +-Configure the module to enable a run-time short key-derivation key check when +-deriving a key by X942KDF. +-See NIST SP 800-131Ar2 for details. +- +-=item B<-no_pbkdf2_lower_bound_check> +- +-Configure the module to not perform run-time lower bound check for PBKDF2. +-See NIST SP 800-132 for details. +- +-=item B<-ecdh_cofactor_check> +- +-Configure the module to enable a run-time check that ECDH uses the EC curves +-cofactor value when deriving a key. This only affects the 'B' and 'K' curves. +-See SP 800-56A r3 Section 5.7.1.2 for details. +- -=item B<-self_test_onload> - -Do not write the two fields related to the "test status indicator" and @@ -230,14 +401,17 @@ Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in -target machine. Once the self tests have run on the target machine the user -could possibly then add the 2 fields into the configuration using some other -mechanism. -- --This is the default. +-This option defaults to 0 for any OpenSSL FIPS 140-2 provider (OpenSSL 3.0.X). +-and is not relevant for an OpenSSL FIPS 140-3 provider, since this is no +-longer allowed. - -=item B<-self_test_oninstall> - -The converse of B<-self_test_oninstall>. The two fields related to the -"test status indicator" and "MAC status indicator" are written to the -output configuration file. +-This field is not relevant for an OpenSSL FIPS 140-3 provider, since this is no +-longer allowed. - -=item B<-quiet> - 
@@ -308,17 +482,59 @@ Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in -L, -L, -L +- +-=head1 HISTORY +- +-The B application was added in OpenSSL 3.0. +- +-The following options were added in OpenSSL 3.1: +- +-B<-ems_check>, +-B<-self_test_oninstall> +- +-The following options were added in OpenSSL 3.2: +- +-B<-pedantic>, +-B<-no_drbg_truncated_digests> +- +-The following options were added in OpenSSL 3.4: +- +-B<-hmac_key_check>, +-B<-kmac_key_check>, +-B<-signature_digest_check>, +-B<-hkdf_digest_check>, +-B<-tls13_kdf_digest_check>, +-B<-tls1_prf_digest_check>, +-B<-sshkdf_digest_check>, +-B<-sskdf_digest_check>, +-B<-x963kdf_digest_check>, +-B<-dsa_sign_disabled>, +-B<-no_pbkdf2_lower_bound_check>, +-B<-no_short_mac>, +-B<-tdes_encrypt_disabled>, +-B<-rsa_pkcs15_padding_disabled>, +-B<-rsa_pss_saltlen_check>, +-B<-rsa_sign_x931_disabled>, +-B<-hkdf_key_check>, +-B<-kbkdf_key_check>, +-B<-tls13_kdf_key_check>, +-B<-tls1_prf_key_check>, +-B<-sshkdf_key_check>, +-B<-sskdf_key_check>, +-B<-x963kdf_key_check>, +-B<-x942kdf_key_check>, +-B<-ecdh_cofactor_check> +This command is disabled. -+Please consult the SUSE/openSUSE documentation to learn how to correctly -+enable FIPS mode. ++Please consult SUSE/openSUSE Linux documentation to learn how to correctly ++enable FIPS mode SUSE/openSUSE =head1 COPYRIGHT -Index: openssl-3.1.4/doc/man1/openssl.pod +Index: openssl-3.5.2/doc/man1/openssl.pod =================================================================== ---- openssl-3.1.4.orig/doc/man1/openssl.pod -+++ openssl-3.1.4/doc/man1/openssl.pod -@@ -135,10 +135,6 @@ Engine (loadable module) information and +--- openssl-3.5.2.orig/doc/man1/openssl.pod ++++ openssl-3.5.2/doc/man1/openssl.pod +@@ -139,10 +139,6 @@ Engine (loadable module) information and Error Number to Error String Conversion. 
@@ -329,11 +545,11 @@ Index: openssl-3.1.4/doc/man1/openssl.pod =item B Generation of DSA Private Key from Parameters. Superseded by -Index: openssl-3.1.4/doc/man5/config.pod +Index: openssl-3.5.2/doc/man5/config.pod =================================================================== ---- openssl-3.1.4.orig/doc/man5/config.pod -+++ openssl-3.1.4/doc/man5/config.pod -@@ -565,7 +565,6 @@ configuration files using that syntax wi +--- openssl-3.5.2.orig/doc/man5/config.pod ++++ openssl-3.5.2/doc/man5/config.pod +@@ -582,7 +582,6 @@ configuration files using that syntax wi =head1 SEE ALSO L, L, L, @@ -341,11 +557,11 @@ Index: openssl-3.1.4/doc/man5/config.pod L, L, L, -Index: openssl-3.1.4/doc/man5/fips_config.pod +Index: openssl-3.5.2/doc/man5/fips_config.pod =================================================================== ---- openssl-3.1.4.orig/doc/man5/fips_config.pod -+++ openssl-3.1.4/doc/man5/fips_config.pod -@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration +--- openssl-3.5.2.orig/doc/man5/fips_config.pod ++++ openssl-3.5.2/doc/man5/fips_config.pod +@@ -6,224 +6,10 @@ fips_config - OpenSSL FIPS configuration =head1 DESCRIPTION @@ -382,10 +598,6 @@ Index: openssl-3.1.4/doc/man5/fips_config.pod -If present, the module is activated. The value assigned to this name is not -significant. - --=item B -- --A version number for the fips install process. Should be 1. -- -=item B - -The FIPS module normally enters an internal error mode if any self test fails. 
@@ -399,31 +611,149 @@ Index: openssl-3.1.4/doc/man5/fips_config.pod -continuous test will return an error code if its continuous test fails. The -operation may then be retried if the error mode has not been triggered. - --=item B -- --This indicates if run-time checks related to enforcement of security parameters --such as minimum security strength of keys and approved curve names are used. --A value of '1' will perform the checks, otherwise if the value is '0' the checks --are not performed and FIPS compliance must be done by procedures documented in --the relevant Security Policy. -- -=item B - -The calculated MAC of the FIPS provider file. - +-=item B +- +-A version number for the fips install process. Should be 1. +- -=item B - --An indicator that the self-tests were successfully run. --This should only be written after the module has --successfully passed its self tests during installation. --If this field is not present, then the self tests will run when the module --loads. +-This field is deprecated and is no longer used. - -=item B - --A MAC of the value of the B option, to prevent accidental --changes to that value. --It is written-to at the same time as B is updated. +-This field is deprecated and is no longer used. +- +-=back +- +-=head2 FIPS indicator options +- +-The following FIPS configuration options indicate if run-time checks related to +-enforcement of FIPS security parameters such as minimum security strength of +-keys and approved curve names are used. +-A value of '1' will perform the checks, otherwise if the value is '0' the checks +-are not performed and FIPS compliance must be done by procedures documented in +-the relevant Security Policy. +- +-See L for further information related to these +-options. 
+- +-=over 4 +- +-=item B +- +-See L B<-no_security_checks> +- +-=item B +- +-See L B<-ems_check> +- +-=item B +- +-See L B<-no_short_mac> +- +-=item B +- +-See L B<-no_drbg_truncated_digests> +- +-=item B +- +-See L B<-signature_digest_check> +- +-=item B +- +-This option is deprecated. +- +-=item B +- +-See L B<-tls13_kdf_digest_check> +- +-=item B +- +-See L B<-tls1_prf_digest_check> +- +-=item B +- +-See L B<-sshkdf_digest_check> +- +-=item B +- +-This option is deprecated. +- +-=item B +- +-See L B<-x963kdf_digest_check> +- +-=item B +- +-See L B<-dsa_sign_disabled> +- +-=item B +- +-See L B<-tdes_encrypt_disabled> +- +-=item B +- +-See L B<-rsa_pkcs15_pad_disabled> +- +-=item B +- +-See L B<-rsa_pss_saltlen_check> +- +-=item B +- +-See L B<-rsa_sign_x931_disabled> +- +-=item B +- +-See L B<-hkdf_key_check> +- +-=item B +- +-See L B<-kbkdf_key_check> +- +-=item B +- +-See L B<-tls13_kdf_key_check> +- +-=item B +- +-See L B<-tls1_prf_key_check> +- +-=item B +- +-See L B<-sshkdf_key_check> +- +-=item B +- +-See L B<-sskdf_key_check> +- +-=item B +- +-See L B<-x963kdf_key_check> +- +-=item B +- +-See L B<-x942kdf_key_check> +- +-=item B +- +-See L B<-no_pbkdf2_lower_bound_check> +- +-=item B +- +-See L B<-ecdh_cofactor_check> +- +-=item B +- +-See L B<-hmac_key_check> +- +-=item B +- +-See L B<-kmac_key_check> - -=back - 
@@ -449,18 +779,22 @@ Index: openssl-3.1.4/doc/man5/fips_config.pod - -L -L +- +-=head1 HISTORY +- +-This functionality was added in OpenSSL 3.0. +This command is disabled in SUSE/openSUSE. The FIPS provider is +automatically loaded when the system is booted in FIPS mode, or when the -+environment variable B is set. -+See the documentation for more information. ++environment variable B is set. See the documentation ++for more information. - =head1 HISTORY + =head1 COPYRIGHT -Index: openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod +Index: openssl-3.5.2/doc/man7/OSSL_PROVIDER-FIPS.pod =================================================================== ---- openssl-3.1.4.orig/doc/man7/OSSL_PROVIDER-FIPS.pod -+++ openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod -@@ -455,7 +455,6 @@ want to operate in a FIPS approved manne +--- openssl-3.5.2.orig/doc/man7/OSSL_PROVIDER-FIPS.pod ++++ openssl-3.5.2/doc/man7/OSSL_PROVIDER-FIPS.pod +@@ -570,7 +570,6 @@ process. =head1 SEE ALSO 
@@ -468,3 +802,51 @@ Index: openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod L, L, L, +Index: openssl-3.5.2/test/recipes/00-prep_fipsmodule_cnf.t +=================================================================== +--- openssl-3.5.2.orig/test/recipes/00-prep_fipsmodule_cnf.t ++++ openssl-3.5.2/test/recipes/00-prep_fipsmodule_cnf.t +@@ -29,8 +29,10 @@ my $fipsmoduleconf = bldtop_file('test', + + plan tests => 1; + ++ok(1 == 1); ++ + # Create the $fipsmoduleconf file +-ok(run(app(['openssl', 'fipsinstall', '-pedantic', +- '-module', $fipsmodule, '-provider_name', 'fips', +- '-section_name', 'fips_sect', '-out', $fipsmoduleconf])), +- "fips install"); ++#ok(run(app(['openssl', 'fipsinstall', '-pedantic', ++# '-module', $fipsmodule, '-provider_name', 'fips', ++# '-section_name', 'fips_sect', '-out', $fipsmoduleconf])), ++# "fips install"); +Index: openssl-3.5.2/test/recipes/01-test_fipsmodule_cnf.t +=================================================================== +--- openssl-3.5.2.orig/test/recipes/01-test_fipsmodule_cnf.t ++++ openssl-3.5.2/test/recipes/01-test_fipsmodule_cnf.t +@@ -31,7 +31,8 @@ plan tests => 1; + my $fipsmodule = bldtop_file('providers', platform->dso('fips')); + my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf'); + ++ok(1 == 1) + # verify the $fipsconf file +-ok(run(app(['openssl', 'fipsinstall', +- '-in', $fipsmoduleconf, '-module', $fipsmodule, '-verify'])), +- "fipsinstall verify"); ++#ok(run(app(['openssl', 'fipsinstall', ++# '-in', $fipsmoduleconf, '-module', $fipsmodule, '-verify'])), ++# "fipsinstall verify"); +Index: openssl-3.5.2/test/recipes/03-test_fipsinstall.t +=================================================================== +--- openssl-3.5.2.orig/test/recipes/03-test_fipsinstall.t ++++ openssl-3.5.2/test/recipes/03-test_fipsinstall.t +@@ -22,6 +22,8 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + ++plan skip_all => "Fipsinstall not available in SUSE/openSUSE FIPS build"; ++ + plan 
skip_all => "Test only supported in a fips build" if disabled("fips"); + + # Compatible options for pedantic FIPS compliance diff --git a/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch b/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch deleted file mode 100644 index 3bb9496..0000000 --- a/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch +++ /dev/null 
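Review bot: In the 01-test_fipsmodule_cnf.t hunk the placeholder `ok(1 == 1)` lacks a trailing semicolon; it compiles only because no statement follows it in the file, and 00-prep_fipsmodule_cnf.t spells the same placeholder `ok(1 == 1);`, so the two should match. More importantly, both recipes now satisfy `plan tests => 1;` with a vacuous pass for a fipsinstall step that has been commented out, so the test report shows the FIPS install and verify steps as passing rather than as not applicable. The 03-test_fipsinstall.t hunk in the same patch handles this case with `plan skip_all => "Fipsinstall not available in SUSE/openSUSE FIPS build";`, and using the same skip in place of the dummy assertions would make the reduced coverage visible instead of counted as a pass. If later recipes depend on `$fipsmoduleconf` being produced here, that dependency is presumably met some other way in the SUSE build; a one-line comment above the commented-out block saying how would help the next maintainer.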
@@ -1,2159 +0,0 @@ -From 01d901e470d9e035a3bd78e77b9438a4cc0da785 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Wed, 12 Jul 2023 12:25:22 +1000 -Subject: [PATCH] ec: 56-bit Limb Solinas' Strategy for secp384r1 - -Adopt a 56-bit redundant-limb Solinas' reduction approach for efficient -modular multiplication in P384. This has the affect of accelerating -digital signing by 446% and verification by 106%. The implementation -strategy and names of methods are the same as that provided in -ecp_nistp224 and ecp_nistp521. - -As in Commit 1036749883cc ("ec: Add run time code selection for p521 -field operations"), allow for run time selection of implementation for -felem_{square,mul}, where an assembly implementation is proclaimed to -be present when ECP_NISTP384_ASM is present. - -Signed-off-by: Rohan McLure - -Reviewed-by: Paul Dale -Reviewed-by: Shane Lontis -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Todd Short -(Merged from https://github.com/openssl/openssl/pull/21471) ---- - crypto/ec/build.info | 2 - crypto/ec/ec_curve.c | 4 - crypto/ec/ec_lib.c | 8 - crypto/ec/ec_local.h | 27 - crypto/ec/ecp_nistp384.c | 1988 +++++++++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 2027 insertions(+), 2 deletions(-) - create mode 100644 crypto/ec/ecp_nistp384.c - ---- a/crypto/ec/build.info -+++ b/crypto/ec/build.info -@@ -59,7 +59,7 @@ $COMMON=ec_lib.c ecp_smpl.c ecp_mont.c e - curve448/arch_32/f_impl32.c - - IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}] -- $COMMON=$COMMON ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c -+ $COMMON=$COMMON ecp_nistp224.c ecp_nistp256.c ecp_nistp384.c ecp_nistp521.c ecp_nistputil.c - ENDIF - - SOURCE[../../libcrypto]=$COMMON ec_ameth.c ec_pmeth.c ecx_meth.c \ ---- a/crypto/ec/ec_curve.c -+++ b/crypto/ec/ec_curve.c -@@ -2838,6 +2838,8 @@ static const ec_list_element curve_list[ - {NID_secp384r1, &_EC_NIST_PRIME_384.h, - # if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp384_method, -+# elif 
!defined(OPENSSL_NO_EC_NISTP_64_GCC_128) -+ ossl_ec_GFp_nistp384_method, - # else - 0, - # endif -@@ -2931,6 +2933,8 @@ static const ec_list_element curve_list[ - {NID_secp384r1, &_EC_NIST_PRIME_384.h, - # if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp384_method, -+# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) -+ ossl_ec_GFp_nistp384_method, - # else - 0, - # endif ---- a/crypto/ec/ec_lib.c -+++ b/crypto/ec/ec_lib.c -@@ -102,12 +102,16 @@ void EC_pre_comp_free(EC_GROUP *group) - case PCT_nistp256: - EC_nistp256_pre_comp_free(group->pre_comp.nistp256); - break; -+ case PCT_nistp384: -+ ossl_ec_nistp384_pre_comp_free(group->pre_comp.nistp384); -+ break; - case PCT_nistp521: - EC_nistp521_pre_comp_free(group->pre_comp.nistp521); - break; - #else - case PCT_nistp224: - case PCT_nistp256: -+ case PCT_nistp384: - case PCT_nistp521: - break; - #endif -@@ -191,12 +195,16 @@ int EC_GROUP_copy(EC_GROUP *dest, const - case PCT_nistp256: - dest->pre_comp.nistp256 = EC_nistp256_pre_comp_dup(src->pre_comp.nistp256); - break; -+ case PCT_nistp384: -+ dest->pre_comp.nistp384 = ossl_ec_nistp384_pre_comp_dup(src->pre_comp.nistp384); -+ break; - case PCT_nistp521: - dest->pre_comp.nistp521 = EC_nistp521_pre_comp_dup(src->pre_comp.nistp521); - break; - #else - case PCT_nistp224: - case PCT_nistp256: -+ case PCT_nistp384: - case PCT_nistp521: - break; - #endif ---- a/crypto/ec/ec_local.h -+++ b/crypto/ec/ec_local.h -@@ -203,6 +203,7 @@ struct ec_method_st { - */ - typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP; - typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP; -+typedef struct nistp384_pre_comp_st NISTP384_PRE_COMP; - typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP; - typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP; - typedef struct ec_pre_comp_st EC_PRE_COMP; -@@ -264,12 +265,13 @@ struct ec_group_st { - */ - enum { - PCT_none, -- PCT_nistp224, PCT_nistp256, PCT_nistp521, PCT_nistz256, -+ PCT_nistp224, PCT_nistp256, PCT_nistp384, PCT_nistp521, PCT_nistz256, 
- PCT_ec - } pre_comp_type; - union { - NISTP224_PRE_COMP *nistp224; - NISTP256_PRE_COMP *nistp256; -+ NISTP384_PRE_COMP *nistp384; - NISTP521_PRE_COMP *nistp521; - NISTZ256_PRE_COMP *nistz256; - EC_PRE_COMP *ec; -@@ -333,6 +335,7 @@ static ossl_inline int ec_point_is_compa - - NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); - NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); -+NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *); - NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); - NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *); - NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); -@@ -341,6 +344,7 @@ EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_C - void EC_pre_comp_free(EC_GROUP *group); - void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *); - void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *); -+void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *); - void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *); - void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *); - void EC_ec_pre_comp_free(EC_PRE_COMP *); -@@ -552,6 +556,27 @@ int ossl_ec_GFp_nistp256_points_mul(cons - int ossl_ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); - int ossl_ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); - -+/* method functions in ecp_nistp384.c */ -+int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group); -+int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p, -+ const BIGNUM *a, const BIGNUM *n, -+ BN_CTX *); -+int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group, -+ const EC_POINT *point, -+ BIGNUM *x, BIGNUM *y, -+ BN_CTX *ctx); -+int ossl_ec_GFp_nistp384_mul(const EC_GROUP *group, EC_POINT *r, -+ const BIGNUM *scalar, size_t num, -+ const EC_POINT *points[], const BIGNUM *scalars[], -+ BN_CTX *); -+int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r, -+ const BIGNUM *scalar, size_t num, -+ const 
EC_POINT *points[], -+ const BIGNUM *scalars[], BN_CTX *ctx); -+int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -+int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group); -+const EC_METHOD *ossl_ec_GFp_nistp384_method(void); -+ - /* method functions in ecp_nistp521.c */ - int ossl_ec_GFp_nistp521_group_init(EC_GROUP *group); - int ossl_ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, ---- /dev/null -+++ b/crypto/ec/ecp_nistp384.c -@@ -0,0 +1,1988 @@ -+/* -+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/* Copyright 2023 IBM Corp. -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * -+ * you may not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ */ -+ -+/* -+ * Designed for 56-bit limbs by Rohan McLure . -+ * The layout is based on that of ecp_nistp{224,521}.c, allowing even for asm -+ * acceleration of felem_{square,mul} as supported in these files. -+ */ -+ -+#include -+ -+#include -+#include -+#include "ec_local.h" -+ -+#include "internal/numbers.h" -+ -+#ifndef INT128_MAX -+# error "Your compiler doesn't appear to support 128-bit integer types" -+#endif -+ -+typedef uint8_t u8; -+typedef uint64_t u64; -+ -+/* -+ * The underlying field. 
P384 operates over GF(2^384-2^128-2^96+2^32-1). We -+ * can serialize an element of this field into 48 bytes. We call this an -+ * felem_bytearray. -+ */ -+ -+typedef u8 felem_bytearray[48]; -+ -+/* -+ * These are the parameters of P384, taken from FIPS 186-3, section D.1.2.4. -+ * These values are big-endian. -+ */ -+static const felem_bytearray nistp384_curve_params[5] = { -+ {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF}, -+ {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a = -3 */ -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC}, -+ {0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, /* b */ -+ 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, -+ 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, -+ 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF}, -+ {0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, /* x */ -+ 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, -+ 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, -+ 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7}, -+ {0x36, 0x17, 0xDE, 0x4A, 0x96, 0x26, 0x2C, 0x6F, 0x5D, 0x9E, 0x98, 0xBF, /* y */ -+ 0x92, 0x92, 0xDC, 0x29, 0xF8, 0xF4, 0x1D, 0xBD, 0x28, 0x9A, 0x14, 0x7C, -+ 0xE9, 0xDA, 0x31, 0x13, 0xB5, 0xF0, 0xB8, 0xC0, 0x0A, 0x60, 0xB1, 0xCE, -+ 0x1D, 0x7E, 0x81, 0x9D, 0x7A, 0x43, 0x1D, 0x7C, 0x90, 0xEA, 0x0E, 0x5F}, -+}; -+ -+/*- -+ * The representation of field elements. 
-+ * ------------------------------------
-+ *
-+ * We represent field elements with seven values. These values are either 64 or
-+ * 128 bits and the field element represented is:
-+ * v[0]*2^0 + v[1]*2^56 + v[2]*2^112 + ... + v[6]*2^336 (mod p)
-+ * Each of the seven values is called a 'limb'. Since the limbs are spaced only
-+ * 56 bits apart, but are greater than 56 bits in length, the most significant
-+ * bits of each limb overlap with the least significant bits of the next
-+ *
-+ * This representation is considered to be 'redundant' in the sense that
-+ * intermediate values can each contain more than a 56-bit value in each limb.
-+ * Reduction causes all but the final limb to be reduced to contain a value less
-+ * than 2^56, with the final value represented allowed to be larger than 2^384,
-+ * inasmuch as we can be sure that arithmetic overflow remains impossible. The
-+ * reduced value must of course be congruent to the unreduced value.
-+ *
-+ * A field element with 64-bit limbs is an 'felem'. One with 128-bit limbs is a
-+ * 'widefelem', featuring enough bits to store the result of a multiplication
-+ * and even some further arithmetic without need for immediate reduction.
-+ */
-+
-+#define NLIMBS 7
-+
-+typedef uint64_t limb;
-+typedef uint128_t widelimb;
-+typedef limb limb_aX __attribute((__aligned__(1)));
-+typedef limb felem[NLIMBS];
-+typedef widelimb widefelem[2*NLIMBS-1];
-+
-+static const limb bottom56bits = 0xffffffffffffff;
-+
-+/* Helper functions (de)serialising reduced field elements in little endian */
-+static void bin48_to_felem(felem out, const u8 in[48])
-+{
-+ memset(out, 0, 56);
-+ out[0] = (*((limb *) & in[0])) & bottom56bits;
-+ out[1] = (*((limb_aX *) & in[7])) & bottom56bits;
-+ out[2] = (*((limb_aX *) & in[14])) & bottom56bits;
-+ out[3] = (*((limb_aX *) & in[21])) & bottom56bits;
-+ out[4] = (*((limb_aX *) & in[28])) & bottom56bits;
-+ out[5] = (*((limb_aX *) & in[35])) & bottom56bits;
-+ memmove(&out[6], &in[42], 6);
-+}
-+
-+static void felem_to_bin48(u8 out[48], const felem in)
-+{
-+ memset(out, 0, 48);
-+ (*((limb *) & out[0])) |= (in[0] & bottom56bits);
-+ (*((limb_aX *) & out[7])) |= (in[1] & bottom56bits);
-+ (*((limb_aX *) & out[14])) |= (in[2] & bottom56bits);
-+ (*((limb_aX *) & out[21])) |= (in[3] & bottom56bits);
-+ (*((limb_aX *) & out[28])) |= (in[4] & bottom56bits);
-+ (*((limb_aX *) & out[35])) |= (in[5] & bottom56bits);
-+ memmove(&out[42], &in[6], 6);
-+}
-+
-+/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
-+static int BN_to_felem(felem out, const BIGNUM *bn)
-+{
-+ felem_bytearray b_out;
-+ int num_bytes;
-+
-+ if (BN_is_negative(bn)) {
-+ ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE);
-+ return 0;
-+ }
-+ num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
-+ if (num_bytes < 0) {
-+ ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE);
-+ return 0;
-+ }
-+ bin48_to_felem(out, b_out);
-+ return 1;
-+}
-+
-+/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
-+static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
-+{
-+ felem_bytearray b_out;
-+
-+ felem_to_bin48(b_out, in);
-+ return BN_lebin2bn(b_out, sizeof(b_out), out);
-+}
-+
-+/*-
-+ * Field operations
-+ *
----------------
-+ */
-+
-+static void felem_one(felem out)
-+{
-+ out[0] = 1;
-+ memset(&out[1], 0, sizeof(limb) * (NLIMBS-1));
-+}
-+
-+static void felem_assign(felem out, const felem in)
-+{
-+ memcpy(out, in, sizeof(felem));
-+}
-+
-+/* felem_sum64 sets out = out + in. */
-+static void felem_sum64(felem out, const felem in)
-+{
-+ unsigned int i;
-+
-+ for (i = 0; i < NLIMBS; i++)
-+ out[i] += in[i];
-+}
-+
-+/* felem_scalar sets out = in * scalar */
-+static void felem_scalar(felem out, const felem in, limb scalar)
-+{
-+ unsigned int i;
-+
-+ for (i = 0; i < NLIMBS; i++)
-+ out[i] = in[i] * scalar;
-+}
-+
-+/* felem_scalar64 sets out = out * scalar */
-+static void felem_scalar64(felem out, limb scalar)
-+{
-+ unsigned int i;
-+
-+ for (i = 0; i < NLIMBS; i++)
-+ out[i] *= scalar;
-+}
-+
-+/* felem_scalar128 sets out = out * scalar */
-+static void felem_scalar128(widefelem out, limb scalar)
-+{
-+ unsigned int i;
-+
-+ for (i = 0; i < 2*NLIMBS-1; i++)
-+ out[i] *= scalar;
-+}
-+
-+/*-
-+ * felem_neg sets |out| to |-in|
-+ * On entry:
-+ * in[i] < 2^60 - 2^29
-+ * On exit:
-+ * out[i] < 2^60
-+ */
-+static void felem_neg(felem out, const felem in)
-+{
-+ /*
-+ * In order to prevent underflow, we add a multiple of p before subtracting.
-+ * Use telescopic sums to represent 2^12 * p redundantly with each limb
-+ * of the form 2^60 + ...
-+ */
-+ static const limb two60m52m4 = (((limb) 1) << 60)
-+ - (((limb) 1) << 52)
-+ - (((limb) 1) << 4);
-+ static const limb two60p44m12 = (((limb) 1) << 60)
-+ + (((limb) 1) << 44)
-+ - (((limb) 1) << 12);
-+ static const limb two60m28m4 = (((limb) 1) << 60)
-+ - (((limb) 1) << 28)
-+ - (((limb) 1) << 4);
-+ static const limb two60m4 = (((limb) 1) << 60)
-+ - (((limb) 1) << 4);
-+
-+ out[0] = two60p44m12 - in[0];
-+ out[1] = two60m52m4 - in[1];
-+ out[2] = two60m28m4 - in[2];
-+ out[3] = two60m4 - in[3];
-+ out[4] = two60m4 - in[4];
-+ out[5] = two60m4 - in[5];
-+ out[6] = two60m4 - in[6];
-+}
-+
-+/*-
-+ * felem_diff64 subtracts |in| from |out|
-+ * On entry:
-+ * in[i] < 2^60 - 2^52 - 2^4
-+ * On exit:
-+ * out[i] < out_orig[i] + 2^60 + 2^44
-+ */
-+static void felem_diff64(felem out, const felem in)
-+{
-+ /*
-+ * In order to prevent underflow, we add a multiple of p before subtracting.
-+ * Use telescopic sums to represent 2^12 * p redundantly with each limb
-+ * of the form 2^60 + ...
-+ */
-+
-+ static const limb two60m52m4 = (((limb) 1) << 60)
-+ - (((limb) 1) << 52)
-+ - (((limb) 1) << 4);
-+ static const limb two60p44m12 = (((limb) 1) << 60)
-+ + (((limb) 1) << 44)
-+ - (((limb) 1) << 12);
-+ static const limb two60m28m4 = (((limb) 1) << 60)
-+ - (((limb) 1) << 28)
-+ - (((limb) 1) << 4);
-+ static const limb two60m4 = (((limb) 1) << 60)
-+ - (((limb) 1) << 4);
-+
-+ out[0] += two60p44m12 - in[0];
-+ out[1] += two60m52m4 - in[1];
-+ out[2] += two60m28m4 - in[2];
-+ out[3] += two60m4 - in[3];
-+ out[4] += two60m4 - in[4];
-+ out[5] += two60m4 - in[5];
-+ out[6] += two60m4 - in[6];
-+}
-+
-+/*
-+ * in[i] < 2^63
-+ * out[i] < out_orig[i] + 2^64 + 2^48
-+ */
-+static void felem_diff_128_64(widefelem out, const felem in)
-+{
-+ /*
-+ * In order to prevent underflow, we add a multiple of p before subtracting.
-+ * Use telescopic sums to represent 2^16 * p redundantly with each limb
-+ * of the form 2^64 + ...
-+ */
-+
-+ static const widelimb two64m56m8 = (((widelimb) 1) << 64)
-+ - (((widelimb) 1) << 56)
-+ - (((widelimb) 1) << 8);
-+ static const widelimb two64m32m8 = (((widelimb) 1) << 64)
-+ - (((widelimb) 1) << 32)
-+ - (((widelimb) 1) << 8);
-+ static const widelimb two64m8 = (((widelimb) 1) << 64)
-+ - (((widelimb) 1) << 8);
-+ static const widelimb two64p48m16 = (((widelimb) 1) << 64)
-+ + (((widelimb) 1) << 48)
-+ - (((widelimb) 1) << 16);
-+ unsigned int i;
-+
-+ out[0] += two64p48m16;
-+ out[1] += two64m56m8;
-+ out[2] += two64m32m8;
-+ out[3] += two64m8;
-+ out[4] += two64m8;
-+ out[5] += two64m8;
-+ out[6] += two64m8;
-+
-+ for (i = 0; i < NLIMBS; i++)
-+ out[i] -= in[i];
-+}
-+
-+/*
-+ * in[i] < 2^127 - 2^119 - 2^71
-+ * out[i] < out_orig[i] + 2^127 + 2^111
-+ */
-+static void felem_diff128(widefelem out, const widefelem in)
-+{
-+ /*
-+ * In order to prevent underflow, we add a multiple of p before subtracting.
-+ * Use telescopic sums to represent 2^415 * p redundantly with each limb
-+ * of the form 2^127 + ...
-+ */
-+
-+ static const widelimb two127 = ((widelimb) 1) << 127;
-+ static const widelimb two127m71 = (((widelimb) 1) << 127)
-+ - (((widelimb) 1) << 71);
-+ static const widelimb two127p111m79m71 = (((widelimb) 1) << 127)
-+ + (((widelimb) 1) << 111)
-+ - (((widelimb) 1) << 79)
-+ - (((widelimb) 1) << 71);
-+ static const widelimb two127m119m71 = (((widelimb) 1) << 127)
-+ - (((widelimb) 1) << 119)
-+ - (((widelimb) 1) << 71);
-+ static const widelimb two127m95m71 = (((widelimb) 1) << 127)
-+ - (((widelimb) 1) << 95)
-+ - (((widelimb) 1) << 71);
-+ unsigned int i;
-+
-+ out[0] += two127;
-+ out[1] += two127m71;
-+ out[2] += two127m71;
-+ out[3] += two127m71;
-+ out[4] += two127m71;
-+ out[5] += two127m71;
-+ out[6] += two127p111m79m71;
-+ out[7] += two127m119m71;
-+ out[8] += two127m95m71;
-+ out[9] += two127m71;
-+ out[10] += two127m71;
-+ out[11] += two127m71;
-+ out[12] += two127m71;
-+
-+ for (i = 0; i < 2*NLIMBS-1; i++)
-+ out[i] -= in[i];
-+}
-+
-+static void felem_square_ref(widefelem out, const felem in)
-+{
-+ felem inx2;
-+ felem_scalar(inx2, in, 2);
-+
-+ out[0] = ((uint128_t) in[0]) * in[0];
-+
-+ out[1] = ((uint128_t) in[0]) * inx2[1];
-+
-+ out[2] = ((uint128_t) in[0]) * inx2[2]
-+ + ((uint128_t) in[1]) * in[1];
-+
-+ out[3] = ((uint128_t) in[0]) * inx2[3]
-+ + ((uint128_t) in[1]) * inx2[2];
-+
-+ out[4] = ((uint128_t) in[0]) * inx2[4]
-+ + ((uint128_t) in[1]) * inx2[3]
-+ + ((uint128_t) in[2]) * in[2];
-+
-+ out[5] = ((uint128_t) in[0]) * inx2[5]
-+ + ((uint128_t) in[1]) * inx2[4]
-+ + ((uint128_t) in[2]) * inx2[3];
-+
-+ out[6] = ((uint128_t) in[0]) * inx2[6]
-+ + ((uint128_t) in[1]) * inx2[5]
-+ + ((uint128_t) in[2]) * inx2[4]
-+ + ((uint128_t) in[3]) * in[3];
-+
-+ out[7] = ((uint128_t) in[1]) * inx2[6]
-+ + ((uint128_t) in[2]) * inx2[5]
-+ + ((uint128_t) in[3]) * inx2[4];
-+
-+ out[8] = ((uint128_t) in[2]) * inx2[6]
-+ + ((uint128_t) in[3]) * inx2[5]
-+ + ((uint128_t) in[4]) * in[4];
-+
-+ out[9] = ((uint128_t) in[3]) * inx2[6]
-+ +
((uint128_t) in[4]) * inx2[5];
-+
-+ out[10] = ((uint128_t) in[4]) * inx2[6]
-+ + ((uint128_t) in[5]) * in[5];
-+
-+ out[11] = ((uint128_t) in[5]) * inx2[6];
-+
-+ out[12] = ((uint128_t) in[6]) * in[6];
-+}
-+
-+static void felem_mul_ref(widefelem out, const felem in1, const felem in2)
-+{
-+ out[0] = ((uint128_t) in1[0]) * in2[0];
-+
-+ out[1] = ((uint128_t) in1[0]) * in2[1]
-+ + ((uint128_t) in1[1]) * in2[0];
-+
-+ out[2] = ((uint128_t) in1[0]) * in2[2]
-+ + ((uint128_t) in1[1]) * in2[1]
-+ + ((uint128_t) in1[2]) * in2[0];
-+
-+ out[3] = ((uint128_t) in1[0]) * in2[3]
-+ + ((uint128_t) in1[1]) * in2[2]
-+ + ((uint128_t) in1[2]) * in2[1]
-+ + ((uint128_t) in1[3]) * in2[0];
-+
-+ out[4] = ((uint128_t) in1[0]) * in2[4]
-+ + ((uint128_t) in1[1]) * in2[3]
-+ + ((uint128_t) in1[2]) * in2[2]
-+ + ((uint128_t) in1[3]) * in2[1]
-+ + ((uint128_t) in1[4]) * in2[0];
-+
-+ out[5] = ((uint128_t) in1[0]) * in2[5]
-+ + ((uint128_t) in1[1]) * in2[4]
-+ + ((uint128_t) in1[2]) * in2[3]
-+ + ((uint128_t) in1[3]) * in2[2]
-+ + ((uint128_t) in1[4]) * in2[1]
-+ + ((uint128_t) in1[5]) * in2[0];
-+
-+ out[6] = ((uint128_t) in1[0]) * in2[6]
-+ + ((uint128_t) in1[1]) * in2[5]
-+ + ((uint128_t) in1[2]) * in2[4]
-+ + ((uint128_t) in1[3]) * in2[3]
-+ + ((uint128_t) in1[4]) * in2[2]
-+ + ((uint128_t) in1[5]) * in2[1]
-+ + ((uint128_t) in1[6]) * in2[0];
-+
-+ out[7] = ((uint128_t) in1[1]) * in2[6]
-+ + ((uint128_t) in1[2]) * in2[5]
-+ + ((uint128_t) in1[3]) * in2[4]
-+ + ((uint128_t) in1[4]) * in2[3]
-+ + ((uint128_t) in1[5]) * in2[2]
-+ + ((uint128_t) in1[6]) * in2[1];
-+
-+ out[8] = ((uint128_t) in1[2]) * in2[6]
-+ + ((uint128_t) in1[3]) * in2[5]
-+ + ((uint128_t) in1[4]) * in2[4]
-+ + ((uint128_t) in1[5]) * in2[3]
-+ + ((uint128_t) in1[6]) * in2[2];
-+
-+ out[9] = ((uint128_t) in1[3]) * in2[6]
-+ + ((uint128_t) in1[4]) * in2[5]
-+ + ((uint128_t) in1[5]) * in2[4]
-+ + ((uint128_t) in1[6]) * in2[3];
-+
-+ out[10] = ((uint128_t) in1[4]) * in2[6]
-+ + ((uint128_t) in1[5]) * in2[5]
-+ +
((uint128_t) in1[6]) * in2[4];
-+
-+ out[11] = ((uint128_t) in1[5]) * in2[6]
-+ + ((uint128_t) in1[6]) * in2[5];
-+
-+ out[12] = ((uint128_t) in1[6]) * in2[6];
-+}
-+
-+/*-
-+ * Reduce thirteen 128-bit coefficients to seven 64-bit coefficients.
-+ * in[i] < 2^128 - 2^125
-+ * out[i] < 2^56 for i < 6,
-+ * out[6] <= 2^48
-+ *
-+ * The technique in use here stems from the format of the prime modulus:
-+ * P384 = 2^384 - delta
-+ *
-+ * Thus we can reduce numbers of the form (X + 2^384 * Y) by substituting
-+ * them with (X + delta Y), with delta = 2^128 + 2^96 + (-2^32 + 1). These
-+ * coefficients are still quite large, and so we repeatedly apply this
-+ * technique on high-order bits in order to guarantee the desired bounds on
-+ * the size of our output.
-+ *
-+ * The three phases of elimination are as follows:
-+ * [1]: Y = 2^120 (in[12] | in[11] | in[10] | in[9])
-+ * [2]: Y = 2^8 (acc[8] | acc[7])
-+ * [3]: Y = 2^48 (acc[6] >> 48)
-+ * (Where a | b | c | d = (2^56)^3 a + (2^56)^2 b + (2^56) c + d)
-+ */
-+static void felem_reduce(felem out, const widefelem in)
-+{
-+ /*
-+ * In order to prevent underflow, we add a multiple of p before subtracting.
-+ * Use telescopic sums to represent 2^76 * p redundantly with each limb
-+ * of the form 2^124 + ...
-+ */
-+ static const widelimb two124m68 = (((widelimb) 1) << 124)
-+ - (((widelimb) 1) << 68);
-+ static const widelimb two124m116m68 = (((widelimb) 1) << 124)
-+ - (((widelimb) 1) << 116)
-+ - (((widelimb) 1) << 68);
-+ static const widelimb two124p108m76 = (((widelimb) 1) << 124)
-+ + (((widelimb) 1) << 108)
-+ - (((widelimb) 1) << 76);
-+ static const widelimb two124m92m68 = (((widelimb) 1) << 124)
-+ - (((widelimb) 1) << 92)
-+ - (((widelimb) 1) << 68);
-+ widelimb temp, acc[9];
-+ unsigned int i;
-+
-+ memcpy(acc, in, sizeof(widelimb) * 9);
-+
-+ acc[0] += two124p108m76;
-+ acc[1] += two124m116m68;
-+ acc[2] += two124m92m68;
-+ acc[3] += two124m68;
-+ acc[4] += two124m68;
-+ acc[5] += two124m68;
-+ acc[6] += two124m68;
-+
-+ /* [1]: Eliminate in[9], ..., in[12] */
-+ acc[8] += in[12] >> 32;
-+ acc[7] += (in[12] & 0xffffffff) << 24;
-+ acc[7] += in[12] >> 8;
-+ acc[6] += (in[12] & 0xff) << 48;
-+ acc[6] -= in[12] >> 16;
-+ acc[5] -= ((in[12] & 0xffff) << 40);
-+ acc[6] += in[12] >> 48;
-+ acc[5] += (in[12] & 0xffffffffffff) << 8;
-+
-+ acc[7] += in[11] >> 32;
-+ acc[6] += (in[11] & 0xffffffff) << 24;
-+ acc[6] += in[11] >> 8;
-+ acc[5] += (in[11] & 0xff) << 48;
-+ acc[5] -= in[11] >> 16;
-+ acc[4] -= ((in[11] & 0xffff) << 40);
-+ acc[5] += in[11] >> 48;
-+ acc[4] += (in[11] & 0xffffffffffff) << 8;
-+
-+ acc[6] += in[10] >> 32;
-+ acc[5] += (in[10] & 0xffffffff) << 24;
-+ acc[5] += in[10] >> 8;
-+ acc[4] += (in[10] & 0xff) << 48;
-+ acc[4] -= in[10] >> 16;
-+ acc[3] -= ((in[10] & 0xffff) << 40);
-+ acc[4] += in[10] >> 48;
-+ acc[3] += (in[10] & 0xffffffffffff) << 8;
-+
-+ acc[5] += in[9] >> 32;
-+ acc[4] += (in[9] & 0xffffffff) << 24;
-+ acc[4] += in[9] >> 8;
-+ acc[3] += (in[9] & 0xff) << 48;
-+ acc[3] -= in[9] >> 16;
-+ acc[2] -= ((in[9] & 0xffff) << 40);
-+ acc[3] += in[9] >> 48;
-+ acc[2] += (in[9] & 0xffffffffffff) << 8;
-+
-+ /*
-+ * [2]: Eliminate acc[7], acc[8], that is the 7 and eighth limbs, as
-+ * well as the contributions made from eliminating
higher limbs.
-+ * acc[7] < in[7] + 2^120 + 2^56 < in[7] + 2^121
-+ * acc[8] < in[8] + 2^96
-+ */
-+ acc[4] += acc[8] >> 32;
-+ acc[3] += (acc[8] & 0xffffffff) << 24;
-+ acc[3] += acc[8] >> 8;
-+ acc[2] += (acc[8] & 0xff) << 48;
-+ acc[2] -= acc[8] >> 16;
-+ acc[1] -= ((acc[8] & 0xffff) << 40);
-+ acc[2] += acc[8] >> 48;
-+ acc[1] += (acc[8] & 0xffffffffffff) << 8;
-+
-+ acc[3] += acc[7] >> 32;
-+ acc[2] += (acc[7] & 0xffffffff) << 24;
-+ acc[2] += acc[7] >> 8;
-+ acc[1] += (acc[7] & 0xff) << 48;
-+ acc[1] -= acc[7] >> 16;
-+ acc[0] -= ((acc[7] & 0xffff) << 40);
-+ acc[1] += acc[7] >> 48;
-+ acc[0] += (acc[7] & 0xffffffffffff) << 8;
-+
-+ /*-
-+ * acc[k] < in[k] + 2^124 + 2^121
-+ * < in[k] + 2^125
-+ * < 2^128, for k <= 6
-+ */
-+
-+ /*
-+ * Carry 4 -> 5 -> 6
-+ * This has the effect of ensuring that these more significant limbs
-+ * will be small in value after eliminating high bits from acc[6].
-+ */
-+ acc[5] += acc[4] >> 56;
-+ acc[4] &= 0x00ffffffffffffff;
-+
-+ acc[6] += acc[5] >> 56;
-+ acc[5] &= 0x00ffffffffffffff;
-+
-+ /*-
-+ * acc[6] < in[6] + 2^124 + 2^121 + 2^72 + 2^16
-+ * < in[6] + 2^125
-+ * < 2^128
-+ */
-+
-+ /* [3]: Eliminate high bits of acc[6] */
-+ temp = acc[6] >> 48;
-+ acc[6] &= 0x0000ffffffffffff;
-+
-+ /* temp < 2^80 */
-+
-+ acc[3] += temp >> 40;
-+ acc[2] += (temp & 0xffffffffff) << 16;
-+ acc[2] += temp >> 16;
-+ acc[1] += (temp & 0xffff) << 40;
-+ acc[1] -= temp >> 24;
-+ acc[0] -= (temp & 0xffffff) << 32;
-+ acc[0] += temp;
-+
-+ /*-
-+ * acc[k] < acc_old[k] + 2^64 + 2^56
-+ * < in[k] + 2^124 + 2^121 + 2^72 + 2^64 + 2^56 + 2^16 , k < 4
-+ */
-+
-+ /* Carry 0 -> 1 -> 2 -> 3 -> 4 -> 5 -> 6 */
-+ acc[1] += acc[0] >> 56; /* acc[1] < acc_old[1] + 2^72 */
-+ acc[0] &= 0x00ffffffffffffff;
-+
-+ acc[2] += acc[1] >> 56; /* acc[2] < acc_old[2] + 2^72 + 2^16 */
-+ acc[1] &= 0x00ffffffffffffff;
-+
-+ acc[3] += acc[2] >> 56; /* acc[3] < acc_old[3] + 2^72 + 2^16 */
-+ acc[2] &= 0x00ffffffffffffff;
-+
-+ /*-
-+ * acc[k] < acc_old[k] + 2^72 + 2^16
-+ * < in[k] + 2^124 + 2^121 + 2^73 + 2^64 + 2^56 + 2^17 -+ * < in[k] + 2^125 -+ * < 2^128 , k < 4 -+ */ -+ -+ acc[4] += acc[3] >> 56; /*- -+ * acc[4] < acc_old[4] + 2^72 + 2^16 -+ * < 2^72 + 2^56 + 2^16 -+ */ -+ acc[3] &= 0x00ffffffffffffff; -+ -+ acc[5] += acc[4] >> 56; /*- -+ * acc[5] < acc_old[5] + 2^16 + 1 -+ * < 2^56 + 2^16 + 1 -+ */ -+ acc[4] &= 0x00ffffffffffffff; -+ -+ acc[6] += acc[5] >> 56; /* acc[6] < 2^48 + 1 <= 2^48 */ -+ acc[5] &= 0x00ffffffffffffff; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] = acc[i]; -+} -+ -+#if defined(ECP_NISTP384_ASM) -+static void felem_square_wrapper(widefelem out, const felem in); -+static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2); -+ -+static void (*felem_square_p)(widefelem out, const felem in) = -+ felem_square_wrapper; -+static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) = -+ felem_mul_wrapper; -+ -+void p384_felem_square(widefelem out, const felem in); -+void p384_felem_mul(widefelem out, const felem in1, const felem in2); -+ -+# if defined(_ARCH_PPC64) -+# include "crypto/ppc_arch.h" -+# endif -+ -+static void felem_select(void) -+{ -+ /* Default */ -+ felem_square_p = felem_square_ref; -+ felem_mul_p = felem_mul_ref; -+} -+ -+static void felem_square_wrapper(widefelem out, const felem in) -+{ -+ felem_select(); -+ felem_square_p(out, in); -+} -+ -+static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2) -+{ -+ felem_select(); -+ felem_mul_p(out, in1, in2); -+} -+ -+# define felem_square felem_square_p -+# define felem_mul felem_mul_p -+#else -+# define felem_square felem_square_ref -+# define felem_mul felem_mul_ref -+#endif -+ -+static ossl_inline void felem_square_reduce(felem out, const felem in) -+{ -+ widefelem tmp; -+ -+ felem_square(tmp, in); -+ felem_reduce(out, tmp); -+} -+ -+static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem in2) -+{ -+ widefelem tmp; -+ -+ felem_mul(tmp, in1, in2); -+ 
felem_reduce(out, tmp); -+} -+ -+/*- -+ * felem_inv calculates |out| = |in|^{-1} -+ * -+ * Based on Fermat's Little Theorem: -+ * a^p = a (mod p) -+ * a^{p-1} = 1 (mod p) -+ * a^{p-2} = a^{-1} (mod p) -+ */ -+static void felem_inv(felem out, const felem in) -+{ -+ felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6; -+ unsigned int i = 0; -+ -+ felem_square_reduce(ftmp, in); /* 2^1 */ -+ felem_mul_reduce(ftmp, ftmp, in); /* 2^1 + 2^0 */ -+ felem_assign(ftmp2, ftmp); -+ -+ felem_square_reduce(ftmp, ftmp); /* 2^2 + 2^1 */ -+ felem_mul_reduce(ftmp, ftmp, in); /* 2^2 + 2^1 * 2^0 */ -+ felem_assign(ftmp3, ftmp); -+ -+ for (i = 0; i < 3; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^5 + 2^4 + 2^3 */ -+ felem_mul_reduce(ftmp, ftmp3, ftmp); /* 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0 */ -+ felem_assign(ftmp4, ftmp); -+ -+ for (i = 0; i < 6; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^11 + ... + 2^6 */ -+ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^11 + ... + 2^0 */ -+ -+ for (i = 0; i < 3; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^14 + ... + 2^3 */ -+ felem_mul_reduce(ftmp, ftmp3, ftmp); /* 2^14 + ... + 2^0 */ -+ felem_assign(ftmp5, ftmp); -+ -+ for (i = 0; i < 15; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^29 + ... + 2^15 */ -+ felem_mul_reduce(ftmp, ftmp5, ftmp); /* 2^29 + ... + 2^0 */ -+ felem_assign(ftmp6, ftmp); -+ -+ for (i = 0; i < 30; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^59 + ... + 2^30 */ -+ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^59 + ... + 2^0 */ -+ felem_assign(ftmp4, ftmp); -+ -+ for (i = 0; i < 60; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^119 + ... + 2^60 */ -+ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^119 + ... + 2^0 */ -+ felem_assign(ftmp4, ftmp); -+ -+ for (i = 0; i < 120; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^239 + ... + 2^120 */ -+ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^239 + ... + 2^0 */ -+ -+ for (i = 0; i < 15; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^254 + ... + 2^15 */ -+ felem_mul_reduce(ftmp, ftmp5, ftmp); /* 2^254 + ... 
+ 2^0 */ -+ -+ for (i = 0; i < 31; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^285 + ... + 2^31 */ -+ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^285 + ... + 2^31 + 2^29 + ... + 2^0 */ -+ -+ for (i = 0; i < 2; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^287 + ... + 2^33 + 2^31 + ... + 2^2 */ -+ felem_mul_reduce(ftmp, ftmp2, ftmp); /* 2^287 + ... + 2^33 + 2^31 + ... + 2^0 */ -+ -+ for (i = 0; i < 94; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^381 + ... + 2^127 + 2^125 + ... + 2^94 */ -+ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^381 + ... + 2^127 + 2^125 + ... + 2^94 + 2^29 + ... + 2^0 */ -+ -+ for (i = 0; i < 2; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^383 + ... + 2^129 + 2^127 + ... + 2^96 + 2^31 + ... + 2^2 */ -+ felem_mul_reduce(ftmp, in, ftmp); /* 2^383 + ... + 2^129 + 2^127 + ... + 2^96 + 2^31 + ... + 2^2 + 2^0 */ -+ -+ memcpy(out, ftmp, sizeof(felem)); -+} -+ -+/* -+ * Zero-check: returns a limb with all bits set if |in| == 0 (mod p) -+ * and 0 otherwise. We know that field elements are reduced to -+ * 0 < in < 2p, so we only need to check two cases: -+ * 0 and 2^384 - 2^128 - 2^96 + 2^32 - 1 -+ * in[k] < 2^56, k < 6 -+ * in[6] <= 2^48 -+ */ -+static limb felem_is_zero(const felem in) -+{ -+ limb zero, p384; -+ -+ zero = in[0] | in[1] | in[2] | in[3] | in[4] | in[5] | in[6]; -+ zero = ((int64_t) (zero) - 1) >> 63; -+ p384 = (in[0] ^ 0x000000ffffffff) | (in[1] ^ 0xffff0000000000) -+ | (in[2] ^ 0xfffffffffeffff) | (in[3] ^ 0xffffffffffffff) -+ | (in[4] ^ 0xffffffffffffff) | (in[5] ^ 0xffffffffffffff) -+ | (in[6] ^ 0xffffffffffff); -+ p384 = ((int64_t) (p384) - 1) >> 63; -+ -+ return (zero | p384); -+} -+ -+static int felem_is_zero_int(const void *in) -+{ -+ return (int)(felem_is_zero(in) & ((limb) 1)); -+} -+ -+/*- -+ * felem_contract converts |in| to its unique, minimal representation. -+ * Assume we've removed all redundant bits. 
-+ * On entry: -+ * in[k] < 2^56, k < 6 -+ * in[6] <= 2^48 -+ */ -+static void felem_contract(felem out, const felem in) -+{ -+ static const int64_t two56 = ((limb) 1) << 56; -+ -+ /* -+ * We know for a fact that 0 <= |in| < 2*p, for p = 2^384 - 2^128 - 2^96 + 2^32 - 1 -+ * Perform two successive, idempotent subtractions to reduce if |in| >= p. -+ */ -+ -+ int64_t tmp[NLIMBS], cond[5], a; -+ unsigned int i; -+ -+ memcpy(tmp, in, sizeof(felem)); -+ -+ /* Case 1: a = 1 iff |in| >= 2^384 */ -+ a = (in[6] >> 48); -+ tmp[0] += a; -+ tmp[0] -= a << 32; -+ tmp[1] += a << 40; -+ tmp[2] += a << 16; -+ tmp[6] &= 0x0000ffffffffffff; -+ -+ /* -+ * eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be -+ * non-zero, so we only need one step -+ */ -+ -+ a = tmp[0] >> 63; -+ tmp[0] += a & two56; -+ tmp[1] -= a & 1; -+ -+ /* Carry 1 -> 2 -> 3 -> 4 -> 5 -> 6 */ -+ tmp[2] += tmp[1] >> 56; -+ tmp[1] &= 0x00ffffffffffffff; -+ -+ tmp[3] += tmp[2] >> 56; -+ tmp[2] &= 0x00ffffffffffffff; -+ -+ tmp[4] += tmp[3] >> 56; -+ tmp[3] &= 0x00ffffffffffffff; -+ -+ tmp[5] += tmp[4] >> 56; -+ tmp[4] &= 0x00ffffffffffffff; -+ -+ tmp[6] += tmp[5] >> 56; /* tmp[6] < 2^48 */ -+ tmp[5] &= 0x00ffffffffffffff; -+ -+ /* -+ * Case 2: a = all ones if p <= |in| < 2^384, 0 otherwise -+ */ -+ -+ /* 0 iff (2^129..2^383) are all one */ -+ cond[0] = ((tmp[6] | 0xff000000000000) & tmp[5] & tmp[4] & tmp[3] & (tmp[2] | 0x0000000001ffff)) + 1; -+ /* 0 iff 2^128 bit is one */ -+ cond[1] = (tmp[2] | ~0x00000000010000) + 1; -+ /* 0 iff (2^96..2^127) bits are all one */ -+ cond[2] = ((tmp[2] | 0xffffffffff0000) & (tmp[1] | 0x0000ffffffffff)) + 1; -+ /* 0 iff (2^32..2^95) bits are all zero */ -+ cond[3] = (tmp[1] & ~0xffff0000000000) | (tmp[0] & ~((int64_t) 0x000000ffffffff)); -+ /* 0 iff (2^0..2^31) bits are all one */ -+ cond[4] = (tmp[0] | 0xffffff00000000) + 1; -+ -+ /* -+ * In effect, invert our conditions, so that 0 values become all 1's, -+ * any non-zero value in the low-order 56 bits becomes all 
0's -+ */ -+ for (i = 0; i < 5; i++) -+ cond[i] = ((cond[i] & 0x00ffffffffffffff) - 1) >> 63; -+ -+ /* -+ * The condition for determining whether in is greater than our -+ * prime is given by the following condition. -+ */ -+ -+ /* First subtract 2^384 - 2^129 cheaply */ -+ a = cond[0] & (cond[1] | (cond[2] & (~cond[3] | cond[4]))); -+ tmp[6] &= ~a; -+ tmp[5] &= ~a; -+ tmp[4] &= ~a; -+ tmp[3] &= ~a; -+ tmp[2] &= ~a | 0x0000000001ffff; -+ -+ /* -+ * Subtract 2^128 - 2^96 by -+ * means of disjoint cases. -+ */ -+ -+ /* subtract 2^128 if that bit is present, and add 2^96 */ -+ a = cond[0] & cond[1]; -+ tmp[2] &= ~a | 0xfffffffffeffff; -+ tmp[1] += a & ((int64_t) 1 << 40); -+ -+ /* otherwise, clear bits 2^127 .. 2^96 */ -+ a = cond[0] & ~cond[1] & (cond[2] & (~cond[3] | cond[4])); -+ tmp[2] &= ~a | 0xffffffffff0000; -+ tmp[1] &= ~a | 0x0000ffffffffff; -+ -+ /* finally, subtract the last 2^32 - 1 */ -+ a = cond[0] & (cond[1] | (cond[2] & (~cond[3] | cond[4]))); -+ tmp[0] += a & (-((int64_t) 1 << 32) + 1); -+ -+ /* -+ * eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be -+ * non-zero, so we only need one step -+ */ -+ a = tmp[0] >> 63; -+ tmp[0] += a & two56; -+ tmp[1] -= a & 1; -+ -+ /* Carry 1 -> 2 -> 3 -> 4 -> 5 -> 6 */ -+ tmp[2] += tmp[1] >> 56; -+ tmp[1] &= 0x00ffffffffffffff; -+ -+ tmp[3] += tmp[2] >> 56; -+ tmp[2] &= 0x00ffffffffffffff; -+ -+ tmp[4] += tmp[3] >> 56; -+ tmp[3] &= 0x00ffffffffffffff; -+ -+ tmp[5] += tmp[4] >> 56; -+ tmp[4] &= 0x00ffffffffffffff; -+ -+ tmp[6] += tmp[5] >> 56; -+ tmp[5] &= 0x00ffffffffffffff; -+ -+ memcpy(out, tmp, sizeof(felem)); -+} -+ -+/*- -+ * Group operations -+ * ---------------- -+ * -+ * Building on top of the field operations we have the operations on the -+ * elliptic curve group itself. 
Points on the curve are represented in Jacobian -+ * coordinates -+ */ -+ -+/*- -+ * point_double calculates 2*(x_in, y_in, z_in) -+ * -+ * The method is taken from: -+ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b -+ * -+ * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed. -+ * while x_out == y_in is not (maybe this works, but it's not tested). -+ */ -+static void -+point_double(felem x_out, felem y_out, felem z_out, -+ const felem x_in, const felem y_in, const felem z_in) -+{ -+ widefelem tmp, tmp2; -+ felem delta, gamma, beta, alpha, ftmp, ftmp2; -+ -+ felem_assign(ftmp, x_in); -+ felem_assign(ftmp2, x_in); -+ -+ /* delta = z^2 */ -+ felem_square_reduce(delta, z_in); /* delta[i] < 2^56 */ -+ -+ /* gamma = y^2 */ -+ felem_square_reduce(gamma, y_in); /* gamma[i] < 2^56 */ -+ -+ /* beta = x*gamma */ -+ felem_mul_reduce(beta, x_in, gamma); /* beta[i] < 2^56 */ -+ -+ /* alpha = 3*(x-delta)*(x+delta) */ -+ felem_diff64(ftmp, delta); /* ftmp[i] < 2^60 + 2^58 + 2^44 */ -+ felem_sum64(ftmp2, delta); /* ftmp2[i] < 2^59 */ -+ felem_scalar64(ftmp2, 3); /* ftmp2[i] < 2^61 */ -+ felem_mul_reduce(alpha, ftmp, ftmp2); /* alpha[i] < 2^56 */ -+ -+ /* x' = alpha^2 - 8*beta */ -+ felem_square(tmp, alpha); /* tmp[i] < 2^115 */ -+ felem_assign(ftmp, beta); /* ftmp[i] < 2^56 */ -+ felem_scalar64(ftmp, 8); /* ftmp[i] < 2^59 */ -+ felem_diff_128_64(tmp, ftmp); /* tmp[i] < 2^115 + 2^64 + 2^48 */ -+ felem_reduce(x_out, tmp); /* x_out[i] < 2^56 */ -+ -+ /* z' = (y + z)^2 - gamma - delta */ -+ felem_sum64(delta, gamma); /* delta[i] < 2^57 */ -+ felem_assign(ftmp, y_in); /* ftmp[i] < 2^56 */ -+ felem_sum64(ftmp, z_in); /* ftmp[i] < 2^56 */ -+ felem_square(tmp, ftmp); /* tmp[i] < 2^115 */ -+ felem_diff_128_64(tmp, delta); /* tmp[i] < 2^115 + 2^64 + 2^48 */ -+ felem_reduce(z_out, tmp); /* z_out[i] < 2^56 */ -+ -+ /* y' = alpha*(4*beta - x') - 8*gamma^2 */ -+ felem_scalar64(beta, 4); /* beta[i] < 2^58 */ -+ felem_diff64(beta, x_out); /* 
beta[i] < 2^60 + 2^58 + 2^44 */ -+ felem_mul(tmp, alpha, beta); /* tmp[i] < 2^119 */ -+ felem_square(tmp2, gamma); /* tmp2[i] < 2^115 */ -+ felem_scalar128(tmp2, 8); /* tmp2[i] < 2^118 */ -+ felem_diff128(tmp, tmp2); /* tmp[i] < 2^127 + 2^119 + 2^111 */ -+ felem_reduce(y_out, tmp); /* tmp[i] < 2^56 */ -+} -+ -+/* copy_conditional copies in to out iff mask is all ones. */ -+static void copy_conditional(felem out, const felem in, limb mask) -+{ -+ unsigned int i; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] ^= mask & (in[i] ^ out[i]); -+} -+ -+/*- -+ * point_add calculates (x1, y1, z1) + (x2, y2, z2) -+ * -+ * The method is taken from -+ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl, -+ * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity). -+ * -+ * This function includes a branch for checking whether the two input points -+ * are equal (while not equal to the point at infinity). See comment below -+ * on constant-time. -+ */ -+static void point_add(felem x3, felem y3, felem z3, -+ const felem x1, const felem y1, const felem z1, -+ const int mixed, const felem x2, const felem y2, -+ const felem z2) -+{ -+ felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out; -+ widefelem tmp, tmp2; -+ limb x_equal, y_equal, z1_is_zero, z2_is_zero; -+ limb points_equal; -+ -+ z1_is_zero = felem_is_zero(z1); -+ z2_is_zero = felem_is_zero(z2); -+ -+ /* ftmp = z1z1 = z1**2 */ -+ felem_square_reduce(ftmp, z1); /* ftmp[i] < 2^56 */ -+ -+ if (!mixed) { -+ /* ftmp2 = z2z2 = z2**2 */ -+ felem_square_reduce(ftmp2, z2); /* ftmp2[i] < 2^56 */ -+ -+ /* u1 = ftmp3 = x1*z2z2 */ -+ felem_mul_reduce(ftmp3, x1, ftmp2); /* ftmp3[i] < 2^56 */ -+ -+ /* ftmp5 = z1 + z2 */ -+ felem_assign(ftmp5, z1); /* ftmp5[i] < 2^56 */ -+ felem_sum64(ftmp5, z2); /* ftmp5[i] < 2^57 */ -+ -+ /* ftmp5 = (z1 + z2)**2 - z1z1 - z2z2 = 2*z1z2 */ -+ felem_square(tmp, ftmp5); /* tmp[i] < 2^117 */ -+ felem_diff_128_64(tmp, ftmp); /* tmp[i] < 2^117 + 2^64 + 
2^48 */ -+ felem_diff_128_64(tmp, ftmp2); /* tmp[i] < 2^117 + 2^65 + 2^49 */ -+ felem_reduce(ftmp5, tmp); /* ftmp5[i] < 2^56 */ -+ -+ /* ftmp2 = z2 * z2z2 */ -+ felem_mul_reduce(ftmp2, ftmp2, z2); /* ftmp2[i] < 2^56 */ -+ -+ /* s1 = ftmp6 = y1 * z2**3 */ -+ felem_mul_reduce(ftmp6, y1, ftmp2); /* ftmp6[i] < 2^56 */ -+ } else { -+ /* -+ * We'll assume z2 = 1 (special case z2 = 0 is handled later) -+ */ -+ -+ /* u1 = ftmp3 = x1*z2z2 */ -+ felem_assign(ftmp3, x1); /* ftmp3[i] < 2^56 */ -+ -+ /* ftmp5 = 2*z1z2 */ -+ felem_scalar(ftmp5, z1, 2); /* ftmp5[i] < 2^57 */ -+ -+ /* s1 = ftmp6 = y1 * z2**3 */ -+ felem_assign(ftmp6, y1); /* ftmp6[i] < 2^56 */ -+ } -+ /* ftmp3[i] < 2^56, ftmp5[i] < 2^57, ftmp6[i] < 2^56 */ -+ -+ /* u2 = x2*z1z1 */ -+ felem_mul(tmp, x2, ftmp); /* tmp[i] < 2^115 */ -+ -+ /* h = ftmp4 = u2 - u1 */ -+ felem_diff_128_64(tmp, ftmp3); /* tmp[i] < 2^115 + 2^64 + 2^48 */ -+ felem_reduce(ftmp4, tmp); /* ftmp[4] < 2^56 */ -+ -+ x_equal = felem_is_zero(ftmp4); -+ -+ /* z_out = ftmp5 * h */ -+ felem_mul_reduce(z_out, ftmp5, ftmp4); /* z_out[i] < 2^56 */ -+ -+ /* ftmp = z1 * z1z1 */ -+ felem_mul_reduce(ftmp, ftmp, z1); /* ftmp[i] < 2^56 */ -+ -+ /* s2 = tmp = y2 * z1**3 */ -+ felem_mul(tmp, y2, ftmp); /* tmp[i] < 2^115 */ -+ -+ /* r = ftmp5 = (s2 - s1)*2 */ -+ felem_diff_128_64(tmp, ftmp6); /* tmp[i] < 2^115 + 2^64 + 2^48 */ -+ felem_reduce(ftmp5, tmp); /* ftmp5[i] < 2^56 */ -+ y_equal = felem_is_zero(ftmp5); -+ felem_scalar64(ftmp5, 2); /* ftmp5[i] < 2^57 */ -+ -+ /* -+ * The formulae are incorrect if the points are equal, in affine coordinates -+ * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this -+ * happens. -+ * -+ * We use bitwise operations to avoid potential side-channels introduced by -+ * the short-circuiting behaviour of boolean operators. 
-+ * -+ * The special case of either point being the point at infinity (z1 and/or -+ * z2 are zero), is handled separately later on in this function, so we -+ * avoid jumping to point_double here in those special cases. -+ * -+ * Notice the comment below on the implications of this branching for timing -+ * leaks and why it is considered practically irrelevant. -+ */ -+ points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero)); -+ -+ if (points_equal) { -+ /* -+ * This is obviously not constant-time but it will almost-never happen -+ * for ECDH / ECDSA. -+ */ -+ point_double(x3, y3, z3, x1, y1, z1); -+ return; -+ } -+ -+ /* I = ftmp = (2h)**2 */ -+ felem_assign(ftmp, ftmp4); /* ftmp[i] < 2^56 */ -+ felem_scalar64(ftmp, 2); /* ftmp[i] < 2^57 */ -+ felem_square_reduce(ftmp, ftmp); /* ftmp[i] < 2^56 */ -+ -+ /* J = ftmp2 = h * I */ -+ felem_mul_reduce(ftmp2, ftmp4, ftmp); /* ftmp2[i] < 2^56 */ -+ -+ /* V = ftmp4 = U1 * I */ -+ felem_mul_reduce(ftmp4, ftmp3, ftmp); /* ftmp4[i] < 2^56 */ -+ -+ /* x_out = r**2 - J - 2V */ -+ felem_square(tmp, ftmp5); /* tmp[i] < 2^117 */ -+ felem_diff_128_64(tmp, ftmp2); /* tmp[i] < 2^117 + 2^64 + 2^48 */ -+ felem_assign(ftmp3, ftmp4); /* ftmp3[i] < 2^56 */ -+ felem_scalar64(ftmp4, 2); /* ftmp4[i] < 2^57 */ -+ felem_diff_128_64(tmp, ftmp4); /* tmp[i] < 2^117 + 2^65 + 2^49 */ -+ felem_reduce(x_out, tmp); /* x_out[i] < 2^56 */ -+ -+ /* y_out = r(V-x_out) - 2 * s1 * J */ -+ felem_diff64(ftmp3, x_out); /* ftmp3[i] < 2^60 + 2^56 + 2^44 */ -+ felem_mul(tmp, ftmp5, ftmp3); /* tmp[i] < 2^116 */ -+ felem_mul(tmp2, ftmp6, ftmp2); /* tmp2[i] < 2^115 */ -+ felem_scalar128(tmp2, 2); /* tmp2[i] < 2^116 */ -+ felem_diff128(tmp, tmp2); /* tmp[i] < 2^127 + 2^116 + 2^111 */ -+ felem_reduce(y_out, tmp); /* y_out[i] < 2^56 */ -+ -+ copy_conditional(x_out, x2, z1_is_zero); -+ copy_conditional(x_out, x1, z2_is_zero); -+ copy_conditional(y_out, y2, z1_is_zero); -+ copy_conditional(y_out, y1, z2_is_zero); -+ copy_conditional(z_out, z2, z1_is_zero); -+ 
copy_conditional(z_out, z1, z2_is_zero); -+ felem_assign(x3, x_out); -+ felem_assign(y3, y_out); -+ felem_assign(z3, z_out); -+} -+ -+/*- -+ * Base point pre computation -+ * -------------------------- -+ * -+ * Two different sorts of precomputed tables are used in the following code. -+ * Each contain various points on the curve, where each point is three field -+ * elements (x, y, z). -+ * -+ * For the base point table, z is usually 1 (0 for the point at infinity). -+ * This table has 16 elements: -+ * index | bits | point -+ * ------+---------+------------------------------ -+ * 0 | 0 0 0 0 | 0G -+ * 1 | 0 0 0 1 | 1G -+ * 2 | 0 0 1 0 | 2^95G -+ * 3 | 0 0 1 1 | (2^95 + 1)G -+ * 4 | 0 1 0 0 | 2^190G -+ * 5 | 0 1 0 1 | (2^190 + 1)G -+ * 6 | 0 1 1 0 | (2^190 + 2^95)G -+ * 7 | 0 1 1 1 | (2^190 + 2^95 + 1)G -+ * 8 | 1 0 0 0 | 2^285G -+ * 9 | 1 0 0 1 | (2^285 + 1)G -+ * 10 | 1 0 1 0 | (2^285 + 2^95)G -+ * 11 | 1 0 1 1 | (2^285 + 2^95 + 1)G -+ * 12 | 1 1 0 0 | (2^285 + 2^190)G -+ * 13 | 1 1 0 1 | (2^285 + 2^190 + 1)G -+ * 14 | 1 1 1 0 | (2^285 + 2^190 + 2^95)G -+ * 15 | 1 1 1 1 | (2^285 + 2^190 + 2^95 + 1)G -+ * -+ * The reason for this is so that we can clock bits into four different -+ * locations when doing simple scalar multiplies against the base point. -+ * -+ * Tables for other points have table[i] = iG for i in 0 .. 16. 
-+ */ -+ -+/* gmul is the table of precomputed base points */ -+static const felem gmul[16][3] = { -+{{0, 0, 0, 0, 0, 0, 0}, -+ {0, 0, 0, 0, 0, 0, 0}, -+ {0, 0, 0, 0, 0, 0, 0}}, -+{{0x00545e3872760ab7, 0x00f25dbf55296c3a, 0x00e082542a385502, 0x008ba79b9859f741, -+ 0x0020ad746e1d3b62, 0x0005378eb1c71ef3, 0x0000aa87ca22be8b}, -+ {0x00431d7c90ea0e5f, 0x00b1ce1d7e819d7a, 0x0013b5f0b8c00a60, 0x00289a147ce9da31, -+ 0x0092dc29f8f41dbd, 0x002c6f5d9e98bf92, 0x00003617de4a9626}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x00024711cc902a90, 0x00acb2e579ab4fe1, 0x00af818a4b4d57b1, 0x00a17c7bec49c3de, -+ 0x004280482d726a8b, 0x00128dd0f0a90f3b, 0x00004387c1c3fa3c}, -+ {0x002ce76543cf5c3a, 0x00de6cee5ef58f0a, 0x00403e42fa561ca6, 0x00bc54d6f9cb9731, -+ 0x007155f925fb4ff1, 0x004a9ce731b7b9bc, 0x00002609076bd7b2}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x00e74c9182f0251d, 0x0039bf54bb111974, 0x00b9d2f2eec511d2, 0x0036b1594eb3a6a4, -+ 0x00ac3bb82d9d564b, 0x00f9313f4615a100, 0x00006716a9a91b10}, -+ {0x0046698116e2f15c, 0x00f34347067d3d33, 0x008de4ccfdebd002, 0x00e838c6b8e8c97b, -+ 0x006faf0798def346, 0x007349794a57563c, 0x00002629e7e6ad84}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x0075300e34fd163b, 0x0092e9db4e8d0ad3, 0x00254be9f625f760, 0x00512c518c72ae68, -+ 0x009bfcf162bede5a, 0x00bf9341566ce311, 0x0000cd6175bd41cf}, -+ {0x007dfe52af4ac70f, 0x0002159d2d5c4880, 0x00b504d16f0af8d0, 0x0014585e11f5e64c, -+ 0x0089c6388e030967, 0x00ffb270cbfa5f71, 0x00009a15d92c3947}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x0033fc1278dc4fe5, 0x00d53088c2caa043, 0x0085558827e2db66, 0x00c192bef387b736, -+ 0x00df6405a2225f2c, 0x0075205aa90fd91a, 0x0000137e3f12349d}, -+ {0x00ce5b115efcb07e, 0x00abc3308410deeb, 0x005dc6fc1de39904, 0x00907c1c496f36b4, -+ 0x0008e6ad3926cbe1, 0x00110747b787928c, 0x0000021b9162eb7e}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x008180042cfa26e1, 0x007b826a96254967, 0x0082473694d6b194, 0x007bd6880a45b589, -+ 0x00c0a5097072d1a3, 0x0019186555e18b4e, 0x000020278190e5ca}, -+ {0x00b4bef17de61ac0, 0x009535e3c38ed348, 
0x002d4aa8e468ceab, 0x00ef40b431036ad3, -+ 0x00defd52f4542857, 0x0086edbf98234266, 0x00002025b3a7814d}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x00b238aa97b886be, 0x00ef3192d6dd3a32, 0x0079f9e01fd62df8, 0x00742e890daba6c5, -+ 0x008e5289144408ce, 0x0073bbcc8e0171a5, 0x0000c4fd329d3b52}, -+ {0x00c6f64a15ee23e7, 0x00dcfb7b171cad8b, 0x00039f6cbd805867, 0x00de024e428d4562, -+ 0x00be6a594d7c64c5, 0x0078467b70dbcd64, 0x0000251f2ed7079b}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x000e5cc25fc4b872, 0x005ebf10d31ef4e1, 0x0061e0ebd11e8256, 0x0076e026096f5a27, -+ 0x0013e6fc44662e9a, 0x0042b00289d3597e, 0x000024f089170d88}, -+ {0x001604d7e0effbe6, 0x0048d77cba64ec2c, 0x008166b16da19e36, 0x006b0d1a0f28c088, -+ 0x000259fcd47754fd, 0x00cc643e4d725f9a, 0x00007b10f3c79c14}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x00430155e3b908af, 0x00b801e4fec25226, 0x00b0d4bcfe806d26, 0x009fc4014eb13d37, -+ 0x0066c94e44ec07e8, 0x00d16adc03874ba2, 0x000030c917a0d2a7}, -+ {0x00edac9e21eb891c, 0x00ef0fb768102eff, 0x00c088cef272a5f3, 0x00cbf782134e2964, -+ 0x0001044a7ba9a0e3, 0x00e363f5b194cf3c, 0x00009ce85249e372}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x001dd492dda5a7eb, 0x008fd577be539fd1, 0x002ff4b25a5fc3f1, 0x0074a8a1b64df72f, -+ 0x002ba3d8c204a76c, 0x009d5cff95c8235a, 0x0000e014b9406e0f}, -+ {0x008c2e4dbfc98aba, 0x00f30bb89f1a1436, 0x00b46f7aea3e259c, 0x009224454ac02f54, -+ 0x00906401f5645fa2, 0x003a1d1940eabc77, 0x00007c9351d680e6}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x005a35d872ef967c, 0x0049f1b7884e1987, 0x0059d46d7e31f552, 0x00ceb4869d2d0fb6, -+ 0x00e8e89eee56802a, 0x0049d806a774aaf2, 0x0000147e2af0ae24}, -+ {0x005fd1bd852c6e5e, 0x00b674b7b3de6885, 0x003b9ea5eb9b6c08, 0x005c9f03babf3ef7, -+ 0x00605337fecab3c7, 0x009a3f85b11bbcc8, 0x0000455470f330ec}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x002197ff4d55498d, 0x00383e8916c2d8af, 0x00eb203f34d1c6d2, 0x0080367cbd11b542, -+ 0x00769b3be864e4f5, 0x0081a8458521c7bb, 0x0000c531b34d3539}, -+ {0x00e2a3d775fa2e13, 0x00534fc379573844, 0x00ff237d2a8db54a, 0x00d301b2335a8882, -+ 
0x000f75ea96103a80, 0x0018fecb3cdd96fa, 0x0000304bf61e94eb}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x00b2afc332a73dbd, 0x0029a0d5bb007bc5, 0x002d628eb210f577, 0x009f59a36dd05f50, -+ 0x006d339de4eca613, 0x00c75a71addc86bc, 0x000060384c5ea93c}, -+ {0x00aa9641c32a30b4, 0x00cc73ae8cce565d, 0x00ec911a4df07f61, 0x00aa4b762ea4b264, -+ 0x0096d395bb393629, 0x004efacfb7632fe0, 0x00006f252f46fa3f}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x00567eec597c7af6, 0x0059ba6795204413, 0x00816d4e6f01196f, 0x004ae6b3eb57951d, -+ 0x00420f5abdda2108, 0x003401d1f57ca9d9, 0x0000cf5837b0b67a}, -+ {0x00eaa64b8aeeabf9, 0x00246ddf16bcb4de, 0x000e7e3c3aecd751, 0x0008449f04fed72e, -+ 0x00307b67ccf09183, 0x0017108c3556b7b1, 0x0000229b2483b3bf}, -+ {1, 0, 0, 0, 0, 0, 0}}, -+{{0x00e7c491a7bb78a1, 0x00eafddd1d3049ab, 0x00352c05e2bc7c98, 0x003d6880c165fa5c, -+ 0x00b6ac61cc11c97d, 0x00beeb54fcf90ce5, 0x0000dc1f0b455edc}, -+ {0x002db2e7aee34d60, 0x0073b5f415a2d8c0, 0x00dd84e4193e9a0c, 0x00d02d873467c572, -+ 0x0018baaeda60aee5, 0x0013fb11d697c61e, 0x000083aafcc3a973}, -+ {1, 0, 0, 0, 0, 0, 0}} -+}; -+ -+/* -+ * select_point selects the |idx|th point from a precomputation table and -+ * copies it to out. -+ * -+ * pre_comp below is of the size provided in |size|. 
-+ */ -+static void select_point(const limb idx, unsigned int size, -+ const felem pre_comp[][3], felem out[3]) -+{ -+ unsigned int i, j; -+ limb *outlimbs = &out[0][0]; -+ -+ memset(out, 0, sizeof(*out) * 3); -+ -+ for (i = 0; i < size; i++) { -+ const limb *inlimbs = &pre_comp[i][0][0]; -+ limb mask = i ^ idx; -+ -+ mask |= mask >> 4; -+ mask |= mask >> 2; -+ mask |= mask >> 1; -+ mask &= 1; -+ mask--; -+ for (j = 0; j < NLIMBS * 3; j++) -+ outlimbs[j] |= inlimbs[j] & mask; -+ } -+} -+ -+/* get_bit returns the |i|th bit in |in| */ -+static char get_bit(const felem_bytearray in, int i) -+{ -+ if (i < 0 || i >= 384) -+ return 0; -+ return (in[i >> 3] >> (i & 7)) & 1; -+} -+ -+/* -+ * Interleaved point multiplication using precomputed point multiples: The -+ * small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[], the scalars -+ * in scalars[]. If g_scalar is non-NULL, we also add this multiple of the -+ * generator, using certain (large) precomputed multiples in g_pre_comp. -+ * Output point (X, Y, Z) is stored in x_out, y_out, z_out -+ */ -+static void batch_mul(felem x_out, felem y_out, felem z_out, -+ const felem_bytearray scalars[], -+ const unsigned int num_points, const u8 *g_scalar, -+ const int mixed, const felem pre_comp[][17][3], -+ const felem g_pre_comp[16][3]) -+{ -+ int i, skip; -+ unsigned int num, gen_mul = (g_scalar != NULL); -+ felem nq[3], tmp[4]; -+ limb bits; -+ u8 sign, digit; -+ -+ /* set nq to the point at infinity */ -+ memset(nq, 0, sizeof(nq)); -+ -+ /* -+ * Loop over all scalars msb-to-lsb, interleaving additions of multiples -+ * of the generator (last quarter of rounds) and additions of other -+ * points multiples (every 5th round). -+ */ -+ skip = 1; /* save two point operations in the first -+ * round */ -+ for (i = (num_points ? 
380 : 98); i >= 0; --i) { -+ /* double */ -+ if (!skip) -+ point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]); -+ -+ /* add multiples of the generator */ -+ if (gen_mul && (i <= 98)) { -+ bits = get_bit(g_scalar, i + 285) << 3; -+ if (i < 95) { -+ bits |= get_bit(g_scalar, i + 190) << 2; -+ bits |= get_bit(g_scalar, i + 95) << 1; -+ bits |= get_bit(g_scalar, i); -+ } -+ /* select the point to add, in constant time */ -+ select_point(bits, 16, g_pre_comp, tmp); -+ if (!skip) { -+ /* The 1 argument below is for "mixed" */ -+ point_add(nq[0], nq[1], nq[2], -+ nq[0], nq[1], nq[2], 1, -+ tmp[0], tmp[1], tmp[2]); -+ } else { -+ memcpy(nq, tmp, 3 * sizeof(felem)); -+ skip = 0; -+ } -+ } -+ -+ /* do other additions every 5 doublings */ -+ if (num_points && (i % 5 == 0)) { -+ /* loop over all scalars */ -+ for (num = 0; num < num_points; ++num) { -+ bits = get_bit(scalars[num], i + 4) << 5; -+ bits |= get_bit(scalars[num], i + 3) << 4; -+ bits |= get_bit(scalars[num], i + 2) << 3; -+ bits |= get_bit(scalars[num], i + 1) << 2; -+ bits |= get_bit(scalars[num], i) << 1; -+ bits |= get_bit(scalars[num], i - 1); -+ ossl_ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); -+ -+ /* -+ * select the point to add or subtract, in constant time -+ */ -+ select_point(digit, 17, pre_comp[num], tmp); -+ felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative -+ * point */ -+ copy_conditional(tmp[1], tmp[3], (-(limb) sign)); -+ -+ if (!skip) { -+ point_add(nq[0], nq[1], nq[2], -+ nq[0], nq[1], nq[2], mixed, -+ tmp[0], tmp[1], tmp[2]); -+ } else { -+ memcpy(nq, tmp, 3 * sizeof(felem)); -+ skip = 0; -+ } -+ } -+ } -+ } -+ felem_assign(x_out, nq[0]); -+ felem_assign(y_out, nq[1]); -+ felem_assign(z_out, nq[2]); -+} -+ -+/* Precomputation for the group generator. 
*/ -+struct nistp384_pre_comp_st { -+ felem g_pre_comp[16][3]; -+ CRYPTO_REF_COUNT refcnt; -+ CRYPTO_RWLOCK *refcnt_lock; -+}; -+ -+const EC_METHOD *ossl_ec_GFp_nistp384_method(void) -+{ -+ static const EC_METHOD ret = { -+ EC_FLAGS_DEFAULT_OCT, -+ NID_X9_62_prime_field, -+ ossl_ec_GFp_nistp384_group_init, -+ ossl_ec_GFp_simple_group_finish, -+ ossl_ec_GFp_simple_group_clear_finish, -+ ossl_ec_GFp_nist_group_copy, -+ ossl_ec_GFp_nistp384_group_set_curve, -+ ossl_ec_GFp_simple_group_get_curve, -+ ossl_ec_GFp_simple_group_get_degree, -+ ossl_ec_group_simple_order_bits, -+ ossl_ec_GFp_simple_group_check_discriminant, -+ ossl_ec_GFp_simple_point_init, -+ ossl_ec_GFp_simple_point_finish, -+ ossl_ec_GFp_simple_point_clear_finish, -+ ossl_ec_GFp_simple_point_copy, -+ ossl_ec_GFp_simple_point_set_to_infinity, -+ ossl_ec_GFp_simple_point_set_affine_coordinates, -+ ossl_ec_GFp_nistp384_point_get_affine_coordinates, -+ 0, /* point_set_compressed_coordinates */ -+ 0, /* point2oct */ -+ 0, /* oct2point */ -+ ossl_ec_GFp_simple_add, -+ ossl_ec_GFp_simple_dbl, -+ ossl_ec_GFp_simple_invert, -+ ossl_ec_GFp_simple_is_at_infinity, -+ ossl_ec_GFp_simple_is_on_curve, -+ ossl_ec_GFp_simple_cmp, -+ ossl_ec_GFp_simple_make_affine, -+ ossl_ec_GFp_simple_points_make_affine, -+ ossl_ec_GFp_nistp384_points_mul, -+ ossl_ec_GFp_nistp384_precompute_mult, -+ ossl_ec_GFp_nistp384_have_precompute_mult, -+ ossl_ec_GFp_nist_field_mul, -+ ossl_ec_GFp_nist_field_sqr, -+ 0, /* field_div */ -+ ossl_ec_GFp_simple_field_inv, -+ 0, /* field_encode */ -+ 0, /* field_decode */ -+ 0, /* field_set_to_one */ -+ ossl_ec_key_simple_priv2oct, -+ ossl_ec_key_simple_oct2priv, -+ 0, /* set private */ -+ ossl_ec_key_simple_generate_key, -+ ossl_ec_key_simple_check_key, -+ ossl_ec_key_simple_generate_public_key, -+ 0, /* keycopy */ -+ 0, /* keyfinish */ -+ ossl_ecdh_simple_compute_key, -+ ossl_ecdsa_simple_sign_setup, -+ ossl_ecdsa_simple_sign_sig, -+ ossl_ecdsa_simple_verify_sig, -+ 0, /* field_inverse_mod_ord */ -+ 0, 
/* blind_coordinates */ -+ 0, /* ladder_pre */ -+ 0, /* ladder_step */ -+ 0 /* ladder_post */ -+ }; -+ -+ return &ret; -+} -+ -+/******************************************************************************/ -+/* -+ * FUNCTIONS TO MANAGE PRECOMPUTATION -+ */ -+ -+static NISTP384_PRE_COMP *nistp384_pre_comp_new(void) -+{ -+ NISTP384_PRE_COMP *ret = OPENSSL_zalloc(sizeof(*ret)); -+ -+ if (ret == NULL || (ret->refcnt_lock = CRYPTO_THREAD_lock_new()) == NULL) { -+ OPENSSL_free(ret); -+ return NULL; -+ } -+ -+ ret->refcnt = 1; -+ return ret; -+} -+ -+NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *p) -+{ -+ int i; -+ -+ if (p != NULL) -+ CRYPTO_UP_REF(&p->refcnt, &i, p->refcnt_lock); -+ return p; -+} -+ -+void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *p) -+{ -+ int i; -+ -+ if (p == NULL) -+ return; -+ -+ CRYPTO_DOWN_REF(&p->refcnt, &i, p->refcnt_lock); -+ REF_PRINT_COUNT("ossl_ec_nistp384", p); -+ if (i > 0) -+ return; -+ REF_ASSERT_ISNT(i < 0); -+ -+ CRYPTO_THREAD_lock_free(p->refcnt_lock); -+ OPENSSL_free(p); -+} -+ -+/******************************************************************************/ -+/* -+ * OPENSSL EC_METHOD FUNCTIONS -+ */ -+ -+int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group) -+{ -+ int ret; -+ -+ ret = ossl_ec_GFp_simple_group_init(group); -+ group->a_is_minus3 = 1; -+ return ret; -+} -+ -+int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p, -+ const BIGNUM *a, const BIGNUM *b, -+ BN_CTX *ctx) -+{ -+ int ret = 0; -+ BIGNUM *curve_p, *curve_a, *curve_b; -+#ifndef FIPS_MODULE -+ BN_CTX *new_ctx = NULL; -+ -+ if (ctx == NULL) -+ ctx = new_ctx = BN_CTX_new(); -+#endif -+ if (ctx == NULL) -+ return 0; -+ -+ BN_CTX_start(ctx); -+ curve_p = BN_CTX_get(ctx); -+ curve_a = BN_CTX_get(ctx); -+ curve_b = BN_CTX_get(ctx); -+ if (curve_b == NULL) -+ goto err; -+ BN_bin2bn(nistp384_curve_params[0], sizeof(felem_bytearray), curve_p); -+ BN_bin2bn(nistp384_curve_params[1], sizeof(felem_bytearray), curve_a); -+ 
BN_bin2bn(nistp384_curve_params[2], sizeof(felem_bytearray), curve_b); -+ if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) || (BN_cmp(curve_b, b))) { -+ ERR_raise(ERR_LIB_EC, EC_R_WRONG_CURVE_PARAMETERS); -+ goto err; -+ } -+ group->field_mod_func = BN_nist_mod_384; -+ ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx); -+ err: -+ BN_CTX_end(ctx); -+#ifndef FIPS_MODULE -+ BN_CTX_free(new_ctx); -+#endif -+ return ret; -+} -+ -+/* -+ * Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') = -+ * (X/Z^2, Y/Z^3) -+ */ -+int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group, -+ const EC_POINT *point, -+ BIGNUM *x, BIGNUM *y, -+ BN_CTX *ctx) -+{ -+ felem z1, z2, x_in, y_in, x_out, y_out; -+ widefelem tmp; -+ -+ if (EC_POINT_is_at_infinity(group, point)) { -+ ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY); -+ return 0; -+ } -+ if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) || -+ (!BN_to_felem(z1, point->Z))) -+ return 0; -+ felem_inv(z2, z1); -+ felem_square(tmp, z2); -+ felem_reduce(z1, tmp); -+ felem_mul(tmp, x_in, z1); -+ felem_reduce(x_in, tmp); -+ felem_contract(x_out, x_in); -+ if (x != NULL) { -+ if (!felem_to_BN(x, x_out)) { -+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); -+ return 0; -+ } -+ } -+ felem_mul(tmp, z1, z2); -+ felem_reduce(z1, tmp); -+ felem_mul(tmp, y_in, z1); -+ felem_reduce(y_in, tmp); -+ felem_contract(y_out, y_in); -+ if (y != NULL) { -+ if (!felem_to_BN(y, y_out)) { -+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); -+ return 0; -+ } -+ } -+ return 1; -+} -+ -+/* points below is of size |num|, and tmp_felems is of size |num+1/ */ -+static void make_points_affine(size_t num, felem points[][3], -+ felem tmp_felems[]) -+{ -+ /* -+ * Runs in constant time, unless an input is the point at infinity (which -+ * normally shouldn't happen). 
-+ */ -+ ossl_ec_GFp_nistp_points_make_affine_internal(num, -+ points, -+ sizeof(felem), -+ tmp_felems, -+ (void (*)(void *))felem_one, -+ felem_is_zero_int, -+ (void (*)(void *, const void *)) -+ felem_assign, -+ (void (*)(void *, const void *)) -+ felem_square_reduce, -+ (void (*)(void *, const void *, const void*)) -+ felem_mul_reduce, -+ (void (*)(void *, const void *)) -+ felem_inv, -+ (void (*)(void *, const void *)) -+ felem_contract); -+} -+ -+/* -+ * Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL -+ * values Result is stored in r (r can equal one of the inputs). -+ */ -+int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r, -+ const BIGNUM *scalar, size_t num, -+ const EC_POINT *points[], -+ const BIGNUM *scalars[], BN_CTX *ctx) -+{ -+ int ret = 0; -+ int j; -+ int mixed = 0; -+ BIGNUM *x, *y, *z, *tmp_scalar; -+ felem_bytearray g_secret; -+ felem_bytearray *secrets = NULL; -+ felem (*pre_comp)[17][3] = NULL; -+ felem *tmp_felems = NULL; -+ unsigned int i; -+ int num_bytes; -+ int have_pre_comp = 0; -+ size_t num_points = num; -+ felem x_in, y_in, z_in, x_out, y_out, z_out; -+ NISTP384_PRE_COMP *pre = NULL; -+ felem(*g_pre_comp)[3] = NULL; -+ EC_POINT *generator = NULL; -+ const EC_POINT *p = NULL; -+ const BIGNUM *p_scalar = NULL; -+ -+ BN_CTX_start(ctx); -+ x = BN_CTX_get(ctx); -+ y = BN_CTX_get(ctx); -+ z = BN_CTX_get(ctx); -+ tmp_scalar = BN_CTX_get(ctx); -+ if (tmp_scalar == NULL) -+ goto err; -+ -+ if (scalar != NULL) { -+ pre = group->pre_comp.nistp384; -+ if (pre) -+ /* we have precomputation, try to use it */ -+ g_pre_comp = &pre->g_pre_comp[0]; -+ else -+ /* try to use the standard precomputation */ -+ g_pre_comp = (felem(*)[3]) gmul; -+ generator = EC_POINT_new(group); -+ if (generator == NULL) -+ goto err; -+ /* get the generator from precomputation */ -+ if (!felem_to_BN(x, g_pre_comp[1][0]) || -+ !felem_to_BN(y, g_pre_comp[1][1]) || -+ !felem_to_BN(z, g_pre_comp[1][2])) { -+ ERR_raise(ERR_LIB_EC, 
ERR_R_BN_LIB); -+ goto err; -+ } -+ if (!ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, -+ generator, -+ x, y, z, ctx)) -+ goto err; -+ if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) -+ /* precomputation matches generator */ -+ have_pre_comp = 1; -+ else -+ /* -+ * we don't have valid precomputation: treat the generator as a -+ * random point -+ */ -+ num_points++; -+ } -+ -+ if (num_points > 0) { -+ if (num_points >= 2) { -+ /* -+ * unless we precompute multiples for just one point, converting -+ * those into affine form is time well spent -+ */ -+ mixed = 1; -+ } -+ secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points); -+ pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points); -+ if (mixed) -+ tmp_felems = -+ OPENSSL_malloc(sizeof(*tmp_felems) * (num_points * 17 + 1)); -+ if ((secrets == NULL) || (pre_comp == NULL) -+ || (mixed && (tmp_felems == NULL))) -+ goto err; -+ -+ /* -+ * we treat NULL scalars as 0, and NULL points as points at infinity, -+ * i.e., they contribute nothing to the linear combination -+ */ -+ for (i = 0; i < num_points; ++i) { -+ if (i == num) { -+ /* -+ * we didn't have a valid precomputation, so we pick the -+ * generator -+ */ -+ p = EC_GROUP_get0_generator(group); -+ p_scalar = scalar; -+ } else { -+ /* the i^th point */ -+ p = points[i]; -+ p_scalar = scalars[i]; -+ } -+ if (p_scalar != NULL && p != NULL) { -+ /* reduce scalar to 0 <= scalar < 2^384 */ -+ if ((BN_num_bits(p_scalar) > 384) -+ || (BN_is_negative(p_scalar))) { -+ /* -+ * this is an unusual input, and we don't guarantee -+ * constant-timeness -+ */ -+ if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) { -+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); -+ goto err; -+ } -+ num_bytes = BN_bn2lebinpad(tmp_scalar, -+ secrets[i], sizeof(secrets[i])); -+ } else { -+ num_bytes = BN_bn2lebinpad(p_scalar, -+ secrets[i], sizeof(secrets[i])); -+ } -+ if (num_bytes < 0) { -+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); -+ goto err; -+ } -+ /* precompute multiples 
*/ -+ if ((!BN_to_felem(x_out, p->X)) || -+ (!BN_to_felem(y_out, p->Y)) || -+ (!BN_to_felem(z_out, p->Z))) -+ goto err; -+ memcpy(pre_comp[i][1][0], x_out, sizeof(felem)); -+ memcpy(pre_comp[i][1][1], y_out, sizeof(felem)); -+ memcpy(pre_comp[i][1][2], z_out, sizeof(felem)); -+ for (j = 2; j <= 16; ++j) { -+ if (j & 1) { -+ point_add(pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], -+ pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2], 0, -+ pre_comp[i][j - 1][0], pre_comp[i][j - 1][1], pre_comp[i][j - 1][2]); -+ } else { -+ point_double(pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], -+ pre_comp[i][j / 2][0], pre_comp[i][j / 2][1], pre_comp[i][j / 2][2]); -+ } -+ } -+ } -+ } -+ if (mixed) -+ make_points_affine(num_points * 17, pre_comp[0], tmp_felems); -+ } -+ -+ /* the scalar for the generator */ -+ if (scalar != NULL && have_pre_comp) { -+ memset(g_secret, 0, sizeof(g_secret)); -+ /* reduce scalar to 0 <= scalar < 2^384 */ -+ if ((BN_num_bits(scalar) > 384) || (BN_is_negative(scalar))) { -+ /* -+ * this is an unusual input, and we don't guarantee -+ * constant-timeness -+ */ -+ if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) { -+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); -+ goto err; -+ } -+ num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret)); -+ } else { -+ num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret)); -+ } -+ /* do the multiplication with generator precomputation */ -+ batch_mul(x_out, y_out, z_out, -+ (const felem_bytearray(*))secrets, num_points, -+ g_secret, -+ mixed, (const felem(*)[17][3])pre_comp, -+ (const felem(*)[3])g_pre_comp); -+ } else { -+ /* do the multiplication without generator precomputation */ -+ batch_mul(x_out, y_out, z_out, -+ (const felem_bytearray(*))secrets, num_points, -+ NULL, mixed, (const felem(*)[17][3])pre_comp, NULL); -+ } -+ /* reduce the output to its unique minimal representation */ -+ felem_contract(x_in, x_out); -+ felem_contract(y_in, y_out); -+ felem_contract(z_in, 
z_out); -+ if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) || -+ (!felem_to_BN(z, z_in))) { -+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); -+ goto err; -+ } -+ ret = ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z, -+ ctx); -+ -+ err: -+ BN_CTX_end(ctx); -+ EC_POINT_free(generator); -+ OPENSSL_free(secrets); -+ OPENSSL_free(pre_comp); -+ OPENSSL_free(tmp_felems); -+ return ret; -+} -+ -+int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx) -+{ -+ int ret = 0; -+ NISTP384_PRE_COMP *pre = NULL; -+ int i, j; -+ BIGNUM *x, *y; -+ EC_POINT *generator = NULL; -+ felem tmp_felems[16]; -+#ifndef FIPS_MODULE -+ BN_CTX *new_ctx = NULL; -+#endif -+ -+ /* throw away old precomputation */ -+ EC_pre_comp_free(group); -+ -+#ifndef FIPS_MODULE -+ if (ctx == NULL) -+ ctx = new_ctx = BN_CTX_new(); -+#endif -+ if (ctx == NULL) -+ return 0; -+ -+ BN_CTX_start(ctx); -+ x = BN_CTX_get(ctx); -+ y = BN_CTX_get(ctx); -+ if (y == NULL) -+ goto err; -+ /* get the generator */ -+ if (group->generator == NULL) -+ goto err; -+ generator = EC_POINT_new(group); -+ if (generator == NULL) -+ goto err; -+ BN_bin2bn(nistp384_curve_params[3], sizeof(felem_bytearray), x); -+ BN_bin2bn(nistp384_curve_params[4], sizeof(felem_bytearray), y); -+ if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx)) -+ goto err; -+ if ((pre = nistp384_pre_comp_new()) == NULL) -+ goto err; -+ /* -+ * if the generator is the standard one, use built-in precomputation -+ */ -+ if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) { -+ memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp)); -+ goto done; -+ } -+ if ((!BN_to_felem(pre->g_pre_comp[1][0], group->generator->X)) || -+ (!BN_to_felem(pre->g_pre_comp[1][1], group->generator->Y)) || -+ (!BN_to_felem(pre->g_pre_comp[1][2], group->generator->Z))) -+ goto err; -+ /* compute 2^95*G, 2^190*G, 2^285*G */ -+ for (i = 1; i <= 4; i <<= 1) { -+ point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], 
pre->g_pre_comp[2 * i][2], -+ pre->g_pre_comp[i][0], pre->g_pre_comp[i][1], pre->g_pre_comp[i][2]); -+ for (j = 0; j < 94; ++j) { -+ point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], -+ pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2]); -+ } -+ } -+ /* g_pre_comp[0] is the point at infinity */ -+ memset(pre->g_pre_comp[0], 0, sizeof(pre->g_pre_comp[0])); -+ /* the remaining multiples */ -+ /* 2^95*G + 2^190*G */ -+ point_add(pre->g_pre_comp[6][0], pre->g_pre_comp[6][1], pre->g_pre_comp[6][2], -+ pre->g_pre_comp[4][0], pre->g_pre_comp[4][1], pre->g_pre_comp[4][2], 0, -+ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); -+ /* 2^95*G + 2^285*G */ -+ point_add(pre->g_pre_comp[10][0], pre->g_pre_comp[10][1], pre->g_pre_comp[10][2], -+ pre->g_pre_comp[8][0], pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 0, -+ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); -+ /* 2^190*G + 2^285*G */ -+ point_add(pre->g_pre_comp[12][0], pre->g_pre_comp[12][1], pre->g_pre_comp[12][2], -+ pre->g_pre_comp[8][0], pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 0, -+ pre->g_pre_comp[4][0], pre->g_pre_comp[4][1], pre->g_pre_comp[4][2]); -+ /* 2^95*G + 2^190*G + 2^285*G */ -+ point_add(pre->g_pre_comp[14][0], pre->g_pre_comp[14][1], pre->g_pre_comp[14][2], -+ pre->g_pre_comp[12][0], pre->g_pre_comp[12][1], pre->g_pre_comp[12][2], 0, -+ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); -+ for (i = 1; i < 8; ++i) { -+ /* odd multiples: add G */ -+ point_add(pre->g_pre_comp[2 * i + 1][0], pre->g_pre_comp[2 * i + 1][1], pre->g_pre_comp[2 * i + 1][2], -+ pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], 0, -+ pre->g_pre_comp[1][0], pre->g_pre_comp[1][1], pre->g_pre_comp[1][2]); -+ } -+ make_points_affine(15, &(pre->g_pre_comp[1]), tmp_felems); -+ -+ done: -+ SETPRECOMP(group, nistp384, pre); -+ ret = 1; -+ pre = NULL; -+ err: -+ 
BN_CTX_end(ctx); -+ EC_POINT_free(generator); -+#ifndef FIPS_MODULE -+ BN_CTX_free(new_ctx); -+#endif -+ ossl_ec_nistp384_pre_comp_free(pre); -+ return ret; -+} -+ -+int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group) -+{ -+ return HAVEPRECOMP(group, nistp384); -+} diff --git a/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch b/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch deleted file mode 100644 index 90f12cd..0000000 --- a/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch +++ /dev/null 
@@ -1,65 +0,0 @@
-From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001
-From: Rohan McLure
-Date: Fri, 23 Jun 2023 16:41:48 +1000
-Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul}
- wrappers
-
-Runtime selection of implementations for felem_{square,mul} depends on
-felem_{square,mul}_wrapper functions, which overwrite function points in
-a similar design to that of .plt.got sections used by program loaders
-during dynamic linking.
-
-There's no reason why these functions need to have external linkage.
-Mark static.
-
-Signed-off-by: Rohan McLure
-
-Reviewed-by: Paul Dale
-Reviewed-by: Shane Lontis
-Reviewed-by: Dmitry Belyavskiy
-Reviewed-by: Todd Short
-(Merged from https://github.com/openssl/openssl/pull/21471)
----
- crypto/ec/ecp_nistp521.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
-index 97815cac1f13..32a9268ecf17 100644
---- a/crypto/ec/ecp_nistp521.c
-+++ b/crypto/ec/ecp_nistp521.c
-@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in)
- }
- 
- #if defined(ECP_NISTP521_ASM)
--void felem_square_wrapper(largefelem out, const felem in);
--void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
-+static void felem_square_wrapper(largefelem out, const felem in);
-+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
- 
- static void (*felem_square_p)(largefelem out, const felem in) =
- felem_square_wrapper;
-@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2);
- # include "crypto/ppc_arch.h"
- # endif
- 
--void felem_select(void)
-+static void felem_select(void)
- {
- # if defined(_ARCH_PPC64)
- if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
-@@ -707,13 +707,13 @@ void felem_select(void)
- felem_mul_p = felem_mul_ref;
- }
- 
--void felem_square_wrapper(largefelem out, const felem in)
-+static void felem_square_wrapper(largefelem out, const felem in)
- {
- felem_select();
- felem_square_p(out, in);
- }
- 
--void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
-+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
- {
- felem_select();
- felem_mul_p(out, in1, in2);
diff --git a/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch b/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
deleted file mode 100644
index 91bb470..0000000
--- a/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
+++ /dev/null
@@ -1,428 +0,0 @@ -From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Wed, 31 May 2023 14:32:26 +1000 -Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul} - -Add an assembly implementation of felem_{square,mul}, which will be -implemented whenever Altivec support is present and the core implements -ISA 3.0 (Power 9) or greater. - -Signed-off-by: Rohan McLure - -Reviewed-by: Paul Dale -Reviewed-by: Shane Lontis -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Todd Short -(Merged from https://github.com/openssl/openssl/pull/21471) ---- - crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++ - crypto/ec/build.info | 6 +- - crypto/ec/ecp_nistp384.c | 9 + - 3 files changed, 368 insertions(+), 2 deletions(-) - create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl - -diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl -new file mode 100755 -index 000000000000..3f86b391af69 ---- /dev/null -+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl -@@ -0,0 +1,355 @@ -+#! /usr/bin/env perl -+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+# -+# ==================================================================== -+# Written by Rohan McLure for the OpenSSL -+# project. -+# ==================================================================== -+# -+# p384 lower-level primitives for PPC64 using vector instructions. 
-+# -+ -+use strict; -+use warnings; -+ -+my $flavour = shift; -+my $output = ""; -+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} -+if (!$output) { -+ $output = "-"; -+} -+ -+my ($xlate, $dir); -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or -+die "can't locate ppc-xlate.pl"; -+ -+open OUT,"| \"$^X\" $xlate $flavour $output"; -+*STDOUT=*OUT; -+ -+my $code = ""; -+ -+my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12"); -+ -+my $vzero = "v32"; -+ -+sub startproc($) -+{ -+ my ($name) = @_; -+ -+ $code.=<<___; -+ .globl ${name} -+ .align 5 -+${name}: -+ -+___ -+} -+ -+sub endproc($) -+{ -+ my ($name) = @_; -+ -+ $code.=<<___; -+ blr -+ .size ${name},.-${name} -+ -+___ -+} -+ -+ -+sub push_vrs($$) -+{ -+ my ($min, $max) = @_; -+ -+ my $count = $max - $min + 1; -+ -+ $code.=<<___; -+ mr $savesp,$sp -+ stdu $sp,-16*`$count+1`($sp) -+ -+___ -+ for (my $i = $min; $i <= $max; $i++) { -+ my $mult = $max - $i + 1; -+ $code.=<<___; -+ stxv $i,-16*$mult($savesp) -+___ -+ -+ } -+ -+ $code.=<<___; -+ -+___ -+} -+ -+sub pop_vrs($$) -+{ -+ my ($min, $max) = @_; -+ -+ $code.=<<___; -+ ld $savesp,0($sp) -+___ -+ for (my $i = $min; $i <= $max; $i++) { -+ my $mult = $max - $i + 1; -+ $code.=<<___; -+ lxv $i,-16*$mult($savesp) -+___ -+ } -+ -+ $code.=<<___; -+ mr $sp,$savesp -+ -+___ -+} -+ -+sub load_vrs($$) -+{ -+ my ($pointer, $reg_list) = @_; -+ -+ for (my $i = 0; $i <= 6; $i++) { -+ my $offset = $i * 8; -+ $code.=<<___; -+ lxsd $reg_list->[$i],$offset($pointer) -+___ -+ } -+ -+ $code.=<<___; -+ -+___ -+} -+ -+sub store_vrs($$) -+{ -+ my ($pointer, $reg_list) = @_; -+ -+ for (my $i = 0; $i <= 12; $i++) { -+ my $offset = $i * 16; -+ $code.=<<___; -+ stxv $reg_list->[$i],$offset($pointer) -+___ -+ } -+ -+ $code.=<<___; -+ -+___ -+} -+ -+$code.=<<___; -+.machine "any" -+.text -+ -+___ -+ -+{ -+ # mul/square common -+ my ($t1, $t2, $t3, $t4) = ("v33", "v34", 
"v42", "v43"); -+ my ($zero, $one) = ("r8", "r9"); -+ my $out = "v51"; -+ -+ { -+ # -+ # p384_felem_mul -+ # -+ -+ my ($in1p, $in2p) = ("r4", "r5"); -+ my @in1 = map("v$_",(44..50)); -+ my @in2 = map("v$_",(35..41)); -+ -+ startproc("p384_felem_mul"); -+ -+ push_vrs(52, 63); -+ -+ $code.=<<___; -+ vspltisw $vzero,0 -+ -+___ -+ -+ load_vrs($in1p, \@in1); -+ load_vrs($in2p, \@in2); -+ -+ $code.=<<___; -+ vmsumudm $out,$in1[0],$in2[0],$vzero -+ stxv $out,0($outp) -+ -+ xxpermdi $t1,$in1[0],$in1[1],0b00 -+ xxpermdi $t2,$in2[1],$in2[0],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,16($outp) -+ -+ xxpermdi $t2,$in2[2],$in2[1],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in1[2],$in2[0],$out -+ stxv $out,32($outp) -+ -+ xxpermdi $t2,$in2[1],$in2[0],0b00 -+ xxpermdi $t3,$in1[2],$in1[3],0b00 -+ xxpermdi $t4,$in2[3],$in2[2],0b00 -+ vmsumudm $out,$t1,$t4,$vzero -+ vmsumudm $out,$t3,$t2,$out -+ stxv $out,48($outp) -+ -+ xxpermdi $t2,$in2[4],$in2[3],0b00 -+ xxpermdi $t4,$in2[2],$in2[1],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ vmsumudm $out,$in1[4],$in2[0],$out -+ stxv $out,64($outp) -+ -+ xxpermdi $t2,$in2[5],$in2[4],0b00 -+ xxpermdi $t4,$in2[3],$in2[2],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ xxpermdi $t4,$in2[1],$in2[0],0b00 -+ xxpermdi $t1,$in1[4],$in1[5],0b00 -+ vmsumudm $out,$t1,$t4,$out -+ stxv $out,80($outp) -+ -+ xxpermdi $t1,$in1[0],$in1[1],0b00 -+ xxpermdi $t2,$in2[6],$in2[5],0b00 -+ xxpermdi $t4,$in2[4],$in2[3],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ xxpermdi $t2,$in2[2],$in2[1],0b00 -+ xxpermdi $t1,$in1[4],$in1[5],0b00 -+ vmsumudm $out,$t1,$t2,$out -+ vmsumudm $out,$in1[6],$in2[0],$out -+ stxv $out,96($outp) -+ -+ xxpermdi $t1,$in1[1],$in1[2],0b00 -+ xxpermdi $t2,$in2[6],$in2[5],0b00 -+ xxpermdi $t3,$in1[3],$in1[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ xxpermdi $t3,$in2[2],$in2[1],0b00 -+ xxpermdi $t1,$in1[5],$in1[6],0b00 -+ vmsumudm 
$out,$t1,$t3,$out -+ stxv $out,112($outp) -+ -+ xxpermdi $t1,$in1[2],$in1[3],0b00 -+ xxpermdi $t3,$in1[4],$in1[5],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ vmsumudm $out,$in1[6],$in2[2],$out -+ stxv $out,128($outp) -+ -+ xxpermdi $t1,$in1[3],$in1[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ xxpermdi $t1,$in1[5],$in1[6],0b00 -+ vmsumudm $out,$t1,$t4,$out -+ stxv $out,144($outp) -+ -+ vmsumudm $out,$t3,$t2,$vzero -+ vmsumudm $out,$in1[6],$in2[4],$out -+ stxv $out,160($outp) -+ -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,176($outp) -+ -+ vmsumudm $out,$in1[6],$in2[6],$vzero -+ stxv $out,192($outp) -+___ -+ -+ endproc("p384_felem_mul"); -+ } -+ -+ { -+ # -+ # p384_felem_square -+ # -+ -+ my ($inp) = ("r4"); -+ my @in = map("v$_",(44..50)); -+ my @inx2 = map("v$_",(35..41)); -+ -+ startproc("p384_felem_square"); -+ -+ push_vrs(52, 63); -+ -+ $code.=<<___; -+ vspltisw $vzero,0 -+ -+___ -+ -+ load_vrs($inp, \@in); -+ -+ $code.=<<___; -+ li $zero,0 -+ li $one,1 -+ mtvsrdd $t1,$one,$zero -+___ -+ -+ for (my $i = 0; $i <= 6; $i++) { -+ $code.=<<___; -+ vsld $inx2[$i],$in[$i],$t1 -+___ -+ } -+ -+ $code.=<<___; -+ vmsumudm $out,$in[0],$in[0],$vzero -+ stxv $out,0($outp) -+ -+ vmsumudm $out,$in[0],$inx2[1],$vzero -+ stxv $out,16($outp) -+ -+ vmsumudm $out,$in[0],$inx2[2],$vzero -+ vmsumudm $out,$in[1],$in[1],$out -+ stxv $out,32($outp) -+ -+ xxpermdi $t1,$in[0],$in[1],0b00 -+ xxpermdi $t2,$inx2[3],$inx2[2],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,48($outp) -+ -+ xxpermdi $t4,$inx2[4],$inx2[3],0b00 -+ vmsumudm $out,$t1,$t4,$vzero -+ vmsumudm $out,$in[2],$in[2],$out -+ stxv $out,64($outp) -+ -+ xxpermdi $t2,$inx2[5],$inx2[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in[2],$inx2[3],$out -+ stxv $out,80($outp) -+ -+ xxpermdi $t2,$inx2[6],$inx2[5],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in[2],$inx2[4],$out -+ vmsumudm $out,$in[3],$in[3],$out -+ stxv $out,96($outp) -+ -+ xxpermdi $t3,$in[1],$in[2],0b00 -+ vmsumudm 
$out,$t3,$t2,$vzero -+ vmsumudm $out,$in[3],$inx2[4],$out -+ stxv $out,112($outp) -+ -+ xxpermdi $t1,$in[2],$in[3],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in[4],$in[4],$out -+ stxv $out,128($outp) -+ -+ xxpermdi $t1,$in[3],$in[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,144($outp) -+ -+ vmsumudm $out,$in[4],$inx2[6],$vzero -+ vmsumudm $out,$in[5],$in[5],$out -+ stxv $out,160($outp) -+ -+ vmsumudm $out,$in[5],$inx2[6],$vzero -+ stxv $out,176($outp) -+ -+ vmsumudm $out,$in[6],$in[6],$vzero -+ stxv $out,192($outp) -+___ -+ -+ endproc("p384_felem_square"); -+ } -+} -+ -+$code =~ s/\`([^\`]*)\`/eval $1/gem; -+print $code; -+close STDOUT or die "error closing STDOUT: $!"; -diff --git a/crypto/ec/build.info b/crypto/ec/build.info -index 1fa60a1deddd..4077bead7bdb 100644 ---- a/crypto/ec/build.info -+++ b/crypto/ec/build.info -@@ -39,8 +39,9 @@ IF[{- !$disabled{asm} -}] - $ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s - $ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM - IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}] -- $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s -- $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM -+ $ECASM_ppc64=$ECASM_ppc64 ecp_nistp384-ppc64.s ecp_nistp521-ppc64.s -+ $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP384_ASM ECP_NISTP521_ASM -+ INCLUDE[ecp_nistp384.o]=.. - INCLUDE[ecp_nistp521.o]=.. - ENDIF - -@@ -119,6 +120,7 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl - INCLUDE[ecp_nistz256-armv8.o]=.. 
- GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl - -+GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl - GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl - - GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl -diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c -index a0559487ed4e..14f9530d07c6 100644 ---- a/crypto/ec/ecp_nistp384.c -+++ b/crypto/ec/ecp_nistp384.c -@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const felem in1, const felem in2); - - static void felem_select(void) - { -+# if defined(_ARCH_PPC64) -+ if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) { -+ felem_square_p = p384_felem_square; -+ felem_mul_p = p384_felem_mul; -+ -+ return; -+ } -+# endif -+ - /* Default */ - felem_square_p = felem_square_ref; - felem_mul_p = felem_mul_ref; diff --git a/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch b/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch deleted file mode 100644 index a2918d9..0000000 --- a/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Tue, 15 Aug 2023 15:20:20 +1000 -Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1 - -Substitutions in the felem_reduce() method feature unecessary -parentheses, remove them. - -Signed-off-by: Rohan McLure - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/21749) ---- - crypto/ec/ecp_nistp384.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c -index 14f9530d07c6..ff68f9cc7ad0 100644 ---- a/crypto/ec/ecp_nistp384.c -+++ b/crypto/ec/ecp_nistp384.c -@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[7] += in[12] >> 8; - acc[6] += (in[12] & 0xff) << 48; - acc[6] -= in[12] >> 16; -- acc[5] -= ((in[12] & 0xffff) << 40); -+ acc[5] -= (in[12] & 0xffff) << 40; - acc[6] += in[12] >> 48; - acc[5] += (in[12] & 0xffffffffffff) << 8; - -@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[6] += in[11] >> 8; - acc[5] += (in[11] & 0xff) << 48; - acc[5] -= in[11] >> 16; -- acc[4] -= ((in[11] & 0xffff) << 40); -+ acc[4] -= (in[11] & 0xffff) << 40; - acc[5] += in[11] >> 48; - acc[4] += (in[11] & 0xffffffffffff) << 8; - -@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[5] += in[10] >> 8; - acc[4] += (in[10] & 0xff) << 48; - acc[4] -= in[10] >> 16; -- acc[3] -= ((in[10] & 0xffff) << 40); -+ acc[3] -= (in[10] & 0xffff) << 40; - acc[4] += in[10] >> 48; - acc[3] += (in[10] & 0xffffffffffff) << 8; - -@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[4] += in[9] >> 8; - acc[3] += (in[9] & 0xff) << 48; - acc[3] -= in[9] >> 16; -- acc[2] -= ((in[9] & 0xffff) << 40); -+ acc[2] -= (in[9] & 0xffff) << 40; - acc[3] += in[9] >> 48; - acc[2] += (in[9] & 0xffffffffffff) << 8; - -@@ 
-582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[3] += acc[8] >> 8; - acc[2] += (acc[8] & 0xff) << 48; - acc[2] -= acc[8] >> 16; -- acc[1] -= ((acc[8] & 0xffff) << 40); -+ acc[1] -= (acc[8] & 0xffff) << 40; - acc[2] += acc[8] >> 48; - acc[1] += (acc[8] & 0xffffffffffff) << 8; - -@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[2] += acc[7] >> 8; - acc[1] += (acc[7] & 0xff) << 48; - acc[1] -= acc[7] >> 16; -- acc[0] -= ((acc[7] & 0xffff) << 40); -+ acc[0] -= (acc[7] & 0xffff) << 40; - acc[1] += acc[7] >> 48; - acc[0] += (acc[7] & 0xffffffffffff) << 8; - diff --git a/openssl-load-legacy-provider.patch b/openssl-load-legacy-provider.patch index 217d8e1..f112006 100644 --- a/openssl-load-legacy-provider.patch +++ b/openssl-load-legacy-provider.patch @@ -13,11 +13,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd doc/man5/config.pod | 8 ++++++++ 2 files changed, 23 insertions(+), 22 deletions(-) -Index: openssl-3.1.4/apps/openssl.cnf +Index: openssl-3.2.3/apps/openssl.cnf =================================================================== ---- openssl-3.1.4.orig/apps/openssl.cnf -+++ openssl-3.1.4/apps/openssl.cnf -@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1 +--- openssl-3.2.3.orig/apps/openssl.cnf ++++ openssl-3.2.3/apps/openssl.cnf +@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 @@ -32,7 +32,9 @@ Index: openssl-3.1.4/apps/openssl.cnf [openssl_init] providers = provider_sect # Load default TLS policy configuration - ssl_conf = ssl_module +@@ -58,23 +50,24 @@ ssl_conf = ssl_module + [ evp_properties ] + # This section is intentionally added empty here to be tuned on particular systems -# List of providers to load +# Uncomment the sections that start with ## below to enable the legacy provider. 
@@ -68,11 +70,11 @@ Index: openssl-3.1.4/apps/openssl.cnf +##activate = 1 [ ssl_module ] - -Index: openssl-3.1.4/doc/man5/config.pod + system_default = crypto_policy +Index: openssl-3.2.3/doc/man5/config.pod =================================================================== ---- openssl-3.1.4.orig/doc/man5/config.pod -+++ openssl-3.1.4/doc/man5/config.pod +--- openssl-3.2.3.orig/doc/man5/config.pod ++++ openssl-3.2.3/doc/man5/config.pod @@ -273,6 +273,14 @@ significant. All parameters in the section as well as sub-sections are made available to the provider. diff --git a/openssl-no-html-docs.patch b/openssl-no-html-docs.patch index efda996..41ca968 100644 --- a/openssl-no-html-docs.patch +++ b/openssl-no-html-docs.patch @@ -1,13 +1,13 @@ -Index: openssl-3.1.4/Configurations/unix-Makefile.tmpl +Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-3.1.4.orig/Configurations/unix-Makefile.tmpl -+++ openssl-3.1.4/Configurations/unix-Makefile.tmpl -@@ -611,7 +611,7 @@ install_sw: install_dev install_engines +--- openssl-3.2.3.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.2.3/Configurations/unix-Makefile.tmpl +@@ -633,7 +633,7 @@ install_sw: install_dev install_engines - uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev + uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries --install_docs: install_man_docs install_html_docs -+install_docs: install_man_docs +-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation ++install_docs: install_man_docs # install_html_docs ## Install manpages and HTML documentation - uninstall_docs: uninstall_man_docs uninstall_html_docs + uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation $(RM) -r "$(DESTDIR)$(DOCDIR)" 
diff --git a/openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch b/openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch deleted file mode 100644 index dc86604..0000000 --- a/openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 48c763ed9cc889806bc01222382ce6f918a408a2 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 16:12:33 +0200 -Subject: [PATCH 46/48] - 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch - -Patch-name: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch -Patch-id: 112 ---- - providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++-- - 1 file changed, 37 insertions(+), 3 deletions(-) - -diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c -index 11820d1e69..bae2238ab5 100644 ---- a/providers/implementations/kdfs/pbkdf2.c -+++ b/providers/implementations/kdfs/pbkdf2.c -@@ -284,11 +284,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx, - - static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[]) - { -+#ifdef FIPS_MODULE -+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM *p; -+ int any_valid = 0; /* set to 1 when at least one parameter was valid */ -+ -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { -+ any_valid = 1; -+ -+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) -+ return 0; -+ } -+ -+#ifdef FIPS_MODULE -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR)) -+ != NULL) { -+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; -+ -+ /* The lower_bound_checks parameter enables checks required by FIPS. If -+ * those checks are disabled, the PBKDF2 implementation will also -+ * support non-approved parameters (e.g., salt lengths < 16 bytes, see -+ * NIST SP 800-132 section 5.1). 
*/ -+ if (!ctx->lower_bound_checks) -+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; - -- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) -- return OSSL_PARAM_set_size_t(p, SIZE_MAX); -- return -2; -+ if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ -+ any_valid = 1; -+ } -+#endif /* defined(FIPS_MODULE) */ -+ -+ if (!any_valid) -+ return -2; -+ -+ return 1; - } - - static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, -@@ -296,6 +327,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; --- -2.41.0 - diff --git a/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch b/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch index 8788a95..9db31ac 100644 --- a/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch +++ b/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch 
@@ -10,11 +10,11 @@ Patch-id: 84 providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) -diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c -index 349c3dd657..11820d1e69 100644 ---- a/providers/implementations/kdfs/pbkdf2.c -+++ b/providers/implementations/kdfs/pbkdf2.c -@@ -35,6 +35,21 @@ +Index: openssl-3.5.0-beta1/providers/implementations/kdfs/pbkdf2.c +=================================================================== +--- openssl-3.5.0-beta1.orig/providers/implementations/kdfs/pbkdf2.c ++++ openssl-3.5.0-beta1/providers/implementations/kdfs/pbkdf2.c +@@ -36,6 +36,21 @@ #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF #define KDF_PBKDF2_MIN_ITERATIONS 1000 #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) 
@@ -32,12 +32,52 @@ index 349c3dd657..11820d1e69 100644 + * testing uses passwords as short as 8 bytes, and requiring longer passwords + * combined with an implicit indicator (i.e., returning an error) would cause + * the module to fail ACVP testing. */ -+#define KDF_PBKDF2_MIN_PASSWORD_LEN (20) ++#define KDF_PBKDF2_MIN_PASSWORD_LEN (8) static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new; static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup; -@@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - ctx->lower_bound_checks = pkcs5 == 0; +@@ -179,8 +194,8 @@ static int pbkdf2_set_membuf(unsigned ch + } + + static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter, +- size_t keylen, int *error, +- const char **desc) ++ size_t keylen, size_t passlen, ++ int *error, const char **desc) + { + if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { + *error = PROV_R_KEY_SIZE_TOO_SMALL; +@@ -188,6 +203,12 @@ static int pbkdf2_lower_bound_check_pass + *desc = "Key size"; + return 0; + } ++ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) { ++ *error = PROV_R_INVALID_INPUT_LENGTH; ++ if (desc != NULL) ++ *desc = "Password length"; ++ return 0; ++ } + if (saltlen < KDF_PBKDF2_MIN_SALT_LEN) { + *error = PROV_R_INVALID_SALT_LENGTH; + if (desc != NULL) +@@ -205,13 +226,13 @@ static int pbkdf2_lower_bound_check_pass + } + + #ifdef FIPS_MODULE +-static int fips_lower_bound_check_passed(KDF_PBKDF2 *ctx, size_t keylen) ++static int fips_lower_bound_check_passed(KDF_PBKDF2 *ctx, size_t keylen, size_t passlen) + { + OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); + int error = 0; + const char *desc = NULL; + int approved = pbkdf2_lower_bound_check_passed(ctx->salt_len, ctx->iter, +- keylen, &error, &desc); ++ keylen, passlen, &error, &desc); + + if (!approved) { + if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx, +@@ -283,9 +304,15 @@ static int kdf_pbkdf2_set_ctx_params(voi + #endif } - if ((p = OSSL_PARAM_locate_const(params, 
OSSL_KDF_PARAM_PASSWORD)) != NULL) @@ -53,17 +93,19 @@ index 349c3dd657..11820d1e69 100644 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { if (ctx->lower_bound_checks != 0 -@@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen, +@@ -400,13 +427,13 @@ static int pbkdf2_derive(KDF_PBKDF2 *ctx } + #ifdef FIPS_MODULE +- if (!fips_lower_bound_check_passed(ctx, keylen)) ++ if (!fips_lower_bound_check_passed(ctx, keylen, passlen)) + return 0; + #else if (lower_bound_checks) { -+ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); -+ return 0; -+ } - if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { - ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); - return 0; --- -2.41.0 - + int error = 0; + int passed = pbkdf2_lower_bound_check_passed(saltlen, iter, keylen, +- &error, NULL); ++ passlen, &error, NULL); + + if (!passed) { + ERR_raise(ERR_LIB_PROV, error); diff --git a/openssl-pkgconfig.patch b/openssl-pkgconfig.patch index 862be2c..f1cfbce 100644 --- a/openssl-pkgconfig.patch +++ b/openssl-pkgconfig.patch 
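Review bot: The new `passlen < KDF_PBKDF2_MIN_PASSWORD_LEN` branch in pbkdf2_lower_bound_check_passed() is a user-visible behaviour change — a password shorter than 8 bytes now fails derivation with PROV_R_INVALID_INPUT_LENGTH whenever lower-bound checks are on, and in the FIPS module it goes through the same OSSL_FIPS_IND_ON_UNAPPROVED path as the salt and key-size checks — but the diffstat lists only pbkdf2.c, so the EVP_KDF-PBKDF2 man page still documents no password minimum next to its salt and iteration bounds. A sentence there, under the pkcs5 parameter, would close that gap. The comment above the #define explains why 8 bytes matches the ACVP vectors but not that this patch previously used 20; `/* lowered from 20: the ACVP vectors described above would otherwise be rejected */` on the #define line keeps that history with the code. pbkdf2_derive() and kdf_pbkdf2_set_ctx_params() both extend beyond the hunk, so I cannot see whether the six lines added near OSSL_KDF_PARAM_PASSWORD in set_ctx_params use the same constant — they should, so a short password is refused consistently at set time and at derive time.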
@@ -1,22 +1,26 @@
-Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl
+Index: openssl-3.5.0-beta1/exporters/pkg-config/libcrypto.pc.in
===================================================================
---- openssl-1.1.1-pre3.orig/Configurations/unix-Makefile.tmpl 2018-03-20 15:20:03.037124698 +0100
-+++ openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl 2018-03-20 15:21:04.206084731 +0100
-@@ -843,7 +843,7 @@ libcrypto.pc:
- echo 'Version: '$(VERSION); \
- echo 'Libs: -L$${libdir} -lcrypto'; \
- echo 'Libs.private: $(LIB_EX_LIBS)'; \
-- echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
-+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libcrypto.pc
-
- libssl.pc:
- @ ( echo 'prefix=$(INSTALLTOP)'; \
-@@ -860,7 +860,7 @@ libssl.pc:
- echo 'Version: '$(VERSION); \
- echo 'Requires.private: libcrypto'; \
- echo 'Libs: -L$${libdir} -lssl'; \
-- echo 'Cflags: -I$${includedir}' ) > libssl.pc
-+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libssl.pc
-
- openssl.pc:
- @ ( echo 'prefix=$(INSTALLTOP)'; \
+--- openssl-3.5.0-beta1.orig/exporters/pkg-config/libcrypto.pc.in
++++ openssl-3.5.0-beta1/exporters/pkg-config/libcrypto.pc.in
+@@ -19,7 +19,7 @@ Description: OpenSSL cryptography librar
+ Version: {- $OpenSSL::safe::installdata::VERSION -}
+ Libs: -L${libdir} -lcrypto
+ Libs.private: {- join(' ', @OpenSSL::safe::installdata::LDLIBS) -}
+-Cflags:{- $OUT = ' -I${includedir}';
++Cflags:{- $OUT = ' -DOPENSSL_LOAD_CONF -I${includedir}';
+ if (scalar @OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX > 1) {
+ $OUT = '';
+ $OUT .= ' -I${prefix}/' . $_ . ' '
+Index: openssl-3.5.0-beta1/exporters/pkg-config/libssl.pc.in
+===================================================================
+--- openssl-3.5.0-beta1.orig/exporters/pkg-config/libssl.pc.in
++++ openssl-3.5.0-beta1/exporters/pkg-config/libssl.pc.in
+@@ -17,7 +17,7 @@ Description: Secure Sockets Layer and cr
+ Version: {- $OpenSSL::safe::installdata::VERSION -}
+ Requires.private: libcrypto
+ Libs: -L${libdir} -lssl
+-Cflags:{- $OUT = ' -I${includedir}';
++Cflags:{- $OUT = ' -DOPENSSL_LOAD_CONF -I${includedir}';
+ if (scalar @OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX > 1) {
+ $OUT = '';
+ $OUT .= ' -I${prefix}/' . $_ . ' '
diff --git a/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch b/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
deleted file mode 100644
index ecfecb5..0000000
--- a/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
+++ /dev/null
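Review bot: `-DOPENSSL_LOAD_CONF` is added only to the initial `$OUT` assignment, but the unchanged `$OUT = '';` two lines below discards it whenever INCLUDEDIR_REL_PREFIX has more than one entry, so on such a layout the generated libcrypto.pc and libssl.pc silently lose the define, whereas the Makefile-based patch this replaces always emitted it. The smallest fix is to seed the reset with the define too: change `$OUT = '';` to `$OUT = ' -DOPENSSL_LOAD_CONF';` in both .pc.in files, or prepend the define after the if-block so it does not depend on the include-dir logic at all. I cannot tell from here whether an installed tree ever reports more than one include dir, but a config-loading difference that depends on directory layout is painful to diagnose downstream, so a template comment such as `# -DOPENSSL_LOAD_CONF is a distribution-wide guarantee; keep it in every branch` is worth adding either way.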
@@ -1,96 +0,0 @@ -From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Wed, 16 Aug 2023 16:52:47 +1000 -Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm - -Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as -VSX enabled systems make extensive use of renaming, and so writebacks in -felem_{mul,square}() can be reordered for best cache effects. - -Remove stack allocations. This in turn fixes unmatched push/pops in -felem_{mul,square}(). - -Signed-off-by: Rohan McLure - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/21749) ---- - crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 ----------------------------- - 1 file changed, 49 deletions(-) - -diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl -index 3f86b391af69..28f4168e5218 100755 ---- a/crypto/ec/asm/ecp_nistp384-ppc64.pl -+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl -@@ -62,51 +62,6 @@ ($) - ___ - } - -- --sub push_vrs($$) --{ -- my ($min, $max) = @_; -- -- my $count = $max - $min + 1; -- -- $code.=<<___; -- mr $savesp,$sp -- stdu $sp,-16*`$count+1`($sp) -- --___ -- for (my $i = $min; $i <= $max; $i++) { -- my $mult = $max - $i + 1; -- $code.=<<___; -- stxv $i,-16*$mult($savesp) --___ -- -- } -- -- $code.=<<___; -- --___ --} -- --sub pop_vrs($$) --{ -- my ($min, $max) = @_; -- -- $code.=<<___; -- ld $savesp,0($sp) --___ -- for (my $i = $min; $i <= $max; $i++) { -- my $mult = $max - $i + 1; -- $code.=<<___; -- lxv $i,-16*$mult($savesp) --___ -- } -- -- $code.=<<___; -- mr $sp,$savesp -- --___ --} -- - sub load_vrs($$) - { - my ($pointer, $reg_list) = @_; -@@ -162,8 +117,6 @@ ($$) - - startproc("p384_felem_mul"); - -- push_vrs(52, 63); -- - $code.=<<___; - vspltisw $vzero,0 - -@@ -268,8 +221,6 @@ ($$) - - startproc("p384_felem_square"); - -- push_vrs(52, 63); -- - $code.=<<___; - vspltisw $vzero,0 - 
diff --git a/openssl-ppc64-config.patch b/openssl-ppc64-config.patch index 1efc39d..1312db2 100644 --- a/openssl-ppc64-config.patch +++ b/openssl-ppc64-config.patch @@ -1,8 +1,8 @@ -Index: openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm +Index: openssl-3.2.3/util/perl/OpenSSL/config.pm =================================================================== ---- openssl-3.0.0-alpha5.orig/util/perl/OpenSSL/config.pm -+++ openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm -@@ -525,14 +525,19 @@ EOF +--- openssl-3.2.3.orig/util/perl/OpenSSL/config.pm ++++ openssl-3.2.3/util/perl/OpenSSL/config.pm +@@ -592,14 +592,19 @@ EOF return { target => "linux-ppc64" } if $KERNEL_BITS eq '64'; my %config = (); diff --git a/openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch b/openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch index ceeac76..8086018 100644 --- a/openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch +++ b/openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch 
@@ -1,14 +1,28 @@ -From 936e081bd752ca0a883568aaf3b5752c9eaccb12 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 15:38:21 +0200 -Subject: [PATCH 36/48] - 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch +From 0a0734b3b47640e5e0665a5775cf68e8a01f59f6 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:16 +0100 +Subject: [PATCH 36/53] FIPS: RAND: Forbid truncated hashes & SHA-3 -Patch-name: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch -Patch-id: 80 -Patch-status: | - # We believe that some changes present in CentOS are not necessary - # because ustream has a check for FIPS version +Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs" +of the Implementation Guidance for FIPS 140-3 [1] notes that there is no +efficiency improvement when using truncated hash functions (i.e. SHA-224 +rather than SHA-256 or SHA-384, SHA-512/224, or SHA512/256 rather than +SHA-512). Starting on 2023-05-16, all submissions to NIST's +Cryptographic Module Validation Program shall only use SHA-1, SHA-256, +or SHA-512. + +NIST further notes that the same will apply for the truncated versions +of SHA-3, i.e. SHA3-224 and SHA3-384, and that SHA-3 should currently +not be used. + +Adjust tests to only run Hash-DRBG and HMAC-DRBG tests with truncated +algorithms in the default provider. + +[1]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf + +Signed-off-by: Clemens Lang + +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- providers/implementations/rands/drbg_hash.c | 12 ++ providers/implementations/rands/drbg_hmac.c | 12 ++ @@ -16,11 +30,11 @@ Patch-status: | 3 files changed, 153 insertions(+) diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c -index fb824abfa6..b90fee6dec 100644 +index 8bb831ae35..cedf5c3894 100644 
--- a/providers/implementations/rands/drbg_hash.c +++ b/providers/implementations/rands/drbg_hash.c -@@ -471,6 +471,18 @@ static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - if (!ossl_drbg_verify_digest(libctx, md)) +@@ -579,6 +579,18 @@ static int drbg_hash_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[] + if (!ossl_drbg_verify_digest(ctx, libctx, md)) return 0; /* Error already raised for us */ +#ifdef FIPS_MODULE @@ -36,14 +50,14 @@ index fb824abfa6..b90fee6dec 100644 +#endif /* defined(FIPS_MODULE) */ + /* These are taken from SP 800-90 10.1 Table 2 */ - hash->blocklen = EVP_MD_get_size(md); - /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ + md_size = EVP_MD_get_size(md); + if (md_size <= 0) diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c -index 664a074639..cbd4d0f519 100644 +index 43b3f8766e..64b7610cd1 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c -@@ -367,6 +367,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - if (md != NULL && !ossl_drbg_verify_digest(libctx, md)) +@@ -505,6 +505,18 @@ static int drbg_hmac_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[] + if (md != NULL && !ossl_drbg_verify_digest(ctx, libctx, md)) return 0; /* Error already raised for us */ +#ifdef FIPS_MODULE @@ -58,11 +72,11 @@ index 664a074639..cbd4d0f519 100644 + } +#endif /* defined(FIPS_MODULE) */ + - if (!ossl_prov_macctx_load_from_params(&hmac->ctx, params, - NULL, NULL, NULL, libctx)) - return 0; + if (md != NULL && hmac->ctx != NULL) { + /* These are taken from SP 800-90 10.1 Table 2 */ + md_size = EVP_MD_get_size(md); diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt -index 0e2ee82c58..7a17e7b3e1 100644 +index 9756859c0e..e3bc794997 100644 --- a/test/recipes/30-test_evp_data/evprand.txt +++ b/test/recipes/30-test_evp_data/evprand.txt 
@@ -7388,6 +7388,7 @@ Nonce.14 = 7239f92b63fb3dbe
@@ -1098,5 +1112,5 @@ index 0e2ee82c58..7a17e7b3e1 100644
Digest = SHA-512
PredictionResistance = 1
--
-2.41.0
+2.49.0
diff --git a/openssl-shared-jitterentropy.patch b/openssl-shared-jitterentropy.patch
new file mode 100644
index 0000000..eb2ccf2
--- /dev/null
+++ b/openssl-shared-jitterentropy.patch
@@ -0,0 +1,28 @@
+Index: openssl-3.5.0-beta1/Configurations/00-base-templates.conf
+===================================================================
+--- openssl-3.5.0-beta1.orig/Configurations/00-base-templates.conf
++++ openssl-3.5.0-beta1/Configurations/00-base-templates.conf
+@@ -107,7 +107,7 @@ my %targets=(
+ ex_libs =>
+ sub {
+ my @libs = ();
+- push(@libs, "-l:libjitterentropy.a") if !defined($disabled{jitter});
++ push(@libs, "-l:libjitterentropy.so") if !defined($disabled{jitter});
+ push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"});
+ if (!defined($disabled{brotli}) && defined($disabled{"brotli-dynamic"})) {
+ push(@libs, "-lbrotlienc");
+Index: openssl-3.5.0-beta1/apps/openssl.cnf
+===================================================================
+--- openssl-3.5.0-beta1.orig/apps/openssl.cnf
++++ openssl-3.5.0-beta1/apps/openssl.cnf
+@@ -47,6 +47,10 @@ providers = provider_sect
+ # Load default TLS policy configuration
+ ssl_conf = ssl_module
+ alg_section = evp_properties
++random = random
++
++[random]
++seed=JITTER
+
+ [ evp_properties ]
+ # This section is intentionally added empty here to be tuned on particular systems
diff --git a/openssl-skip-quic-pairwise.patch b/openssl-skip-quic-pairwise.patch
new file mode 100644
index 0000000..7945c4a
--- /dev/null
+++ b/openssl-skip-quic-pairwise.patch
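Review bot: `seed=JITTER` in the shipped apps/openssl.cnf makes the CPU jitter collector the sole seed source for every process that loads the default config, and combined with the switch from `-l:libjitterentropy.a` to `-l:libjitterentropy.so` it turns a build-time dependency into a runtime one; as far as I can tell from the config semantics there is no fallback to getrandom() if the shared library cannot be loaded or the collector's startup health test rejects the host's timer, so RAND_bytes() would fail outright rather than degrade. That may be the intended trade-off for FIPS entropy claims, but nothing in the cnf says so; I would add above the section `# JITTER is the only seed source here: RAND fails if libjitterentropy is missing or its self-test fails` so anyone trimming the config knows what they are removing. Two smaller points: the new section is spelled `[random]` while its neighbours use the `[ evp_properties ]` spacing, and if fips.so picks up the same ex_libs entry it is now linked against a separately loaded .so, so confirm the module's integrity check and certification boundary are meant to cover that.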
@@ -0,0 +1,86 @@ +From ce9fd9a7e822c37229c482febb1f38edbf3d36b7 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Thu, 7 Mar 2024 17:37:09 +0100 +Subject: [PATCH 14/53] RH: skip quic pairwise + +Patch-name: 0115-skip-quic-pairwise.patch +Patch-id: 115 +Patch-status: | + # skip quic and pairwise tests temporarily +--- + test/quicapitest.c | 4 +++- + test/recipes/01-test_symbol_presence.t | 1 + + test/recipes/30-test_pairwise_fail.t | 10 ++++++++-- + 3 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/test/quicapitest.c b/test/quicapitest.c +index 4782479cc6..2b41b8259c 100644 +--- a/test/quicapitest.c ++++ b/test/quicapitest.c +@@ -2729,7 +2729,9 @@ int setup_tests(void) + ADD_TEST(test_cipher_find); + ADD_TEST(test_version); + #if defined(DO_SSL_TRACE_TEST) +- ADD_TEST(test_ssl_trace); ++ if (is_fips == 0) { ++ ADD_TEST(test_ssl_trace); ++ } + #endif + ADD_TEST(test_quic_forbidden_apis_ctx); + ADD_TEST(test_quic_forbidden_apis); +diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t +index 222b1886ae..7e2f65cccb 100644 +--- a/test/recipes/01-test_symbol_presence.t ++++ b/test/recipes/01-test_symbol_presence.t +@@ -185,6 +185,7 @@ foreach (sort keys %stlibname) { + } + } + my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols; ++@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates; + if (@duplicates) { + note "Duplicates:"; + note join('\n', @duplicates); +diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t +index a101a26fb1..43e5396766 100644 +--- a/test/recipes/30-test_pairwise_fail.t ++++ b/test/recipes/30-test_pairwise_fail.t +@@ -9,7 +9,7 @@ + use strict; + use warnings; + +-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file); ++use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with); + use OpenSSL::Test::Utils; + + BEGIN { +@@ -39,20 +39,26 @@ 
SKIP: { + SKIP: { + skip "Skip EC test because of no ec in this build", 2 + if disabled("ec"); ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "ec"])), + "fips provider ec keygen pairwise failure test"); ++ }); + + skip "FIPS provider version is too old", 1 + if !$fips_exit; ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "eckat"])), + "fips provider ec keygen kat failure test"); ++ }); + } + + SKIP: { + skip "Skip DSA tests because of no dsa in this build", 2 +- if disabled("dsa"); ++ if 1; #if disabled("dsa"); + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])), + "fips provider dsa keygen pairwise failure test"); +-- +2.49.0 + diff --git a/openssl-skipped-tests-EC-curves.patch b/openssl-skipped-tests-EC-curves.patch index 7368c60..ea6e5c9 100644 --- a/openssl-skipped-tests-EC-curves.patch +++ b/openssl-skipped-tests-EC-curves.patch @@ -1,37 +1,61 @@ -From 9ede2b1e13f72db37718853faff74b4429084d59 Mon Sep 17 00:00:00 2001 +From a4f09a10050fa504610fc02f4dc3f066c53e7ba0 Mon Sep 17 00:00:00 2001 
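Review bot: `if 1; #if disabled("dsa");` in 30-test_pairwise_fail.t drops the DSA pairwise and KAT failure coverage entirely while the skip message still reads "no dsa in this build", so the test log reports the wrong reason; if the cause is that DSA key generation is unavailable in this FIPS provider build, say so: `skip "DSA keygen is not available in this FIPS provider build", 2 if 1;`. The two `exit_checker` wrappers accept only exit code 134, which looks like 128+SIGABRT, presumably because this build's FIPS module aborts on a pairwise-consistency failure instead of returning an error — a one-line comment above the first `with(` stating that would spare the next reader the lookup. Likewise the duplicate-symbol whitelist in 01-test_symbol_presence.t names three symbols without saying which libraries export them twice, and the Patch-status line says "temporarily" without anything to track when the skips can be lifted.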
From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 -Subject: [PATCH 13/35] 0013-skipped-tests-EC-curves.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 13/53] RH: skipped tests EC curves Patch-name: 0013-skipped-tests-EC-curves.patch Patch-id: 13 Patch-status: | - # Skipped tests from former 0011-Remove-EC-curves.patch -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd + # # Skipped tests from former 0011-Remove-EC-curves.patch +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - test/recipes/15-test_ec.t | 2 +- - test/recipes/65-test_cmp_protect.t | 2 +- - test/recipes/65-test_cmp_vfy.t | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) + test/recipes/15-test_ec.t | 2 +- + .../30-test_evp_data/evppkey_ecdsa_sigalg.txt | 12 ------------ + test/recipes/65-test_cmp_protect.t | 2 +- + test/recipes/65-test_cmp_vfy.t | 2 +- + 4 files changed, 3 insertions(+), 15 deletions(-) -diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t -index 0638d626e7..c0efd77649 100644 ---- a/test/recipes/15-test_ec.t -+++ b/test/recipes/15-test_ec.t -@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key' => sub { +Index: openssl-3.5.0-beta1/test/recipes/15-test_ec.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/15-test_ec.t ++++ openssl-3.5.0-beta1/test/recipes/15-test_ec.t +@@ -94,7 +94,7 @@ SKIP: { subtest 'Check loading of fips and non-fips keys' => sub { plan skip_all => "FIPS is disabled" - if $no_fips; -+ if 1; #SUSE specific, original value is $no_fips; ++ if 1; #original value is $no_fips; plan tests => 2; -diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t -index 631603df7c..4cb2ffebbc 100644 ---- a/test/recipes/65-test_cmp_protect.t -+++ b/test/recipes/65-test_cmp_protect.t -@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build" +Index: 
openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt ++++ openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt +@@ -132,18 +132,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEB + 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl + -----END PRIVATE KEY----- + +-PrivateKey = EC_EXPLICIT +------BEGIN PRIVATE KEY----- +-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB +-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA +-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV +-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG +-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A +-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk +-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL +-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg +------END PRIVATE KEY----- +- + PrivateKey = B-163 + -----BEGIN PRIVATE KEY----- + MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K +Index: openssl-3.5.0-beta1/test/recipes/65-test_cmp_protect.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/65-test_cmp_protect.t ++++ openssl-3.5.0-beta1/test/recipes/65-test_cmp_protect.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo plan skip_all => "This test is not supported in a shared library build on Windows" if $^O eq 'MSWin32' && !disabled("shared"); 
@@ -39,12 +63,12 @@ index 631603df7c..4cb2ffebbc 100644 +plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test my @basic_cmd = ("cmp_protect_test", - data_file("server.pem"), -diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t -index f722800e27..26a01786bb 100644 ---- a/test/recipes/65-test_cmp_vfy.t -+++ b/test/recipes/65-test_cmp_vfy.t -@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build" + data_file("prot_RSA.pem"), +Index: openssl-3.5.0-beta1/test/recipes/65-test_cmp_vfy.t +=================================================================== +--- openssl-3.5.0-beta1.orig/test/recipes/65-test_cmp_vfy.t ++++ openssl-3.5.0-beta1/test/recipes/65-test_cmp_vfy.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo plan skip_all => "This test is not supported in a no-ec build" if disabled("ec"); @@ -53,6 +77,3 @@ index f722800e27..26a01786bb 100644 my @basic_cmd = ("cmp_vfy_test", data_file("server.crt"), data_file("client.crt"), --- -2.41.0 - diff --git a/openssl-truststore.patch b/openssl-truststore.patch index e43f30e..53f0b82 100644 --- a/openssl-truststore.patch +++ b/openssl-truststore.patch @@ -1,10 +1,10 @@ Don't use the legacy /etc/ssl/certs directory anymore but rather the p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991) -Index: openssl-1.1.1-pre1/include/internal/cryptlib.h +Index: openssl-3.2.3/include/internal/common.h =================================================================== ---- openssl-1.1.1-pre1.orig/include/internal/cryptlib.h 2018-02-13 14:48:12.000000000 +0100 -+++ openssl-1.1.1-pre1/include/internal/cryptlib.h 2018-02-13 16:30:11.738161984 +0100 -@@ -59,8 +59,8 @@ DEFINE_LHASH_OF(MEM); +--- openssl-3.2.3.orig/include/internal/common.h ++++ openssl-3.2.3/include/internal/common.h +@@ -82,8 +82,8 @@ __owur static ossl_inline int ossl_asser # ifndef OPENSSL_SYS_VMS # define X509_CERT_AREA OPENSSLDIR 
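Review bot: The `EC_EXPLICIT` private key removed from evppkey_ecdsa_sigalg.txt is presumably referenced by sign/verify cases later in that file; those are outside this hunk, so please confirm they were removed as well, otherwise evp_test will fail on an unknown key rather than skip cleanly. The comment on the 15-test_ec.t change shrank from "SUSE specific, original value is $no_fips" to "original value is $no_fips", which keeps the old value but loses the reason the fips-vs-non-fips key loading subtest is disabled unconditionally; `if 1; # FIXME: state why this subtest is disabled in this build` is at least honest. The new Patch-status line reads `# # Skipped tests from former 0011-Remove-EC-curves.patch`, a doubled comment marker. Separately, `plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test` in both cmp recipes passes a number as the skip reason, so TAP output reads "skipped: 2"; a string such as `plan skip_all => "CMP test data uses keys not available in this build"` would be clearer if that is the motivation.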
diff --git a/openssl.keyring b/openssl.keyring index d7ab2d7..84cbddc 100644 --- a/openssl.keyring +++ b/openssl.keyring 
@@ -1,305 +1,31 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Comment: 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 -Comment: Matt Caswell -Comment: Matt Caswell +Comment: BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF +Comment: OpenSSL -mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay -hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3 -iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi -2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa -N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz -UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0H01hdHQgQ2Fzd2VsbCA8 -bWF0dEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkK -CwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0zU0ARvUXH -jbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR -nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p -3tPbnQzANjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyH -sIvebMgKTI/bMG8Z7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0 -hmHLqjWqYs5PzyXeoNnsPXJt69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rga0IE1h -dHQgQ2Fzd2VsbCA8ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsD -BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+ -viob8935Uirei4FvnzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeA -RGwWTQYGmFmrNRWZ2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAj -eU8uSarmeZgGVMAInsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE -5Q7wnnoRXdLyNet0AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R -4gYFS/xGfTgocPUDZ4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO -5vISJkZvqE5UuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg -icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM -k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6 -2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex -F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ -P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC 
-AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v -Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb -SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x -dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL -HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2 -8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2g== -=Z0q9 ------END PGP PUBLIC KEY BLOCK----- ------BEGIN PGP PUBLIC KEY BLOCK----- -Comment: B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45 -Comment: Paul Dale - -mQINBGApr7sBEACoyczHMNgWiVg4jMjtdkb5j7csKPdFx8B7FJNMFrL/Z/I1BjwM -TQ7fxKvDN6z3mjAMKhU+wCL9vUSSMUtyze/fox09n84jYDwN3n37ozkrhcDB01ia -iKCCeRNEW6meTs3/aJPGCznIOk/kMHlnZnQPcSphIexo/ZUyB59h6smz2LvoTZg0 -aeZeJwe0cfaVnWYA1a9wr+QJDQwRkEqdy772cM03Phs/sRWd4+nBqP1XxWlX30Yj -VGjDsY3gH9AAy4oUnb7tOmk5S9FIKuMdkkWeU0Abm8/36OfZyMFbZDAMbO8i3un4 -eIQOg5tjynSXYel3nlJ/fwoSHefPgavCkBdknk842LM9xr22t+IKmy99uW7FDqvj -wbPoMg6z2Jarl0Fqu3GhIjCmKMe6TBfkYwB4fp5KtzRwrSjDo16vkMoM69mXqA7w -f1JV+BKvE6QTePNt8ix4ib5c6mPOrFnYG1X3tkNOc4/q6KcGbvS1xMax12q2/zSZ -PmoJvzWTrSF8lQDZKjMnXnhrZMY8h7lu/QE4DQ1M9U1PFdf6vwLrNaHHfi/rWKTe -fsrGp2TIqU4lm45p0fDroYqDML+gp8RMUZBU8M4wGwhludEiCoOFjXu2ECvvgrB7 -JHrh+FtMuuRPx4q2eRO75NepDfZqmp48PIqkt2b3VjisNceB70uYiUQ2eQARAQAB -tB1QYXVsIERhbGUgPHBhdWxpQG9wZW5zc2wub3JnPokCTgQTAQoAOBYhBLfBwUNg -81OjaGLk1SMchM3cxpxFBQJgKa+7AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA -AAoJECMchM3cxpxFa0YQAIAnnNek3+UXZL/u4R6hs/lJopC9p/MFbCnL0b1zZnbz -Kbbva10PA3PEv+szhylDKeDIbDKF1yEjI4BTNCLS8sLKEZWSLTMW1MZhmxWm5TdF -ebhoj6Tjjfxme4ETyk3+v3hC3Ylm0jiqHHErutRAPIW1VDFQVxKZPasv1yj3YNiB -SktTSH1MjZZtlDYjp9z3VTczvrO3BBJJSxQ5CY749pEwtjwdLTqOVtoJL8thZ3J9 -jSnSDsgFVp/pPNVxxV98Yd89JqM34MvOuD3jYSOEtMUCJgMFXNZ/c2+BpWrX+ssP -qrY9vBrq7o91K+OQHbb4Z1pjK/dzDq183E32uTOYbco7ga/JqE7c997zY0fgQsIz -hdEveC4oMydzwHQ9WzHUYR7AtTgF9kKsTHy8H6ye3uaJMIMSEdAvI4mxG/k/zG/Q -KrIt1nUJh/M7uu2IT9fM+AoR+2VV1u1vimxpCpOXpTB4mTIR5YfiaRfXnHm55iq/ 
-odxVj/yVqFUcujy+YC9SAoKRGJRQV0KZur1xAOJsgwUJ1iXJZwypowkI59jpwl2q -WCfZIS1ZrpIebiVk4ZBaHDe1v178uLO3IasZR7HLvcD7ESX8U88ng8J1nXHq+Uc7 -4j5Dc6CMTd5WYTkFvhjO33JiHncK8CLYOFsndIGXts/OEhp08N5JELHCeSuu4UIb -uQINBGApr7sBEADNQ6w6jQNqxWxHDjJzcXclQJFPB2qlT/5eMa7QeOYiJ5DmY2VQ -P0Mltkmrc8T/I9NfRFpaB7Z+8zE5lmjSi3N5fYWjhoZp9oP0WYfSLef4KpD7KfEE -TaBohn8cw0Kt+nmEN904w9kpLE+WAvD0qRKnilcCUWE5Es719W8dMh/8cB6FiCI5 -8myIvV63yDV1DiNyEcKNeasIFF8n3FCd0gWPXXS9Fe7muQpIJ4Lb2p3ylqcY9UaU -8n+LQAb1LL1kC468MU0LBhhkCnZ2BacWnJu7JrzQ1Nihk+JRyXt0QARcgsITt8+3 -rQdZDb6o6jTixClNXOJ2LGZMAI2NrQppfn3uBny06veyde9l3riwtOYwqEfETt6O -Ndy0gOd4zelPOnfMtzwDePC0m0b5ibNsMGVYGu5bmu4XFZrk8ivcAiEg4TJHcYtU -meONyuhmaCbcG8in0GZvUgb/YLcBpLBhFFUUd1ALBfi6cXlvFlSU0HHQoNRIAyFt -C1DQaAOWQ9v21KSF6zFG9Qg3yHKy+xBjXjfp0IZOqN5jrmXxbfl/+LWqUHD54tmS -iHrUf1CiW6no+4WBI9f6/+QCVLFBoStlNgoRt/OcIXmq1cTJ2pTSPl3S0+HobCEa -llEGEDXqsGxmV2kNmxsUks/knEGFElp/XtMrhykicIdQYntMaRebljrpiwARAQAB -iQI2BBgBCgAgFiEEt8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sCGwwACgkQIxyE -zdzGnEW2ew/+IzGVXgB34NeHnaLVDTtiUXgrNoOV4xFTS+kvZXrGC5i+mMhae9Pc -gvAyjssJ7dVP2RJBSNkfdxrRd2D4HFcf3dn/n646HNiTinirfvoUf4VIA1jdDp9q -ixi//tO7fsPyn35d672OA9AC3ccBgji6V9XA58REonF+ap2bE0JBJYTJZrET9Wny -BPEjefdpORSHaXqimfHN59QV5gXEFZ4Ci1jCt9n6WEb0oo+kQTkUb8z7F9P+7ojj -Q+4KrgtlXb9ijxCwMfGRPNInnumqyKJ0PhTVwhM1JNdi53nwVY98OGEZXWiKPFQ6 -lAGyLLXwaOSztKGSdsFPK/tpyVihwoqHjJCU5St/PVlpvRKhbtq24FfDu7YyDO2Q -Dp2/F+QIdVnUFO2I1xeb2k+/Tx+3nfKYNui+AFaudOblrYQzPrlswJzCmmB/OTkt -wuOqr2nvQr2JUwmSaRvdCAe8EI/HAa/ujlA87T69L4T66KwBWuBkIYZQxFtCiC+B -mksPCYe9TBTZm2+8xk6UiSMKurwESTkDj/uUGmtGHi3cSJPSQ5x41COSEc+/yZ0k -eQTSnnkVrB71cMr2yVe9WWiUqUoHbkwiiy9YAHkp76jHbTRsCjs8O2otioAW06Yb -7r1iWp6twh/giBzsVJndeP5Ss/85TQfrl8x8yJjv1OQiIRrTTz6GdU0= -=AbiA ------END PGP PUBLIC KEY BLOCK----- ------BEGIN PGP PUBLIC KEY BLOCK----- -Comment: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C -Comment: Tomáš Mráz -Comment: Tomáš Mráz -Comment: Tomáš Mráz - -mQINBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr 
-55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH -F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi -UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag -pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K -/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv -MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8 -laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB -HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3 -zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06 -YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB -tBtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz6JAlQEEwEIAD4WIQSiH6t0sAiK -o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe -AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy -U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE -KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W -nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh -1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I -m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj -kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD -IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M -8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6 -z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41 -xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM -MriPFbQfVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PokCVAQTAQgAPhYh -BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL -AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk -8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO -UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv -FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW -FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q 
-UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy -Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS -2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW -kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm -T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI -yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I -8tmXB4BcoHFB9N0AtCFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz6J -AlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL -CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh -KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo -2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ -+J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4 -yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M -cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A -ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly -Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y -q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt -Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj -hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI -w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZbkCDQRg8UyoARAApiWRrHjdEu9Fp2yd7K93 -VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27 -1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp -djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50 -IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK -bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn -gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w -NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh -D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H -a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB -HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc 
-nAaLOI/nw1ydegw8F+s1ALEAEQEAAYkEcgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv -Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy -Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+ -otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5 -SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358 -cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0 -8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ -vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV -yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A -HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg -K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs -aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh -uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE -cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk -RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F -9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/ -JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g -muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN -86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr -HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S -DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE -ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro -uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY -YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl -JKbGoqC+wchHmOK5Ag0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u -aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq -oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7 -FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM -ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL -vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+ 
-i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb -PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum -ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE -N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH -eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs -LQ1kotFTABEBAAGJAjwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM -JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh -QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB -uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS -nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u -sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD -NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C -nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE -FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ -qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX -Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc -zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2 -TIdjvGbJ/k4qxw== -=Ctij ------END PGP PUBLIC KEY BLOCK----- ------BEGIN PGP PUBLIC KEY BLOCK----- -Comment: EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5 -Comment: OpenSSL security team -Comment: OpenSSL OMC -Comment: OpenSSL Security - -mQINBFQv6Z8BEACuJwJkw/Iniec6U1RzocYHBFKl1eE0WBu1vthYmcn0D/GJKvWM -kRhx9GSlWMqj9mgSFUOsFWrpPIm3Jzh4bLweUjH5I7R0Frh39dDFh1hhwHEholBy -yUGFTb8TppptXnzzDoNz4yUQcRP2oeG1vC/ePXPWHKgtp+0hmM3MQ3WIN+gSmpdt -4vMIoWKKCq+E1tYcsFk9URBWWEwBw+OJ37o7TrernyxwtXwdPOjYhA4mLtnKHs+5 -QivuOvK7gNf5hggyv6fp6d2ixvJZ9CdUYFdlOwaHA97B694RcAMxaMtzUpfkiJ/Q -2zR83QG4az6COKK38W6Kp7bLveMF6Rb4Y+gOjV4KvHKpzNAP2sNkmCIohlmoPhT9 -Ce9tWq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO -3GLcyTJW4enmTUFxy0d24Bfdgu7FpH1vHIisDkON3QO4TMwCJoLWGULqpJKP7kUf -5HCnafDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWc 
-zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK -eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB -tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz -bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck -Z9YTy4PH7W0w2JTizos9efUFAmPX/PkFCRGJRs4ACgkQ2JTizos9efWXgg/+Negn -a1HZIWs18LDktjV49a3IeKhjJV+UrTvQnFpSNXbwpnKa6iVX9PlE+3nLkIrkz6HJ -uBl1MZElcmrqIsVCKHcrbcJSgZM4fV0AgEEm5gNfK19gbJjs1qdbtwTYccDiHwGl -4EeTkPsOCo20QEC8jvkdHvMsvoD11c57NprQVVsOyuyz7B7LwV+6hZ2MAv6BZrNE -XBjzqxHGKcq4iyOKTGwRAufiXdq2+kV7GVjihH41YjV08f/b7O2uAm4k/IbULtvY -3Y/9rVvtU/Na044FQBGObH7/DbEOc8uFAH8Vy7M32rZmQet7pO8M5BrBMAaU2OAz -ZQ5CqauGvjTJ4GXi+pBoCVafPvsGkB1W6IxnPPJZsFw9kxOKSV1Md4jh90OdaIGe -HW4qagRaLDtDRtkFnIkbtc38HC/e30ANoNS3Enws7XSNvQ+O7HfeSsATsM/2cjL8 -c281Nv9o+xaNI4TN3KsfRswcQtnsN2cCkPZWKgTJcjpdANkX9CK7mYNS8bu6YsAV -nRF2iAB25Vjcz/92Dd28/nPI2CkKkOMhDtnFty8B2LZ2tbfoU1DsNzg+b3ejaXLZ -jhnZdL3b3F4iKpyzDhTpDHo4P/yxrtV8LOmHJN63oc1JljqgkU+RcxndSZ/LDHqt -VH02VwVHMVt4no62mZj2UNT2+Ci5p+tze4Rhfl60JU9wZW5TU0wgT01DIDxvcGVu -c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID -AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f87QUJEYlGzgAKCRDY -lOLOiz159XBzD/9InUdyS1hdC7f2uEbD5A+5UFUwy9hqzy8sXLrGfUMtJC3Ur+CA -RqpHw6LC9oqFlAMhdSpIINzswLvpYqYKUllQWw0bStqWed6wuonC7nQk4fJhaWhT -MEyVNC7gpy1FcFQYZZ/rwVxftvV6EesOIL+cM9Tg2IKvdrJsuFtmhcrEmrAVrPuO -VkIBbOjylU5iHbs3hW15DqMXiu6s9wLlxSJtqWWcGT4Xp3SjUy2XRzsWwFPrdsnZ -cj1h1C1onglIpNuq7yQF6rrBmKUdy7FClXswEg+He6qV6zLhZo6bRAZO2b/g4aNX -NVOh5BS9ZpQds5FejHx3la6GzfPM/szC0WJR2r/6RqR/dizrPlhsJX3g5I+fRnNG -mOrUa7S/OrR3QlWyE5pvytKTno0UvPuITA7MGtQf3z4n4UbM7bYyLmCIVEkDQl9K -ax1vtEYLKKx7sVLmJUQVqo8RmmjottRZ6+B5UWOB+dXvt3Z+mJLHt92y6NLk4iOX -q3bgO9eMPgk+GdLXjgtgeu7S33BNE984/0B+jDLqhgEjK2spA50uPXBUtDm+Au+s -1zfePJVfQxdaoKY00iOltujRS6sqE1PtbebTHgDakxnr9MClzTmRz6ymAglxo72o -gk0OJCNELdckK0HHd5hGLEKBlSVGYSx2J985o7VE/raBr7/YULm4k0LXJbQvT3Bl -blNTTCBTZWN1cml0eSA8b3BlbnNzbC1zZWN1cml0eUBvcGVuc3NsLm9yZz6JAlUE 
-EwEKAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE78CkZ9YTy4PH7W0w -2JTizos9efUFAmIp6vAFCRdgAsUACgkQ2JTizos9efWbyA//cw5h9kzqjHNPrWyU -nqchSA/BAxGAfv8IW5vTXKIGou/vbF+2eV4pGe8cjYErfiEMI2XEqgW3NqtB8Ie1 -JpvHb/JARDpXRAeO0nAz68UZiv0s+BYG1cL0MJgxSmwLEo1XIxx+NYQRPaIPhWId -gdJmhOylGHRbZPfUu0gsX3JvFYYJvqSbZYJx47JzLgvsaRtY06oOt89hqVOp9geS -4HtwcZiIohq1E4Fy8+TYR7iMv62lBAG0xOoLCy4UzM3pVbChzcfmLLtH4ZbDO2ks -vhafec6lUetxMJuvqClp4oYDp9ucrcZF3pJA0feSGF6EXOmYo3KMiVbG35DqfJrI -8gva6QPTFo8WRsTZ7hUrn/BioXx7Orrmtl5++IPAU7c/0JPHCVordxinD/XDdcFV -s2IIf5iL914/CaI8AXmeM4H0m9kuaS9N0UI8+3gIBhO19cP1VJBw/EWdwjwHtUlf -d6mOAbwuVAjPEWQmcf0jIxoUR9t+3ieZjPdcHus5d9/xH2iOLdEHYQRHRiLlKFtu -PhWgqy7UgpWRye/628at5C9m5TfGQBldSoOkUzPQGGpV3pUiHeJlQPBAYl1AAvAK -8+Y2T9iSZXUuMXiMp3lplDEzXKHjUaXXUkgFuGs/L8YB+BBNBSE/GS078kQrc6Wu -y7mmnE22aFf7G0N/hin+9QeIWJq0J09wZW5TU0wgdGVhbSA8b3BlbnNzbC10ZWFt -QG9wZW5zc2wub3JnPokCWQQwAQoAQxYhBO/ApGfWE8uDx+1tMNiU4s6LPXn1BQJZ -2fY1JR0gUmVwbGFjZWQgYnkgb3BlbnNzbC1vbWNAb3BlbnNzbC5vcmcACgkQ2JTi -zos9efVQIg/8C1c/ChPOM/ojwXA1yUeIa4rD6BXlLDetE3KIqD1MvR251xV8Ox21 -3GYFHW+6CEfQ82xiy02CB+VsYh58tMi41NDWq6fkZOW4vFnJbFx/pYk8xFMl0ml3 -LkGsh9cVoesSiEBAsF4vQ/bmCNfM68DsLtjAK7GQobcW5ArIqvgc3LlYXUspkgE9 -yMcQcPqyMsNrEPgrFCcd3fWzXF1qsO8Rtd4bwyaJACkpQnZ832wY91uuMGzWcG2A -+SxkdOFPuDkWm5l8hbA6+DpdFp/YiDnfwAZqr6uoqdkcT0e8IRsGqJ2FJ7qHeGSv -kFjkGHaOPkJM69lJIEFMCrjvBQVN4b8HhcqbnJbnrWVGFDxgSdjNvXqzBDJgDqMh -GN5ZHJhGhiZDi02uzqJ0p+OUzK1CiEo0/Mc7Nb5sVfvYrP4LoqKRceNePgwZp8Jw -OnC5U84TWa6pHYm3rijfrBPPMFex9NDQQ/KEFINhAMQVMUtj2iy5ANPpqsftOIjs -RfWWn+7QIi4EuYRADcllRaHJaTBAzI56ngkDaA55oyaMnSUnu0fjgWTiD4CEVbsS -rR0nWJKhCg5DbVwq/dImoN1iK78ziR6cJdeQhe3GY+AdWe7Ci+75TiYy8Zlh9Sz4 -mpl81xRz9eYcO/g0xG6wpPE/fqua8/AgeKArEKJWN1uvKCCFZzRB7uq5Ag0EVC/p -nwEQAMB3s+8dq5T8fW+b3OcGujEcbhyguc6D5shlNWsuCV3W7+izsVUe+0hD1YwD -30C6zj2+CJrMxPQ/BB3u3SbyHMDP5fKL7GQiA/n192hX2DuHxvQwnDNkHxYghtrF -KOlXAyte2awA0fC+e0o8lHa1Yd2ZZNqlDC23qJtLMJH8bX8CIr59KckNyv64bF+h -VPIN3evnh1Ajn4A85848EZMQcjedg72MsA3TW2D4omayY7eXE5uut7FYcY6SM4pT 
-hIB2X9DM39Rgy3qC4ObvEkEfaWnJfHxyXiA8XF+FZukXc/iM68P0VS/sMml9QPsY -MWnMHcGlOcuzQJRAalqZJwuK0ZIvobh/Y9rYLxrHtNCgSjaFuSN9K/YhpAxs80H6 -lVa7GCSASTRrS3OvmY++fTsUPzSOvit0kqQfimziYx7QcJIagG92mvUmuf2PEfzv -Si6iaIqMhaTaJq5qxOR0q430KakQktNPX53HflWL7YenDPYw1rEyQFxGqjaBY1X8 -NtuzZ0P4cahgsBFc8HgYu2u3Ysd5wmvSTsOXld8Qsns1KIUOpzgWw56AJ6dxS3lK -4QSUFwjzbZW9H0jJ49eBMAaA+hCjv8c/4BFuZq9Gvsafn425Lx1V/3PFJlPu55V+ -7qWjeOkSzNctMlmCqPQVetbZ/pHLAJO5IUO3SoTs5kl6bARzABEBAAGJAjwEGAEK -ACYCGwwWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f9DQUJEYlG7gAKCRDYlOLO -iz159f5RD/9Dhv5+muyWX9U4wNH7Dt7KHOtFyQ6+YrlLGj6WgZlFQD3sz1hVabJs -HwFuiaIjnZmQwiUJm72jCMUncL3OsWrQXm6SU60aG20XeQl1oXWmSD9D/len23hO -Yo/3WsC3o1AIkLA9cJ3h/oo3I7RE30skw4MwQ4oCFlmidmOLvkz3TD22qxf+WaK7 -KO0vJRVHQIVl1ZdsBSSULcr8BcupKXaKSBJQDya2TkEh6OUf1B/7EIk811oeNSaL -9eJXS9VGDytVyjGGXSbudBw2XAV0/oiPPDKYElbOZH66d6marGwCCdc29cNono/7 -zf0+/hyunzY3m1PkYGyzUmfWq4WNulJ9GEAz0O1rss/4hxnGqn/m3gue+aQx4hji -/K/vAV+531YT9MEp6m6e3074a7Hvn2l/tsBoL1Xseb6J9ZGL8fnZiuG6RF4sP1Lz -sQXmyjgr1yTlCShgNQCYXAgprWXPCwv176kL0WxkGhcI+GmSe3kNWr3HYoeTfBQ/ -G8GWaIZ2qJRY/d/P9bgWu3oztWcVqEDorK3Pbu5/VeIeEfIkc717EgvdZU4EB70v -E/jnY1V9GLFzdPcygy7bz5aA4IA/Y12VFdhQ9/E7HFvEv0KUa294rQiH86lRyCJI -aEUqeymypLjoU2oeR4Cujkne+5spQHBfn2/RWGqH28v+vqHysb/8GA== -=Q+Oa +xsFNBGYT46cBEADnGgpkGwVTO5hu+sqoC3UWXM1nxr3v+tLveHQQlMA/MLDwK+TS +1sMFSsOEE1ehAlhaEVCaiHSh+8PSqs8bvxrkbC8FXj6UkHvdZOoBgoDqEVUXawen +UmW/3OEQtC/815ByacwHsbgabTY+bXQBAvKnDsKMIg04YlE1UVLnO6Rf0v/AvnlK +400c0J/KOPOXP2+e5dYMxRN/8CMFA+Jo8m1N2/gDKb3y1Ga6Ug9Qg/7VmL+zp/9A ++JnVQFhVQgpt2hVGKcKteJvDJODRAmBG371E+KV+lnh0jvALUxGiC+h/XrHmm8Em +7hQM7LLoVKGDPxYYUQKA6U6+//Q3J7JgrstLTxAZ6Xz3516o8gM4EeNXo/rXNqNw +Ng4zKeYAU0klk0hDIf7JHluT/Xxy9ezgRK6V3RJEvvjA1RjpsTVe7uDw5GPEoRO/ +xXtcLghhPixbL6y1FOspZqx3BzroX6Ic4V03Ub61YL6Zx3Q3tTcaj+4QFGXVA3SN +WL6is2XBdvZAiOgO/7lbRXGq/vFtvynYPLEx6LbZdKtdfADUCgD7If4gvif5yaL2 +isSfD3UmoXPdDDLGdga5/dhmg2658AigHw6t0fPWnxPx4EUc1tL2bb+dEG+soRoj +s4QHHoAhEeVEKdeFfu7lE3i0omS/mp63IFUFI7AybnHYiZ2ujyc5sBBsnwARAQAB 
+zR1PcGVuU1NMIDxvcGVuc3NsQG9wZW5zc2wub3JnPsLBlAQTAQoAPhYhBLpUc6Kw +WHsH+yfPLSFglN/Qy4HvBQJmE+OnAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMB +Ah4BAheAAAoJECFglN/Qy4HvXIcP/jCgVgZ7wMwMaDqbwBJOVKQ7sVzNvjy1xMr+ +XkXn1FHme1MlRl4Uw9Wzeh8TUckzx59+CAqe/pRRYhR9kL0S8WUhoa4VK61c47WS +0wFWzOOuQ4JQO9v9zP6hsKubnQdA9ggq3rvkFrRDIV0DPU6iFxXs2/kYmuqHxIkO +GgLx+aCWPx0XNAdJyov46EbQnIjJOdialeC2dIEdIU0Vk5N0jWYv6MKweAmXRVLM +Jusz3yfNZ0FmydSo90aNQcQz4fp3vgF8qP7Z5BmMOSWOnXJawJd8+ic0RXRWdsMS +oxyAEKH/98IUPZII8N8c5u8pAJ52m7LQRm8CKk4GzylStaV+Pe6PuNTVkx1sIE62 +Sv0RFbd2yJ5Wou5Z/1lRZvzjF5R3G+dobKZLym2HwNkJtFROODFqiPkcKYCSSd4c +sqlOVh2X6/8VlJZ9Q4r7pAm/ulPnf/PSEo8l7kr/JS7Q09nlwNaa5l9nwvrt2z+u ++5dNZt5syyVgpNd4mPZMFb9TXqoFrhrZfLGZ2I3GQ7tLX2boHhBXNl32a1sb2Qsv +9fbz++sFbYrfDhsjH5eEwBjW7o4Kkd/cTMJGufLczy3Cb+RyrjyBrSwfMQf0xHkp +QKidfWOKv9j+yeEhGVCHaIPilYNVeZFRHzL1H9oIkda2BZamj7iYveVnnDBjgpN7 +k6YNfbUM +=Fi54 -----END PGP PUBLIC KEY BLOCK----- diff --git a/reproducible.patch b/reproducible.patch deleted file mode 100644 index 6c40942..0000000 --- a/reproducible.patch +++ /dev/null 
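Review bot: The replacement key in the new `-----BEGIN PGP PUBLIC KEY BLOCK-----` appears to carry a key-expiration subpacket in its self-signature: the `BQkDwmcA` run on the `+WHsH+yfPLSFglN/Qy4Hv…` line decodes to subpacket type 9 with value 0x03C26700 (63,072,000 s, i.e. two years), and the key packet header `BGYT46cB` gives a creation time of 0x6613E3A7 (2024-04-08), so — if I am decoding the armor correctly — this keyring stops validating upstream signatures around 2026-04-08 unless upstream extends the key and the file is refreshed. Since the file already uses armor `Comment:` headers, I would record that next to the fingerprint, e.g. `Comment: created 2024-04-08, expires 2026-04-08 (key-expiration subpacket) - refresh from upstream before then`, so the next refresh is a planned change rather than a surprise verification failure. The `Comment: BA54 73A2 …` line is free text that gpg ignores, so the fingerprint actually used should be confirmed with `gpg --show-keys --with-fingerprint openssl.keyring` and checked against the fingerprint upstream publishes, all the more because this hunk also drops every previously trusted key (Matt Caswell, Paul Dale, Tomáš Mráz and the security-team/OMC key), meaning tarballs signed by those keys can no longer be verified with this file — presumably intended if the package only tracks releases signed by the new key, but worth stating explicitly in the changes entry.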
@@ -1,929 +0,0 @@ -commit 0fbc50ef0cb8894973d4739af62e95be825b7ccf -Author: trigpolynom -Date: Tue Oct 17 22:44:45 2023 -0400 - - aes-gcm-avx512.pl: fix non-reproducibility issue - - Replace the random suffix with a counter, to make the - build reproducible. - - Fixes #20954 - - Reviewed-by: Richard Levitte - Reviewed-by: Matthias St. Pierre - Reviewed-by: Tom Cosgrove - Reviewed-by: Hugo Landau - (Merged from https://github.com/openssl/openssl/pull/22415) - -diff --git a/crypto/modes/asm/aes-gcm-avx512.pl b/crypto/modes/asm/aes-gcm-avx512.pl -index afd2af941a..9f9124373b 100644 ---- a/crypto/modes/asm/aes-gcm-avx512.pl -+++ b/crypto/modes/asm/aes-gcm-avx512.pl -@@ -155,6 +155,9 @@ my $STACK_LOCAL_OFFSET = ($STACK_HKEYS_OFFSET + $HKEYS_STORAGE); - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - my ($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9, $arg10, $arg11); - -+# ; Counter used for assembly label generation -+my $label_count = 0; -+ - # ; This implementation follows the convention: for non-leaf functions (they - # ; must call PROLOG) %rbp is used as a frame pointer, and has fixed offset from - # ; the function entry: $GP_STORAGE + [8 bytes alignment (Windows only)]. This -@@ -200,15 +203,6 @@ my $CTX_OFFSET_HTable = (16 * 6); # ; (Htable) Precomputed table (a - # ;;; Helper functions - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - --# ; Generates "random" local labels --sub random_string() { -- my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_'); -- my $length = 15; -- my $str; -- map { $str .= $chars[rand(33)] } 1 .. 
$length; -- return $str; --} -- - sub BYTE { - my ($reg) = @_; - if ($reg =~ /%r[abcd]x/i) { -@@ -417,7 +411,7 @@ ___ - sub EPILOG { - my ($hkeys_storage_on_stack, $payload_len) = @_; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - if ($hkeys_storage_on_stack && $CLEAR_HKEYS_STORAGE_ON_EXIT) { - -@@ -425,13 +419,13 @@ sub EPILOG { - # ; were stored in the local frame storage - $code .= <<___; - cmpq \$`16*16`,$payload_len -- jbe .Lskip_hkeys_cleanup_${rndsuffix} -+ jbe .Lskip_hkeys_cleanup_${label_suffix} - vpxor %xmm0,%xmm0,%xmm0 - ___ - for (my $i = 0; $i < int($HKEYS_STORAGE / 64); $i++) { - $code .= "vmovdqa64 %zmm0,`$STACK_HKEYS_OFFSET + 64*$i`(%rsp)\n"; - } -- $code .= ".Lskip_hkeys_cleanup_${rndsuffix}:\n"; -+ $code .= ".Lskip_hkeys_cleanup_${label_suffix}:\n"; - } - - if ($CLEAR_SCRATCH_REGISTERS) { -@@ -537,11 +531,11 @@ sub precompute_hkeys_on_stack { - && $HKEYS_RANGE ne "first32" - && $HKEYS_RANGE ne "last32"); - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - test $HKEYS_READY,$HKEYS_READY -- jnz .L_skip_hkeys_precomputation_${rndsuffix} -+ jnz .L_skip_hkeys_precomputation_${label_suffix} - ___ - - if ($HKEYS_RANGE eq "first16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "all") { -@@ -615,7 +609,7 @@ ___ - } - } - -- $code .= ".L_skip_hkeys_precomputation_${rndsuffix}:\n"; -+ $code .= ".L_skip_hkeys_precomputation_${label_suffix}:\n"; - } - - # ;; ============================================================================= -@@ -1418,20 +1412,20 @@ sub CALC_AAD_HASH { - - my $SHFMSK = $ZT13; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - mov $A_IN,$T1 # ; T1 = AAD - mov $A_LEN,$T2 # ; T2 = aadLen - or $T2,$T2 -- jz .L_CALC_AAD_done_${rndsuffix} -+ jz .L_CALC_AAD_done_${label_suffix} - - xor $HKEYS_READY,$HKEYS_READY - vmovdqa64 SHUF_MASK(%rip),$SHFMSK - --.L_get_AAD_loop48x16_${rndsuffix}: 
-+.L_get_AAD_loop48x16_${label_suffix}: - cmp \$`(48*16)`,$T2 -- jl .L_exit_AAD_loop48x16_${rndsuffix} -+ jl .L_exit_AAD_loop48x16_${label_suffix} - ___ - - $code .= <<___; -@@ -1499,15 +1493,15 @@ ___ - - $code .= <<___; - sub \$`(48*16)`,$T2 -- je .L_CALC_AAD_done_${rndsuffix} -+ je .L_CALC_AAD_done_${label_suffix} - - add \$`(48*16)`,$T1 -- jmp .L_get_AAD_loop48x16_${rndsuffix} -+ jmp .L_get_AAD_loop48x16_${label_suffix} - --.L_exit_AAD_loop48x16_${rndsuffix}: -+.L_exit_AAD_loop48x16_${label_suffix}: - # ; Less than 48x16 bytes remaining - cmp \$`(32*16)`,$T2 -- jl .L_less_than_32x16_${rndsuffix} -+ jl .L_less_than_32x16_${label_suffix} - ___ - - $code .= <<___; -@@ -1556,14 +1550,14 @@ ___ - - $code .= <<___; - sub \$`(32*16)`,$T2 -- je .L_CALC_AAD_done_${rndsuffix} -+ je .L_CALC_AAD_done_${label_suffix} - - add \$`(32*16)`,$T1 -- jmp .L_less_than_16x16_${rndsuffix} -+ jmp .L_less_than_16x16_${label_suffix} - --.L_less_than_32x16_${rndsuffix}: -+.L_less_than_32x16_${label_suffix}: - cmp \$`(16*16)`,$T2 -- jl .L_less_than_16x16_${rndsuffix} -+ jl .L_less_than_16x16_${label_suffix} - # ; Get next 16 blocks - vmovdqu64 `64*0`($T1),$ZT1 - vmovdqu64 `64*1`($T1),$ZT2 -@@ -1588,11 +1582,11 @@ ___ - - $code .= <<___; - sub \$`(16*16)`,$T2 -- je .L_CALC_AAD_done_${rndsuffix} -+ je .L_CALC_AAD_done_${label_suffix} - - add \$`(16*16)`,$T1 - # ; Less than 16x16 bytes remaining --.L_less_than_16x16_${rndsuffix}: -+.L_less_than_16x16_${label_suffix}: - # ;; prep mask source address - lea byte64_len_to_mask_table(%rip),$T3 - lea ($T3,$T2,8),$T3 -@@ -1601,28 +1595,28 @@ ___ - add \$15,@{[DWORD($T2)]} - shr \$4,@{[DWORD($T2)]} - cmp \$2,@{[DWORD($T2)]} -- jb .L_AAD_blocks_1_${rndsuffix} -- je .L_AAD_blocks_2_${rndsuffix} -+ jb .L_AAD_blocks_1_${label_suffix} -+ je .L_AAD_blocks_2_${label_suffix} - cmp \$4,@{[DWORD($T2)]} -- jb .L_AAD_blocks_3_${rndsuffix} -- je .L_AAD_blocks_4_${rndsuffix} -+ jb .L_AAD_blocks_3_${label_suffix} -+ je .L_AAD_blocks_4_${label_suffix} - cmp 
\$6,@{[DWORD($T2)]} -- jb .L_AAD_blocks_5_${rndsuffix} -- je .L_AAD_blocks_6_${rndsuffix} -+ jb .L_AAD_blocks_5_${label_suffix} -+ je .L_AAD_blocks_6_${label_suffix} - cmp \$8,@{[DWORD($T2)]} -- jb .L_AAD_blocks_7_${rndsuffix} -- je .L_AAD_blocks_8_${rndsuffix} -+ jb .L_AAD_blocks_7_${label_suffix} -+ je .L_AAD_blocks_8_${label_suffix} - cmp \$10,@{[DWORD($T2)]} -- jb .L_AAD_blocks_9_${rndsuffix} -- je .L_AAD_blocks_10_${rndsuffix} -+ jb .L_AAD_blocks_9_${label_suffix} -+ je .L_AAD_blocks_10_${label_suffix} - cmp \$12,@{[DWORD($T2)]} -- jb .L_AAD_blocks_11_${rndsuffix} -- je .L_AAD_blocks_12_${rndsuffix} -+ jb .L_AAD_blocks_11_${label_suffix} -+ je .L_AAD_blocks_12_${label_suffix} - cmp \$14,@{[DWORD($T2)]} -- jb .L_AAD_blocks_13_${rndsuffix} -- je .L_AAD_blocks_14_${rndsuffix} -+ jb .L_AAD_blocks_13_${label_suffix} -+ je .L_AAD_blocks_14_${label_suffix} - cmp \$15,@{[DWORD($T2)]} -- je .L_AAD_blocks_15_${rndsuffix} -+ je .L_AAD_blocks_15_${label_suffix} - ___ - - # ;; fall through for 16 blocks -@@ -1635,7 +1629,7 @@ ___ - # ;; - jump to reduction code - - for (my $aad_blocks = 16; $aad_blocks > 0; $aad_blocks--) { -- $code .= ".L_AAD_blocks_${aad_blocks}_${rndsuffix}:\n"; -+ $code .= ".L_AAD_blocks_${aad_blocks}_${label_suffix}:\n"; - if ($aad_blocks > 12) { - $code .= "sub \$`12*16*8`, $T3\n"; - } elsif ($aad_blocks > 8) { -@@ -1656,11 +1650,11 @@ ___ - if ($aad_blocks > 1) { - - # ;; fall through to CALC_AAD_done in 1 block case -- $code .= "jmp .L_CALC_AAD_done_${rndsuffix}\n"; -+ $code .= "jmp .L_CALC_AAD_done_${label_suffix}\n"; - } - - } -- $code .= ".L_CALC_AAD_done_${rndsuffix}:\n"; -+ $code .= ".L_CALC_AAD_done_${label_suffix}:\n"; - - # ;; result in AAD_HASH - } -@@ -1710,13 +1704,13 @@ sub PARTIAL_BLOCK { - my $IA1 = $GPTMP2; - my $IA2 = $GPTMP0; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - # ;; if no partial block present then LENGTH/DATA_OFFSET will be set to zero - mov ($PBLOCK_LEN),$LENGTH - or 
$LENGTH,$LENGTH -- je .L_partial_block_done_${rndsuffix} # ;Leave Macro if no partial blocks -+ je .L_partial_block_done_${label_suffix} # ;Leave Macro if no partial blocks - ___ - - &READ_SMALL_DATA_INPUT($XTMP0, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $IA0, $IA2, $MASKREG); -@@ -1755,9 +1749,9 @@ ___ - } - $code .= <<___; - sub \$16,$IA1 -- jge .L_no_extra_mask_${rndsuffix} -+ jge .L_no_extra_mask_${label_suffix} - sub $IA1,$IA0 --.L_no_extra_mask_${rndsuffix}: -+.L_no_extra_mask_${label_suffix}: - # ;; get the appropriate mask to mask out bottom $LENGTH bytes of $XTMP1 - # ;; - mask out bottom $LENGTH bytes of $XTMP1 - # ;; sizeof(SHIFT_MASK) == 16 bytes -@@ -1781,7 +1775,7 @@ ___ - } - $code .= <<___; - cmp \$0,$IA1 -- jl .L_partial_incomplete_${rndsuffix} -+ jl .L_partial_incomplete_${label_suffix} - ___ - - # ;; GHASH computation for the last <16 Byte block -@@ -1793,9 +1787,9 @@ ___ - mov $LENGTH,$IA0 - mov \$16,$LENGTH - sub $IA0,$LENGTH -- jmp .L_enc_dec_done_${rndsuffix} -+ jmp .L_enc_dec_done_${label_suffix} - --.L_partial_incomplete_${rndsuffix}: -+.L_partial_incomplete_${label_suffix}: - ___ - if ($win64) { - $code .= <<___; -@@ -1808,7 +1802,7 @@ ___ - $code .= <<___; - mov $PLAIN_CIPH_LEN,$LENGTH - --.L_enc_dec_done_${rndsuffix}: -+.L_enc_dec_done_${label_suffix}: - # ;; output encrypted Bytes - - lea byte_len_to_mask_table(%rip),$IA0 -@@ -1826,7 +1820,7 @@ ___ - $code .= <<___; - mov $CIPH_PLAIN_OUT,$IA0 - vmovdqu8 $XTMP1,($IA0){$MASKREG} --.L_partial_block_done_${rndsuffix}: -+.L_partial_block_done_${label_suffix}: - ___ - } - -@@ -2016,7 +2010,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH { - my $GM = $_[23]; # [in] ZMM with mid prodcut part - my $GL = $_[24]; # [in] ZMM with lo product part - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - # ;;; - Hash all but the last partial block of data -@@ -2034,7 +2028,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH { - # ;; NOTE: 
the 'jl' is always taken for num_initial_blocks = 16. - # ;; This is run in the context of GCM_ENC_DEC_SMALL for length < 256. - cmp \$16,$LENGTH -- jl .L_small_initial_partial_block_${rndsuffix} -+ jl .L_small_initial_partial_block_${label_suffix} - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - # ;;; Handle a full length final block - encrypt and hash all blocks -@@ -2056,11 +2050,11 @@ ___ - &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4, - $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $GH, $GM, $GL); - } -- $code .= "jmp .L_small_initial_compute_done_${rndsuffix}\n"; -+ $code .= "jmp .L_small_initial_compute_done_${label_suffix}\n"; - } - - $code .= <<___; --.L_small_initial_partial_block_${rndsuffix}: -+.L_small_initial_partial_block_${label_suffix}: - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - # ;;; Handle ghash for a <16B final block -@@ -2125,7 +2119,7 @@ ___ - # ;; a partial block of data, so xor that into the hash. - vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT - # ;; The result is in $HASH_IN_OUT -- jmp .L_after_reduction_${rndsuffix} -+ jmp .L_after_reduction_${label_suffix} - ___ - } - -@@ -2133,7 +2127,7 @@ ___ - # ;;; After GHASH reduction - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - -- $code .= ".L_small_initial_compute_done_${rndsuffix}:\n"; -+ $code .= ".L_small_initial_compute_done_${label_suffix}:\n"; - - # ;; If using init/update/finalize, we need to xor any partial block data - # ;; into the hash. 
-@@ -2144,13 +2138,13 @@ ___ - $code .= <<___; - # ;; NOTE: for $NUM_BLOCKS = 16, $LENGTH, stored in [PBlockLen] is never zero - or $LENGTH,$LENGTH -- je .L_after_reduction_${rndsuffix} -+ je .L_after_reduction_${label_suffix} - ___ - } - $code .= "vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT\n"; - } - -- $code .= ".L_after_reduction_${rndsuffix}:\n"; -+ $code .= ".L_after_reduction_${label_suffix}:\n"; - - # ;; Final hash is now in HASH_IN_OUT - } -@@ -2266,7 +2260,7 @@ sub GHASH_16_ENCRYPT_N_GHASH_N { - die "GHASH_16_ENCRYPT_N_GHASH_N: num_blocks is out of bounds = $NUM_BLOCKS\n" - if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0); - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - my $GH1H = $HASH_IN_OUT; - -@@ -2326,16 +2320,16 @@ ___ - - $code .= <<___; - cmp \$`(256 - $NUM_BLOCKS)`,@{[DWORD($CTR_CHECK)]} -- jae .L_16_blocks_overflow_${rndsuffix} -+ jae .L_16_blocks_overflow_${label_suffix} - ___ - - &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16( - $NUM_BLOCKS, "vpaddd", $B00_03, $B04_07, $B08_11, $B12_15, $CTR_BE, - $B00_03, $B04_07, $B08_11, $ADDBE_1234, $ADDBE_4x4, $ADDBE_4x4, $ADDBE_4x4); - $code .= <<___; -- jmp .L_16_blocks_ok_${rndsuffix} -+ jmp .L_16_blocks_ok_${label_suffix} - --.L_16_blocks_overflow_${rndsuffix}: -+.L_16_blocks_overflow_${label_suffix}: - vpshufb $SHFMSK,$CTR_BE,$CTR_BE - vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03 - ___ -@@ -2355,7 +2349,7 @@ ___ - $NUM_BLOCKS, "vpshufb", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03, - $B04_07, $B08_11, $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK); - $code .= <<___; --.L_16_blocks_ok_${rndsuffix}: -+.L_16_blocks_ok_${label_suffix}: - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - # ;; - pre-load constants -@@ -2805,53 +2799,53 @@ sub GCM_ENC_DEC_LAST { - my $MASKREG = $_[44]; # [clobbered] mask register - my $PBLOCK_LEN = $_[45]; # [in] partial block length - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - mov 
@{[DWORD($LENGTH)]},@{[DWORD($IA0)]} - add \$15,@{[DWORD($IA0)]} - shr \$4,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_0_${rndsuffix} -+ je .L_last_num_blocks_is_0_${label_suffix} - - cmp \$8,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_8_${rndsuffix} -- jb .L_last_num_blocks_is_7_1_${rndsuffix} -+ je .L_last_num_blocks_is_8_${label_suffix} -+ jb .L_last_num_blocks_is_7_1_${label_suffix} - - - cmp \$12,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_12_${rndsuffix} -- jb .L_last_num_blocks_is_11_9_${rndsuffix} -+ je .L_last_num_blocks_is_12_${label_suffix} -+ jb .L_last_num_blocks_is_11_9_${label_suffix} - - # ;; 16, 15, 14 or 13 - cmp \$15,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_15_${rndsuffix} -- ja .L_last_num_blocks_is_16_${rndsuffix} -+ je .L_last_num_blocks_is_15_${label_suffix} -+ ja .L_last_num_blocks_is_16_${label_suffix} - cmp \$14,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_14_${rndsuffix} -- jmp .L_last_num_blocks_is_13_${rndsuffix} -+ je .L_last_num_blocks_is_14_${label_suffix} -+ jmp .L_last_num_blocks_is_13_${label_suffix} - --.L_last_num_blocks_is_11_9_${rndsuffix}: -+.L_last_num_blocks_is_11_9_${label_suffix}: - # ;; 11, 10 or 9 - cmp \$10,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_10_${rndsuffix} -- ja .L_last_num_blocks_is_11_${rndsuffix} -- jmp .L_last_num_blocks_is_9_${rndsuffix} -+ je .L_last_num_blocks_is_10_${label_suffix} -+ ja .L_last_num_blocks_is_11_${label_suffix} -+ jmp .L_last_num_blocks_is_9_${label_suffix} - --.L_last_num_blocks_is_7_1_${rndsuffix}: -+.L_last_num_blocks_is_7_1_${label_suffix}: - cmp \$4,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_4_${rndsuffix} -- jb .L_last_num_blocks_is_3_1_${rndsuffix} -+ je .L_last_num_blocks_is_4_${label_suffix} -+ jb .L_last_num_blocks_is_3_1_${label_suffix} - # ;; 7, 6 or 5 - cmp \$6,@{[DWORD($IA0)]} -- ja .L_last_num_blocks_is_7_${rndsuffix} -- je .L_last_num_blocks_is_6_${rndsuffix} -- jmp .L_last_num_blocks_is_5_${rndsuffix} -+ ja .L_last_num_blocks_is_7_${label_suffix} -+ je 
.L_last_num_blocks_is_6_${label_suffix} -+ jmp .L_last_num_blocks_is_5_${label_suffix} - --.L_last_num_blocks_is_3_1_${rndsuffix}: -+.L_last_num_blocks_is_3_1_${label_suffix}: - # ;; 3, 2 or 1 - cmp \$2,@{[DWORD($IA0)]} -- ja .L_last_num_blocks_is_3_${rndsuffix} -- je .L_last_num_blocks_is_2_${rndsuffix} -+ ja .L_last_num_blocks_is_3_${label_suffix} -+ je .L_last_num_blocks_is_2_${label_suffix} - ___ - - # ;; fall through for `jmp .L_last_num_blocks_is_1` -@@ -2859,7 +2853,7 @@ ___ - # ;; Use rep to generate different block size variants - # ;; - one block size has to be the first one - for my $num_blocks (1 .. 16) { -- $code .= ".L_last_num_blocks_is_${num_blocks}_${rndsuffix}:\n"; -+ $code .= ".L_last_num_blocks_is_${num_blocks}_${label_suffix}:\n"; - &GHASH_16_ENCRYPT_N_GHASH_N( - $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, - $LENGTH, $CTR_BE, $CTR_CHECK, $HASHKEY_OFFSET, $GHASHIN_BLK_OFFSET, -@@ -2872,10 +2866,10 @@ ___ - $ENC_DEC, $HASH_IN_OUT, $IA0, $IA1, $MASKREG, - $num_blocks, $PBLOCK_LEN); - -- $code .= "jmp .L_last_blocks_done_${rndsuffix}\n"; -+ $code .= "jmp .L_last_blocks_done_${label_suffix}\n"; - } - -- $code .= ".L_last_num_blocks_is_0_${rndsuffix}:\n"; -+ $code .= ".L_last_num_blocks_is_0_${label_suffix}:\n"; - - # ;; if there is 0 blocks to cipher then there are only 16 blocks for ghash and reduction - # ;; - convert mid into end_reduce -@@ -2891,7 +2885,7 @@ ___ - $GHASHIN_BLK_OFFSET, 0, "%rsp", $HASHKEY_OFFSET, 0, $HASH_IN_OUT, $ZT00, $ZT01, - $ZT02, $ZT03, $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, $ZT09); - -- $code .= ".L_last_blocks_done_${rndsuffix}:\n"; -+ $code .= ".L_last_blocks_done_${label_suffix}:\n"; - } - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -@@ -2985,20 +2979,20 @@ sub GHASH_16_ENCRYPT_16_PARALLEL { - my $GHDAT1 = $ZT21; - my $GHDAT2 = $ZT22; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - # 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - # ;; prepare counter blocks - - $code .= <<___; - cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]} -- jae .L_16_blocks_overflow_${rndsuffix} -+ jae .L_16_blocks_overflow_${label_suffix} - vpaddd $ADDBE_1234,$CTR_BE,$B00_03 - vpaddd $ADDBE_4x4,$B00_03,$B04_07 - vpaddd $ADDBE_4x4,$B04_07,$B08_11 - vpaddd $ADDBE_4x4,$B08_11,$B12_15 -- jmp .L_16_blocks_ok_${rndsuffix} --.L_16_blocks_overflow_${rndsuffix}: -+ jmp .L_16_blocks_ok_${label_suffix} -+.L_16_blocks_overflow_${label_suffix}: - vpshufb $SHFMSK,$CTR_BE,$CTR_BE - vmovdqa64 ddq_add_4444(%rip),$B12_15 - vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03 -@@ -3009,7 +3003,7 @@ sub GHASH_16_ENCRYPT_16_PARALLEL { - vpshufb $SHFMSK,$B04_07,$B04_07 - vpshufb $SHFMSK,$B08_11,$B08_11 - vpshufb $SHFMSK,$B12_15,$B12_15 --.L_16_blocks_ok_${rndsuffix}: -+.L_16_blocks_ok_${label_suffix}: - ___ - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -@@ -3338,25 +3332,25 @@ sub ENCRYPT_SINGLE_BLOCK { - my $XMM0 = $_[1]; # ; [in/out] - my $GPR1 = $_[2]; # ; [clobbered] - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - # ; load number of rounds from AES_KEY structure (offset in bytes is - # ; size of the |rd_key| buffer) - mov `4*15*4`($AES_KEY),@{[DWORD($GPR1)]} - cmp \$9,@{[DWORD($GPR1)]} -- je .Laes_128_${rndsuffix} -+ je .Laes_128_${label_suffix} - cmp \$11,@{[DWORD($GPR1)]} -- je .Laes_192_${rndsuffix} -+ je .Laes_192_${label_suffix} - cmp \$13,@{[DWORD($GPR1)]} -- je .Laes_256_${rndsuffix} -- jmp .Lexit_aes_${rndsuffix} -+ je .Laes_256_${label_suffix} -+ jmp .Lexit_aes_${label_suffix} - ___ - for my $keylen (sort keys %aes_rounds) { - my $nr = $aes_rounds{$keylen}; - $code .= <<___; - .align 32 --.Laes_${keylen}_${rndsuffix}: -+.Laes_${keylen}_${label_suffix}: - ___ - $code .= "vpxorq `16*0`($AES_KEY),$XMM0, $XMM0\n\n"; - for (my $i = 1; $i <= $nr; $i++) { -@@ -3364,10 +3358,10 @@ ___ - } - $code .= <<___; - vaesenclast 
`16*($nr+1)`($AES_KEY),$XMM0,$XMM0 -- jmp .Lexit_aes_${rndsuffix} -+ jmp .Lexit_aes_${label_suffix} - ___ - } -- $code .= ".Lexit_aes_${rndsuffix}:\n\n"; -+ $code .= ".Lexit_aes_${label_suffix}:\n\n"; - } - - sub CALC_J0 { -@@ -3562,52 +3556,52 @@ sub GCM_ENC_DEC_SMALL { - my $SHUFMASK = $_[29]; # [in] ZMM with BE/LE shuffle mask - my $PBLOCK_LEN = $_[30]; # [in] partial block length - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - cmp \$8,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_8_${rndsuffix} -- jl .L_small_initial_num_blocks_is_7_1_${rndsuffix} -+ je .L_small_initial_num_blocks_is_8_${label_suffix} -+ jl .L_small_initial_num_blocks_is_7_1_${label_suffix} - - - cmp \$12,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_12_${rndsuffix} -- jl .L_small_initial_num_blocks_is_11_9_${rndsuffix} -+ je .L_small_initial_num_blocks_is_12_${label_suffix} -+ jl .L_small_initial_num_blocks_is_11_9_${label_suffix} - - # ;; 16, 15, 14 or 13 - cmp \$16,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_16_${rndsuffix} -+ je .L_small_initial_num_blocks_is_16_${label_suffix} - cmp \$15,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_15_${rndsuffix} -+ je .L_small_initial_num_blocks_is_15_${label_suffix} - cmp \$14,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_14_${rndsuffix} -- jmp .L_small_initial_num_blocks_is_13_${rndsuffix} -+ je .L_small_initial_num_blocks_is_14_${label_suffix} -+ jmp .L_small_initial_num_blocks_is_13_${label_suffix} - --.L_small_initial_num_blocks_is_11_9_${rndsuffix}: -+.L_small_initial_num_blocks_is_11_9_${label_suffix}: - # ;; 11, 10 or 9 - cmp \$11,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_11_${rndsuffix} -+ je .L_small_initial_num_blocks_is_11_${label_suffix} - cmp \$10,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_10_${rndsuffix} -- jmp .L_small_initial_num_blocks_is_9_${rndsuffix} -+ je .L_small_initial_num_blocks_is_10_${label_suffix} -+ jmp 
.L_small_initial_num_blocks_is_9_${label_suffix} - --.L_small_initial_num_blocks_is_7_1_${rndsuffix}: -+.L_small_initial_num_blocks_is_7_1_${label_suffix}: - cmp \$4,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_4_${rndsuffix} -- jl .L_small_initial_num_blocks_is_3_1_${rndsuffix} -+ je .L_small_initial_num_blocks_is_4_${label_suffix} -+ jl .L_small_initial_num_blocks_is_3_1_${label_suffix} - # ;; 7, 6 or 5 - cmp \$7,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_7_${rndsuffix} -+ je .L_small_initial_num_blocks_is_7_${label_suffix} - cmp \$6,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_6_${rndsuffix} -- jmp .L_small_initial_num_blocks_is_5_${rndsuffix} -+ je .L_small_initial_num_blocks_is_6_${label_suffix} -+ jmp .L_small_initial_num_blocks_is_5_${label_suffix} - --.L_small_initial_num_blocks_is_3_1_${rndsuffix}: -+.L_small_initial_num_blocks_is_3_1_${label_suffix}: - # ;; 3, 2 or 1 - cmp \$3,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_3_${rndsuffix} -+ je .L_small_initial_num_blocks_is_3_${label_suffix} - cmp \$2,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_2_${rndsuffix} -+ je .L_small_initial_num_blocks_is_2_${label_suffix} - - # ;; for $NUM_BLOCKS == 1, just fall through and no 'jmp' needed - -@@ -3616,7 +3610,7 @@ sub GCM_ENC_DEC_SMALL { - ___ - - for (my $num_blocks = 1; $num_blocks <= 16; $num_blocks++) { -- $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${rndsuffix}:\n"; -+ $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${label_suffix}:\n"; - &INITIAL_BLOCKS_PARTIAL( - $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $LENGTH, $DATA_OFFSET, - $num_blocks, $CTR, $HASH_IN_OUT, $ENC_DEC, $ZTMP0, $ZTMP1, -@@ -3625,11 +3619,11 @@ ___ - $ZTMP14, $IA0, $IA1, $MASKREG, $SHUFMASK, $PBLOCK_LEN); - - if ($num_blocks != 16) { -- $code .= "jmp .L_small_initial_blocks_encrypted_${rndsuffix}\n"; -+ $code .= "jmp .L_small_initial_blocks_encrypted_${label_suffix}\n"; - } - } - -- $code .= 
".L_small_initial_blocks_encrypted_${rndsuffix}:\n"; -+ $code .= ".L_small_initial_blocks_encrypted_${label_suffix}:\n"; - } - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -@@ -3710,7 +3704,7 @@ sub GCM_ENC_DEC { - - my $MASKREG = "%k1"; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - # ;; reduction every 48 blocks, depth 32 blocks - # ;; @note 48 blocks is the maximum capacity of the stack frame -@@ -3751,7 +3745,7 @@ sub GCM_ENC_DEC { - } else { - $code .= "or $PLAIN_CIPH_LEN,$PLAIN_CIPH_LEN\n"; - } -- $code .= "je .L_enc_dec_done_${rndsuffix}\n"; -+ $code .= "je .L_enc_dec_done_${label_suffix}\n"; - - # Length value from context $CTX_OFFSET_InLen`($GCM128_CTX) is updated in - # 'providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc' -@@ -3778,12 +3772,12 @@ sub GCM_ENC_DEC { - # ;; There may be no more data if it was consumed in the partial block. - $code .= <<___; - sub $DATA_OFFSET,$LENGTH -- je .L_enc_dec_done_${rndsuffix} -+ je .L_enc_dec_done_${label_suffix} - ___ - - $code .= <<___; - cmp \$`(16 * 16)`,$LENGTH -- jbe .L_message_below_equal_16_blocks_${rndsuffix} -+ jbe .L_message_below_equal_16_blocks_${label_suffix} - - vmovdqa64 SHUF_MASK(%rip),$SHUF_MASK - vmovdqa64 ddq_addbe_4444(%rip),$ADDBE_4x4 -@@ -3815,7 +3809,7 @@ ___ - - $code .= <<___; - cmp \$`(32 * 16)`,$LENGTH -- jb .L_message_below_32_blocks_${rndsuffix} -+ jb .L_message_below_32_blocks_${label_suffix} - ___ - - # ;; ==== AES-CTR - next 16 blocks -@@ -3836,13 +3830,13 @@ ___ - sub \$`(32 * 16)`,$LENGTH - - cmp \$`($big_loop_nblocks * 16)`,$LENGTH -- jb .L_no_more_big_nblocks_${rndsuffix} -+ jb .L_no_more_big_nblocks_${label_suffix} - ___ - - # ;; ==== - # ;; ==== AES-CTR + GHASH - 48 blocks loop - # ;; ==== -- $code .= ".L_encrypt_big_nblocks_${rndsuffix}:\n"; -+ $code .= ".L_encrypt_big_nblocks_${label_suffix}:\n"; - - # ;; ==== AES-CTR + GHASH - 16 blocks, start - $aesout_offset = 
($STACK_LOCAL_OFFSET + (32 * 16)); -@@ -3893,15 +3887,15 @@ ___ - add \$`($big_loop_nblocks * 16)`,$DATA_OFFSET - sub \$`($big_loop_nblocks * 16)`,$LENGTH - cmp \$`($big_loop_nblocks * 16)`,$LENGTH -- jae .L_encrypt_big_nblocks_${rndsuffix} -+ jae .L_encrypt_big_nblocks_${label_suffix} - --.L_no_more_big_nblocks_${rndsuffix}: -+.L_no_more_big_nblocks_${label_suffix}: - - cmp \$`(32 * 16)`,$LENGTH -- jae .L_encrypt_32_blocks_${rndsuffix} -+ jae .L_encrypt_32_blocks_${label_suffix} - - cmp \$`(16 * 16)`,$LENGTH -- jae .L_encrypt_16_blocks_${rndsuffix} -+ jae .L_encrypt_16_blocks_${label_suffix} - ___ - - # ;; ===================================================== -@@ -3909,7 +3903,7 @@ ___ - # ;; ==== GHASH 1 x 16 blocks - # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks - # ;; ==== then GHASH N blocks -- $code .= ".L_encrypt_0_blocks_ghash_32_${rndsuffix}:\n"; -+ $code .= ".L_encrypt_0_blocks_ghash_32_${label_suffix}:\n"; - - # ;; calculate offset to the right hash key - $code .= <<___; -@@ -3937,7 +3931,7 @@ ___ - $IA0, $IA5, $MASKREG, $PBLOCK_LEN); - - $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; -- $code .= "jmp .L_ghash_done_${rndsuffix}\n"; -+ $code .= "jmp .L_ghash_done_${label_suffix}\n"; - - # ;; ===================================================== - # ;; ===================================================== -@@ -3946,7 +3940,7 @@ ___ - # ;; ==== GHASH 1 x 16 blocks (reduction) - # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks - # ;; ==== then GHASH N blocks -- $code .= ".L_encrypt_32_blocks_${rndsuffix}:\n"; -+ $code .= ".L_encrypt_32_blocks_${label_suffix}:\n"; - - # ;; ==== AES-CTR + GHASH - 16 blocks, start - $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16)); -@@ -4007,7 +4001,7 @@ ___ - $IA0, $IA5, $MASKREG, $PBLOCK_LEN); - - $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; -- $code .= "jmp .L_ghash_done_${rndsuffix}\n"; -+ $code .= "jmp .L_ghash_done_${label_suffix}\n"; - - # ;; 
===================================================== - # ;; ===================================================== -@@ -4015,7 +4009,7 @@ ___ - # ;; ==== GHASH 1 x 16 blocks - # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks - # ;; ==== then GHASH N blocks -- $code .= ".L_encrypt_16_blocks_${rndsuffix}:\n"; -+ $code .= ".L_encrypt_16_blocks_${label_suffix}:\n"; - - # ;; ==== AES-CTR + GHASH - 16 blocks, start - $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16)); -@@ -4059,9 +4053,9 @@ ___ - - $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; - $code .= <<___; -- jmp .L_ghash_done_${rndsuffix} -+ jmp .L_ghash_done_${label_suffix} - --.L_message_below_32_blocks_${rndsuffix}: -+.L_message_below_32_blocks_${label_suffix}: - # ;; 32 > number of blocks > 16 - - sub \$`(16 * 16)`,$LENGTH -@@ -4094,9 +4088,9 @@ ___ - - $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; - $code .= <<___; -- jmp .L_ghash_done_${rndsuffix} -+ jmp .L_ghash_done_${label_suffix} - --.L_message_below_equal_16_blocks_${rndsuffix}: -+.L_message_below_equal_16_blocks_${label_suffix}: - # ;; Determine how many blocks to process - # ;; - process one additional block if there is a partial block - mov @{[DWORD($LENGTH)]},@{[DWORD($IA1)]} -@@ -4113,13 +4107,13 @@ ___ - - # ;; fall through to exit - -- $code .= ".L_ghash_done_${rndsuffix}:\n"; -+ $code .= ".L_ghash_done_${label_suffix}:\n"; - - # ;; save the last counter block - $code .= "vmovdqu64 $CTR_BLOCKx,`$CTX_OFFSET_CurCount`($GCM128_CTX)\n"; - $code .= <<___; - vmovdqu64 $AAD_HASHx,`$CTX_OFFSET_AadHash`($GCM128_CTX) --.L_enc_dec_done_${rndsuffix}: -+.L_enc_dec_done_${label_suffix}: - ___ - } - -@@ -4155,7 +4149,7 @@ sub INITIAL_BLOCKS_16 { - my $B08_11 = $T7; - my $B12_15 = $T8; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - my $stack_offset = $BLK_OFFSET; - $code .= <<___; -@@ -4163,13 +4157,13 @@ sub INITIAL_BLOCKS_16 { - # ;; prepare counter blocks - - cmpb 
\$`(256 - 16)`,@{[BYTE($CTR_CHECK)]} -- jae .L_next_16_overflow_${rndsuffix} -+ jae .L_next_16_overflow_${label_suffix} - vpaddd $ADDBE_1234,$CTR,$B00_03 - vpaddd $ADDBE_4x4,$B00_03,$B04_07 - vpaddd $ADDBE_4x4,$B04_07,$B08_11 - vpaddd $ADDBE_4x4,$B08_11,$B12_15 -- jmp .L_next_16_ok_${rndsuffix} --.L_next_16_overflow_${rndsuffix}: -+ jmp .L_next_16_ok_${label_suffix} -+.L_next_16_overflow_${label_suffix}: - vpshufb $SHUF_MASK,$CTR,$CTR - vmovdqa64 ddq_add_4444(%rip),$B12_15 - vpaddd ddq_add_1234(%rip),$CTR,$B00_03 -@@ -4180,7 +4174,7 @@ sub INITIAL_BLOCKS_16 { - vpshufb $SHUF_MASK,$B04_07,$B04_07 - vpshufb $SHUF_MASK,$B08_11,$B08_11 - vpshufb $SHUF_MASK,$B12_15,$B12_15 --.L_next_16_ok_${rndsuffix}: -+.L_next_16_ok_${label_suffix}: - vshufi64x2 \$0b11111111,$B12_15,$B12_15,$CTR - addb \$16,@{[BYTE($CTR_CHECK)]} - # ;; === load 16 blocks of data -@@ -4264,7 +4258,7 @@ sub GCM_COMPLETE { - my $GCM128_CTX = $_[0]; - my $PBLOCK_LEN = $_[1]; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - vmovdqu @{[HashKeyByIdx(1,$GCM128_CTX)]},%xmm2 -@@ -4276,14 +4270,14 @@ ___ - - # ;; Process the final partial block. - cmp \$0,$PBLOCK_LEN -- je .L_partial_done_${rndsuffix} -+ je .L_partial_done_${label_suffix} - ___ - - # ;GHASH computation for the last <16 Byte block - &GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17"); - - $code .= <<___; --.L_partial_done_${rndsuffix}: -+.L_partial_done_${label_suffix}: - vmovq `$CTX_OFFSET_InLen`($GCM128_CTX), %xmm5 - vpinsrq \$1, `$CTX_OFFSET_AadLen`($GCM128_CTX), %xmm5, %xmm5 # ; xmm5 = len(A)||len(C) - vpsllq \$3, %xmm5, %xmm5 # ; convert bytes into bits -@@ -4297,7 +4291,7 @@ ___ - vpshufb SHUF_MASK(%rip),%xmm4,%xmm4 # ; perform a 16Byte swap - vpxor %xmm4,%xmm3,%xmm3 - --.L_return_T_${rndsuffix}: -+.L_return_T_${label_suffix}: - vmovdqu %xmm3,`$CTX_OFFSET_AadHash`($GCM128_CTX) - ___ - }