pkgs/raven
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

openssl3: import latest rhel fixes

Browse Source
This commit is contained in:
Raven 2025-02-27 10:12:52 +06:00
parent cc1a0a9ef2
commit 79e1ba992f
49 changed files with 6946 additions and 1427 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
base/openssl3/0003-Do-not-install-html-docs.patch
View File

@ -1,15 +1,19 @@
From 3d5755df8d09ca841c0aca2d7344db060f6cc97f Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:05:55 +0200
Subject: Do not install html docs
From a3e7963320ba44e96a60b389fccb8e1cccc30674 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 19 Oct 2023 13:12:39 +0200
Subject: [PATCH 03/46] 0003-Do-not-install-html-docs.patch
(was openssl-1.1.1-no-html.patch)
Patch-name: 0003-Do-not-install-html-docs.patch
Patch-id: 3
Patch-status: |
# # Do not install html docs
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
---
Configurations/unix-Makefile.tmpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 342e46d24d..9f369edf0e 100644
index a48fae5fb8..56b42926e7 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime
@ -22,5 +26,5 @@ index 342e46d24d..9f369edf0e 100644
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
$(RM) -r "$(DESTDIR)$(DOCDIR)"
--
2.26.2
2.41.0

20
base/openssl3/0004-Override-default-paths-for-the-CA-directory-tree.patch
View File

@ -1,14 +1,14 @@
From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:17:26 +0200
Subject: Override default paths for the CA directory tree
From 7a65ee33793fa8a28c0dfc94e6872ce92f408b15 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:27 +0200
Subject: [PATCH 04/35]
0004-Override-default-paths-for-the-CA-directory-tree.patch
Also add default section to load crypto-policies configuration
for TLS.
It needs to be reverted before running tests.
(was openssl-1.1.1-conf-paths.patch)
Patch-name: 0004-Override-default-paths-for-the-CA-directory-tree.patch
Patch-id: 4
Patch-status: |
# Override default paths for the CA directory tree
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
apps/CA.pl.in | 2 +-
apps/openssl.cnf | 20 ++++++++++++++++++--

90
base/openssl3/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
View File

@ -1,9 +1,14 @@
From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 10:16:46 +0200
Subject: Add support for PROFILE=SYSTEM system default cipherlist
From 8be4ef77c64fcada41041c00e02c34b07658ba66 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 07/49]
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
(was openssl-1.1.1-system-cipherlist.patch)
Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch-id: 7
Patch-status: |
# # Add support for PROFILE=SYSTEM system default cipherlist
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
Configurations/unix-Makefile.tmpl | 5 ++
Configure | 11 +++-
@ -15,7 +20,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
7 files changed, 109 insertions(+), 13 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 9f369edf0e..c52389f831 100644
index 5d61ce9550..e9fba957f1 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man
@ -81,7 +86,7 @@ index cca1ac8d16..2ae1cd0bc2 100755
{
$banner = $1 . "\n";
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
index b4ed3e51d5..2122e6bdfd 100644
index d4df30686f..cec4835268 100644
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
@ -91,7 +96,7 @@ index b4ed3e51d5..2122e6bdfd 100644
+=item B<PROFILE=SYSTEM>
+
+The list of enabled cipher suites will be loaded from the system crypto policy
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
+configuration file B</etc/crypto-policies/back-ends/opensslcnf.config>.
+See also L<update-crypto-policies(8)>.
+This is the default behavior unless an application explicitly sets a cipher
+list. If used in a cipher list configuration value this string must be at the
@ -101,7 +106,7 @@ index b4ed3e51d5..2122e6bdfd 100644
"High" encryption cipher suites. This currently means those with key lengths
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index f9a61609e4..c6f95fed3f 100644
index 9f91039f8a..fc34d4ca61 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -209,6 +209,11 @@ extern "C" {
@ -117,17 +122,16 @@ index f9a61609e4..c6f95fed3f 100644
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index b1d3f7919e..f7cc7fed48 100644
index 8360991ce4..33c23efb0d 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
@@ -1455,6 +1455,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
return ret;
}
+#ifdef SYSTEM_CIPHERS_FILE
+static char *load_system_str(const char *suffix)
+{
+ FILE *fp;
+ char buf[1024];
+ char *new_rules;
+ const char *ciphers_path;
@ -135,29 +139,26 @@ index b1d3f7919e..f7cc7fed48 100644
+
+ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
+ ciphers_path = SYSTEM_CIPHERS_FILE;
+ fp = fopen(ciphers_path, "r");
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
+ /* cannot open or file is empty */
+ ERR_set_mark();
+ if (access(ciphers_path, R_OK) == 0) {
+ CONF *conf = NCONF_new_ex(NULL, NCONF_default());
+ char *value = NULL;
+
+ if (NCONF_load(conf, ciphers_path, NULL) > 0)
+ value = NCONF_get_string(conf, "global", "CipherString");
+
+ snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST);
+
+ NCONF_free(conf);
+ } else {
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
+ }
+
+ if (fp)
+ fclose(fp);
+
+ ERR_pop_to_mark();
+ slen = strlen(suffix);
+ len = strlen(buf);
+
+ if (buf[len - 1] == '\n') {
+ len--;
+ buf[len] = 0;
+ }
+ if (buf[len - 1] == '\r') {
+ len--;
+ buf[len] = 0;
+ }
+
+ new_rules = OPENSSL_malloc(len + slen + 1);
+ if (new_rules == 0)
+ new_rules = OPENSSL_zalloc(len + slen + 1);
+ if (new_rules == NULL)
+ return NULL;
+
+ memcpy(new_rules, buf, len);
@ -174,7 +175,7 @@ index b1d3f7919e..f7cc7fed48 100644
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1425,15 +1472,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1469,15 +1516,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method;
@ -182,7 +183,7 @@ index b1d3f7919e..f7cc7fed48 100644
+ char *new_rules = NULL;
+
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
+ char *p = rule_str + 14;
+ const char *p = rule_str + 14;
+
+ new_rules = load_system_str(p);
+ rule_str = new_rules;
@ -211,7 +212,7 @@ index b1d3f7919e..f7cc7fed48 100644
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1522,8 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1565,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -221,16 +222,17 @@ index b1d3f7919e..f7cc7fed48 100644
}
/*
@@ -1611,7 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1611,8 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
OPENSSL_free(co_list);
- OPENSSL_free(co_list);
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1596,8 +1651,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1637,8 +1693,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */
@ -240,7 +242,7 @@ index b1d3f7919e..f7cc7fed48 100644
}
/*
@@ -1605,10 +1659,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1646,10 +1701,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -256,7 +258,7 @@ index b1d3f7919e..f7cc7fed48 100644
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1701,6 +1759,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
*cipher_list = cipherstack;
return cipherstack;
@ -272,10 +274,10 @@ index b1d3f7919e..f7cc7fed48 100644
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d14d5819ba..48d491219a 100644
index cf59d2dfa5..1329841aaf 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
@@ -700,7 +700,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
@ -284,7 +286,7 @@ index d14d5819ba..48d491219a 100644
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
@@ -3193,7 +3193,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
@@ -3966,7 +3966,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
@ -294,10 +296,10 @@ index d14d5819ba..48d491219a 100644
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err;
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
index 380f0727fc..6922a87c30 100644
index c46e431b00..19d05e860b 100644
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@@ -244,7 +244,9 @@ end:
@@ -261,7 +261,9 @@ end:
int setup_tests(void)
{
@ -308,5 +310,5 @@ index 380f0727fc..6922a87c30 100644
ADD_TEST(test_default_cipherlist_clear);
ADD_TEST(test_stdname_cipherlist);
--
2.26.2
2.44.0

40
base/openssl3/0008-Add-FIPS_mode-compatibility-macro.patch
View File

@ -1,20 +1,22 @@
From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 26 Nov 2020 14:00:16 +0100
Subject: Add FIPS_mode() compatibility macro
From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:27 +0200
Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
The macro calls EVP_default_properties_is_fips_enabled() on the
default context.
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-id: 8
Patch-status: |
# Add FIPS_mode() compatibility macro
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
include/openssl/crypto.h.in | 1 +
include/openssl/fips.h | 25 +++++++++++++++++++++++++
test/property_test.c | 13 +++++++++++++
3 files changed, 39 insertions(+)
include/openssl/fips.h | 26 ++++++++++++++++++++++++++
test/property_test.c | 14 ++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 include/openssl/fips.h
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
new file mode 100644
index 0000000000..c64f0f8e8f
index 0000000000..4162cbf88e
--- /dev/null
+++ b/include/openssl/fips.h
@@ -0,0 +1,26 @@
@ -44,13 +46,14 @@ index 0000000000..c64f0f8e8f
+}
+# endif
+#endif
diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c
--- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200
+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200
@@ -488,6 +488,19 @@ static int test_property_list_to_string(
diff --git a/test/property_test.c b/test/property_test.c
index 45b1db3e85..8894c1c1cb 100644
--- a/test/property_test.c
+++ b/test/property_test.c
@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i)
return ret;
}
+#include <openssl/fips.h>
+static int test_downstream_FIPS_mode(void)
+{
@ -67,7 +70,7 @@ diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1
int setup_tests(void)
{
ADD_TEST(test_property_string);
@@ -500,6 +512,7 @@ int setup_tests(void)
@@ -690,6 +703,7 @@ int setup_tests(void)
ADD_TEST(test_property);
ADD_TEST(test_query_cache_stochastic);
ADD_TEST(test_fips_mode);
@ -75,3 +78,6 @@ diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
return 1;
}
--
2.41.0

63
base/openssl3/0012-Disable-explicit-ec.patch
View File

@ -1,7 +1,27 @@
diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_asn1.c
--- openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec 2022-03-22 13:10:45.718077845 +0100
+++ openssl-3.0.1/crypto/ec/ec_asn1.c 2022-03-22 13:12:46.626599016 +0100
@@ -895,6 +895,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **
From 91bdd9b816b22bc1464ec323f3272b866b24114d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 12/35] 0012-Disable-explicit-ec.patch
Patch-name: 0012-Disable-explicit-ec.patch
Patch-id: 12
Patch-status: |
# Disable explicit EC curves
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/ec/ec_asn1.c | 11 ++++++++++
crypto/ec/ec_lib.c | 6 +++++
test/ectest.c | 22 ++++++++++---------
test/endecode_test.c | 20 ++++++++---------
.../30-test_evp_data/evppkey_ecdsa.txt | 12 ----------
5 files changed, 39 insertions(+), 32 deletions(-)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 7a0b35a594..d19d57344e 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -905,6 +905,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
group->decoded_from_explicit_params = 1;
@ -14,7 +34,7 @@ diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/cry
if (a) {
EC_GROUP_free(*a);
*a = group;
@@ -954,6 +959,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
@@ -964,6 +970,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
goto err;
}
@ -114,10 +134,11 @@ index 4890b0555e..e11aec5b3b 100644
ret = 1;
err:
diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/test/endecode_test.c
--- openssl-3.0.1/test/endecode_test.c.disable_explicit_ec 2022-03-21 16:55:46.005558779 +0100
+++ openssl-3.0.1/test/endecode_test.c 2022-03-21 16:56:12.636792762 +0100
@@ -57,7 +57,7 @@ static BN_CTX *bnctx = NULL;
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 14648287eb..9a437d8c64 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -62,7 +62,7 @@ static BN_CTX *bnctx = NULL;
static OSSL_PARAM_BLD *bld_prime_nc = NULL;
static OSSL_PARAM_BLD *bld_prime = NULL;
static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;
@ -126,7 +147,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
static OSSL_PARAM_BLD *bld_tri_nc = NULL;
@@ -990,9 +990,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
@@ -1009,9 +1009,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
@ -139,7 +160,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
DOMAIN_KEYS(ECExplicitTriNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
@@ -1318,7 +1318,7 @@ int setup_tests(void)
@@ -1352,7 +1352,7 @@ int setup_tests(void)
|| !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
|| !create_ec_explicit_prime_params(bld_prime)
|| !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
@ -148,7 +169,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
|| !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
|| !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
@@ -1346,7 +1346,7 @@ int setup_tests(void)
@@ -1380,7 +1380,7 @@ int setup_tests(void)
TEST_info("Generating EC keys...");
MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
@ -157,7 +178,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
@@ -1389,8 +1389,8 @@ int setup_tests(void)
@@ -1423,8 +1423,8 @@ int setup_tests(void)
ADD_TEST_SUITE_LEGACY(EC);
ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
@ -168,7 +189,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
ADD_TEST_SUITE(ECExplicitTriNamedCurve);
ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
@@ -1427,7 +1427,7 @@ void cleanup_tests(void)
@@ -1461,7 +1461,7 @@ void cleanup_tests(void)
{
#ifndef OPENSSL_NO_EC
OSSL_PARAM_free(ec_explicit_prime_params_nc);
@ -177,7 +198,7 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
OSSL_PARAM_BLD_free(bld_prime_nc);
OSSL_PARAM_BLD_free(bld_prime);
# ifndef OPENSSL_NO_EC2M
@@ -1449,7 +1449,7 @@ void cleanup_tests(void)
@@ -1483,7 +1483,7 @@ void cleanup_tests(void)
#ifndef OPENSSL_NO_EC
FREE_DOMAIN_KEYS(EC);
FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
@ -186,10 +207,11 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
# ifndef OPENSSL_NO_EC2M
FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
FREE_DOMAIN_KEYS(ECExplicitTri2G);
diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec 2022-03-25 11:20:50.920949208 +0100
+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 2022-03-25 11:21:13.177147598 +0100
@@ -121,18 +121,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEB
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
index ec3c032aba..584ecee0eb 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
-----END PRIVATE KEY-----
@ -208,3 +230,6 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_e
PrivateKey = B-163
-----BEGIN PRIVATE KEY-----
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
--
2.41.0

37
base/openssl3/0013-skipped-tests-EC-curves.patch
View File

@ -1,7 +1,24 @@
diff -up ./test/recipes/15-test_ec.t.skip-tests ./test/recipes/15-test_ec.t
--- ./test/recipes/15-test_ec.t.skip-tests 2023-03-14 13:42:38.865508269 +0100
+++ ./test/recipes/15-test_ec.t 2023-03-14 13:43:36.237021635 +0100
@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key
From 9ede2b1e13f72db37718853faff74b4429084d59 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 13/35] 0013-skipped-tests-EC-curves.patch
Patch-name: 0013-skipped-tests-EC-curves.patch
Patch-id: 13
Patch-status: |
# Skipped tests from former 0011-Remove-EC-curves.patch
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
test/recipes/15-test_ec.t | 2 +-
test/recipes/65-test_cmp_protect.t | 2 +-
test/recipes/65-test_cmp_vfy.t | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
index 0638d626e7..c0efd77649 100644
--- a/test/recipes/15-test_ec.t
+++ b/test/recipes/15-test_ec.t
@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key' => sub {
subtest 'Check loading of fips and non-fips keys' => sub {
plan skip_all => "FIPS is disabled"
@ -10,10 +27,11 @@ diff -up ./test/recipes/15-test_ec.t.skip-tests ./test/recipes/15-test_ec.t
plan tests => 2;
diff -up ./test/recipes/65-test_cmp_protect.t.skip-tests ./test/recipes/65-test_cmp_protect.t
--- ./test/recipes/65-test_cmp_protect.t.skip-tests 2023-03-14 10:13:11.342056559 +0100
+++ ./test/recipes/65-test_cmp_protect.t 2023-03-14 10:14:42.643873496 +0100
@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo
diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t
index 631603df7c..4cb2ffebbc 100644
--- a/test/recipes/65-test_cmp_protect.t
+++ b/test/recipes/65-test_cmp_protect.t
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
plan skip_all => "This test is not supported in a shared library build on Windows"
if $^O eq 'MSWin32' && !disabled("shared");
@ -35,3 +53,6 @@ index f722800e27..26a01786bb 100644
my @basic_cmd = ("cmp_vfy_test",
data_file("server.crt"), data_file("client.crt"),
--
2.41.0

15
base/openssl3/0024-load-legacy-prov.patch
View File

@ -1,3 +1,18 @@
From 69636828729ecc287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 14/35] 0024-load-legacy-prov.patch
Patch-name: 0024-load-legacy-prov.patch
Patch-id: 24
Patch-status: |
# Instructions to load legacy provider in openssl.cnf
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
apps/openssl.cnf | 37 +++++++++++++++----------------------
doc/man5/config.pod | 8 ++++++++
2 files changed, 23 insertions(+), 22 deletions(-)
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200

10
base/openssl3/0025-for-tests.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
--- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100
+++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100
@@ -55,11 +55,11 @@ providers = provider_sect
@@ -55,17 +55,17 @@ providers = provider_sect
# to side-channel attacks and as such have been deprecated.
[provider_sect]
@ -16,3 +16,11 @@ diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
##[legacy_sect]
##activate = 1
-#Place the third party provider configuration files into this folder
-.include /etc/pki/tls/openssl.d
+##Place the third party provider configuration files into this folder
+#.include /etc/pki/tls/openssl.d
####################################################################

26
base/openssl3/0035-speed-skip-unavailable-dgst.patch
View File

@ -1,7 +1,22 @@
diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c
--- openssl-3.0.0/apps/speed.c.beldmit 2021-12-21 15:14:04.210431584 +0100
+++ openssl-3.0.0/apps/speed.c 2021-12-21 15:46:05.554085125 +0100
@@ -547,6 +547,9 @@ static int EVP_MAC_loop(int algindex, vo
From 213f38dc580d39f2cb46592b5e6db585fc6a650f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 19/35] 0035-speed-skip-unavailable-dgst.patch
Patch-name: 0035-speed-skip-unavailable-dgst.patch
Patch-id: 35
Patch-status: |
# Skip unavailable algorithms running `openssl speed`
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
apps/speed.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/apps/speed.c b/apps/speed.c
index d527f12f18..2ff3eb53bd 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -610,6 +610,9 @@ static int EVP_MAC_loop(int algindex, void *args)
for (count = 0; COND(c[algindex][testnum]); count++) {
size_t outl;
@ -11,3 +26,6 @@ diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c
if (!EVP_MAC_init(mctx, NULL, 0, NULL)
|| !EVP_MAC_update(mctx, buf, lengths[testnum])
|| !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))
--
2.41.0

2
base/openssl3/0044-FIPS-140-3-keychecks.patch
View File

@ -383,6 +383,8 @@ index cd5de6bd51..d4261e8f7d 100644
const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
--
2.41.0
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index e0d139d..35f23b2 100644
--- a/crypto/rsa/rsa_gen.c

211
base/openssl3/0045-FIPS-services-minimize.patch
View File

@ -1,13 +1,12 @@
From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch
From a9dc983f82cabe29d6b48f3af3e30e26074ce5cf Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 12:55:57 +0200
Subject: [PATCH 21/48] 0045-FIPS-services-minimize.patch
Patch-name: 0045-FIPS-services-minimize.patch
Patch-id: 45
Patch-status: |
# # Minimize fips services
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
# Minimize fips services
---
apps/ecparam.c | 7 +++
apps/req.c | 2 +-
@ -21,14 +20,14 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
test/evp_libctx_test.c | 9 +++-
test/recipes/15-test_gendsa.t | 2 +-
test/recipes/20-test_cli_fips.t | 3 +-
test/recipes/30-test_evp.t | 20 ++++-----
test/recipes/30-test_evp.t | 16 +++----
.../30-test_evp_data/evpmac_common.txt | 22 ++++++++++
test/recipes/80-test_cms.t | 22 +++++-----
test/recipes/80-test_ssl_old.t | 2 +-
16 files changed, 128 insertions(+), 51 deletions(-)
16 files changed, 128 insertions(+), 47 deletions(-)
diff --git a/apps/ecparam.c b/apps/ecparam.c
index 71f93c4ca5..347bf62d5c 100644
index 9e9ad13683..9c66cf2434 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
@ -46,10 +45,10 @@ index 71f93c4ca5..347bf62d5c 100644
comment = "CURVE DESCRIPTION NOT AVAILABLE";
if (sname == NULL)
diff --git a/apps/req.c b/apps/req.c
index 8995453dca..cb38e6aa64 100644
index 23757044ab..5916914978 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -268,7 +268,7 @@ int req_main(int argc, char **argv)
@@ -266,7 +266,7 @@ int req_main(int argc, char **argv)
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
#ifndef OPENSSL_NO_DES
@ -59,10 +58,10 @@ index 8995453dca..cb38e6aa64 100644
opt_set_unknown_name("digest");
diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
index f7234615e4..0d4c0e3388 100644
index ed37e76969..eb836dfa6a 100644
--- a/providers/common/capabilities.c
+++ b/providers/common/capabilities.c
@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list[][10] = {
@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list[][10] = {
TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
@ -74,7 +73,7 @@ index f7234615e4..0d4c0e3388 100644
TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 7ec409710b..ec5bdd5a69 100644
index 518226dfc6..29438faea8 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
@ -132,7 +131,7 @@ index 7ec409710b..ec5bdd5a69 100644
{ NULL, NULL, NULL }
};
@@ -410,8 +413,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
@@ -409,8 +412,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
#ifndef OPENSSL_NO_EC
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
# ifndef OPENSSL_NO_ECX
@ -144,27 +143,7 @@ index 7ec409710b..ec5bdd5a69 100644
# endif
#endif
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
@@ -422,14 +426,16 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
static const OSSL_ALGORITHM fips_signature[] = {
#ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
+ /* We don't certify DSA in our FIPS provider */
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
#ifndef OPENSSL_NO_EC
# ifndef OPENSSL_NO_ECX
- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
+ /* We don't certify Edwards curves in our FIPS provider */
+ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
ossl_ed25519_signature_functions },
- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/
# endif
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
#endif
@@ -460,8 +466,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
@@ -456,8 +462,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
PROV_DESCS_DHX },
#endif
#ifndef OPENSSL_NO_DSA
@ -176,7 +155,7 @@ index 7ec409710b..ec5bdd5a69 100644
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
PROV_DESCS_RSA },
@@ -471,14 +478,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
@@ -466,14 +473,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
PROV_DESCS_EC },
# ifndef OPENSSL_NO_ECX
@ -251,10 +230,10 @@ index 2057378d3d..4b80bb70b9 100644
static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 22d93ead53..c1405f47ea 100644
index d4261e8f7d..2a5504d104 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -686,6 +686,19 @@ static int rsa_verify_recover(void *vprsactx,
@@ -689,6 +689,19 @@ static int rsa_verify_recover(void *vprsactx,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
@ -274,7 +253,7 @@ index 22d93ead53..c1405f47ea 100644
if (!ossl_prov_is_running())
return 0;
@@ -774,6 +787,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
@@ -777,6 +790,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
size_t rslen;
@ -295,7 +274,7 @@ index 22d93ead53..c1405f47ea 100644
if (!ossl_prov_is_running())
return 0;
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 33c23efb0d..113c204716 100644
index a5e60e8839..f9af07d12b 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
@ -309,10 +288,10 @@ index 33c23efb0d..113c204716 100644
* We ignore any errors from the fetches below. They are expected to fail
* if these algorithms are not available.
diff --git a/test/acvp_test.c b/test/acvp_test.c
index 45509095af..4a67519bb4 100644
index fee880d441..13d7a0ea8b 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -1478,6 +1478,7 @@ int setup_tests(void)
@@ -1476,6 +1476,7 @@ int setup_tests(void)
OSSL_NELEM(dh_safe_prime_keyver_data));
#endif /* OPENSSL_NO_DH */
@ -320,7 +299,7 @@ index 45509095af..4a67519bb4 100644
#ifndef OPENSSL_NO_DSA
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
@@ -1485,6 +1486,7 @@ int setup_tests(void)
@@ -1483,6 +1484,7 @@ int setup_tests(void)
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
#endif /* OPENSSL_NO_DSA */
@ -329,10 +308,10 @@ index 45509095af..4a67519bb4 100644
#ifndef OPENSSL_NO_EC
ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
diff --git a/test/endecode_test.c b/test/endecode_test.c
index b53b7b715b..885e49a47c 100644
index 9a437d8c64..53385028fc 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -1419,6 +1419,7 @@ int setup_tests(void)
@@ -1407,6 +1407,7 @@ int setup_tests(void)
* so no legacy tests.
*/
#endif
@ -340,7 +319,7 @@ index b53b7b715b..885e49a47c 100644
#ifndef OPENSSL_NO_DSA
ADD_TEST_SUITE(DSA);
ADD_TEST_SUITE_PARAMS(DSA);
@@ -1429,6 +1430,7 @@ int setup_tests(void)
@@ -1417,6 +1418,7 @@ int setup_tests(void)
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
# endif
#endif
@ -348,7 +327,7 @@ index b53b7b715b..885e49a47c 100644
#ifndef OPENSSL_NO_EC
ADD_TEST_SUITE(EC);
ADD_TEST_SUITE_PARAMS(EC);
@@ -1443,10 +1445,12 @@ int setup_tests(void)
@@ -1431,10 +1433,12 @@ int setup_tests(void)
ADD_TEST_SUITE(ECExplicitTri2G);
ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
# endif
@ -396,7 +375,7 @@ index 2448c35a14..a7913cda4c 100644
return 1;
}
diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t
index 4bc460784b..93052eb3e7 100644
index b495b08bda..69bd299521 100644
--- a/test/recipes/15-test_gendsa.t
+++ b/test/recipes/15-test_gendsa.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
@ -409,10 +388,10 @@ index 4bc460784b..93052eb3e7 100644
plan tests =>
($no_fips ? 0 : 2) # FIPS related tests
diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
index d4b4d4ca51..031814e8ff 100644
index 6d3c5ba1bb..2ba47b5fca 100644
--- a/test/recipes/20-test_cli_fips.t
+++ b/test/recipes/20-test_cli_fips.t
@@ -278,8 +278,7 @@ SKIP: {
@@ -273,8 +273,7 @@ SKIP: {
}
SKIP : {
@ -423,10 +402,10 @@ index d4b4d4ca51..031814e8ff 100644
subtest DSA => sub {
my $testtext_prefix = 'DSA';
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index eddca5c58e..36a192d041 100644
index 9d7040ced2..f8beb538d4 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -46,10 +46,8 @@ my @files = qw(
@@ -42,10 +42,8 @@ my @files = qw(
evpciph_aes_cts.txt
evpciph_aes_wrap.txt
evpciph_aes_stitched.txt
@ -437,23 +416,7 @@ index eddca5c58e..36a192d041 100644
evpkdf_pbkdf1.txt
evpkdf_pbkdf2.txt
evpkdf_ss.txt
@@ -69,15 +67,6 @@ push @files, qw(
evppkey_ffdhe.txt
evppkey_dh.txt
) unless $no_dh;
-push @files, qw(
- evpkdf_x942_des.txt
- evpmac_cmac_des.txt
- ) unless $no_des;
-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
-push @files, qw(
- evppkey_ecx.txt
- evppkey_mismatch_ecx.txt
- ) unless $no_ecx;
push @files, qw(
evppkey_ecc.txt
evppkey_ecdh.txt
@@ -97,6 +86,7 @@ my @defltfiles = qw(
@@ -91,6 +83,7 @@ my @defltfiles = qw(
evpciph_cast5.txt
evpciph_chacha.txt
evpciph_des.txt
@ -461,7 +424,7 @@ index eddca5c58e..36a192d041 100644
evpciph_idea.txt
evpciph_rc2.txt
evpciph_rc4.txt
@@ -121,13 +111,19 @@ my @defltfiles = qw(
@@ -114,10 +107,17 @@ my @defltfiles = qw(
evpmd_whirlpool.txt
evppbe_scrypt.txt
evppbe_pkcs12.txt
@ -478,15 +441,12 @@ index eddca5c58e..36a192d041 100644
+ ) unless $no_des;
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
index e47023aae6..96a8febeef 100644
index 93195df97c..315413cd9b 100644
--- a/test/recipes/30-test_evp_data/evpmac_common.txt
+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C
@@ -340,6 +340,7 @@ IV = 7AE8E2CA4EC500012E58495C
Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
Result = MAC_INIT_ERROR
@ -494,7 +454,7 @@ index e47023aae6..96a8febeef 100644
Title = KMAC Tests (From NIST)
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
@@ -373,12 +374,14 @@ Ctrl = xof:0
@@ -350,12 +351,14 @@ Ctrl = xof:0
OutputSize = 32
BlockSize = 168
@ -509,7 +469,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -386,6 +389,7 @@ Custom = "My Tagged Application"
@@ -363,6 +366,7 @@ Custom = "My Tagged Application"
Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
Ctrl = size:32
@ -517,7 +477,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC
@@ -371,12 +375,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC
OutputSize = 64
BlockSize = 136
@ -532,7 +492,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -409,12 +415,14 @@ Ctrl = size:64
@@ -386,12 +392,14 @@ Ctrl = size:64
Title = KMAC XOF Tests (From NIST)
@ -547,7 +507,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -422,6 +430,7 @@ Custom = "My Tagged Application"
@@ -399,6 +407,7 @@ Custom = "My Tagged Application"
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
XOF = 1
@ -555,7 +515,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
@@ -407,6 +416,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
XOF = 1
Ctrl = size:32
@ -563,7 +523,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -437,6 +447,7 @@ Custom = "My Tagged Application"
@@ -414,6 +424,7 @@ Custom = "My Tagged Application"
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
XOF = 1
@ -571,7 +531,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -444,6 +455,7 @@ Custom = ""
@@ -421,6 +432,7 @@ Custom = ""
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
XOF = 1
@ -579,7 +539,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -454,6 +466,7 @@ XOF = 1
@@ -431,6 +443,7 @@ XOF = 1
Title = KMAC long customisation string (from NIST ACVP)
@ -587,7 +547,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC256
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -464,12 +477,14 @@ XOF = 1
@@ -441,12 +454,14 @@ XOF = 1
Title = KMAC XOF Tests via ctrl (From NIST)
@ -602,7 +562,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -477,6 +492,7 @@ Custom = "My Tagged Application"
@@ -454,6 +469,7 @@ Custom = "My Tagged Application"
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
Ctrl = xof:1
@ -610,7 +570,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
@@ -462,6 +478,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
Ctrl = xof:1
Ctrl = size:32
@ -618,7 +578,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 00010203
@@ -492,6 +509,7 @@ Custom = "My Tagged Application"
@@ -469,6 +486,7 @@ Custom = "My Tagged Application"
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
Ctrl = xof:1
@ -626,7 +586,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -499,6 +517,7 @@ Custom = ""
@@ -476,6 +494,7 @@ Custom = ""
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
Ctrl = xof:1
@ -634,7 +594,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC256
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -509,6 +528,7 @@ Ctrl = xof:1
@@ -486,6 +505,7 @@ Ctrl = xof:1
Title = KMAC long customisation string via ctrl (from NIST ACVP)
@ -642,7 +602,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC256
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -519,6 +539,7 @@ Ctrl = xof:1
@@ -496,6 +516,7 @@ Ctrl = xof:1
Title = KMAC long customisation string negative test
@ -650,7 +610,7 @@ index e47023aae6..96a8febeef 100644
MAC = KMAC128
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR
@@ -504,6 +525,7 @@ Result = MAC_INIT_ERROR
Title = KMAC output is too large
@ -659,7 +619,7 @@ index e47023aae6..96a8febeef 100644
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 6a9792128b..4e368c730b 100644
index 40dd585c18..cbec426137 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (
@ -734,7 +694,7 @@ index 6a9792128b..4e368c730b 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
@@ -248,7 +248,7 @@ my @smime_pkcs7_tests = (
my @smime_cms_tests = (
@ -743,7 +703,7 @@ index 6a9792128b..4e368c730b 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-keyid",
"-signer", $smrsa1,
@@ -263,7 +263,7 @@ my @smime_cms_tests = (
@@ -261,7 +261,7 @@ my @smime_cms_tests = (
\&final_compare
],
@ -752,7 +712,7 @@ index 6a9792128b..4e368c730b 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
@@ -373,7 +373,7 @@ my @smime_cms_tests = (
@@ -371,7 +371,7 @@ my @smime_cms_tests = (
\&final_compare
],
@ -775,5 +735,58 @@ index 50b74a1e29..e2dcb68fb5 100644
}
--
2.44.0
2.41.0
diff -up openssl-3.2.0/test/recipes/30-test_evp.t.patch openssl-3.2.0/test/recipes/30-test_evp.t
--- openssl-3.2.0/test/recipes/30-test_evp.t.patch 2023-12-06 15:33:27.843751147 +0100
+++ openssl-3.2.0/test/recipes/30-test_evp.t 2023-12-06 15:34:27.585351920 +0100
@@ -70,15 +70,6 @@ push @files, qw(
evppkey_dh.txt
) unless $no_dh;
push @files, qw(
- evpkdf_x942_des.txt
- evpmac_cmac_des.txt
- ) unless $no_des;
-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
-push @files, qw(
- evppkey_ecx.txt
- evppkey_mismatch_ecx.txt
- ) unless $no_ecx;
-push @files, qw(
evppkey_ecc.txt
evppkey_ecdh.txt
evppkey_ecdsa.txt
diff -up openssl-3.2.0/providers/fips/fipsprov.c.patch-fips openssl-3.2.0/providers/fips/fipsprov.c
--- openssl-3.2.0/providers/fips/fipsprov.c.patch-fips 2023-12-06 15:49:08.711198219 +0100
+++ openssl-3.2.0/providers/fips/fipsprov.c 2023-12-06 15:55:42.362078721 +0100
@@ -426,14 +426,16 @@ static const OSSL_ALGORITHM fips_keyexch
static const OSSL_ALGORITHM fips_signature[] = {
#ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
+ /* We don't certify DSA in our FIPS provider */
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
#ifndef OPENSSL_NO_EC
# ifndef OPENSSL_NO_ECX
- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
+ /* We don't certify Edwards curves in our FIPS provider */
+ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
ossl_ed25519_signature_functions },
- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/
# endif
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
#endif
diff -up openssl-3.2.0/test/recipes/30-test_evp.t.fips-min openssl-3.2.0/test/recipes/30-test_evp.t
--- openssl-3.2.0/test/recipes/30-test_evp.t.fips-min 2024-02-01 11:00:56.823687618 +0100
+++ openssl-3.2.0/test/recipes/30-test_evp.t 2024-02-01 11:01:20.131934678 +0100
@@ -124,7 +124,6 @@ push @defltfiles, qw(
) unless $no_des;
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;

510
base/openssl3/0049-Allow-disabling-of-SHA1-signatures.patch Normal file
View File

@ -0,0 +1,510 @@
From 2e8388e06eafb703aeb315498915bf079561bdb5 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 13:07:07 +0200
Subject: [PATCH 23/48] 0049-Allow-disabling-of-SHA1-signatures.patch
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
Patch-id: 49
Patch-status: |
# Selectively disallow SHA1 signatures rhbz#2070977
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/context.c | 14 ++++
crypto/evp/evp_cnf.c | 13 +++
crypto/evp/m_sigver.c | 79 +++++++++++++++++++
crypto/evp/pmeth_lib.c | 15 ++++
doc/man5/config.pod | 13 +++
include/crypto/context.h | 3 +
include/internal/cryptlib.h | 3 +-
include/internal/sslconf.h | 4 +
providers/common/securitycheck.c | 20 +++++
providers/common/securitycheck_default.c | 9 ++-
providers/implementations/signature/dsa_sig.c | 11 ++-
.../implementations/signature/ecdsa_sig.c | 4 +
providers/implementations/signature/rsa_sig.c | 20 ++++-
ssl/t1_lib.c | 8 ++
util/libcrypto.num | 2 +
15 files changed, 209 insertions(+), 9 deletions(-)
diff --git a/crypto/context.c b/crypto/context.c
index 51002ba79a..e697974c9d 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -78,6 +78,8 @@ struct ossl_lib_ctx_st {
void *fips_prov;
#endif
+ void *legacy_digest_signatures;
+
unsigned int ischild:1;
};
@@ -206,6 +208,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
goto err;
#endif
+ ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx);
+ if (ctx->legacy_digest_signatures == NULL)
+ goto err;
+
/* Low priority. */
#ifndef FIPS_MODULE
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
@@ -334,6 +340,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
}
#endif
+ if (ctx->legacy_digest_signatures != NULL) {
+ ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures);
+ ctx->legacy_digest_signatures = NULL;
+ }
+
/* Low priority. */
#ifndef FIPS_MODULE
if (ctx->child_provider != NULL) {
@@ -625,6 +636,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
return ctx->fips_prov;
#endif
+ case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX:
+ return ctx->legacy_digest_signatures;
+
default:
return NULL;
}
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
index 0e7fe64cf9..b9d3b6d226 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <openssl/crypto.h>
#include "internal/cryptlib.h"
+#include "internal/sslconf.h"
#include <openssl/conf.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
return 0;
}
+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
+ int m;
+
+ /* Detailed error already reported. */
+ if (!X509V3_get_value_bool(oval, &m))
+ return 0;
+
+ if (!ossl_ctx_legacy_digest_signatures_allowed_set(
+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
+ return 0;
+ }
} else {
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value);
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 630d339c35..6e4e9f5ae7 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -15,6 +15,73 @@
#include "internal/provider.h"
#include "internal/numbers.h" /* includes SIZE_MAX */
#include "evp_local.h"
+#include "crypto/context.h"
+
+typedef struct ossl_legacy_digest_signatures_st {
+ int allowed;
+} OSSL_LEGACY_DIGEST_SIGNATURES;
+
+void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
+
+ if (ldsigs != NULL) {
+ OPENSSL_free(ldsigs);
+ }
+}
+
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
+ * because the default on Fedora is to allow SHA-1 and support disabling
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
+ ldsigs->allowed = 0;
+ return ldsigs;
+}
+
+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
+ OSSL_LIB_CTX *libctx, int loadconfig)
+{
+#ifndef FIPS_MODULE
+ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
+ return NULL;
+#endif
+
+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX);
+}
+
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
+
+ #ifndef FIPS_MODULE
+ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
+ /* used in tests */
+ return 1;
+ #endif
+
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
+ * because the default on Fedora is to allow SHA-1 and support disabling
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
+ return ldsigs != NULL ? ldsigs->allowed : 0;
+}
+
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
+ int loadconfig)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
+
+ if (ldsigs == NULL) {
+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ ldsigs->allowed = allow;
+ return 1;
+}
#ifndef FIPS_MODULE
@@ -251,6 +318,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
}
}
+ if (ctx->reqdigest != NULL
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
+ int mdnid = EVP_MD_nid(ctx->reqdigest);
+ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
+ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+ goto err;
+ }
+ }
+
if (ver) {
if (signature->digest_verify_init == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index ce6e1a1ccb..003926247b 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
#include "internal/ffc.h"
#include "internal/numbers.h"
#include "internal/provider.h"
+#include "internal/sslconf.h"
#include "evp_local.h"
#ifndef FIPS_MODULE
@@ -958,6 +959,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
return -2;
}
+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
+ && md != NULL
+ && ctx->pkey != NULL
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
+ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
+ int mdnid = EVP_MD_nid(md);
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
+ return -1;
+ }
+ }
+
if (fallback)
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index bd05736220..ed34ff4b9c 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -304,6 +304,19 @@ Within the algorithm properties section, the following names have meaning:
The value may be anything that is acceptable as a property query
string for EVP_set_default_properties().
+=item B<rh-allow-sha1-signatures>
+
+The value is a boolean that can be B<yes> or B<no>. If the value is not set,
+it behaves as if it was set to B<yes>.
+
+When set to B<no>, any attempt to create or verify a signature with a SHA1
+digest will fail. To test whether your software will work with future versions
+of OpenSSL, set this option to B<no>. This setting also affects TLS, where
+signature algorithms that use SHA1 as digest will no longer be supported if
+this option is set to B<no>. Because TLS 1.1 or lower use MD5-SHA1 as
+pseudorandom function (PRF) to derive key material, disabling
+B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
+
=item B<fips_mode> (deprecated)
The value is a boolean that can be B<yes> or B<no>. If the value is
diff --git a/include/crypto/context.h b/include/crypto/context.h
index cc06c71be8..e9f74a414d 100644
--- a/include/crypto/context.h
+++ b/include/crypto/context.h
@@ -39,3 +39,6 @@ void ossl_rand_crng_ctx_free(void *);
#if defined(OPENSSL_THREADS)
void ossl_threads_ctx_free(void *);
#endif
+
+void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *);
+void ossl_ctx_legacy_digest_signatures_free(void *);
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
index ac50eb3bbd..3b115cc7df 100644
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
# define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
# define OSSL_LIB_CTX_THREAD_INDEX 19
# define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
-# define OSSL_LIB_CTX_MAX_INDEXES 20
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21
+# define OSSL_LIB_CTX_MAX_INDEXES 21
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
index fd7f7e3331..05464b0655 100644
--- a/include/internal/sslconf.h
+++ b/include/internal/sslconf.h
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
char **arg);
+/* Methods to support disabling all signatures with legacy digests */
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
+ int loadconfig);
#endif
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index 699ada7c52..e534ad0a5f 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -19,6 +19,7 @@
#include <openssl/core_names.h>
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
+#include "internal/sslconf.h"
/*
* FIPS requires a minimum security strength of 112 bits (for encryption or
@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
mdnid = -1; /* disallowed by security checks */
}
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
+
+#ifndef FIPS_MODULE
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
+ /* SHA1 is globally disabled, check whether we want to locally allow
+ * it. */
+ if (mdnid == NID_sha1 && !sha1_allowed)
+ mdnid = -1;
+#endif
+
return mdnid;
}
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index 246323493e..2ca7a59f39 100644
--- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c
@@ -15,6 +15,7 @@
#include <openssl/obj_mac.h>
#include "prov/securitycheck.h"
#include "internal/nelem.h"
+#include "internal/sslconf.h"
/* Disable the security checks in the default provider */
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
}
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
- ossl_unused int sha1_allowed)
+ int sha1_allowed)
{
int mdnid;
+ int ldsigs_allowed;
static const OSSL_ITEM name_to_nid[] = {
{ NID_md5, OSSL_DIGEST_NAME_MD5 },
@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
};
- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
if (mdnid == NID_undef)
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
+ if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
+ mdnid = -1;
return mdnid;
}
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
index 70d0ea5d24..3c482e0181 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -123,12 +123,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
mdprops = ctx->propq;
if (mdname != NULL) {
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
WPACKET pkt;
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
- sha1_allowed);
+ int md_nid;
size_t mdname_len = strlen(mdname);
+#ifdef FIPS_MODULE
+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+#else
+ int sha1_allowed = 0;
+#endif
+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+ sha1_allowed);
if (md == NULL || md_nid < 0) {
if (md == NULL)
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
index ebeb30e002..c874f87bd5 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
"%s could not be fetched", mdname);
return 0;
}
+#ifdef FIPS_MODULE
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+#else
+ sha1_allowed = 0;
+#endif
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
sha1_allowed);
if (md_nid < 0) {
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 2a5504d104..5f3a029566 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -25,6 +25,7 @@
#include "internal/cryptlib.h"
#include "internal/nelem.h"
#include "internal/sizes.h"
+#include "internal/sslconf.h"
#include "crypto/rsa.h"
#include "prov/providercommon.h"
#include "prov/implementations.h"
@@ -33,6 +34,7 @@
#include "prov/securitycheck.h"
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
+#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
OSSL_FUNC_signature_newctx_fn rsa_newctx;
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
@@ -302,10 +304,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
if (mdname != NULL) {
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+ int md_nid;
+ size_t mdname_len = strlen(mdname);
+#ifdef FIPS_MODULE
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
+#else
+ int sha1_allowed = 0;
+#endif
+ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
sha1_allowed);
- size_t mdname_len = strlen(mdname);
if (md == NULL
|| md_nid <= 0
@@ -1396,8 +1403,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
prsactx->pad_mode = pad_mode;
if (prsactx->md == NULL && pmdname == NULL
- && pad_mode == RSA_PKCS1_PSS_PADDING)
+ && pad_mode == RSA_PKCS1_PSS_PADDING) {
pmdname = RSA_DEFAULT_DIGEST_NAME;
+#ifndef FIPS_MODULE
+ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
+ }
+#endif
+ }
+
if (pmgf1mdname != NULL
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 9cb8a4dda2..feb660d030 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5436,3 +5436,5 @@ EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
--
2.41.0
diff -up openssl-3.2.0/ssl/t1_lib.c.patch-sha1 openssl-3.2.0/ssl/t1_lib.c
--- openssl-3.2.0/ssl/t1_lib.c.patch-sha1 2023-12-08 13:01:44.752501257 +0100
+++ openssl-3.2.0/ssl/t1_lib.c 2023-12-08 13:04:18.969899853 +0100
@@ -20,6 +20,7 @@
#include <openssl/bn.h>
#include <openssl/provider.h>
#include <openssl/param_build.h>
+#include "internal/sslconf.h"
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
@@ -1506,6 +1507,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
uint16_t *tls12_sigalgs_list = NULL;
EVP_PKEY *tmpkey = EVP_PKEY_new();
int ret = 0;
+ int ldsigs_allowed;
if (ctx == NULL)
goto err;
@@ -1521,6 +1523,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
goto err;
ERR_set_mark();
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
/* First fill cache and tls12_sigalgs list from legacy algorithm list */
for (i = 0, lu = sigalg_lookup_tbl;
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
@@ -1542,6 +1545,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
cache[i].enabled = 0;
continue;
}
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+ && !ldsigs_allowed) {
+ cache[i].enabled = 0;
+ continue;
+ }
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
cache[i].enabled = 0;

1128
base/openssl3/0058-FIPS-limit-rsa-encrypt.patch
View File

File diff suppressed because it is too large Load Diff

96
base/openssl3/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
View File

@ -1,39 +1,22 @@
From 4a2239bd7d444c30c55b20ea8b4aeadafdfe1afd Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 22 Jul 2022 13:59:37 +0200
Subject: [PATCH] FIPS: Use OAEP in KATs, support fixed OAEP seed
From abeda0b0475adb0d4f89b0c97cfc349779915bbf Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 29/35]
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
Review by our lab for FIPS 140-3 certification expects the RSA
encryption and decryption tests to use a supported padding mode, not raw
RSA signatures. Switch to RSA-OAEP for the self tests to fulfill that.
The FIPS 140-3 Implementation Guidance specifies in section 10.3.A
"Cryptographic Algorithm Self-Test Requirements" that a self-test may be
a known-answer test, a comparison test, or a fault-detection test.
Comparison tests are not an option, because they would require
a separate implementation of RSA-OAEP, which we do not have. Fault
detection tests require implementing fault detection mechanisms into the
cryptographic algorithm implementation, we we also do not have.
As a consequence, a known-answer test must be used to test RSA
encryption and decryption, but RSA encryption with OAEP padding is not
deterministic, and thus encryption will always yield different results
that could not be compared to known answers. For this reason, this
change explicitly sets the seed in OAEP (see RFC 8017 section 7.1.1),
which is the source of randomness for RSA-OAEP, to a fixed value. This
setting is only available during self-test execution, and the parameter
set using EVP_PKEY_CTX_set_params() will be ignored otherwise.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
Patch-id: 73
Patch-status: |
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/rsa/rsa_local.h | 8 ++
crypto/rsa/rsa_oaep.c | 34 ++++++--
providers/fips/self_test_data.inc | 83 +++++++++++--------
include/openssl/core_names.h | 3 +
providers/fips/self_test_data.inc | 79 ++++++++++---------
providers/fips/self_test_kats.c | 7 ++
.../implementations/asymciphers/rsa_enc.c | 41 +++++++++-
util/perl/OpenSSL/paramnames.pm | 1 +
6 files changed, 126 insertions(+), 44 deletions(-)
6 files changed, 128 insertions(+), 44 deletions(-)
diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
index ea70da05ad..dde57a1a0e 100644
@ -119,32 +102,26 @@ index d9be1a4f98..b2f7f7dc4b 100644
const unsigned char *from, int flen,
const unsigned char *param, int plen,
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 4e30ec56dd..0103c87528 100644
index e0fdc0daa4..aa2012c04a 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -1294,15 +1294,22 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
ST_KAT_PARAM_END()
@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
};
-/*-
/*-
- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the
- * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
- * HP/UX PA-RISC compilers.
- */
-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
-
+/*-
+ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the
+ * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
+ * HP/UX PA-RISC compilers.
+ */
* ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
* HP/UX PA-RISC compilers.
*/
-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
+static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP;
+static const char oaep_fixed_seed[] = {
+ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25,
+ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab,
+ 0x2e, 0x4b, 0x2c, 0xe6
+};
+
static const ST_KAT_PARAM rsa_enc_params[] = {
- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none),
+ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep),
@ -153,7 +130,7 @@ index 4e30ec56dd..0103c87528 100644
ST_KAT_PARAM_END()
};
@@ -1335,43 +1348,43 @@ static const unsigned char rsa_expected_sig[256] = {
@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = {
0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6
};
@ -231,10 +208,10 @@ index 4e30ec56dd..0103c87528 100644
#ifndef OPENSSL_NO_EC
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 064794d9bf..b6d5e8e134 100644
index 74ee25dcb6..a9bc8be7fa 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -647,14 +647,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
@@ -641,14 +641,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
return ret;
}
@ -257,7 +234,7 @@ index 064794d9bf..b6d5e8e134 100644
}
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 00cf65fcd6..83be3d8ede 100644
index 9cd8904131..40de5ce8fa 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -30,6 +30,9 @@
@ -280,7 +257,7 @@ index 00cf65fcd6..83be3d8ede 100644
/* PKCS#1 v1.5 decryption mode */
unsigned int implicit_rejection;
} PROV_RSA_CTX;
@@ -190,12 +196,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
@@ -192,12 +198,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
}
}
ret =
@ -304,7 +281,7 @@ index 00cf65fcd6..83be3d8ede 100644
if (!ret) {
OPENSSL_free(tbuf);
@@ -326,6 +341,9 @@ static void rsa_freectx(void *vprsactx)
@@ -328,6 +343,9 @@ static void rsa_freectx(void *vprsactx)
EVP_MD_free(prsactx->oaep_md);
EVP_MD_free(prsactx->mgf1_md);
OPENSSL_free(prsactx->oaep_label);
@ -314,7 +291,7 @@ index 00cf65fcd6..83be3d8ede 100644
OPENSSL_free(prsactx);
}
@@ -445,6 +463,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
@@ -447,6 +465,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
NULL, 0),
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
@ -324,7 +301,7 @@ index 00cf65fcd6..83be3d8ede 100644
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
OSSL_PARAM_END
};
@@ -454,6 +475,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
@@ -456,6 +477,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
return known_gettable_ctx_params;
}
@ -335,7 +312,7 @@ index 00cf65fcd6..83be3d8ede 100644
static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
@@ -563,6 +588,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
@@ -567,6 +592,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
prsactx->oaep_labellen = tmp_labellen;
}
@ -354,10 +331,12 @@ index 00cf65fcd6..83be3d8ede 100644
p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
if (p != NULL) {
unsigned int client_version;
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index c37ed7815f..70f7c50fe4 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
--
2.41.0
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.patch-config openssl-3.2.0/util/perl/OpenSSL/paramnames.pm
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.patch-config 2023-12-14 13:48:23.398025507 +0100
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2023-12-14 14:24:49.519488385 +0100
@@ -401,6 +401,7 @@ my %params = (
'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version",
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
@ -366,6 +345,3 @@ index c37ed7815f..70f7c50fe4 100644
# Encoder / decoder parameters
--
2.37.1

351
base/openssl3/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
View File

@ -1,25 +1,32 @@
From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 28/49]
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 15 Jul 2022 17:45:40 +0200
Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test
Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
Patch-id: 74
Patch-status: |
# [PATCH 29/46]
# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
In review for FIPS 140-3, the lack of a self-test for the digest_sign
and digest_verify provider functions was highlighted as a problem. NIST
no longer provides ACVP tests for the RSA SigVer primitive (see
https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3
recommends the use of functions that compute the digest and signature
within the module, we have been advised in our module review that the
self tests should also use the combined digest and signature APIs, i.e.
the digest_sign and digest_verify provider functions.
Modify the signature self-test to use these instead by switching to
EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to
crypto/evp/m_sigver.c to make these functions usable in the FIPS module.
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
crypto/evp/m_sigver.c | 54 ++++++++++++++++++++++++++++-----
providers/fips/self_test_kats.c | 43 +++++++++++++++-----------
2 files changed, 73 insertions(+), 24 deletions(-)
crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------
providers/fips/self_test_kats.c | 37 +++++++++++++++-------------
2 files changed, 56 insertions(+), 24 deletions(-)
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index fd3a4b79df..3e9f33c26c 100644
index db1a1d7bc3..c94c3c53bd 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
@@ -88,6 +88,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
return 0;
}
@ -27,7 +34,7 @@ index fd3a4b79df..3e9f33c26c 100644
/*
* If we get the "NULL" md then the name comes back as "UNDEF". We want to use
@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
reinit = 0;
if (e == NULL)
ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
@ -38,7 +45,7 @@ index fd3a4b79df..3e9f33c26c 100644
}
if (ctx->pctx == NULL)
return 0;
@@ -136,8 +139,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
locpctx = ctx->pctx;
ERR_set_mark();
@ -49,7 +56,7 @@ index fd3a4b79df..3e9f33c26c 100644
/* do not reinitialize if pkey is set or operation is different */
if (reinit
@@ -222,8 +227,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
signature =
evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
supported_sig, locpctx->propquery);
@ -60,7 +67,7 @@ index fd3a4b79df..3e9f33c26c 100644
break;
}
if (signature == NULL)
@@ -307,6 +314,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
if (ctx->fetched_digest != NULL) {
ctx->digest = ctx->reqdigest = ctx->fetched_digest;
@ -68,7 +75,7 @@ index fd3a4b79df..3e9f33c26c 100644
} else {
/* legacy engine support : remove the mark when this is deleted */
ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
@@ -315,11 +323,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
goto err;
}
@ -82,7 +89,7 @@ index fd3a4b79df..3e9f33c26c 100644
if (ctx->reqdigest != NULL
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
@@ -331,6 +341,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
goto err;
}
}
@ -90,7 +97,7 @@ index fd3a4b79df..3e9f33c26c 100644
if (ver) {
if (signature->digest_verify_init == NULL) {
@@ -363,6 +374,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
EVP_KEYMGMT_free(tmp_keymgmt);
return 0;
@ -98,7 +105,7 @@ index fd3a4b79df..3e9f33c26c 100644
legacy:
/*
* If we don't have the full support we need with provided methods,
@@ -434,6 +446,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
ctx->pctx->flag_call_digest_custom = 1;
ret = 1;
@ -106,7 +113,7 @@ index fd3a4b79df..3e9f33c26c 100644
end:
#ifndef FIPS_MODULE
@@ -476,7 +489,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
NULL);
}
@ -114,57 +121,7 @@ index fd3a4b79df..3e9f33c26c 100644
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
{
@@ -548,24 +560,31 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
return EVP_DigestUpdate(ctx, data, dsize);
}
-#ifndef FIPS_MODULE
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
size_t *siglen)
{
- int sctx = 0, r = 0;
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
+ int r = 0;
+#ifndef FIPS_MODULE
+ int sctx = 0;
+ EVP_PKEY_CTX *dctx = NULL;
+#endif /* !defined(FIPS_MODULE) */
+ EVP_PKEY_CTX *pctx = ctx->pctx;
+
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
return 0;
}
+#ifndef FIPS_MODULE
if (pctx == NULL
|| pctx->operation != EVP_PKEY_OP_SIGNCTX
|| pctx->op.sig.algctx == NULL
|| pctx->op.sig.signature == NULL)
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
+#ifndef FIPS_MODULE
if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */
dctx = EVP_PKEY_CTX_dup(pctx);
@@ -580,7 +599,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
else
EVP_PKEY_CTX_free(dctx);
return r;
+#else
+ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
+ sigret, siglen,
+ sigret == NULL ? 0 : *siglen);
+ return r;
+#endif /* !defined(FIPS_MODULE) */
+#ifndef FIPS_MODULE
legacy:
if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -653,6 +679,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
@@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
}
}
return 1;
@ -172,54 +129,7 @@ index fd3a4b79df..3e9f33c26c 100644
}
int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
@@ -691,23 +718,30 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
size_t siglen)
{
- unsigned char md[EVP_MAX_MD_SIZE];
int r = 0;
+#ifndef FIPS_MODULE
+ unsigned char md[EVP_MAX_MD_SIZE];
unsigned int mdlen = 0;
int vctx = 0;
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
+ EVP_PKEY_CTX *dctx = NULL;
+#endif /* !defined(FIPS_MODULE) */
+ EVP_PKEY_CTX *pctx = ctx->pctx;
+
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
return 0;
}
+#ifndef FIPS_MODULE
if (pctx == NULL
|| pctx->operation != EVP_PKEY_OP_VERIFYCTX
|| pctx->op.sig.algctx == NULL
|| pctx->op.sig.signature == NULL)
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
+#ifndef FIPS_MODULE
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */
dctx = EVP_PKEY_CTX_dup(pctx);
@@ -721,7 +755,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
else
EVP_PKEY_CTX_free(dctx);
return r;
+#else
+ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
+ sig, siglen);
+ return r;
+#endif /* !defined(FIPS_MODULE) */
+#ifndef FIPS_MODULE
legacy:
if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -762,6 +802,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
@@ -732,6 +761,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
if (vctx || !r)
return r;
return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
@ -227,16 +137,16 @@ index fd3a4b79df..3e9f33c26c 100644
}
int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
@@ -794,4 +835,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
@@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
return -1;
return EVP_DigestVerifyFinal(ctx, sigret, siglen);
}
-#endif /* FIPS_MODULE */
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index 4ea10670c0..5eb27c8ed2 100644
index b6d5e8e134..77eec075e6 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_SIGN *t,
@@ -444,10 +444,13 @@ static int self_test_sign(const ST_KAT_SIGN *t,
int ret = 0;
OSSL_PARAM *params = NULL, *params_sig = NULL;
OSSL_PARAM_BLD *bld = NULL;
@ -251,7 +161,7 @@ index 4ea10670c0..5eb27c8ed2 100644
size_t siglen = sizeof(sig);
static const unsigned char dgst[] = {
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|| EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
goto err;
@ -292,7 +202,7 @@ index 4ea10670c0..5eb27c8ed2 100644
|| EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
goto err;
@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
@@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
goto err;
OSSL_SELF_TEST_oncorrupt_byte(st, sig);
@ -313,5 +223,186 @@ index 4ea10670c0..5eb27c8ed2 100644
OSSL_PARAM_free(params_sig);
OSSL_PARAM_BLD_free(bld);
--
2.44.0
2.37.1
diff -up openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch openssl-3.2.0/crypto/evp/m_sigver.c
--- openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch 2024-01-04 11:44:18.761559765 +0100
+++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-04 11:51:18.297195401 +0100
@@ -560,26 +560,33 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c
return EVP_DigestUpdate(ctx, data, dsize);
}
-#ifndef FIPS_MODULE
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
size_t *siglen)
{
- int sctx = 0, r = 0;
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
+ int r = 0;
+#ifndef FIPS_MODULE
+ int sctx = 0;
+ EVP_PKEY_CTX *dctx = NULL;
+#endif /* !defined(FIPS_MODULE) */
+ EVP_PKEY_CTX *pctx = ctx->pctx;
+
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
return 0;
}
+#ifndef FIPS_MODULE
if (pctx == NULL
|| pctx->operation != EVP_PKEY_OP_SIGNCTX
|| pctx->op.sig.algctx == NULL
|| pctx->op.sig.signature == NULL)
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */
+#ifndef FIPS_MODULE
dctx = EVP_PKEY_CTX_dup(pctx);
if (dctx != NULL)
pctx = dctx;
@@ -591,8 +598,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
else
EVP_PKEY_CTX_free(dctx);
+#endif /* !defined(FIPS_MODULE) */
return r;
+#ifndef FIPS_MODULE
legacy:
if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -704,25 +713,32 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
size_t siglen)
{
- unsigned char md[EVP_MAX_MD_SIZE];
int r = 0;
+#ifndef FIPS_MODULE
+ unsigned char md[EVP_MAX_MD_SIZE];
unsigned int mdlen = 0;
int vctx = 0;
- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
+ EVP_PKEY_CTX *dctx = NULL;
+#endif /* !defined(FIPS_MODULE) */
+ EVP_PKEY_CTX *pctx = ctx->pctx;
+
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
return 0;
}
+#ifndef FIPS_MODULE
if (pctx == NULL
|| pctx->operation != EVP_PKEY_OP_VERIFYCTX
|| pctx->op.sig.algctx == NULL
|| pctx->op.sig.signature == NULL)
goto legacy;
+#endif /* !defined(FIPS_MODULE) */
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */
+#ifndef FIPS_MODULE
dctx = EVP_PKEY_CTX_dup(pctx);
if (dctx != NULL)
pctx = dctx;
@@ -733,8 +749,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
else
EVP_PKEY_CTX_free(dctx);
+#endif /* !defined(FIPS_MODULE) */
return r;
+#ifndef FIPS_MODULE
legacy:
if (pctx == NULL || pctx->pmeth == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
diff -up openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch openssl-3.2.0/crypto/evp/m_sigver.c
--- openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch 2024-01-04 12:39:26.858137284 +0100
+++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-04 12:40:28.201680446 +0100
@@ -736,9 +736,9 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
goto legacy;
#endif /* !defined(FIPS_MODULE) */
+#ifndef FIPS_MODULE
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */
-#ifndef FIPS_MODULE
dctx = EVP_PKEY_CTX_dup(pctx);
if (dctx != NULL)
pctx = dctx;
diff -up openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch openssl-3.2.0/crypto/evp/m_sigver.c
--- openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch 2024-01-04 12:55:41.172653897 +0100
+++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-04 12:56:23.562017396 +0100
@@ -584,9 +584,9 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
goto legacy;
#endif /* !defined(FIPS_MODULE) */
+#ifndef FIPS_MODULE
if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
/* try dup */
-#ifndef FIPS_MODULE
dctx = EVP_PKEY_CTX_dup(pctx);
if (dctx != NULL)
pctx = dctx;
diff -up openssl-3.2.0/crypto/evp/m_sigver.c.fips-new openssl-3.2.0/crypto/evp/m_sigver.c
--- openssl-3.2.0/crypto/evp/m_sigver.c.fips-new 2024-01-30 23:50:10.115710238 +0100
+++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-31 00:04:31.448164500 +0100
@@ -598,7 +598,11 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
else
EVP_PKEY_CTX_free(dctx);
+ return r;
#endif /* !defined(FIPS_MODULE) */
+ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
+ sigret, siglen,
+ sigret == NULL ? 0 : *siglen);
return r;
#ifndef FIPS_MODULE
@@ -749,7 +753,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
else
EVP_PKEY_CTX_free(dctx);
+ return r;
#endif /* !defined(FIPS_MODULE) */
+ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
+ sig, siglen);
return r;
#ifndef FIPS_MODULE
diff -up openssl-3.2.0/crypto/evp/m_sigver.c.fix-ifdef openssl-3.2.0/crypto/evp/m_sigver.c
--- openssl-3.2.0/crypto/evp/m_sigver.c.fix-ifdef 2024-02-01 09:23:07.877696442 +0100
+++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-02-01 09:25:30.857169997 +0100
@@ -599,11 +599,12 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
else
EVP_PKEY_CTX_free(dctx);
return r;
-#endif /* !defined(FIPS_MODULE) */
+#else
r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
sigret, siglen,
sigret == NULL ? 0 : *siglen);
return r;
+#endif /* !defined(FIPS_MODULE) */
#ifndef FIPS_MODULE
legacy:
@@ -754,10 +755,11 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
else
EVP_PKEY_CTX_free(dctx);
return r;
-#endif /* !defined(FIPS_MODULE) */
+#else
r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
sig, siglen);
return r;
+#endif /* !defined(FIPS_MODULE) */
#ifndef FIPS_MODULE
legacy:

19
base/openssl3/0076-FIPS-140-3-DRBG.patch
View File

@ -1,3 +1,22 @@
From 0329eb6523363705946887d4f145dd77c741ae4a Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
Subject: [PATCH 30/49] 0076-FIPS-140-3-DRBG.patch
Patch-name: 0076-FIPS-140-3-DRBG.patch
Patch-id: 76
Patch-status: |
# # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/rand/prov_seed.c | 9 ++-
providers/implementations/rands/crngt.c | 6 +-
providers/implementations/rands/drbg.c | 11 ++-
providers/implementations/rands/drbg_local.h | 2 +-
.../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
5 files changed, 28 insertions(+), 68 deletions(-)
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200

146
base/openssl3/0077-FIPS-140-3-zeroization.patch
View File

@ -1,63 +1,26 @@
diff -up openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero openssl-3.0.1/crypto/ffc/ffc_params.c
--- openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero 2022-08-05 13:11:27.211413931 +0200
+++ openssl-3.0.1/crypto/ffc/ffc_params.c 2022-08-05 13:11:34.151475891 +0200
@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
void ossl_ffc_params_cleanup(FFC_PARAMS *params)
{
- BN_free(params->p);
- BN_free(params->q);
- BN_free(params->g);
- BN_free(params->j);
+ BN_clear_free(params->p);
+ BN_clear_free(params->q);
+ BN_clear_free(params->g);
+ BN_clear_free(params->j);
OPENSSL_free(params->seed);
ossl_ffc_params_init(params);
}
diff -up openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero openssl-3.0.1/crypto/rsa/rsa_lib.c
--- openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero 2022-08-05 13:08:31.875848536 +0200
+++ openssl-3.0.1/crypto/rsa/rsa_lib.c 2022-08-05 13:09:35.438416025 +0200
@@ -155,8 +155,8 @@ void RSA_free(RSA *r)
CRYPTO_THREAD_lock_free(r->lock);
CRYPTO_FREE_REF(&r->references);
- BN_free(r->n);
- BN_free(r->e);
+ BN_clear_free(r->n);
+ BN_clear_free(r->e);
BN_clear_free(r->d);
BN_clear_free(r->p);
BN_clear_free(r->q);
diff -up openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero openssl-3.0.1/providers/implementations/kdfs/hkdf.c
--- openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero 2022-08-05 13:14:58.827303241 +0200
+++ openssl-3.0.1/providers/implementations/kdfs/hkdf.c 2022-08-05 13:16:24.530068399 +0200
@@ -116,7 +116,7 @@ static void kdf_hkdf_reset(void *vctx)
void *provctx = ctx->provctx;
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_free(ctx->prefix);
OPENSSL_free(ctx->label);
OPENSSL_clear_free(ctx->data, ctx->data_len);
diff -up openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c
--- openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero 2022-08-05 13:12:40.552068717 +0200
+++ openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c 2022-08-05 13:13:34.324548799 +0200
@@ -83,7 +83,7 @@ static void *kdf_pbkdf2_new(void *provct
static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
{
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_clear_free(ctx->pass, ctx->pass_len);
memset(ctx, 0, sizeof(*ctx));
}
diff -up openssl-3.0.1/crypto/ec/ec_lib.c.fipszero openssl-3.0.1/crypto/ec/ec_lib.c
--- openssl-3.0.1/crypto/ec/ec_lib.c.fipszero 2022-08-05 13:48:32.221345774 +0200
+++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-08-05 13:49:16.138741452 +0200
@@ -744,12 +744,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
From 9c667a7ba589329f3a777b012bf69a0db7f7eda9 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:29 +0200
Subject: [PATCH 33/35] 0077-FIPS-140-3-zeroization.patch
Patch-name: 0077-FIPS-140-3-zeroization.patch
Patch-id: 77
Patch-status: |
# https://bugzilla.redhat.com/show_bug.cgi?id=2102542
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/ec/ec_lib.c | 4 ++++
crypto/ffc/ffc_params.c | 8 ++++----
crypto/rsa/rsa_lib.c | 4 ++--
providers/implementations/kdfs/hkdf.c | 2 +-
providers/implementations/kdfs/pbkdf2.c | 2 +-
5 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 6c37bf78ae..cfbc3c3c1d 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -744,12 +744,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *group)
void EC_POINT_free(EC_POINT *point)
{
@ -74,3 +37,66 @@ diff -up openssl-3.0.1/crypto/ec/ec_lib.c.fipszero openssl-3.0.1/crypto/ec/ec_li
}
void EC_POINT_clear_free(EC_POINT *point)
diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c
index 3536efd1ad..f3c164b8fc 100644
--- a/crypto/ffc/ffc_params.c
+++ b/crypto/ffc/ffc_params.c
@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *params)
void ossl_ffc_params_cleanup(FFC_PARAMS *params)
{
- BN_free(params->p);
- BN_free(params->q);
- BN_free(params->g);
- BN_free(params->j);
+ BN_clear_free(params->p);
+ BN_clear_free(params->q);
+ BN_clear_free(params->g);
+ BN_clear_free(params->j);
OPENSSL_free(params->seed);
ossl_ffc_params_init(params);
}
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 9588a75964..76b4aac6fc 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -155,8 +155,8 @@ void RSA_free(RSA *r)
CRYPTO_THREAD_lock_free(r->lock);
CRYPTO_FREE_REF(&r->references);
- BN_free(r->n);
- BN_free(r->e);
+ BN_clear_free(r->n);
+ BN_clear_free(r->e);
BN_clear_free(r->d);
BN_clear_free(r->p);
BN_clear_free(r->q);
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index daa619b8af..5304baa6c9 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -118,7 +118,7 @@ static void kdf_hkdf_reset(void *vctx)
void *provctx = ctx->provctx;
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_free(ctx->prefix);
OPENSSL_free(ctx->label);
OPENSSL_clear_free(ctx->data, ctx->data_len);
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 5c3e7b95ce..349c3dd657 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -92,7 +92,7 @@ static void *kdf_pbkdf2_new(void *provctx)
static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
{
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_clear_free(ctx->pass, ctx->pass_len);
memset(ctx, 0, sizeof(*ctx));
}
--
2.41.0

40
base/openssl3/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
View File

@ -1,26 +1,14 @@
From 6aed6931cf50499e778a6d34502f9bf82f5a4c0d Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Wed, 16 Nov 2022 13:53:24 +0100
Subject: [PATCH] rand: Forbid truncated hashes & SHA-3 in FIPS prov
From 936e081bd752ca0a883568aaf3b5752c9eaccb12 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 15:38:21 +0200
Subject: [PATCH 36/48]
0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs"
of the Implementation Guidance for FIPS 140-3 [1] notes that there is no
efficiency improvement when using truncated hash functions (i.e. SHA-224
rather than SHA-256 or SHA-384, SHA-512/224, or SHA512/256 rather than
SHA-512). Starting on 2023-05-16, all submissions to NIST's
Cryptographic Module Validation Program shall only use SHA-1, SHA-256,
or SHA-512.
NIST further notes that the same will apply for the truncated versions
of SHA-3, i.e. SHA3-224 and SHA3-384, and that SHA-3 should currently
not be used.
Adjust tests to only run Hash-DRBG and HMAC-DRBG tests with truncated
algorithms in the default provider.
[1]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
Signed-off-by: Clemens Lang <cllang@redhat.com>
Patch-name: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
Patch-id: 80
Patch-status: |
# We believe that some changes present in CentOS are not necessary
# because ustream has a check for FIPS version
---
providers/implementations/rands/drbg_hash.c | 12 ++
providers/implementations/rands/drbg_hmac.c | 12 ++
@ -28,7 +16,7 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
3 files changed, 153 insertions(+)
diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c
index 12faa993d0..5f9602cf84 100644
index fb824abfa6..b90fee6dec 100644
--- a/providers/implementations/rands/drbg_hash.c
+++ b/providers/implementations/rands/drbg_hash.c
@@ -471,6 +471,18 @@ static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[])
@ -51,7 +39,7 @@ index 12faa993d0..5f9602cf84 100644
hash->blocklen = EVP_MD_get_size(md);
/* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c
index ffeb70f8c3..79ed96a15a 100644
index 664a074639..cbd4d0f519 100644
--- a/providers/implementations/rands/drbg_hmac.c
+++ b/providers/implementations/rands/drbg_hmac.c
@@ -367,6 +367,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[])
@ -74,7 +62,7 @@ index ffeb70f8c3..79ed96a15a 100644
NULL, NULL, NULL, libctx))
return 0;
diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt
index 8cb70247a0..8a0a2dea15 100644
index 0e2ee82c58..7a17e7b3e1 100644
--- a/test/recipes/30-test_evp_data/evprand.txt
+++ b/test/recipes/30-test_evp_data/evprand.txt
@@ -7388,6 +7388,7 @@ Nonce.14 = 7239f92b63fb3dbe
@ -1110,5 +1098,5 @@ index 8cb70247a0..8a0a2dea15 100644
Digest = SHA-512
PredictionResistance = 1
--
2.38.1
2.41.0

35
base/openssl3/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
View File

@ -1,36 +1,21 @@
From 4de5fa26873297f5c2eeed53e5c988437f837f55 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 13:53:31 +0100
Subject: [PATCH] signature: Remove X9.31 padding from FIPS prov
From 930e7acf7dd225102b6e88d23f5e2a3f4acea9fa Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 15:43:57 +0200
Subject: [PATCH 37/48]
0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
information in Appendix E:
> ANSI X9.31 was withdrawn, so X9.31 RSA signatures were removed from
> this standard.
Since this situation is unlikely to change in future revisions of the
draft, and future FIPS 140-3 validations of the provider will require
X9.31 to be disabled or marked as not approved with an explicit
indicator, disallow this padding mode now.
Remove the X9.31 tests from the acvp test, since they will always fail
now.
[1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
Signed-off-by: Clemens Lang <cllang@redhat.com>
Patch-name: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
Patch-id: 81
---
providers/implementations/signature/rsa_sig.c | 6 +
test/acvp_test.inc | 214 ------------------
2 files changed, 6 insertions(+), 214 deletions(-)
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 34f45175e8..49e7f9158a 100644
index 63ee11e566..cfaa4841cb 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -1233,7 +1233,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
@@ -1279,7 +1279,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
err_extra_text = "No padding not allowed with RSA-PSS";
goto cont;
case RSA_X931_PADDING:
@ -284,5 +269,5 @@ index 73b24bdb0c..96a72073f9 100644
"pss",
4096,
--
2.38.1
2.41.0

43
base/openssl3/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
View File

@ -1,19 +1,11 @@
From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 18:08:24 +0100
Subject: [PATCH] hmac: Add explicit FIPS indicator for key length
From 8e388e194e665286a8996d7d5926bab5c1a6b4f9 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 15:46:40 +0200
Subject: [PATCH 38/48]
0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
specifies key lengths < 112 bytes are disallowed for HMAC generation and
are legacy use for HMAC verification.
Add an explicit indicator that will mark shorter key lengths as
unsupported. The indicator can be queries from the EVP_MAC_CTX object
using EVP_MAC_CTX_get_params() with the
OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR
parameter.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Patch-name: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
Patch-id: 83
---
include/crypto/evp.h | 7 +++++++
include/openssl/evp.h | 3 +++
@ -21,7 +13,7 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
4 files changed, 28 insertions(+)
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index 76fb990de4..1e2240516e 100644
index aa07153441..a13127bd59 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void);
@ -39,10 +31,10 @@ index 76fb990de4..1e2240516e 100644
OSSL_PROVIDER *prov;
int name_id;
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 49e8e1df78..a5e78efd6e 100644
index 86f4e22c70..615857caf5 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1192,6 +1192,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
@@ -1194,6 +1194,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
void *arg);
/* MAC stuff */
@ -63,7 +55,7 @@ index 52ebb08b8f..cf5c3ecbe7 100644
+#include "crypto/evp.h"
+
#include "internal/ssl3_cbc.h"
#include "prov/implementations.h"
@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
static const OSSL_PARAM known_gettable_ctx_params[] = {
@ -94,10 +86,12 @@ index 52ebb08b8f..cf5c3ecbe7 100644
return 1;
}
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index 6618122417..8b2d430f17 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
--
2.41.0
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.hmac-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.hmac-patch 2024-01-02 12:18:16.909596613 +0100
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:20:18.465886160 +0100
@@ -137,12 +137,13 @@ my %params = (
# If "engine",or "properties",are specified, they should always be paired
# with "cipher",or "digest".
@ -118,6 +112,3 @@ index 6618122417..8b2d430f17 100644
# KDF / PRF parameters
'KDF_PARAM_SECRET' => "secret", # octet string
--
2.38.1

39
base/openssl3/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
View File

@ -1,34 +1,17 @@
From 754862899058cfb5f2341c81f9e04dd2f7b37056 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 18:37:17 +0100
Subject: [PATCH] pbkdf2: Set minimum password length of 8 bytes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From 915990e450e769e370fcacbfd8ed58ab6afaf2bf Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 15:47:55 +0200
Subject: [PATCH 39/48]
0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
The Implementation Guidance for FIPS 140-3 says in section D.N
"Password-Based Key Derivation for Storage Applications" that "the
vendor shall document in the modules Security Policy the length of
a password/passphrase used in key derivation and establish an upper
bound for the probability of having this parameter guessed at random.
This probability shall take into account not only the length of the
password/passphrase, but also the difficulty of guessing it. The
decision on the minimum length of a password used for key derivation is
the vendors, but the vendor shall at a minimum informally justify the
decision."
We are choosing a minimum password length of 8 bytes, because NIST's
ACVP testing uses passwords as short as 8 bytes, and requiring longer
passwords combined with an implicit indicator (i.e., returning an error)
would cause the module to fail ACVP testing.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Patch-name: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
Patch-id: 84
---
providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index 2a0ae63acc..aa0adce5e6 100644
index 349c3dd657..11820d1e69 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -35,6 +35,21 @@
@ -53,7 +36,7 @@ index 2a0ae63acc..aa0adce5e6 100644
static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
@@ -186,9 +201,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
@@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
ctx->lower_bound_checks = pkcs5 == 0;
}
@ -70,7 +53,7 @@ index 2a0ae63acc..aa0adce5e6 100644
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
if (ctx->lower_bound_checks != 0
@@ -297,6 +318,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
@@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
}
if (lower_bound_checks) {
@ -82,5 +65,5 @@ index 2a0ae63acc..aa0adce5e6 100644
ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
return 0;
--
2.38.1
2.41.0

36
base/openssl3/0085-FIPS-RSA-disable-shake.patch
View File

@ -1,32 +1,20 @@
From 52b347703ba2b98a0efee86c1a483c2f0f9f73d6 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Wed, 11 Jan 2023 12:52:59 +0100
Subject: [PATCH] rsa: Disallow SHAKE in OAEP and PSS in FIPS prov
From 2306fde5556cbcb875d095c09fed01a0f16fe7ec Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 15:51:55 +0200
Subject: [PATCH 40/48] 0085-FIPS-RSA-disable-shake.patch
According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
must not be used in higher-level algorithms (such as RSA-OAEP and
RSASSA-PSS):
"To be used in an approved mode of operation, the SHA-3 hash functions
may be implemented either as part of an approved higher-level algorithm,
for example, a digital signature algorithm, or as the standalone
functions. The SHAKE128 and SHAKE256 extendable-output functions may
only be used as the standalone algorithms."
Add a check to prevent their use as message digest in PSS signatures and
as MGF1 hash function in both OAEP and PSS.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Patch-name: 0085-FIPS-RSA-disable-shake.patch
Patch-id: 85
---
crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++
crypto/rsa/rsa_pss.c | 16 ++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index d9be1a4f98..dfe9c9f0e8 100644
index b2f7f7dc4b..af2b0b026c 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -73,9 +73,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
return 0;
#endif
}
@ -50,7 +38,7 @@ index d9be1a4f98..dfe9c9f0e8 100644
mdlen = EVP_MD_get_size(md);
if (mdlen <= 0) {
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH);
@@ -181,9 +195,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
#endif
}
@ -75,7 +63,7 @@ index d9be1a4f98..dfe9c9f0e8 100644
if (tlen <= 0 || flen <= 0)
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index 33874bfef8..e8681b0351 100644
index bb46ec64c7..c0fdf232da 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
@ -93,7 +81,7 @@ index 33874bfef8..e8681b0351 100644
hLen = EVP_MD_get_size(Hash);
if (hLen < 0)
goto err;
@@ -164,6 +172,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
if (mgf1Hash == NULL)
mgf1Hash = Hash;
@ -109,5 +97,5 @@ index 33874bfef8..e8681b0351 100644
if (hLen < 0)
goto err;
--
2.39.0
2.41.0

74
base/openssl3/0088-signature-Add-indicator-for-PSS-salt-length.patch
View File

@ -1,55 +1,20 @@
From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 17 Nov 2022 19:33:02 +0100
Subject: [PATCH 1/3] signature: Add indicator for PSS salt length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From 98ee6faef3da1439c04f11cd2796132d27d1e607 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 15:58:07 +0200
Subject: [PATCH 41/48] 0088-signature-Add-indicator-for-PSS-salt-length.patch
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen, where hLen is the length of
the hash function output block (in bytes)."
It is not exactly clear from this text whether hLen refers to the
message digest or the hash function used for the mask generation
function MGF1. PKCS#1 v2.1 suggests it is the former:
| Typical salt lengths in octets are hLen (the length of the output of
| the hash function Hash) and 0. In both cases the security of
| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
| Bellare and Rogaway [4] give a tight lower bound for the security of
| the original RSA-PSS scheme, which corresponds roughly to the former
| case, while Coron [12] gives a lower bound for the related Full Domain
| Hashing scheme, which corresponds roughly to the latter case. In [13]
| Coron provides a general treatment with various salt lengths ranging
| from 0 to hLen; see [27] for discussion. See also [31], which adapts
| the security proofs in [4][13] to address the differences between the
| original and the present version of RSA-PSS as listed in Note 1 above.
Since OpenSSL defaults to creating signatures with the maximum salt
length, blocking the use of longer salts would probably lead to
significant problems in practice. Instead, introduce an explicit
indicator that can be obtained from the EVP_PKEY_CTX object using
EVP_PKEY_CTX_get_params() with the
OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR
parameter.
We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch.
Dmitry Belyavskiy <dbelyavs@redhat.com>
Signed-off-by: Clemens Lang <cllang@redhat.com>
Patch-name: 0088-signature-Add-indicator-for-PSS-salt-length.patch
Patch-id: 88
---
include/openssl/evp.h | 4 ++++
providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++
util/perl/OpenSSL/paramnames.pm | 23 ++++++++++---------
3 files changed, 37 insertions(+), 11 deletions(-)
providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++++
3 files changed, 26 insertions(+)
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index a5e78efd6e..f239200465 100644
index 615857caf5..05f2d0f75a 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -797,6 +797,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
@@ -799,6 +799,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
int *outl);
@ -61,10 +26,10 @@ index a5e78efd6e..f239200465 100644
EVP_PKEY *pkey);
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 49e7f9158a..0c45008a00 100644
index cfaa4841cb..851671cfb1 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -1127,6 +1127,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
@@ -1173,6 +1173,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
}
}
@ -89,7 +54,7 @@ index 49e7f9158a..0c45008a00 100644
return 1;
}
@@ -1136,6 +1151,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
@@ -1182,6 +1200,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
@ -99,10 +64,12 @@ index 49e7f9158a..0c45008a00 100644
OSSL_PARAM_END
};
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index 8b2d430f17..a109e44521 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
--
2.41.0
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.salt-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.salt-patch 2024-01-02 12:23:57.106998142 +0100
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:26:29.687472015 +0100
@@ -377,17 +377,18 @@ my %params = (
'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm",
@ -133,6 +100,3 @@ index 8b2d430f17..a109e44521 100644
# Asym cipher parameters
'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
--
2.38.1

25
base/openssl3/0091-FIPS-RSA-encapsulate.patch
View File

@ -1,7 +1,19 @@
diff -up openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap openssl-3.0.1/providers/implementations/kem/rsa_kem.c
--- openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap 2022-11-22 12:27:30.994530801 +0100
+++ openssl-3.0.1/providers/implementations/kem/rsa_kem.c 2022-11-22 12:32:15.916875495 +0100
@@ -264,6 +264,14 @@ static int rsasve_generate(PROV_RSA_CTX
From afab56d09edb525dd794fcb2ae2295ab7f39400a Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:01:48 +0200
Subject: [PATCH 42/48] 0091-FIPS-RSA-encapsulate.patch
Patch-name: 0091-FIPS-RSA-encapsulate.patch
Patch-id: 91
---
providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index 365ae3d7d6..8a6f585d0b 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -265,6 +265,14 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
*secretlen = nlen;
return 1;
}
@ -16,7 +28,7 @@ diff -up openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap openssl-3.0
/*
* Step (2): Generate a random byte string z of nlen bytes where
* 1 < z < n - 1
@@ -307,6 +315,13 @@ static int rsasve_recover(PROV_RSA_CTX *
@@ -308,6 +316,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
return 1;
}
@ -30,3 +42,6 @@ diff -up openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap openssl-3.0
/* Step (2): check the input ciphertext 'inlen' matches the nlen */
if (inlen != nlen) {
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
--
2.41.0

54
base/openssl3/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
View File

@ -1,25 +1,11 @@
From 8a2d1b22ede5eeca4d104bb027b84f3ecfc69549 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 11 May 2023 12:51:59 +0200
Subject: [PATCH] DH: Disable FIPS 186-4 type parameters in FIPS mode
From 590babb35e3aa399c889282747965e301333a656 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:07:18 +0200
Subject: [PATCH 43/48]
0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
186-5 and the removal of DSA, the approved status of these groups is in
peril. Once the transition for DSA ends (this transition will be 1 year
long and start once CMVP has published the guidance), no more
submissions claiming DSA will be allowed. Hence, FIPS 186-type
parameters will also be automatically non-approved.
In the FIPS provider, disable validation of any DH parameters that are
not well-known groups, and remove DH parameter generation completely.
Adjust tests to use well-known groups or larger DH groups where this
change would now cause failures, and skip tests that are expected to
fail due to this change.
Related: rhbz#2169757, rhbz#2169757
Signed-off-by: Clemens Lang <cllang@redhat.com>
Patch-name: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
Patch-id: 93
---
crypto/dh/dh_backend.c | 10 ++++
crypto/dh/dh_check.c | 12 ++--
@ -82,10 +68,10 @@ index 0b391910d6..75581ca347 100644
#else
int DH_check_params(const DH *dh, int *ret)
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index aec6b85316..9c55121067 100644
index 204662a81c..9961f21920 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -38,18 +38,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
BN_GENCB *cb)
{
@ -115,10 +101,10 @@ index aec6b85316..9c55121067 100644
dh->dirty_cnt++;
return ret;
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 4e9705beef..14c0b0b6b3 100644
index 83773cceea..7e988368d3 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -308,8 +308,12 @@ static int generate_key(DH *dh)
@@ -321,8 +321,12 @@ static int generate_key(DH *dh)
goto err;
} else {
#ifdef FIPS_MODULE
@ -133,7 +119,7 @@ index 4e9705beef..14c0b0b6b3 100644
#else
if (dh->params.q == NULL) {
/* secret exponent length, must satisfy 2^(l-1) <= p */
@@ -330,9 +334,7 @@ static int generate_key(DH *dh)
@@ -343,9 +347,7 @@ static int generate_key(DH *dh)
if (!BN_clear_bit(priv_key, 0))
goto err;
}
@ -144,7 +130,7 @@ index 4e9705beef..14c0b0b6b3 100644
/* Do a partial check for invalid p, q, g */
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
FFC_PARAM_TYPE_DH, NULL))
@@ -348,6 +350,7 @@ static int generate_key(DH *dh)
@@ -361,6 +363,7 @@ static int generate_key(DH *dh)
priv_key))
goto err;
}
@ -194,10 +180,10 @@ index 9a7dde7c66..b3e7bca5ac 100644
/*
* Both of these functions check parameters. DH_check_params_ex()
diff --git a/test/endecode_test.c b/test/endecode_test.c
index e3f7b81f69..1b63daaed5 100644
index 53385028fc..169f3ccd73 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -80,10 +80,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
* for testing only. Use a minimum key size of 2048 for security purposes.
*/
if (strcmp(type, "DH") == 0)
@ -211,10 +197,10 @@ index e3f7b81f69..1b63daaed5 100644
/*
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index 2448c35a14..92d484fb12 100644
index a7913cda4c..96a35ac1cc 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -188,7 +188,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
|| !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
@ -309,7 +295,7 @@ index f0e8709062..2ff6d6e721 100644
EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index cabbe3ecdf..efe56c5665 100644
index 2a459856f0..afac836fa3 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -627,10 +627,10 @@ my @smime_cms_param_tests = (
@ -326,7 +312,7 @@ index cabbe3ecdf..efe56c5665 100644
\&final_compare
]
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 8c52b637fc..31ed54621b 100644
index 527abcea6e..e1d38b1e62 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -390,6 +390,9 @@ sub testssl {
@ -340,5 +326,5 @@ index 8c52b637fc..31ed54621b 100644
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
--
2.40.1
2.41.0

41
base/openssl3/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
View File

@ -1,28 +1,22 @@
From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 17 Feb 2023 15:31:08 +0100
Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen
From 5db03a4d024f1e396ff54d38ac70d9890b034074 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:10:11 +0200
Subject: [PATCH 45/48]
0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
Implementation Guidance for FIPS 140-3 and the Cryptographic Module
Verification Program, Section C.H requires guarantees about the
uniqueness of key/iv pairs, and proposes a few approaches to ensure
this. Provide an indicator for option 2 "The IV may be generated
internally at its entirety randomly."
Resolves: rhbz#2168289
Signed-off-by: Clemens Lang <cllang@redhat.com>
Patch-name: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
Patch-id: 110
---
include/openssl/evp.h | 4 +++
.../implementations/ciphers/ciphercommon.c | 4 +++
.../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++
util/perl/OpenSSL/paramnames.pm | 5 ++--
4 files changed, 36 insertions(+), 2 deletions(-)
4 files changed, 34 insertions(+)
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 49e8e1df78..ec2ba46fbd 100644
index 05f2d0f75a..f1a33ff6f2 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -746,6 +746,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
@@ -748,6 +748,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
@ -52,7 +46,7 @@ diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/im
index ed95c97ff4..db7910eb0e 100644
--- a/providers/implementations/ciphers/ciphercommon_gcm.c
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c
@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
break;
}
}
@ -84,10 +78,12 @@ index ed95c97ff4..db7910eb0e 100644
return 1;
}
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index a109e44521..64e9809387 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
--
2.41.0
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.ivgen-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.ivgen-patch 2024-01-02 12:29:45.119433637 +0100
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:33:09.146723045 +0100
@@ -101,8 +101,9 @@ my %params = (
'CIPHER_PARAM_SPEED' => "speed", # uint
'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string
@ -100,6 +96,3 @@ index a109e44521..64e9809387 100644
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE' => "tls1multi_maxbufsz", # size_t
--
2.39.1

27
base/openssl3/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
View File

@ -1,25 +1,20 @@
From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 6 Mar 2023 12:32:04 +0100
Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks
From 48c763ed9cc889806bc01222382ce6f918a408a2 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:12:33 +0200
Subject: [PATCH 46/48]
0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
The pbkdf2 implementation in the FIPS provider supports the checks
required by NIST, but allows disabling these checks by setting the
OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate
that the use of this configuration is not approved in FIPS mode. Add an
explicit indicator to provide this indication.
Resolves: rhbz#2175145
Signed-off-by: Clemens Lang <cllang@redhat.com>
Patch-name: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
Patch-id: 112
---
providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index aa0adce5e6..6df8c6d321 100644
index 11820d1e69..bae2238ab5 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
@@ -284,11 +284,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
@ -65,7 +60,7 @@ index aa0adce5e6..6df8c6d321 100644
}
static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
@@ -296,6 +327,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
@ -76,5 +71,5 @@ index aa0adce5e6..6df8c6d321 100644
};
return known_gettable_ctx_params;
--
2.39.2
2.41.0

58
base/openssl3/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
View File

@ -1,37 +1,22 @@
From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Fri, 17 Mar 2023 15:39:15 +0100
Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator
From 136988155862ce2b45683ef8045e7a8cdd11e215 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 16:13:46 +0200
Subject: [PATCH 47/48] 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
confirmation (section 6.4.2.3.2), or assurance from a trusted third
party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
agreement schemes, but explicit key confirmation is not implemented and
cannot be implemented without protocol changes, and the FIPS provider
does not implement trusted third party validation, since it relies on
its callers to do that. A request for guidance sent to NIST did clarify
that OpenSSL can claim KTS-OAEP and RSASVE as approved, but we did add
an indicator to mark them as unapproved previously and should thus keep
the indicator available.
This does not affect RSA-OAEP decryption, because it is approved as
a component according to the FIPS 140-3 IG, section 2.4.G.
Resolves: rhbz#2179331
Resolves: RHEL-14083
Signed-off-by: Clemens Lang <cllang@redhat.com>
Patch-name: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
Patch-id: 113
---
include/openssl/core_names.h | 2 ++
include/openssl/evp.h | 4 +++
.../implementations/asymciphers/rsa_enc.c | 22 ++++++++++++++
providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++-
util/perl/OpenSSL/paramnames.pm | 6 ++--
4 files changed, 59 insertions(+), 3 deletions(-)
4 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index ec2ba46fbd..3803b03422 100644
index f1a33ff6f2..dadbf46a5a 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1764,6 +1764,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
@@ -1767,6 +1767,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
# endif
@ -43,10 +28,10 @@ index ec2ba46fbd..3803b03422 100644
const char *properties);
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 568452ec56..2e7ea632d7 100644
index d169bfd396..bd4dcb4e27 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -462,6 +462,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
@@ -466,6 +466,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
return 0;
@ -74,7 +59,7 @@ index 568452ec56..2e7ea632d7 100644
return 1;
}
@@ -465,6 +483,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
@@ -480,6 +501,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
#ifdef FIPS_MODULE
OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
@ -83,10 +68,10 @@ index 568452ec56..2e7ea632d7 100644
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
OSSL_PARAM_END
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index 882cf16125..b4cc0f9237 100644
index 8a6f585d0b..f4b7415074 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
@@ -152,11 +152,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
{
PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
@ -127,10 +112,12 @@ index 882cf16125..b4cc0f9237 100644
OSSL_PARAM_END
};
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
index 64e9809387..45ab0c8dc4 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
--
2.41.0
diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.kem-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm
--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.kem-patch 2024-01-02 12:49:04.598756268 +0100
+++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:53:16.466464414 +0100
@@ -406,6 +406,7 @@ my %params = (
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
@ -151,6 +138,3 @@ index 64e9809387..45ab0c8dc4 100644
# Capabilities
--
2.39.2

16
base/openssl3/0115-skip-quic-pairwise.patch
View File

@ -1,17 +1,17 @@
From ec8e4e25cc5e5c67313c5fd6af94fa248685c3d1 Mon Sep 17 00:00:00 2001
From 42ed594a3a905830374fb65cced431748f8c639c Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 7 Mar 2024 17:37:09 +0100
Subject: [PATCH 45/49] 0115-skip-quic-pairwise.patch
Date: Thu, 4 Apr 2024 11:50:58 +0200
Subject: [PATCH 45/50] 0115-skip-quic-pairwise.patch
Patch-name: 0115-skip-quic-pairwise.patch
Patch-id: 115
Patch-status: |
# skip quic and pairwise tests temporarily
# Amend tests according to Fedora/RHEL code
---
test/quicapitest.c | 4 +++-
test/recipes/01-test_symbol_presence.t | 1 +
test/recipes/30-test_pairwise_fail.t | 10 ++++++++--
3 files changed, 12 insertions(+), 3 deletions(-)
test/recipes/30-test_pairwise_fail.t | 13 +++++++++++--
3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/test/quicapitest.c b/test/quicapitest.c
index 41cf0fc7a8..0fb7492700 100644
@ -29,7 +29,7 @@ index 41cf0fc7a8..0fb7492700 100644
ADD_TEST(test_quic_forbidden_apis_ctx);
ADD_TEST(test_quic_forbidden_apis);
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
index c837d48fb4..6291c08c49 100644
index c837d48fb4..f06ef04b1a 100644
--- a/test/recipes/30-test_pairwise_fail.t
+++ b/test/recipes/30-test_pairwise_fail.t
@@ -9,7 +9,7 @@
@ -41,7 +41,7 @@ index c837d48fb4..6291c08c49 100644
use OpenSSL::Test::Utils;
BEGIN {
@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config"
@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
SKIP: {
skip "Skip RSA test because of no rsa in this build", 1
if disabled("rsa");

1579
base/openssl3/0124-PBMAC1-PKCS12-FIPS-support.patch Normal file
View File

File diff suppressed because it is too large Load Diff

21
base/openssl3/0125-PBMAC1-PKCS12-FIPS-default.patch Normal file
View File

@ -0,0 +1,21 @@
diff -up openssl-3.2.2/apps/pkcs12.c.xxx openssl-3.2.2/apps/pkcs12.c
--- openssl-3.2.2/apps/pkcs12.c.xxx 2024-08-14 11:24:41.164589397 +0200
+++ openssl-3.2.2/apps/pkcs12.c 2024-08-14 11:28:21.071004221 +0200
@@ -17,6 +17,7 @@
#include <openssl/asn1.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/provider.h>
@@ -708,6 +709,9 @@ int pkcs12_main(int argc, char **argv)
}
if (maciter != -1) {
+ if (EVP_default_properties_is_fips_enabled(NULL))
+ pbmac1_pbkdf2 = 1;
+
if (pbmac1_pbkdf2 == 1) {
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
macsaltlen, maciter,

430
base/openssl3/0126-pkeyutl-encap.patch Normal file
View File

@ -0,0 +1,430 @@
From 77a0eabe15b9c8c0fb5fde27f6ce1c593c278e20 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Wed, 7 Aug 2024 17:17:18 +0200
Subject: [PATCH 1/3] Support of en/decapsulation in the pkeyutl command
---
apps/pkeyutl.c | 83 +++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 69 insertions(+), 14 deletions(-)
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index b5390c64c2a81..a14ad88217823 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -24,7 +24,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
const char *keyfile, int keyform, int key_type,
char *passinarg, int pkey_op, ENGINE *e,
const int impl, int rawin, EVP_PKEY **ppkey,
- EVP_MD_CTX *mctx, const char *digestname,
+ EVP_MD_CTX *mctx, const char *digestname, const char *kemop,
OSSL_LIB_CTX *libctx, const char *propq);
static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
@@ -32,7 +32,8 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
unsigned char *out, size_t *poutlen,
- const unsigned char *in, size_t inlen);
+ const unsigned char *in, size_t inlen,
+ unsigned char *secret, size_t *psecretlen);
static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
EVP_PKEY *pkey, BIO *in,
@@ -47,6 +48,7 @@ typedef enum OPTION_choice {
OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
OPT_KDFLEN, OPT_R_ENUM, OPT_PROV_ENUM,
+ OPT_DECAP, OPT_ENCAP, OPT_SECOUT, OPT_KEMOP,
OPT_CONFIG,
OPT_RAWIN, OPT_DIGEST
} OPTION_CHOICE;
@@ -64,6 +66,8 @@ const OPTIONS pkeyutl_options[] = {
{"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
{"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
{"derive", OPT_DERIVE, '-', "Derive shared secret"},
+ {"decap", OPT_DECAP, '-', "Decapsulate shared secret"},
+ {"encap", OPT_ENCAP, '-', "Encapsulate shared secret"},
OPT_CONFIG_OPTION,
OPT_SECTION("Input"),
@@ -81,12 +85,13 @@ const OPTIONS pkeyutl_options[] = {
OPT_SECTION("Output"),
{"out", OPT_OUT, '>', "Output file - default stdout"},
+ {"secret", OPT_SECOUT, '>', "File to store secret on encapsulation"},
{"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"},
{"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
{"verifyrecover", OPT_VERIFYRECOVER, '-',
"Verify with public key, recover original data"},
- OPT_SECTION("Signing/Derivation"),
+ OPT_SECTION("Signing/Derivation/Encapsulation"),
{"digest", OPT_DIGEST, 's',
"Specify the digest algorithm when signing the raw input data"},
{"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
@@ -94,6 +99,7 @@ const OPTIONS pkeyutl_options[] = {
"Public key option that is read as a passphrase argument opt:passphrase"},
{"kdf", OPT_KDF, 's', "Use KDF algorithm"},
{"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
+ {"kemop", OPT_KEMOP, 's', "KEM operation specific to the key algorithm"},
OPT_R_OPTIONS,
OPT_PROV_OPTIONS,
@@ -103,23 +109,23 @@ const OPTIONS pkeyutl_options[] = {
int pkeyutl_main(int argc, char **argv)
{
CONF *conf = NULL;
- BIO *in = NULL, *out = NULL;
+ BIO *in = NULL, *out = NULL, *secout = NULL;
ENGINE *e = NULL;
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY *pkey = NULL;
- char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL;
+ char *infile = NULL, *outfile = NULL, *secoutfile = NULL, *sigfile = NULL, *passinarg = NULL;
char hexdump = 0, asn1parse = 0, rev = 0, *prog;
- unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
+ unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL, *secret = NULL;
OPTION_CHOICE o;
int buf_inlen = 0, siglen = -1;
int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF;
int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
int engine_impl = 0;
int ret = 1, rv = -1;
- size_t buf_outlen;
+ size_t buf_outlen = 0, secretlen = 0;
const char *inkey = NULL;
const char *peerkey = NULL;
- const char *kdfalg = NULL, *digestname = NULL;
+ const char *kdfalg = NULL, *digestname = NULL, *kemop = NULL;
int kdflen = 0;
STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL;
@@ -147,6 +153,9 @@ int pkeyutl_main(int argc, char **argv)
case OPT_OUT:
outfile = opt_arg();
break;
+ case OPT_SECOUT:
+ secoutfile = opt_arg();
+ break;
case OPT_SIGFILE:
sigfile = opt_arg();
break;
@@ -216,6 +225,15 @@ int pkeyutl_main(int argc, char **argv)
case OPT_DERIVE:
pkey_op = EVP_PKEY_OP_DERIVE;
break;
+ case OPT_DECAP:
+ pkey_op = EVP_PKEY_OP_DECAPSULATE;
+ break;
+ case OPT_ENCAP:
+ pkey_op = EVP_PKEY_OP_ENCAPSULATE;
+ break;
+ case OPT_KEMOP:
+ kemop = opt_arg();
+ break;
case OPT_KDF:
pkey_op = EVP_PKEY_OP_DERIVE;
key_type = KEY_NONE;
@@ -303,7 +321,7 @@ int pkeyutl_main(int argc, char **argv)
}
ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
passinarg, pkey_op, e, engine_impl, rawin, &pkey,
- mctx, digestname, libctx, app_get0_propq());
+ mctx, digestname, kemop, libctx, app_get0_propq());
if (ctx == NULL) {
BIO_printf(bio_err, "%s: Error initializing context\n", prog);
goto end;
@@ -387,7 +405,7 @@ int pkeyutl_main(int argc, char **argv)
goto end;
}
- if (pkey_op != EVP_PKEY_OP_DERIVE) {
+ if (pkey_op != EVP_PKEY_OP_DERIVE && pkey_op != EVP_PKEY_OP_ENCAPSULATE) {
in = bio_open_default(infile, 'r', FORMAT_BINARY);
if (infile != NULL) {
struct stat st;
@@ -402,6 +420,16 @@ int pkeyutl_main(int argc, char **argv)
if (out == NULL)
goto end;
+ if (pkey_op == EVP_PKEY_OP_ENCAPSULATE) {
+ if (secoutfile == NULL) {
+ BIO_printf(bio_err, "Encapsulation requires '-secret' argument\n");
+ goto end;
+ }
+ secout = bio_open_default(secoutfile, 'w', FORMAT_BINARY);
+ if (secout == NULL)
+ goto end;
+ }
+
if (sigfile != NULL) {
BIO *sigbio = BIO_new_file(sigfile, "rb");
@@ -473,13 +501,15 @@ int pkeyutl_main(int argc, char **argv)
rv = 1;
} else {
rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
- buf_in, (size_t)buf_inlen);
+ buf_in, (size_t)buf_inlen, NULL, (size_t *)&secretlen);
}
if (rv > 0 && buf_outlen != 0) {
buf_out = app_malloc(buf_outlen, "buffer output");
+ if (secretlen > 0)
+ secret = app_malloc(secretlen, "secret output");
rv = do_keyop(ctx, pkey_op,
buf_out, (size_t *)&buf_outlen,
- buf_in, (size_t)buf_inlen);
+ buf_in, (size_t)buf_inlen, secret, (size_t *)&secretlen);
}
}
if (rv <= 0) {
@@ -500,6 +530,8 @@ int pkeyutl_main(int argc, char **argv)
} else {
BIO_write(out, buf_out, buf_outlen);
}
+ if (secretlen > 0)
+ BIO_write(secout, secret, secretlen);
end:
if (ret != 0)
@@ -510,9 +542,11 @@ int pkeyutl_main(int argc, char **argv)
release_engine(e);
BIO_free(in);
BIO_free_all(out);
+ BIO_free_all(secout);
OPENSSL_free(buf_in);
OPENSSL_free(buf_out);
OPENSSL_free(sig);
+ OPENSSL_free(secret);
sk_OPENSSL_STRING_free(pkeyopts);
sk_OPENSSL_STRING_free(pkeyopts_passin);
NCONF_free(conf);
@@ -524,7 +558,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
char *passinarg, int pkey_op, ENGINE *e,
const int engine_impl, int rawin,
EVP_PKEY **ppkey, EVP_MD_CTX *mctx, const char *digestname,
- OSSL_LIB_CTX *libctx, const char *propq)
+ const char *kemop, OSSL_LIB_CTX *libctx, const char *propq)
{
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
@@ -642,6 +676,18 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
case EVP_PKEY_OP_DERIVE:
rv = EVP_PKEY_derive_init(ctx);
break;
+
+ case EVP_PKEY_OP_ENCAPSULATE:
+ rv = EVP_PKEY_encapsulate_init(ctx, NULL);
+ if (rv > 0 && kemop != NULL)
+ rv = EVP_PKEY_CTX_set_kem_op(ctx, kemop);
+ break;
+
+ case EVP_PKEY_OP_DECAPSULATE:
+ rv = EVP_PKEY_decapsulate_init(ctx, NULL);
+ if (rv > 0 && kemop != NULL)
+ rv = EVP_PKEY_CTX_set_kem_op(ctx, kemop);
+ break;
}
}
@@ -679,7 +725,8 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
unsigned char *out, size_t *poutlen,
- const unsigned char *in, size_t inlen)
+ const unsigned char *in, size_t inlen,
+ unsigned char *secret, size_t *pseclen)
{
int rv = 0;
switch (pkey_op) {
@@ -703,6 +750,14 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
rv = EVP_PKEY_derive(ctx, out, poutlen);
break;
+ case EVP_PKEY_OP_ENCAPSULATE:
+ rv = EVP_PKEY_encapsulate(ctx, out, poutlen, secret, pseclen);
+ break;
+
+ case EVP_PKEY_OP_DECAPSULATE:
+ rv = EVP_PKEY_decapsulate(ctx, out, poutlen, in, inlen);
+ break;
+
}
return rv;
}
From 1598da873df55887c2d878549f74b7aaed6d5fde Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Wed, 7 Aug 2024 17:50:51 +0200
Subject: [PATCH 2/3] Encap/decap in pkeyutl - documentation
---
doc/man1/openssl-pkeyutl.pod.in | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
index 50c2030aa353c..9de50dd6cee8f 100644
--- a/doc/man1/openssl-pkeyutl.pod.in
+++ b/doc/man1/openssl-pkeyutl.pod.in
@@ -13,6 +13,7 @@ B<openssl> B<pkeyutl>
[B<-rawin>]
[B<-digest> I<algorithm>]
[B<-out> I<file>]
+[B<-secret> I<file>]
[B<-sigfile> I<file>]
[B<-inkey> I<filename>|I<uri>]
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
@@ -28,8 +29,11 @@ B<openssl> B<pkeyutl>
[B<-encrypt>]
[B<-decrypt>]
[B<-derive>]
+[B<-encap>]
+[B<-decap>]
[B<-kdf> I<algorithm>]
[B<-kdflen> I<length>]
+[B<-kemop> I<operation>]
[B<-pkeyopt> I<opt>:I<value>]
[B<-pkeyopt_passin> I<opt>[:I<passarg>]]
[B<-hexdump>]
@@ -79,6 +83,10 @@ then the B<-rawin> option must be also specified.
Specifies the output filename to write to or standard output by
default.
+=item B<-secret> I<filename>
+
+Specifies the output filename to write the secret to on I<-encap>.
+
=item B<-sigfile> I<file>
Signature file, required for B<-verify> operations only
@@ -147,6 +155,31 @@ Decrypt the input data using a private key.
Derive a shared secret using the peer key.
+=item B<-encap>
+
+Encapsulate a generated secret using a private key.
+The encapsulated result (binary data) is written to standard output by default,
+or else to the file specified with I<-out>.
+The I<-secret> option must also be provided to specify the output file for the
+secret value generated in the encapsulation process.
+
+=item B<-decap>
+
+Decapsulate the secret using a private key.
+The result (binary data) is written to standard output by default, or else to
+the file specified with I<-out>.
+
+=item B<-kemop> I<operation>
+
+This option is used for I<-encap>/I<-decap> commands and specifies the KEM
+operation specific for the key algorithm when there is no default KEM
+operation.
+If the algorithm has the default KEM operation, this option can be omitted.
+
+See L<EVP_PKEY_CTX_set_kem_op(3)> and algorithm-specific KEM documentation e.g.
+L<EVP_KEM-RSA(7)>, L<EVP_KEM-EC(7)>, L<EVP_KEM-X25519(7)>, and
+L<EVP_KEM-X448(7)>.
+
=item B<-kdf> I<algorithm>
Use key derivation function I<algorithm>. The supported algorithms are
From 1fe7d5b3d96e2ce1e822a4e6e042959af55b0145 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Thu, 8 Aug 2024 13:45:19 +0200
Subject: [PATCH 3/3] Encap/decap in pkeyutl - tests
---
test/decap_out.bin | 3 +++
test/encap_out.bin | 4 ++++
test/encap_secret.bin | 3 +++
test/recipes/20-test_pkeyutl.t | 34 ++++++++++++++++++++++++++++++++--
4 files changed, 42 insertions(+), 2 deletions(-)
create mode 100644 test/decap_out.bin
create mode 100644 test/encap_out.bin
create mode 100644 test/encap_secret.bin
diff --git a/test/decap_out.bin b/test/decap_out.bin
new file mode 100644
index 0000000000000..b94441ed1c002
--- /dev/null
+++ b/test/decap_out.bin
@@ -0,0 +1,3 @@
+6žW«¡ŠòÌn©ú;’ù<1B>¡ÃÄmç Ä¥ÉB[HãÕË#äÓ‡(™‡hŽ] :\³xñe¡ƒŽbòé)G¿fõÈ"¨ýË­ÊýJÝ)ïþÜ<02>ì {ªHm\P ú<C383>+¸¸%èÄ/jÏ™%ç؆È<_æ~
+K—JEhßù‡©lEa¼:¢(Ÿå/\Ñ®Íb<C38D>€Ã®©Ê ×È-g,A4<E280B9>
+l<>ÚtÚN­)~\<5C>HU4y០}qJŸ ”t# <0C>¦}.™üTÅý”?ÚØÏŠÐÿcD=ü¨nmv<6D>{—éÅ¿Ô‹È£®
\ No newline at end of file
diff --git a/test/encap_out.bin b/test/encap_out.bin
new file mode 100644
index 0000000000000..024fc40550f15
--- /dev/null
+++ b/test/encap_out.bin
@@ -0,0 +1,4 @@
:÷ÙyÄ<E2809A>ã ÿÙ[Û2ê<¾ê?«î±qÕª1·µŒ¸ºæÝ>YÎM寬3PÝ
+ìÛO2rÈÙŠíùAd" Gç„m‡2mÏÄ7x•Ñhú7-ÿ@:?NµÇrSêœKÁ¡žè`«t¥ÉŸªÓxié头' Mhøñ˜3r<><1F>ÞÚƒSd¦ðO±£ãHT„F§þ
kZ'xšFÛKùx”q"ÐÒúl@04E‰†ÌûŽ;c¾iA}U÷ÆŒ P6ýk0ó%DôòLÄ.U aO¨(L<>Iý®QÇç¢ÏA
+Œ[´uÔžØ4s$¨†Ò%tÕB
\ No newline at end of file
diff --git a/test/encap_secret.bin b/test/encap_secret.bin
new file mode 100644
index 0000000000000..b94441ed1c002
--- /dev/null
+++ b/test/encap_secret.bin
@@ -0,0 +1,3 @@
+6žW«¡ŠòÌn©ú;’ù<1B>¡ÃÄmç Ä¥ÉB[HãÕË#äÓ‡(™‡hŽ] :\³xñe¡ƒŽbòé)G¿fõÈ"¨ýË­ÊýJÝ)ïþÜ<02>ì {ªHm\P ú<C383>+¸¸%èÄ/jÏ™%ç؆È<_æ~
+K—JEhßù‡©lEa¼:¢(Ÿå/\Ñ®Íb<C38D>€Ã®©Ê ×È-g,A4<E280B9>
+l<>ÚtÚN­)~\<5C>HU4y០}qJŸ ”t# <0C>¦}.™üTÅý”?ÚØÏŠÐÿcD=ü¨nmv<6D>{—éÅ¿Ô‹È£®
\ No newline at end of file
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index 76e4f0a869459..e9472a21352e2 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -13,11 +13,11 @@ use File::Spec;
use File::Basename;
use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/;
use OpenSSL::Test::Utils;
-use File::Compare qw/compare_text/;
+use File::Compare qw/compare_text compare/;
setup("test_pkeyutl");
-plan tests => 14;
+plan tests => 19;
# For the tests below we use the cert itself as the TBS file
@@ -200,3 +200,33 @@ SKIP: {
"-rawin");
};
}
+
+#Encap/decap tests
+# openssl pkeyutl -encap -pubin -inkey rsa_pub.pem -secret secret.bin -out encap_out.bin
+# openssl pkeyutl -decap -inkey rsa_priv.pem -in encap_out.bin -out decap_out.bin
+# decap_out is equal to secret
+SKIP: {
+ skip "RSA is not supported by this OpenSSL build", 3
+ if disabled("rsa");
+
+ # Self-compat
+ ok(run(app(([ 'openssl', 'pkeyutl', '-encap', '-pubin', '-kemop', 'RSASVE',
+ '-inkey', srctop_file('test', 'testrsa2048pub.pem'),
+ '-out', 'encap_out.bin', '-secret', 'secret.bin']))),
+ "RSA pubkey encapsulation");
+ ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE',
+ '-inkey', srctop_file('test', 'testrsa2048.pem'),
+ '-in', 'encap_out.bin', '-out', 'decap_out.bin']))),
+ "RSA pubkey decapsulation");
+ is(compare("secret.bin", "decap_out.bin"), 0, "Secret is correctly decapsulated");
+
+ # Pregenerated
+ ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE',
+ '-inkey', srctop_file('test', 'testrsa2048.pem'),
+ '-in', srctop_file('test', 'encap_out.bin'), '-out', 'decap_out_etl.bin']))),
+ "RSA pubkey decapsulation - pregenerated");
+
+ is(compare(srctop_file('test', 'encap_secret.bin'), "decap_out_etl.bin"), 0,
+ "Secret is correctly decapsulated - pregenerated");
+}
+

201
base/openssl3/0127-speedup-SSL_add_cert_subjects_to_stack.patch Normal file
View File

@ -0,0 +1,201 @@
From e2e469593a15681983d16e36d856bf8fb7de8589 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Wed, 31 Jul 2024 12:45:11 +0200
Subject: [PATCH] Speed up SSL_add_{file,dir}_cert_subjects_to_stack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The X509_NAME comparison function converts its arguments to DER using
i2d_X509_NAME before comparing the results using memcmp(). For every
invocation of the comparison function (of which there are many when
loading many certificates), it allocates two buffers of the appropriate
size for the DER encoding.
Switching to static buffers (possibly of X509_NAME_MAX size as defined
in crypto/x509/x_name.c) would not work with multithreaded use, e.g.,
when two threads sort two separate STACK_OF(X509_NAME)s at the same
time. A suitable re-usable buffer could have been added to the
STACK_OF(X509_NAME) if sk_X509_NAME_compfunc did have a void* argument,
or a pointer to the STACK_OF(X509_NAME) but it does not.
Instead, copy the solution chosen in SSL_load_client_CA_file() by
filling an LHASH_OF(X509_NAME) with all existing names in the stack and
using that to deduplicate, rather than relying on sk_X509_NAME_find(),
which ends up being very slow.
Adjust SSL_add_dir_cert_subjects_to_stack() to keep a local
LHASH_OF(X509_NAME)s over the complete directory it is processing.
In a small benchmark that calls SSL_add_dir_cert_subjects_to_stack()
twice, once on a directory with one entry, and once with a directory
with 1000 certificates, and repeats this in a loop 10 times, this change
yields a speed-up of 5.32:
| Benchmark 1: ./bench 10 dir-1 dir-1000
| Time (mean ± σ): 6.685 s ± 0.017 s [User: 6.402 s, System: 0.231 s]
| Range (min … max): 6.658 s … 6.711 s 10 runs
|
| Benchmark 2: LD_LIBRARY_PATH=. ./bench 10 dir-1 dir-1000
| Time (mean ± σ): 1.256 s ± 0.013 s [User: 1.034 s, System: 0.212 s]
| Range (min … max): 1.244 s … 1.286 s 10 runs
|
| Summary
| LD_LIBRARY_PATH=. ./bench 10 dir-1 dir-1000 ran
| 5.32 ± 0.06 times faster than ./bench 10 dir-1 dir-1000
In the worst case scenario where many entries are added to a stack that
is then repeatedly used to add more certificates, and with a larger test
size, the speedup is still very significant. With 15000 certificates,
a single pass to load them, followed by attempting to load a subset of
1000 of these 15000 certificates, followed by a single certificate, the
new approach is ~85 times faster:
| Benchmark 1: ./bench 1 dir-15000 dir-1000 dir-1
| Time (mean ± σ): 176.295 s ± 4.147 s [User: 174.593 s, System: 0.448 s]
| Range (min … max): 173.774 s … 185.594 s 10 runs
|
| Benchmark 2: LD_LIBRARY_PATH=. ./bench 1 dir-15000 dir-1000 dir-1
| Time (mean ± σ): 2.087 s ± 0.034 s [User: 1.679 s, System: 0.393 s]
| Range (min … max): 2.057 s … 2.167 s 10 runs
|
| Summary
| LD_LIBRARY_PATH=. ./bench 1 dir-15000 dir-1000 dir-1 ran
| 84.48 ± 2.42 times faster than ./bench 1 dir-15000 dir-1000 dir-1
Signed-off-by: Clemens Lang <cllang@redhat.com>
---
ssl/ssl_cert.c | 74 ++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 65 insertions(+), 9 deletions(-)
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 0ff407bf55edc..5e5ffe39d0655 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -813,16 +813,14 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
return SSL_load_client_CA_file_ex(file, NULL, NULL);
}
-int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
- const char *file)
+static int add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *file,
+ LHASH_OF(X509_NAME) *name_hash)
{
BIO *in;
X509 *x = NULL;
X509_NAME *xn = NULL;
int ret = 1;
- int (*oldcmp) (const X509_NAME *const *a, const X509_NAME *const *b);
-
- oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp);
in = BIO_new(BIO_s_file());
@@ -842,12 +840,15 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
xn = X509_NAME_dup(xn);
if (xn == NULL)
goto err;
- if (sk_X509_NAME_find(stack, xn) >= 0) {
+ if (lh_X509_NAME_retrieve(name_hash, xn) != NULL) {
/* Duplicate. */
X509_NAME_free(xn);
} else if (!sk_X509_NAME_push(stack, xn)) {
X509_NAME_free(xn);
goto err;
+ } else {
+ /* Successful insert, add to hash table */
+ lh_X509_NAME_insert(name_hash, xn);
}
}
@@ -859,7 +860,42 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
done:
BIO_free(in);
X509_free(x);
- (void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
+ return ret;
+}
+
+int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *file)
+{
+ X509_NAME *xn = NULL;
+ int ret = 1;
+ int idx = 0;
+ int num = 0;
+ LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp);
+
+ if (name_hash == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
+ goto err;
+ }
+
+ /*
+ * Pre-populate the lhash with the existing entries of the stack, since
+ * using the LHASH_OF is much faster for duplicate checking. That's because
+ * xname_cmp converts the X509_NAMEs to DER involving a memory allocation
+ * for every single invocation of the comparison function.
+ */
+ num = sk_X509_NAME_num(stack);
+ for (idx = 0; idx < num; idx++) {
+ xn = sk_X509_NAME_value(stack, idx);
+ lh_X509_NAME_insert(name_hash, xn);
+ }
+
+ ret = add_file_cert_subjects_to_stack(stack, file, name_hash);
+ goto done;
+
+ err:
+ ret = 0;
+ done:
+ lh_X509_NAME_free(name_hash);
return ret;
}
@@ -869,8 +905,27 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
OPENSSL_DIR_CTX *d = NULL;
const char *filename;
int ret = 0;
+ X509_NAME *xn = NULL;
+ int idx = 0;
+ int num = 0;
+ LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp);
+
+ if (name_hash == NULL) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB);
+ goto err;
+ }
- /* Note that a side effect is that the CAs will be sorted by name */
+ /*
+ * Pre-populate the lhash with the existing entries of the stack, since
+ * using the LHASH_OF is much faster for duplicate checking. That's because
+ * xname_cmp converts the X509_NAMEs to DER involving a memory allocation
+ * for every single invocation of the comparison function.
+ */
+ num = sk_X509_NAME_num(stack);
+ for (idx = 0; idx < num; idx++) {
+ xn = sk_X509_NAME_value(stack, idx);
+ lh_X509_NAME_insert(name_hash, xn);
+ }
while ((filename = OPENSSL_DIR_read(&d, dir))) {
char buf[1024];
@@ -899,7 +954,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
#endif
if (r <= 0 || r >= (int)sizeof(buf))
goto err;
- if (!SSL_add_file_cert_subjects_to_stack(stack, buf))
+ if (!add_file_cert_subjects_to_stack(stack, buf, name_hash))
goto err;
}
@@ -915,6 +970,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
err:
if (d)
OPENSSL_DIR_end(&d);
+ lh_X509_NAME_free(name_hash);
return ret;
}

24
base/openssl3/0128-SAST-findings.patch Normal file
View File

@ -0,0 +1,24 @@
diff -up openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx openssl-3.2.2/crypto/rsa/rsa_oaep.c
--- openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx 2024-08-14 14:22:48.733407808 +0200
+++ openssl-3.2.2/crypto/rsa/rsa_oaep.c 2024-08-14 14:23:32.994483135 +0200
@@ -233,7 +233,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
mdlen = EVP_MD_get_size(md);
- if (tlen <= 0 || flen <= 0)
+ if (tlen <= 0 || flen <= 0 || mdlen <= 0)
return -1;
/*
* |num| is the length of the modulus; |flen| is the length of the
diff -up openssl-3.2.2/crypto/x509/pcy_tree.c.xxx openssl-3.2.2/crypto/x509/pcy_tree.c
--- openssl-3.2.2/crypto/x509/pcy_tree.c.xxx 2024-08-14 14:14:13.144850097 +0200
+++ openssl-3.2.2/crypto/x509/pcy_tree.c 2024-08-14 14:14:53.213826481 +0200
@@ -110,6 +110,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
*ptree = NULL;
+ if (n < 0)
+ return X509_PCY_TREE_INTERNAL;
/* Can't do anything with just a trust anchor */
if (n == 0)
return X509_PCY_TREE_EMPTY;

109
base/openssl3/0129-Fix-SSL_select_next_proto.patch Normal file
View File

@ -0,0 +1,109 @@
From 99fb785a5f85315b95288921a321a935ea29a51e Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:14:33 +0100
Subject: [PATCH 01/10] Fix SSL_select_next_proto
Ensure that the provided client list is non-NULL and starts with a valid
entry. When called from the ALPN callback the client list should already
have been validated by OpenSSL so this should not cause a problem. When
called from the NPN callback the client list is locally configured and
will not have already been validated. Therefore SSL_select_next_proto
should not assume that it is correctly formatted.
We implement stricter checking of the client protocol list. We also do the
same for the server list while we are about it.
CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
1 file changed, 40 insertions(+), 23 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 016135fe18..cf52b317cf 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
unsigned int server_len,
const unsigned char *client, unsigned int client_len)
{
- unsigned int i, j;
- const unsigned char *result;
- int status = OPENSSL_NPN_UNSUPPORTED;
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
+
+ if (!PACKET_buf_init(&cpkt, client, client_len)
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
+ || PACKET_remaining(&csubpkt) == 0) {
+ *out = NULL;
+ *outlen = 0;
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ /*
+ * Set the default opportunistic protocol. Will be overwritten if we find
+ * a match.
+ */
+ *out = (unsigned char *)PACKET_data(&csubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
/*
* For each protocol in server preference order, see if we support it.
*/
- for (i = 0; i < server_len;) {
- for (j = 0; j < client_len;) {
- if (server[i] == client[j] &&
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
- /* We found a match */
- result = &server[i];
- status = OPENSSL_NPN_NEGOTIATED;
- goto found;
+ if (PACKET_buf_init(&spkt, server, server_len)) {
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
+ if (PACKET_remaining(&ssubpkt) == 0)
+ continue; /* Invalid - ignore it */
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
+ PACKET_remaining(&ssubpkt))) {
+ /* We found a match */
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
+ return OPENSSL_NPN_NEGOTIATED;
+ }
+ }
+ /* Ignore spurious trailing bytes in the client list */
+ } else {
+ /* This should never happen */
+ return OPENSSL_NPN_NO_OVERLAP;
}
- j += client[j];
- j++;
}
- i += server[i];
- i++;
+ /* Ignore spurious trailing bytes in the server list */
}
- /* There's no overlap between our protocols and the server's list. */
- result = client;
- status = OPENSSL_NPN_NO_OVERLAP;
-
- found:
- *out = (unsigned char *)result + 1;
- *outlen = result[0];
- return status;
+ /*
+ * There's no overlap between our protocols and the server's list. We use
+ * the default opportunistic protocol selected earlier
+ */
+ return OPENSSL_NPN_NO_OVERLAP;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
--
2.46.0

39
base/openssl3/0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch Normal file
View File

@ -0,0 +1,39 @@
From 015255851371757d54c2560643eb3b3a88123cf1 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:18:27 +0100
Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when
processing NPN
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
the selected_len is 0 we should fail. Previously this would fail with an
internal_error alert because calling OPENSSL_malloc(selected_len) will
return NULL when selected_len is 0. We make this error detection more
explicit and return a handshake failure alert.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
ssl/statem/extensions_clnt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 381a6c9d7b..1ab3c13d57 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
&selected, &selected_len,
PACKET_data(pkt), PACKET_remaining(pkt),
- sctx->ext.npn_select_cb_arg) !=
- SSL_TLSEXT_ERR_OK) {
+ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
+ || selected_len == 0) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
return 0;
}
--
2.46.0

34
base/openssl3/0131-Use-correctly-formatted-ALPN-data-in-tserver.patch Normal file
View File

@ -0,0 +1,34 @@
From 6cc511826f09e513b4ec066d9b95acaf4f86d991 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:22:13 +0100
Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver
The QUIC test server was using incorrectly formatted ALPN data. With the
previous implementation of SSL_select_next_proto this went unnoticed. With
the new stricter implemenation it was failing.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
ssl/quic/quic_tserver.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
index 86187d06ff..15694e723f 100644
--- a/ssl/quic/quic_tserver.c
+++ b/ssl/quic/quic_tserver.c
@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out,
if (srv->args.alpn == NULL) {
alpn = alpndeflt;
- alpnlen = sizeof(alpn);
+ alpnlen = sizeof(alpndeflt);
} else {
alpn = srv->args.alpn;
alpnlen = srv->args.alpnlen;
--
2.46.0

78
base/openssl3/0132-Clarify-the-SSL_select_next_proto-documentation.patch Normal file
View File

@ -0,0 +1,78 @@
From 8e81c57adbbf703dfb63955f65599765fdacc741 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:46:38 +0100
Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation
We clarify the input preconditions and the expected behaviour in the event
of no overlap.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
index 05fee2fbec..79e1a252f6 100644
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
set the list of protocols available to be negotiated. The B<protos> must be in
protocol-list format, described below. The length of B<protos> is specified in
-B<protos_len>.
+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
+protocols and no ALPN extension will be sent to the server.
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
server to select which protocol to use for the incoming connection. When B<cb>
@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
described below. The first item in the B<server>, B<server_len> list that
matches an item in the B<client>, B<client_len> list is selected, and returned
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
-B<client>, so it should be copied immediately. If no match is found, the first
-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
-function can also be used in the NPN callback.
+B<client>, so it should be copied immediately. The client list must include at
+least one valid (nonempty) protocol entry in the list.
+
+The SSL_select_next_proto() helper function can be useful from either the ALPN
+callback or the NPN callback (described below). If no match is found, the first
+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
+SSL_select_next_proto().
SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
client needs to select a protocol from the server's provided list, and a
@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
The length of the protocol name must be written into B<outlen>. The
server's advertised protocols are provided in B<in> and B<inlen>. The
callback can assume that B<in> is syntactically valid. The client must
-select a protocol. It is fatal to the connection if this callback returns
-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
-set via SSL_CTX_set_next_proto_select_cb().
+select a protocol (although it may be an empty, zero length protocol). It is
+fatal to the connection if this callback returns a value other than
+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
when a TLS server needs a list of supported protocols for Next Protocol
@@ -154,7 +163,8 @@ A match was found and is returned in B<out>, B<outlen>.
=item OPENSSL_NPN_NO_OVERLAP
No match was found. The first item in B<client>, B<client_len> is returned in
-B<out>, B<outlen>.
+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
+B<client> is invalid).
=back
--
2.46.0

172
base/openssl3/0133-Add-a-test-for-SSL_select_next_proto.patch Normal file
View File

@ -0,0 +1,172 @@
From add5c52a25c549cec4a730cdf96e2252f0a1862d Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 16:35:16 +0100
Subject: [PATCH 05/10] Add a test for SSL_select_next_proto
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 137 insertions(+)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index ce163322cd..15cb9060cb 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx)
return testresult;
}
+static struct next_proto_st {
+ int serverlen;
+ unsigned char server[40];
+ int clientlen;
+ unsigned char client[40];
+ int expected_ret;
+ size_t selectedlen;
+ unsigned char selected[40];
+} next_proto_tests[] = {
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'b', 'c', 'd' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 0, { 0 },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ -1, { 0 },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 0, { 0 },
+ OPENSSL_NPN_NO_OVERLAP,
+ 0, { 0 }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ -1, { 0 },
+ OPENSSL_NPN_NO_OVERLAP,
+ 0, { 0 }
+ },
+ {
+ 3, { 3, 'a', 'b', 'c' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 3, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 0, { 0 }
+ }
+};
+
+static int test_select_next_proto(int idx)
+{
+ struct next_proto_st *np = &next_proto_tests[idx];
+ int ret = 0;
+ unsigned char *out, *client, *server;
+ unsigned char outlen;
+ unsigned int clientlen, serverlen;
+
+ if (np->clientlen == -1) {
+ client = NULL;
+ clientlen = 0;
+ } else {
+ client = np->client;
+ clientlen = (unsigned int)np->clientlen;
+ }
+ if (np->serverlen == -1) {
+ server = NULL;
+ serverlen = 0;
+ } else {
+ server = np->server;
+ serverlen = (unsigned int)np->serverlen;
+ }
+
+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
+ client, clientlen),
+ np->expected_ret))
+ goto err;
+
+ if (np->selectedlen == 0) {
+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
+ goto err;
+ } else {
+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
+ goto err;
+ }
+
+ ret = 1;
+ err:
+ return ret;
+}
+
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
int setup_tests(void)
@@ -12053,6 +12189,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_handshake_retry, 16);
ADD_TEST(test_data_retry);
ADD_ALL_TESTS(test_multi_resume, 5);
+ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
return 1;
err:
--
2.46.0

1169
base/openssl3/0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch Normal file
View File

File diff suppressed because it is too large Load Diff

39
base/openssl3/0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch Normal file
View File

@ -0,0 +1,39 @@
From 53f5677f358c4a4f69830d944ea40e71950673b8 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 10:41:55 +0100
Subject: [PATCH 07/10] Correct return values for
tls_construct_stoc_next_proto_neg
Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
rather than EXT_RETURN_SENT. This actually makes no difference at all to
the current control flow since this return value is ignored in this case
anyway. But lets make it correct anyway.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
ssl/statem/extensions_srvr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 800654450e..66ed7dacf2 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1501,9 +1501,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
return EXT_RETURN_FAIL;
}
s->s3.npn_seen = 1;
+ return EXT_RETURN_SENT;
}
- return EXT_RETURN_SENT;
+ return EXT_RETURN_NOT_SENT;
}
#endif
--
2.46.0

62
base/openssl3/0136-Add-ALPN-validation-in-the-client.patch Normal file
View File

@ -0,0 +1,62 @@
From 195e15421df113d7283aab2ccff8b8fb06df5465 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 11:51:54 +0100
Subject: [PATCH 08/10] Add ALPN validation in the client
The ALPN protocol selected by the server must be one that we originally
advertised. We should verify that it is.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 1ab3c13d57..ff9c009ee5 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
X509 *x, size_t chainidx)
{
size_t len;
+ PACKET confpkt, protpkt;
+ int valid = 0;
/* We must have requested it. */
if (!s->s3.alpn_sent) {
@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
return 0;
}
+
+ /* It must be a protocol that we sent */
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
+ if (PACKET_remaining(&protpkt) != len)
+ continue;
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
+ /* Valid protocol found */
+ valid = 1;
+ break;
+ }
+ }
+
+ if (!valid) {
+ /* The protocol sent from the server does not match one we advertised */
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+ return 0;
+ }
+
OPENSSL_free(s->s3.alpn_selected);
s->s3.alpn_selected = OPENSSL_malloc(len);
if (s->s3.alpn_selected == NULL) {
--
2.46.0

267
base/openssl3/0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch Normal file
View File

@ -0,0 +1,267 @@
From 7c95191434415d1c9b7fe9b130df13cce630b6b5 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 10:09:41 +0100
Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest
We already had some tests elsewhere - but this extends that testing with
additional tests.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 229 insertions(+)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 15cb9060cb..7a55a2b721 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx)
return ret;
}
+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
+
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
+ unsigned int *outlen, void *arg)
+{
+ int *idx = (int *)arg;
+
+ switch (*idx) {
+ default:
+ case 0:
+ *out = fooprot;
+ *outlen = sizeof(fooprot);
+ return SSL_TLSEXT_ERR_OK;
+
+ case 1:
+ *outlen = 0;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 2:
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+}
+
+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
+ const unsigned char *in, unsigned int inlen, void *arg)
+{
+ int *idx = (int *)arg;
+
+ switch (*idx) {
+ case 0:
+ case 1:
+ *out = (unsigned char *)(fooprot + 1);
+ *outlen = *fooprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 3:
+ *out = (unsigned char *)(barprot + 1);
+ *outlen = *barprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 4:
+ *outlen = 0;
+ return SSL_TLSEXT_ERR_OK;
+
+ default:
+ case 2:
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+}
+
+/*
+ * Test the NPN callbacks
+ * Test 0: advert = foo, select = foo
+ * Test 1: advert = <empty>, select = foo
+ * Test 2: no advert
+ * Test 3: advert = foo, select = bar
+ * Test 4: advert = foo, select = <empty> (should fail)
+ */
+static int test_npn(int idx)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int testresult = 0;
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), 0, TLS1_2_VERSION,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
+ NULL)))
+ goto end;
+
+ if (idx == 4) {
+ /* We don't allow empty selection of NPN, so this should fail */
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+ } else {
+ const unsigned char *prot;
+ unsigned int protlen;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
+ switch (idx) {
+ case 0:
+ case 1:
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
+ goto end;
+ break;
+ case 2:
+ if (!TEST_uint_eq(protlen, 0))
+ goto end;
+ break;
+ case 3:
+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
+ goto end;
+ break;
+ default:
+ TEST_error("Should not get here");
+ goto end;
+ }
+ }
+
+ testresult = 1;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
+
+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
+ unsigned char *outlen, const unsigned char *in,
+ unsigned int inlen, void *arg)
+{
+ int *idx = (int *)arg;
+
+ switch (*idx) {
+ case 0:
+ *out = (unsigned char *)(fooprot + 1);
+ *outlen = *fooprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 2:
+ *out = (unsigned char *)(barprot + 1);
+ *outlen = *barprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 3:
+ *outlen = 0;
+ return SSL_TLSEXT_ERR_OK;
+
+ default:
+ case 1:
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ return 0;
+}
+
+/*
+ * Test the ALPN callbacks
+ * Test 0: client = foo, select = foo
+ * Test 1: client = <empty>, select = none
+ * Test 2: client = foo, select = bar (should fail)
+ * Test 3: client = foo, select = <empty> (should fail)
+ */
+static int test_alpn(int idx)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int testresult = 0;
+ const unsigned char *prots = fooprot;
+ unsigned int protslen = sizeof(fooprot);
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), 0, 0,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
+ NULL)))
+ goto end;
+
+ if (idx == 1) {
+ prots = NULL;
+ protslen = 0;
+ }
+
+ /* SSL_set_alpn_protos returns 0 for success! */
+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
+ goto end;
+
+ if (idx == 2 || idx == 3) {
+ /* We don't allow empty selection of NPN, so this should fail */
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+ } else {
+ const unsigned char *prot;
+ unsigned int protlen;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ SSL_get0_alpn_selected(clientssl, &prot, &protlen);
+ switch (idx) {
+ case 0:
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
+ goto end;
+ break;
+ case 1:
+ if (!TEST_uint_eq(protlen, 0))
+ goto end;
+ break;
+ default:
+ TEST_error("Should not get here");
+ goto end;
+ }
+ }
+
+ testresult = 1;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
int setup_tests(void)
@@ -12190,6 +12415,10 @@ int setup_tests(void)
ADD_TEST(test_data_retry);
ADD_ALL_TESTS(test_multi_resume, 5);
ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ ADD_ALL_TESTS(test_npn, 5);
+#endif
+ ADD_ALL_TESTS(test_alpn, 4);
return 1;
err:
--
2.46.0

199
base/openssl3/0138-Add-a-test-for-an-empty-NextProto-message.patch Normal file
View File

@ -0,0 +1,199 @@
From 301b870546d1c7b2d8f0d66e04a2596142f0399f Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 14:29:26 +0100
Subject: [PATCH 10/10] Add a test for an empty NextProto message
It is valid according to the spec for a NextProto message to have no
protocols listed in it. The OpenSSL implementation however does not allow
us to create such a message. In order to check that we work as expected
when communicating with a client that does generate such messages we have
to use a TLSProxy test.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24717)
---
test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++
util/perl/TLSProxy/Message.pm | 9 ++++
util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++
util/perl/TLSProxy/Proxy.pm | 1 +
4 files changed, 137 insertions(+)
create mode 100644 test/recipes/70-test_npn.t
create mode 100644 util/perl/TLSProxy/NextProto.pm
diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t
new file mode 100644
index 0000000000..f82e71af6a
--- /dev/null
+++ b/test/recipes/70-test_npn.t
@@ -0,0 +1,73 @@
+#! /usr/bin/env perl
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
+use OpenSSL::Test::Utils;
+
+use TLSProxy::Proxy;
+
+my $test_name = "test_npn";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+ if $^O =~ /^(VMS)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+ if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+ if disabled("sock");
+
+plan skip_all => "$test_name needs NPN enabled"
+ if disabled("nextprotoneg");
+
+plan skip_all => "$test_name needs TLSv1.2 enabled"
+ if disabled("tls1_2");
+
+my $proxy = TLSProxy::Proxy->new(
+ undef,
+ cmdstr(app(["openssl"]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+plan tests => 1;
+
+my $npnseen = 0;
+
+# Test 1: Check sending an empty NextProto message from the client works. This is
+# valid as per the spec, but OpenSSL does not allow you to send it.
+# Therefore we must be prepared to receive such a message but we cannot
+# generate it except via TLSProxy
+$proxy->clear();
+$proxy->filter(\&npn_filter);
+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
+$proxy->serverflags("-nextprotoneg foo");
+$proxy->start();
+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
+
+sub npn_filter
+{
+ my $proxy = shift;
+ my $message;
+
+ # The NextProto message always appears in flight 2
+ return if $proxy->flight != 2;
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
+ # Our TLSproxy NextProto message support doesn't support parsing of
+ # the message. If we repack it just creates an empty NextProto
+ # message - which is exactly the scenario we want to test here.
+ $message->repack();
+ $npnseen = 1;
+ }
+ }
+}
diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm
index ce22187569..fb41b2ffc8 100644
--- a/util/perl/TLSProxy/Message.pm
+++ b/util/perl/TLSProxy/Message.pm
@@ -384,6 +384,15 @@ sub create_message
[@message_frag_lens]
);
$message->parse();
+ } elsif ($mt == MT_NEXT_PROTO) {
+ $message = TLSProxy::NextProto->new(
+ $server,
+ $data,
+ [@message_rec_list],
+ $startoffset,
+ [@message_frag_lens]
+ );
+ $message->parse();
} else {
#Unknown message type
$message = TLSProxy::Message->new(
diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm
new file mode 100644
index 0000000000..0e18347546
--- /dev/null
+++ b/util/perl/TLSProxy/NextProto.pm
@@ -0,0 +1,54 @@
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+
+package TLSProxy::NextProto;
+
+use vars '@ISA';
+push @ISA, 'TLSProxy::Message';
+
+sub new
+{
+ my $class = shift;
+ my ($server,
+ $data,
+ $records,
+ $startoffset,
+ $message_frag_lens) = @_;
+
+ my $self = $class->SUPER::new(
+ $server,
+ TLSProxy::Message::MT_NEXT_PROTO,
+ $data,
+ $records,
+ $startoffset,
+ $message_frag_lens);
+
+ return $self;
+}
+
+sub parse
+{
+ # We don't support parsing at the moment
+}
+
+# This is supposed to reconstruct the on-the-wire message data following changes.
+# For now though since we don't support parsing we just create an empty NextProto
+# message - this capability is used in test_npn
+sub set_message_contents
+{
+ my $self = shift;
+ my $data;
+
+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00);
+ $self->data($data);
+}
+1;
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
index 3de10eccb9..b707722b6b 100644
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
use TLSProxy::CertificateVerify;
use TLSProxy::ServerKeyExchange;
use TLSProxy::NewSessionTicket;
+use TLSProxy::NextProto;
my $have_IPv6;
my $IP_factory;
--
2.46.0

233
base/openssl3/0139-CVE-2024-6119.patch Normal file
View File

@ -0,0 +1,233 @@
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 1a18174995..a09414c972 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
ASN1_STRING *cstr;
gen = sk_GENERAL_NAME_value(gens, i);
- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
- if (OBJ_obj2nid(gen->d.otherName->type_id) ==
- NID_id_on_SmtpUTF8Mailbox) {
- san_present = 1;
-
- /*
- * If it is not a UTF8String then that is unexpected and we
- * treat it as no match
- */
- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
- cstr = gen->d.otherName->value->value.utf8string;
-
- /* Positive on success, negative on error! */
- if ((rv = do_check_string(cstr, 0, equal, flags,
- chk, chklen, peername)) != 0)
- break;
- }
- } else
+ switch (gen->type) {
+ default:
+ continue;
+ case GEN_OTHERNAME:
+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
+ default:
continue;
- } else {
- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
+ case NID_id_on_SmtpUTF8Mailbox:
+ /*-
+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3
+ *
+ * Due to name constraint compatibility reasons described
+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
+ * be used unless the local-part of the email address
+ * contains non-ASCII characters. When the local-part is
+ * ASCII, rfc822Name subjectAltName MUST be used instead
+ * of SmtpUTF8Mailbox. This is compatible with legacy
+ * software that supports only rfc822Name (and not
+ * SmtpUTF8Mailbox). [...]
+ *
+ * SmtpUTF8Mailbox is encoded as UTF8String.
+ *
+ * If it is not a UTF8String then that is unexpected, and
+ * we ignore the invalid SAN (neither set san_present nor
+ * consider it a candidate for equality). This does mean
+ * that the subject CN may be considered, as would be the
+ * case when the malformed SmtpUtf8Mailbox SAN is instead
+ * simply absent.
+ *
+ * When CN-ID matching is not desirable, applications can
+ * choose to turn it off, doing so is at this time a best
+ * practice.
+ */
+ if (check_type != GEN_EMAIL
+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
+ continue;
+ alt_type = 0;
+ cstr = gen->d.otherName->value->value.utf8string;
+ break;
+ }
+ break;
+ case GEN_EMAIL:
+ if (check_type != GEN_EMAIL)
continue;
- }
- san_present = 1;
- if (check_type == GEN_EMAIL)
cstr = gen->d.rfc822Name;
- else if (check_type == GEN_DNS)
+ break;
+ case GEN_DNS:
+ if (check_type != GEN_DNS)
+ continue;
cstr = gen->d.dNSName;
- else
+ break;
+ case GEN_IPADD:
+ if (check_type != GEN_IPADD)
+ continue;
cstr = gen->d.iPAddress;
+ break;
+ }
+ san_present = 1;
/* Positive on success, negative on error! */
if ((rv = do_check_string(cstr, alt_type, equal, flags,
chk, chklen, peername)) != 0)
diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
index 522982ddfb..e18735d89a 100644
--- a/test/recipes/25-test_eai_data.t
+++ b/test/recipes/25-test_eai_data.t
@@ -21,16 +21,18 @@ setup("test_eai_data");
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
-plan tests => 12;
+plan tests => 16;
require_ok(srctop_file('test','recipes','tconversion.pl'));
my $folder = "test/recipes/25-test_eai_data";
my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
my $utf8_pem = srctop_file($folder, "utf8_leaf.pem");
+my $kdc_pem = srctop_file($folder, "kdc-cert.pem");
my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem");
+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem");
my $out;
my $outcnt = 0;
@@ -56,10 +58,18 @@ SKIP: {
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem])));
+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+
#Check that we get the expected failure return code
with({ exit_checker => sub { return shift == 2; } },
sub {
diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
new file mode 100644
index 0000000000..e8a2c6f55d
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
+oDQ9fKfUOAmUFth2/R/eGA==
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
new file mode 100644
index 0000000000..a74c96bf31
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
new file mode 100755
index 0000000000..7a8dbc719f
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc.sh
@@ -0,0 +1,41 @@
+#! /usr/bin/env bash
+
+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should
+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
+# should likewise lead to ASAN issues with email name checks.
+
+rm -f root-key.pem root-cert.pem
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
+
+exts=$(
+ printf "%s\n%s\n%s\n%s = " \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid" \
+ "basicConstraints = CA:false" \
+ "subjectAltName"
+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
+ printf "%s, " "email:joe@example.com"
+ printf "%s\n" "DNS:mx1.example.com"
+ printf "[kdc_princ_name]\n"
+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
+ printf "[kdc_principal_seq]\n"
+ printf "name_type = EXP:0, INTEGER:1\n"
+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
+ printf "[kdc_principal_components]\n"
+ printf "princ1 = GeneralString:krbtgt\n"
+ printf "princ2 = GeneralString:TEST.EXAMPLE\n"
+ )
+
+printf "%s\n" "$exts"
+
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
+ -subj "/CN=TEST.EXAMPLE" |
+ openssl x509 -req -out kdc-cert.pem \
+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
+ -set_serial 2 -days 36524 \
+ -extfile <(printf "%s\n" "$exts")

103
base/openssl3/0140-prov_no-cache.patch Normal file
View File

@ -0,0 +1,103 @@
diff --git a/crypto/core_fetch.c b/crypto/core_fetch.c
index d311158d77589..70715e7d6a99c 100644
--- a/crypto/core_fetch.c
+++ b/crypto/core_fetch.c
@@ -120,7 +120,7 @@ static void ossl_method_construct_this(OSSL_PROVIDER *provider,
* It is *expected* that the put function increments the refcnt
* of the passed method.
*/
- data->mcm->put(data->store, method, provider, algo->algorithm_names,
+ data->mcm->put(no_store ? data->store : NULL, method, provider, algo->algorithm_names,
algo->property_definition, data->mcm_data);
/* refcnt-- because we're dropping the reference */
diff --git a/test/nocache-and-default.cnf b/test/nocache-and-default.cnf
new file mode 100644
index 0000000000000..cf5ca8d114151
--- /dev/null
+++ b/test/nocache-and-default.cnf
@@ -0,0 +1,18 @@
+openssl_conf = openssl_init
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+test = test_sect
+default = default_sect
+
+[test_sect]
+module = ../test/p_test.so
+activate = true
+
+[default_sect]
+activate = true
diff --git a/test/p_test.c b/test/p_test.c
index 2d20190d4d57b..05f71ec8347c0 100644
--- a/test/p_test.c
+++ b/test/p_test.c
@@ -230,12 +230,21 @@ static const OSSL_ITEM *p_get_reason_strings(void *_)
return reason_strings;
}
+static const OSSL_ALGORITHM *p_query(OSSL_PROVIDER *prov,
+ int operation_id,
+ int *no_cache)
+{
+ *no_cache = 1;
+ return NULL;
+}
+
static const OSSL_DISPATCH p_test_table[] = {
{ OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))p_gettable_params },
{ OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))p_get_params },
{ OSSL_FUNC_PROVIDER_GET_REASON_STRINGS,
(void (*)(void))p_get_reason_strings},
{ OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))p_teardown },
+ { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))p_query },
OSSL_DISPATCH_END
};
diff --git a/test/recipes/20-test_nocache.t b/test/recipes/20-test_nocache.t
new file mode 100644
index 0000000000000..734e44ec8c2e1
--- /dev/null
+++ b/test/recipes/20-test_nocache.t
@@ -0,0 +1,34 @@
+#! /usr/bin/env perl
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+use OpenSSL::Test qw/:DEFAULT bldtop_file srctop_file bldtop_dir with/;
+use OpenSSL::Test::Utils;
+
+setup("test_nocache");
+
+plan tests => 4;
+
+ok(run(app(["openssl", "list", "-mac-algorithms"],
+ stdout => "listout.txt")),
+"List mac algorithms - default configuration");
+open DATA, "listout.txt";
+my @match = grep /MAC/, <DATA>;
+close DATA;
+ok(scalar @match > 1 ? 1 : 0, "Several algorithms are listed - default configuration");
+
+$ENV{OPENSSL_CONF} = bldtop_file("test", "nocache-and-default.cnf");
+ok(run(app(["openssl", "list", "-mac-algorithms"],
+ stdout => "listout.txt")),
+"List mac algorithms");
+open DATA, "listout.txt";
+my @match = grep /MAC/, <DATA>;
+close DATA;
+ok(scalar @match > 1 ? 1 : 0, "Several algorithms are listed - nocache-and-default");

19
base/openssl3/0141-print-pq-group.patch Normal file
View File

@ -0,0 +1,19 @@
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index 3b3c0dd0b38f5..026315406e298 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -418,8 +418,13 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
{
EVP_PKEY *key;
- if (!SSL_get_peer_tmp_key(s, &key))
+ if (!SSL_get_peer_tmp_key(s, &key)) {
+ if (SSL_version(s) == TLS1_3_VERSION)
+ BIO_printf(out, "Negotiated TLS1.3 group: %s\n",
+ SSL_group_to_name(s, SSL_get_negotiated_group(s)));
return 1;
+ }
+
BIO_puts(out, "Server Temp Key: ");
switch (EVP_PKEY_get_id(key)) {
case EVP_PKEY_RSA:

93
base/openssl3/0142-CVE-2024-13176-Minerva.patch Normal file
View File

@ -0,0 +1,93 @@
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index b876edbfac36e..af52e2ced6914 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
* out by Colin Percival,
* http://www.daemonology.net/hyperthreading-considered-harmful/)
*/
-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *in_mont)
{
@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
unsigned int t4 = 0;
#endif
- bn_check_top(a);
- bn_check_top(p);
- bn_check_top(m);
-
if (!BN_is_odd(m)) {
ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
return 0;
@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
goto err;
} else
#endif
- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
+ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
goto err;
ret = 1;
err:
@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
return ret;
}
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont)
+{
+ bn_check_top(a);
+ bn_check_top(p);
+ bn_check_top(m);
+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
+ return 0;
+ bn_correct_top(rr);
+ return 1;
+}
+
int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
{
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 19384eba186b5..3f8d65c1bf1a1 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -21,6 +21,7 @@
#include <openssl/opensslv.h>
#include <openssl/param_build.h>
#include "crypto/ec.h"
+#include "crypto/bn.h"
#include "internal/nelem.h"
#include "ec_local.h"
@@ -1265,10 +1266,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
if (!BN_sub(e, group->order, e))
goto err;
/*-
- * Exponent e is public.
- * No need for scatter-gather or BN_FLG_CONSTTIME.
+ * Although the exponent is public we want the result to be
+ * fixed top.
*/
- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
goto err;
ret = 1;
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 47d9b44f879f0..bdee28625ce60 100644
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
*/
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont);
int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx);
int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,

232
base/openssl3/openssl3.spec
View File

@ -21,7 +21,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl3
Version: 3.2.2
Release: 6%{?dist}
Release: 7%{?dist}
Epoch: 1
Source0: openssl-%{version}.tar.gz
@ -34,137 +34,157 @@ Source10: configuration-prefix.h
# Patches exported from source git
# Aarch64 and ppc64le use lib64
Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
# Use more general default values in openssl.cnf
Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
# Do not install html docs
Patch3: 0003-Do-not-install-html-docs.patch
# Override default paths for the CA directory tree
Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
# apps/ca: fix md option help text
Patch5: 0005-apps-ca-fix-md-option-help-text.patch
# Disable signature verification with totally unsafe hash algorithms
Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
# Add support for PROFILE=SYSTEM system default cipherlist
Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
# Add FIPS_mode() compatibility macro
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
# Add check to see if fips flag is enabled in kernel
Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
# Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so
# that new modifications made to these files by upstream are not lost.
Patch10: 0010-Add-changes-to-ectest-and-eccurve.patch
# remove unsupported EC curves
Patch11: 0011-Remove-EC-curves.patch
# Disable explicit EC curves
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
Patch12: 0012-Disable-explicit-ec.patch
#Skipped tests from former 0011-Remove-EC-curves.patch
Patch13: 0013-skipped-tests-EC-curves.patch
# Instructions to load legacy provider in openssl.cnf
Patch24: 0024-load-legacy-prov.patch
# We load FIPS provider and set FIPS properties implicitly
Patch32: 0032-Force-fips.patch
# Embed HMAC into the fips.so
Patch33: 0033-FIPS-embed-hmac.patch
# Comment out fipsinstall command-line utility
Patch34: 0034.fipsinstall_disable.patch
# Skip unavailable algorithms running `openssl speed`
Patch35: 0035-speed-skip-unavailable-dgst.patch
# Extra public/private key checks required by FIPS-140-3
Patch44: 0044-FIPS-140-3-keychecks.patch
# Minimize fips services
Patch45: 0045-FIPS-services-minimize.patch
# Execute KATS before HMAC verification
Patch47: 0047-FIPS-early-KATS.patch
# Selectively disallow SHA1 signatures
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2049265
Patch50: 0050-FIPS-enable-pkcs12-mac.patch
# Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
# # Use more general default values in openssl.cnf
Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
# # Do not install html docs
Patch3: 0003-Do-not-install-html-docs.patch
# # Override default paths for the CA directory tree
Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
# # apps/ca: fix md option help text
Patch5: 0005-apps-ca-fix-md-option-help-text.patch
# # Disable signature verification with totally unsafe hash algorithms
Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
# # Add support for PROFILE=SYSTEM system default cipherlist
Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
# # Add FIPS_mode() compatibility macro
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
# # Add check to see if fips flag is enabled in kernel
Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
# # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so
# # that new modifications made to these files by upstream are not lost.
Patch10: 0010-Add-changes-to-ectest-and-eccurve.patch
# # remove unsupported EC curves
Patch11: 0011-Remove-EC-curves.patch
# # Disable explicit EC curves
# # https://bugzilla.redhat.com/show_bug.cgi?id=2066412
Patch12: 0012-Disable-explicit-ec.patch
# # Skipped tests from former 0011-Remove-EC-curves.patch
Patch13: 0013-skipped-tests-EC-curves.patch
# # Instructions to load legacy provider in openssl.cnf
Patch24: 0024-load-legacy-prov.patch
# # We load FIPS provider and set FIPS properties implicitly
Patch32: 0032-Force-fips.patch
# # Embed HMAC into the fips.so
# Modify fips self test as per
# https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
Patch33: 0033-FIPS-embed-hmac.patch
# # Comment out fipsinstall command-line utility
Patch34: 0034.fipsinstall_disable.patch
# # Skip unavailable algorithms running `openssl speed`
Patch35: 0035-speed-skip-unavailable-dgst.patch
# # Extra public/private key checks required by FIPS-140-3
Patch44: 0044-FIPS-140-3-keychecks.patch
# # Minimize fips services
Patch45: 0045-FIPS-services-minimize.patch
# # Execute KATS before HMAC verification
Patch47: 0047-FIPS-early-KATS.patch
# # Selectively disallow SHA1 signatures rhbz#2070977
Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch
# Originally from https://github.com/openssl/openssl/pull/18103
# As we rebased to 3.0.7 and used the version of the function
# not matching the upstream one, we have to use aliasing.
# When we eliminate this patch, the `-Wl,--allow-multiple-definition`
# should also be removed
Patch56: 0056-strcasecmp.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
# https://bugzilla.redhat.com/show_bug.cgi?id=2102541
# # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
# # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
# 0062-fips-Expose-a-FIPS-indicator.patch
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
# [PATCH 29/46]
# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
# # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
%if 0%{?rhel} >= 8
Patch76: 0076-FIPS-140-3-DRBG.patch
%else
# RHEL 7 has no getrandom() implemented
Patch76: 0076-FIPS-140-3-DRBG-OLD.patch
%endif
# https://bugzilla.redhat.com/show_bug.cgi?id=2102542
Patch77: 0077-FIPS-140-3-zeroization.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
# https://bugzilla.redhat.com/show_bug.cgi?id=2141695
# https://bugzilla.redhat.com/show_bug.cgi?id=2160733
# https://bugzilla.redhat.com/show_bug.cgi?id=2164763
Patch78: 0078-KDF-Add-FIPS-indicators.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=2141748
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2142131
Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2136250
Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2137557
Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=2142121
Patch85: 0085-FIPS-RSA-disable-shake.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2144561
Patch91: 0091-FIPS-RSA-encapsulate.patch
# FIPS-95
Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2168289
# # https://bugzilla.redhat.com/show_bug.cgi?id=2102542
Patch77: 0077-FIPS-140-3-zeroization.patch
# # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
Patch78: 0078-KDF-Add-FIPS-indicators.patch
# # We believe that some changes present in CentOS are not necessary
# # because ustream has a check for FIPS version
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
# [PATCH 36/46]
# 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
# [PATCH 37/46]
# 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
# [PATCH 38/46]
# 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
# 0085-FIPS-RSA-disable-shake.patch
Patch85: 0085-FIPS-RSA-disable-shake.patch
# 0088-signature-Add-indicator-for-PSS-salt-length.patch
Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
# 0091-FIPS-RSA-encapsulate.patch
Patch91: 0091-FIPS-RSA-encapsulate.patch
# [PATCH 42/46]
# 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
# [PATCH 43/46]
# 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
# [PATCH 44/46]
# 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2179331
# 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2157951
# # We believe that some changes present in CentOS are not necessary
# # because ustream has a check for FIPS version
Patch114: 0114-FIPS-enforce-EMS-support.patch
# skip quic and pairwise tests temporarily
# Amend tests according to Fedora/RHEL code
Patch115: 0115-skip-quic-pairwise.patch
# Add version aliasing due to
# https://github.com/openssl/openssl/issues/23534
Patch116: 0116-version-aliasing.patch
# https://github.com/openssl/openssl/issues/23050
Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2160797
Patch121: 0121-FIPS-cms-defaults.patch
# KTLS regression, temporary skip tests
# skip KTLS tests on infrastructure
Patch122: 0122-TMP-KTLS-test-skip.patch
# HKDF regression with older provider implementations
Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
# https://github.com/openssl/openssl/issues/24577
Patch124: 0124-PBMAC1-PKCS12-FIPS-support.patch
# Downstream patch: enforce PBMAC1 in FIPS mode
Patch125: 0125-PBMAC1-PKCS12-FIPS-default.patch
# https://github.com/openssl/openssl/issues/25127
Patch126: 0126-pkeyutl-encap.patch
# https://github.com/openssl/openssl/issues/25056
Patch127: 0127-speedup-SSL_add_cert_subjects_to_stack.patch
Patch128: 0128-SAST-findings.patch
# https://github.com/openssl/openssl/pull/24717
Patch124: 0124-Fix-SSL_select_next_proto.patch
Patch125: 0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch
Patch126: 0126-Use-correctly-formatted-ALPN-data-in-tserver.patch
Patch127: 0127-Clarify-the-SSL_select_next_proto-documentation.patch
Patch128: 0128-Add-a-test-for-SSL_select_next_proto.patch
Patch129: 0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
Patch130: 0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch
Patch131: 0131-Add-ALPN-validation-in-the-client.patch
Patch132: 0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
Patch133: 0133-Add-a-test-for-an-empty-NextProto-message.patch
Patch136: 0136-CVE-2024-6119.patch
Patch129: 0129-Fix-SSL_select_next_proto.patch
Patch130: 0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch
Patch131: 0131-Use-correctly-formatted-ALPN-data-in-tserver.patch
Patch132: 0132-Clarify-the-SSL_select_next_proto-documentation.patch
Patch133: 0133-Add-a-test-for-SSL_select_next_proto.patch
Patch134: 0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
Patch135: 0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch
Patch136: 0136-Add-ALPN-validation-in-the-client.patch
Patch137: 0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
Patch138: 0138-Add-a-test-for-an-empty-NextProto-message.patch
Patch139: 0139-CVE-2024-6119.patch
# https://github.com/openssl/openssl/pull/26197
Patch140: 0140-prov_no-cache.patch
# https://github.com/openssl/openssl/pull/25959
Patch141: 0141-print-pq-group.patch
# https://github.com/openssl/openssl/pull/26429
Patch142: 0142-CVE-2024-13176-Minerva.patch
%if 0%{?rhel} < 8
Patch1000: openssl-3.0.2-bundled-policy.patch
@ -564,6 +584,10 @@ rm -f %{buildroot}%{_bindir}/{make,renew}-dummy-cert
%ldconfig_scriptlets libs
%changelog
* Wed Feb 12 2025 Raven <raven@sysadmins.ws> - 1:3.2.2-7
- import Fedora upstream patches
Resolves: CVE-2024-12797
* Thu Sep 12 2024 Raven <raven@sysadmins.ws> - 1:3.2.2-6
- rebase to 3.2.2-6 from c9-stream