Compare commits
No commits in common. 'c9-beta' and 'c9' have entirely different histories.
@ -1,2 +1 @@
|
||||
SOURCES/fips_module-3.0.7-18.el9_2.tar.gz
|
||||
SOURCES/openssl-3.0.7-hobbled.tar.gz
|
||||
SOURCES/openssl-fips-provider-3.0.7.tar.gz
|
||||
|
@ -1,2 +1 @@
|
||||
390196437b9e1fed3014acf2f1bbf799e72933bb SOURCES/fips_module-3.0.7-18.el9_2.tar.gz
|
||||
54ab0e36f279f260196ac3274631bee93ab01d81 SOURCES/openssl-3.0.7-hobbled.tar.gz
|
||||
67352c52fc82ec2fa5161cd68166238c9ddd1c43 SOURCES/openssl-fips-provider-3.0.7.tar.gz
|
||||
|
@ -1,33 +0,0 @@
|
||||
From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:01:41 +0200
|
||||
Subject: Aarch64 and ppc64le use lib64
|
||||
|
||||
(Was openssl-1.1.1-build.patch)
|
||||
---
|
||||
Configurations/10-main.conf | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
|
||||
index d7580bf3e1..a7dbfd7f40 100644
|
||||
--- a/Configurations/10-main.conf
|
||||
+++ b/Configurations/10-main.conf
|
||||
@@ -723,6 +723,7 @@ my %targets = (
|
||||
lib_cppflags => add("-DL_ENDIAN"),
|
||||
asm_arch => 'ppc64',
|
||||
perlasm_scheme => "linux64le",
|
||||
+ multilib => "64",
|
||||
},
|
||||
|
||||
"linux-armv4" => {
|
||||
@@ -765,6 +766,7 @@ my %targets = (
|
||||
inherit_from => [ "linux-generic64" ],
|
||||
asm_arch => 'aarch64',
|
||||
perlasm_scheme => "linux64",
|
||||
+ multilib => "64",
|
||||
},
|
||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||
inherit_from => [ "linux-generic32" ],
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,68 +0,0 @@
|
||||
From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:03:40 +0200
|
||||
Subject: Use more general default values in openssl.cnf
|
||||
|
||||
Also set sha256 as default hash, although that should not be
|
||||
necessary anymore.
|
||||
|
||||
(was openssl-1.1.1-defaults.patch)
|
||||
---
|
||||
apps/openssl.cnf | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
|
||||
index 97567a67be..eb25a0ac48 100644
|
||||
--- a/apps/openssl.cnf
|
||||
+++ b/apps/openssl.cnf
|
||||
@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
-default_md = default # use public key default MD
|
||||
+default_md = sha256 # use SHA-256 by default
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
@@ -136,6 +136,7 @@ emailAddress = optional
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
+default_md = sha256
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
@@ -158,17 +159,18 @@ string_mask = utf8only
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
-countryName_default = AU
|
||||
+countryName_default = XX
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
-stateOrProvinceName_default = Some-State
|
||||
+#stateOrProvinceName_default = Default Province
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
+localityName_default = Default City
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
-0.organizationName_default = Internet Widgits Pty Ltd
|
||||
+0.organizationName_default = Default Company Ltd
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
@@ -177,7 +179,7 @@ localityName = Locality Name (eg, city)
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
-commonName = Common Name (e.g. server FQDN or YOUR name)
|
||||
+commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 3d5755df8d09ca841c0aca2d7344db060f6cc97f Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:05:55 +0200
|
||||
Subject: Do not install html docs
|
||||
|
||||
(was openssl-1.1.1-no-html.patch)
|
||||
---
|
||||
Configurations/unix-Makefile.tmpl | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
|
||||
index 342e46d24d..9f369edf0e 100644
|
||||
--- a/Configurations/unix-Makefile.tmpl
|
||||
+++ b/Configurations/unix-Makefile.tmpl
|
||||
@@ -554,7 +554,7 @@ install_sw: install_dev install_engines install_modules install_runtime
|
||||
|
||||
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
|
||||
|
||||
-install_docs: install_man_docs install_html_docs
|
||||
+install_docs: install_man_docs
|
||||
|
||||
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
||||
$(RM) -r $(DESTDIR)$(DOCDIR)
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,73 +0,0 @@
|
||||
From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:17:26 +0200
|
||||
Subject: Override default paths for the CA directory tree
|
||||
|
||||
Also add default section to load crypto-policies configuration
|
||||
for TLS.
|
||||
|
||||
It needs to be reverted before running tests.
|
||||
|
||||
(was openssl-1.1.1-conf-paths.patch)
|
||||
---
|
||||
apps/CA.pl.in | 2 +-
|
||||
apps/openssl.cnf | 20 ++++++++++++++++++--
|
||||
2 files changed, 19 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
|
||||
index c0afb96716..d6a5fabd16 100644
|
||||
--- a/apps/CA.pl.in
|
||||
+++ b/apps/CA.pl.in
|
||||
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
|
||||
my $PKCS12 = "$openssl pkcs12";
|
||||
|
||||
# Default values for various configuration settings.
|
||||
-my $CATOP = "./demoCA";
|
||||
+my $CATOP = "/etc/pki/CA";
|
||||
my $CAKEY = "cakey.pem";
|
||||
my $CAREQ = "careq.pem";
|
||||
my $CACERT = "cacert.pem";
|
||||
diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
|
||||
--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
|
||||
+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
|
||||
@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7
|
||||
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
+# Load default TLS policy configuration
|
||||
+ssl_conf = ssl_module
|
||||
|
||||
# List of providers to load
|
||||
[provider_sect]
|
||||
@@ -64,6 +66,13 @@ default = default_sect
|
||||
[default_sect]
|
||||
# activate = 1
|
||||
|
||||
+[ ssl_module ]
|
||||
+
|
||||
+system_default = crypto_policy
|
||||
+
|
||||
+[ crypto_policy ]
|
||||
+
|
||||
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
||||
|
||||
####################################################################
|
||||
[ ca ]
|
||||
@@ -72,7 +81,7 @@ default_ca = CA_default # The default c
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
-dir = ./demoCA # Where everything is kept
|
||||
+dir = /etc/pki/CA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
|
||||
@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default
|
||||
[ tsa_config1 ]
|
||||
|
||||
# These are used by the TSA reply generation only.
|
||||
-dir = ./demoCA # TSA root directory
|
||||
+dir = /etc/pki/CA # TSA root directory
|
||||
serial = $dir/tsaserial # The current serial number (mandatory)
|
||||
crypto_device = builtin # OpenSSL engine to use for signing
|
||||
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
@ -1,28 +0,0 @@
|
||||
From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:27:18 +0200
|
||||
Subject: apps/ca: fix md option help text
|
||||
|
||||
upstreamable
|
||||
|
||||
(was openssl-1.1.1-apps-dgst.patch)
|
||||
---
|
||||
apps/ca.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/apps/ca.c b/apps/ca.c
|
||||
index 0f21b4fa1c..3d4b2c1673 100755
|
||||
--- a/apps/ca.c
|
||||
+++ b/apps/ca.c
|
||||
@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
|
||||
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
|
||||
|
||||
OPT_SECTION("Signing"),
|
||||
- {"md", OPT_MD, 's', "Digest to use, such as sha256"},
|
||||
+ {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
|
||||
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
|
||||
{"keyform", OPT_KEYFORM, 'f',
|
||||
"Private key file format (ENGINE, other values ignored)"},
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,29 +0,0 @@
|
||||
From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 09:51:34 +0200
|
||||
Subject: Disable signature verification with totally unsafe hash algorithms
|
||||
|
||||
(was openssl-1.1.1-no-weak-verify.patch)
|
||||
---
|
||||
crypto/asn1/a_verify.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
|
||||
index b7eed914b0..af62f0ef08 100644
|
||||
--- a/crypto/asn1/a_verify.c
|
||||
+++ b/crypto/asn1/a_verify.c
|
||||
@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
|
||||
ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
|
||||
if (ret <= 1)
|
||||
goto err;
|
||||
+ } else if ((mdnid == NID_md5
|
||||
+ && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
|
||||
+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
|
||||
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
||||
+ goto err;
|
||||
} else {
|
||||
const EVP_MD *type = NULL;
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,323 +0,0 @@
|
||||
From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 24 Sep 2020 10:16:46 +0200
|
||||
Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
||||
|
||||
(was openssl-1.1.1-system-cipherlist.patch)
|
||||
---
|
||||
Configurations/unix-Makefile.tmpl | 5 ++
|
||||
Configure | 10 +++-
|
||||
doc/man1/openssl-ciphers.pod.in | 9 ++++
|
||||
include/openssl/ssl.h.in | 5 ++
|
||||
ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++----
|
||||
ssl/ssl_lib.c | 4 +-
|
||||
test/cipherlist_test.c | 2 +
|
||||
util/libcrypto.num | 1 +
|
||||
8 files changed, 110 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
|
||||
index 9f369edf0e..c52389f831 100644
|
||||
--- a/Configurations/unix-Makefile.tmpl
|
||||
+++ b/Configurations/unix-Makefile.tmpl
|
||||
@@ -269,6 +269,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||
HTMLDIR=$(DOCDIR)/html
|
||||
|
||||
+{- output_off() if $config{system_ciphers_file} eq ""; "" -}
|
||||
+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
|
||||
+{- output_on() if $config{system_ciphers_file} eq ""; "" -}
|
||||
+
|
||||
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
||||
# appended after the manpage file section number. "ssl" is popular,
|
||||
# resulting in files such as config.5ssl rather than config.5.
|
||||
@@ -292,6 +296,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
||||
CPPFLAGS={- our $cppflags1 = join(" ",
|
||||
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
||||
+ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
|
||||
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
||||
@{$config{CPPFLAGS}}) -}
|
||||
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
||||
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
|
||||
index b4ed3e51d5..2122e6bdfd 100644
|
||||
--- a/doc/man1/openssl-ciphers.pod.in
|
||||
+++ b/doc/man1/openssl-ciphers.pod.in
|
||||
@@ -187,6 +187,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
|
||||
|
||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||
|
||||
+=item B<PROFILE=SYSTEM>
|
||||
+
|
||||
+The list of enabled cipher suites will be loaded from the system crypto policy
|
||||
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
|
||||
+See also L<update-crypto-policies(8)>.
|
||||
+This is the default behavior unless an application explicitly sets a cipher
|
||||
+list. If used in a cipher list configuration value this string must be at the
|
||||
+beginning of the cipher list, otherwise it will not be recognized.
|
||||
+
|
||||
=item B<HIGH>
|
||||
|
||||
"High" encryption cipher suites. This currently means those with key lengths
|
||||
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
|
||||
index f9a61609e4..c6f95fed3f 100644
|
||||
--- a/include/openssl/ssl.h.in
|
||||
+++ b/include/openssl/ssl.h.in
|
||||
@@ -209,6 +209,11 @@ extern "C" {
|
||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||
*/
|
||||
+# ifdef SYSTEM_CIPHERS_FILE
|
||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
|
||||
+# else
|
||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
|
||||
+# endif
|
||||
|
||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||
# define SSL_SENT_SHUTDOWN 1
|
||||
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|
||||
index b1d3f7919e..f7cc7fed48 100644
|
||||
--- a/ssl/ssl_ciph.c
|
||||
+++ b/ssl/ssl_ciph.c
|
||||
@@ -1411,6 +1411,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+static char *load_system_str(const char *suffix)
|
||||
+{
|
||||
+ FILE *fp;
|
||||
+ char buf[1024];
|
||||
+ char *new_rules;
|
||||
+ const char *ciphers_path;
|
||||
+ unsigned len, slen;
|
||||
+
|
||||
+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
|
||||
+ ciphers_path = SYSTEM_CIPHERS_FILE;
|
||||
+ fp = fopen(ciphers_path, "r");
|
||||
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
|
||||
+ /* cannot open or file is empty */
|
||||
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
|
||||
+ }
|
||||
+
|
||||
+ if (fp)
|
||||
+ fclose(fp);
|
||||
+
|
||||
+ slen = strlen(suffix);
|
||||
+ len = strlen(buf);
|
||||
+
|
||||
+ if (buf[len - 1] == '\n') {
|
||||
+ len--;
|
||||
+ buf[len] = 0;
|
||||
+ }
|
||||
+ if (buf[len - 1] == '\r') {
|
||||
+ len--;
|
||||
+ buf[len] = 0;
|
||||
+ }
|
||||
+
|
||||
+ new_rules = OPENSSL_malloc(len + slen + 1);
|
||||
+ if (new_rules == 0)
|
||||
+ return NULL;
|
||||
+
|
||||
+ memcpy(new_rules, buf, len);
|
||||
+ if (slen > 0) {
|
||||
+ memcpy(&new_rules[len], suffix, slen);
|
||||
+ len += slen;
|
||||
+ }
|
||||
+ new_rules[len] = 0;
|
||||
+
|
||||
+ return new_rules;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||
STACK_OF(SSL_CIPHER) **cipher_list,
|
||||
@@ -1425,15 +1472,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
||||
const SSL_CIPHER **ca_list = NULL;
|
||||
const SSL_METHOD *ssl_method = ctx->method;
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ char *new_rules = NULL;
|
||||
+
|
||||
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
|
||||
+ char *p = rule_str + 14;
|
||||
+
|
||||
+ new_rules = load_system_str(p);
|
||||
+ rule_str = new_rules;
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Return with error if nothing to do.
|
||||
*/
|
||||
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
|
||||
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
|
||||
/*
|
||||
* To reduce the work to do we only want to process the compiled
|
||||
@@ -1456,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||
if (co_list == NULL) {
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||
@@ -1522,8 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
* in force within each class
|
||||
*/
|
||||
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||
- OPENSSL_free(co_list);
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1568,9 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||
if (ca_list == NULL) {
|
||||
- OPENSSL_free(co_list);
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||
- return NULL; /* Failure */
|
||||
+ goto err;
|
||||
}
|
||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||
disabled_mkey, disabled_auth, disabled_enc,
|
||||
@@ -1596,8 +1651,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||
|
||||
if (!ok) { /* Rule processing failure */
|
||||
- OPENSSL_free(co_list);
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1605,10 +1659,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
* if we cannot get one.
|
||||
*/
|
||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||
- OPENSSL_free(co_list);
|
||||
- return NULL;
|
||||
+ goto err;
|
||||
}
|
||||
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ OPENSSL_free(new_rules); /* Not needed anymore */
|
||||
+#endif
|
||||
+
|
||||
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
||||
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
||||
@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||
*cipher_list = cipherstack;
|
||||
|
||||
return cipherstack;
|
||||
+
|
||||
+err:
|
||||
+ OPENSSL_free(co_list);
|
||||
+#ifdef SYSTEM_CIPHERS_FILE
|
||||
+ OPENSSL_free(new_rules);
|
||||
+#endif
|
||||
+ return NULL;
|
||||
+
|
||||
}
|
||||
|
||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||
index d14d5819ba..48d491219a 100644
|
||||
--- a/ssl/ssl_lib.c
|
||||
+++ b/ssl/ssl_lib.c
|
||||
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
|
||||
ctx->tls13_ciphersuites,
|
||||
&(ctx->cipher_list),
|
||||
&(ctx->cipher_list_by_id),
|
||||
- OSSL_default_cipher_list(), ctx->cert);
|
||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
|
||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||
return 0;
|
||||
@@ -3193,7 +3193,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
|
||||
if (!ssl_create_cipher_list(ret,
|
||||
ret->tls13_ciphersuites,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
- OSSL_default_cipher_list(), ret->cert)
|
||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
|
||||
index 380f0727fc..6922a87c30 100644
|
||||
--- a/test/cipherlist_test.c
|
||||
+++ b/test/cipherlist_test.c
|
||||
@@ -244,7 +244,9 @@ end:
|
||||
|
||||
int setup_tests(void)
|
||||
{
|
||||
+#ifndef SYSTEM_CIPHERS_FILE
|
||||
ADD_TEST(test_default_cipherlist_implicit);
|
||||
+#endif
|
||||
ADD_TEST(test_default_cipherlist_explicit);
|
||||
ADD_TEST(test_default_cipherlist_clear);
|
||||
return 1;
|
||||
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||
index 404a706fab..e81fa9ec3e 100644
|
||||
--- a/util/libcrypto.num
|
||||
+++ b/util/libcrypto.num
|
||||
@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION:
|
||||
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
||||
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
||||
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
||||
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||
--
|
||||
2.26.2
|
||||
|
||||
diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure
|
||||
--- openssl-3.0.0-beta1/Configure.sys-default 2021-06-29 11:47:58.978144386 +0200
|
||||
+++ openssl-3.0.0-beta1/Configure 2021-06-29 11:52:01.631126260 +0200
|
||||
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
||||
my $orig_death_handler = $SIG{__DIE__};
|
||||
$SIG{__DIE__} = \&death_handler;
|
||||
|
||||
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||
|
||||
my $banner = <<"EOF";
|
||||
|
||||
@@ -61,6 +61,10 @@ EOF
|
||||
# given with --prefix.
|
||||
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||
# (Default: PREFIX/ssl)
|
||||
+#
|
||||
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
||||
+# cipher is specified (default).
|
||||
+#
|
||||
# --banner=".." Output specified text instead of default completion banner
|
||||
#
|
||||
# -w Don't wait after showing a Configure warning
|
||||
@@ -385,6 +389,7 @@ $config{prefix}="";
|
||||
$config{openssldir}="";
|
||||
$config{processor}="";
|
||||
$config{libdir}="";
|
||||
+$config{system_ciphers_file}="";
|
||||
my $auto_threads=1; # enable threads automatically? true by default
|
||||
my $default_ranlib;
|
||||
|
||||
@@ -987,6 +992,10 @@ while (@argvcopy)
|
||||
die "FIPS key too long (64 bytes max)\n"
|
||||
if length $1 > 64;
|
||||
}
|
||||
+ elsif (/^--system-ciphers-file=(.*)$/)
|
||||
+ {
|
||||
+ $config{system_ciphers_file}=$1;
|
||||
+ }
|
||||
elsif (/^--banner=(.*)$/)
|
||||
{
|
||||
$banner = $1 . "\n";
|
@ -1,77 +0,0 @@
|
||||
From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Thu, 26 Nov 2020 14:00:16 +0100
|
||||
Subject: Add FIPS_mode() compatibility macro
|
||||
|
||||
The macro calls EVP_default_properties_is_fips_enabled() on the
|
||||
default context.
|
||||
---
|
||||
include/openssl/crypto.h.in | 1 +
|
||||
include/openssl/fips.h | 25 +++++++++++++++++++++++++
|
||||
test/property_test.c | 13 +++++++++++++
|
||||
3 files changed, 39 insertions(+)
|
||||
create mode 100644 include/openssl/fips.h
|
||||
|
||||
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
|
||||
new file mode 100644
|
||||
index 0000000000..c64f0f8e8f
|
||||
--- /dev/null
|
||||
+++ b/include/openssl/fips.h
|
||||
@@ -0,0 +1,26 @@
|
||||
+/*
|
||||
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ *
|
||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+
|
||||
+#ifndef OPENSSL_FIPS_H
|
||||
+# define OPENSSL_FIPS_H
|
||||
+# pragma once
|
||||
+
|
||||
+# include <openssl/evp.h>
|
||||
+# include <openssl/macros.h>
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+extern "C" {
|
||||
+# endif
|
||||
+
|
||||
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+}
|
||||
+# endif
|
||||
+#endif
|
||||
diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c
|
||||
--- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200
|
||||
+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200
|
||||
@@ -488,6 +488,19 @@ static int test_property_list_to_string(
|
||||
return ret;
|
||||
}
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+static int test_downstream_FIPS_mode(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
|
||||
+ && TEST_true(FIPS_mode())
|
||||
+ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
|
||||
+ && TEST_false(FIPS_mode());
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
ADD_TEST(test_property_string);
|
||||
@@ -500,6 +512,7 @@ int setup_tests(void)
|
||||
ADD_TEST(test_property);
|
||||
ADD_TEST(test_query_cache_stochastic);
|
||||
ADD_TEST(test_fips_mode);
|
||||
+ ADD_TEST(test_downstream_FIPS_mode);
|
||||
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
|
||||
return 1;
|
||||
}
|
@ -1,71 +0,0 @@
|
||||
diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha13/crypto/context.c
|
||||
--- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100
|
||||
+++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100
|
||||
@@ -12,11 +12,46 @@
|
||||
#include "internal/provider.h"
|
||||
#include "crypto/ctype.h"
|
||||
|
||||
+# include <sys/types.h>
|
||||
+# include <sys/stat.h>
|
||||
+# include <fcntl.h>
|
||||
+# include <unistd.h>
|
||||
+# include <openssl/evp.h>
|
||||
+
|
||||
struct ossl_lib_ctx_onfree_list_st {
|
||||
ossl_lib_ctx_onfree_fn *fn;
|
||||
struct ossl_lib_ctx_onfree_list_st *next;
|
||||
};
|
||||
|
||||
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
||||
+
|
||||
+static int kernel_fips_flag;
|
||||
+
|
||||
+static void read_kernel_fips_flag(void)
|
||||
+{
|
||||
+ char buf[2] = "0";
|
||||
+ int fd;
|
||||
+
|
||||
+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
||||
+ buf[0] = '1';
|
||||
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
||||
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
||||
+ close(fd);
|
||||
+ }
|
||||
+
|
||||
+ if (buf[0] == '1') {
|
||||
+ kernel_fips_flag = 1;
|
||||
+ }
|
||||
+
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+int ossl_get_kernel_fips_flag()
|
||||
+{
|
||||
+ return kernel_fips_flag;
|
||||
+}
|
||||
+
|
||||
+
|
||||
struct ossl_lib_ctx_st {
|
||||
CRYPTO_RWLOCK *lock;
|
||||
CRYPTO_EX_DATA data;
|
||||
@@ -121,6 +170,7 @@ static CRYPTO_THREAD_LOCAL default_conte
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
|
||||
{
|
||||
+ read_kernel_fips_flag();
|
||||
return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)
|
||||
&& context_init(&default_context_int);
|
||||
}
|
||||
diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h
|
||||
--- openssl-3.0.1/include/internal/provider.h.embed-fips 2022-01-11 13:13:08.323238760 +0100
|
||||
+++ openssl-3.0.1/include/internal/provider.h 2022-01-11 13:13:43.522558909 +0100
|
||||
@@ -110,6 +110,9 @@ int ossl_provider_init_as_child(OSSL_LIB
|
||||
const OSSL_DISPATCH *in);
|
||||
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
|
||||
|
||||
+/* FIPS flag access */
|
||||
+int ossl_get_kernel_fips_flag(void);
|
||||
+
|
||||
# ifdef __cplusplus
|
||||
}
|
||||
# endif
|
File diff suppressed because it is too large
Load Diff
@ -1,122 +0,0 @@
|
||||
diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_asn1.c
|
||||
--- openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec 2022-03-22 13:10:45.718077845 +0100
|
||||
+++ openssl-3.0.1/crypto/ec/ec_asn1.c 2022-03-22 13:12:46.626599016 +0100
|
||||
@@ -895,6 +895,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **
|
||||
if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
|
||||
group->decoded_from_explicit_params = 1;
|
||||
|
||||
+ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
|
||||
+ EC_GROUP_free(group);
|
||||
+ ECPKPARAMETERS_free(params);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
if (a) {
|
||||
EC_GROUP_free(*a);
|
||||
*a = group;
|
||||
@@ -954,6 +959,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
|
||||
goto err;
|
||||
}
|
||||
|
||||
+ if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) {
|
||||
+ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
ret->version = priv_key->version;
|
||||
|
||||
if (priv_key->privateKey) {
|
||||
diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/test/endecode_test.c
|
||||
--- openssl-3.0.1/test/endecode_test.c.disable_explicit_ec 2022-03-21 16:55:46.005558779 +0100
|
||||
+++ openssl-3.0.1/test/endecode_test.c 2022-03-21 16:56:12.636792762 +0100
|
||||
@@ -57,7 +57,7 @@ static BN_CTX *bnctx = NULL;
|
||||
static OSSL_PARAM_BLD *bld_prime_nc = NULL;
|
||||
static OSSL_PARAM_BLD *bld_prime = NULL;
|
||||
static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;
|
||||
-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;
|
||||
+/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/
|
||||
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
static OSSL_PARAM_BLD *bld_tri_nc = NULL;
|
||||
@@ -990,9 +990,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
|
||||
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
|
||||
IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
|
||||
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
|
||||
-DOMAIN_KEYS(ECExplicitPrime2G);
|
||||
-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
|
||||
-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
|
||||
+/*DOMAIN_KEYS(ECExplicitPrime2G);*/
|
||||
+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
|
||||
+/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
DOMAIN_KEYS(ECExplicitTriNamedCurve);
|
||||
IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
|
||||
@@ -1318,7 +1318,7 @@ int setup_tests(void)
|
||||
|| !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
|
||||
|| !create_ec_explicit_prime_params(bld_prime)
|
||||
|| !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
|
||||
- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))
|
||||
+/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
|| !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
|
||||
|| !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
|
||||
@@ -1346,7 +1346,7 @@ int setup_tests(void)
|
||||
TEST_info("Generating EC keys...");
|
||||
MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
|
||||
MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
|
||||
- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
|
||||
+/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
|
||||
MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
|
||||
@@ -1389,8 +1389,8 @@ int setup_tests(void)
|
||||
ADD_TEST_SUITE_LEGACY(EC);
|
||||
ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
|
||||
ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
|
||||
- ADD_TEST_SUITE(ECExplicitPrime2G);
|
||||
- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
|
||||
+/* ADD_TEST_SUITE(ECExplicitPrime2G);*/
|
||||
+/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
ADD_TEST_SUITE(ECExplicitTriNamedCurve);
|
||||
ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
|
||||
@@ -1427,7 +1427,7 @@ void cleanup_tests(void)
|
||||
{
|
||||
#ifndef OPENSSL_NO_EC
|
||||
OSSL_PARAM_free(ec_explicit_prime_params_nc);
|
||||
- OSSL_PARAM_free(ec_explicit_prime_params_explicit);
|
||||
+/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/
|
||||
OSSL_PARAM_BLD_free(bld_prime_nc);
|
||||
OSSL_PARAM_BLD_free(bld_prime);
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
@@ -1449,7 +1449,7 @@ void cleanup_tests(void)
|
||||
#ifndef OPENSSL_NO_EC
|
||||
FREE_DOMAIN_KEYS(EC);
|
||||
FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
|
||||
- FREE_DOMAIN_KEYS(ECExplicitPrime2G);
|
||||
+/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
|
||||
FREE_DOMAIN_KEYS(ECExplicitTri2G);
|
||||
diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
||||
--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_explicit_ec 2022-03-25 11:20:50.920949208 +0100
|
||||
+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 2022-03-25 11:21:13.177147598 +0100
|
||||
@@ -121,18 +121,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEB
|
||||
3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
-PrivateKey = EC_EXPLICIT
|
||||
------BEGIN PRIVATE KEY-----
|
||||
-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
|
||||
-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
|
||||
-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
|
||||
-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
|
||||
-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
|
||||
-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
|
||||
-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
|
||||
-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
|
||||
------END PRIVATE KEY-----
|
||||
-
|
||||
PrivateKey = B-163
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
|
@ -1,75 +0,0 @@
|
||||
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
|
||||
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
|
||||
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
|
||||
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
|
||||
tsa_policy2 = 1.2.3.4.5.6
|
||||
tsa_policy3 = 1.2.3.4.5.7
|
||||
|
||||
-# For FIPS
|
||||
-# Optionally include a file that is generated by the OpenSSL fipsinstall
|
||||
-# application. This file contains configuration data required by the OpenSSL
|
||||
-# fips provider. It contains a named section e.g. [fips_sect] which is
|
||||
-# referenced from the [provider_sect] below.
|
||||
-# Refer to the OpenSSL security policy for more information.
|
||||
-# .include fipsmodule.cnf
|
||||
-
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
# Load default TLS policy configuration
|
||||
ssl_conf = ssl_module
|
||||
|
||||
-# List of providers to load
|
||||
-[provider_sect]
|
||||
-default = default_sect
|
||||
-# The fips section name should match the section name inside the
|
||||
-# included fipsmodule.cnf.
|
||||
-# fips = fips_sect
|
||||
+# Uncomment the sections that start with ## below to enable the legacy provider.
|
||||
+# Loading the legacy provider enables support for the following algorithms:
|
||||
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
||||
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
|
||||
+# Key Derivation Function (KDF): PBKDF1
|
||||
+# In general it is not recommended to use the above mentioned algorithms for
|
||||
+# security critical operations, as they are cryptographically weak or vulnerable
|
||||
+# to side-channel attacks and as such have been deprecated.
|
||||
|
||||
-# If no providers are activated explicitly, the default one is activated implicitly.
|
||||
-# See man 7 OSSL_PROVIDER-default for more details.
|
||||
-#
|
||||
-# If you add a section explicitly activating any other provider(s), you most
|
||||
-# probably need to explicitly activate the default provider, otherwise it
|
||||
-# becomes unavailable in openssl. As a consequence applications depending on
|
||||
-# OpenSSL may not work correctly which could lead to significant system
|
||||
-# problems including inability to remotely access the system.
|
||||
-[default_sect]
|
||||
-# activate = 1
|
||||
+[provider_sect]
|
||||
+default = default_sect
|
||||
+##legacy = legacy_sect
|
||||
+##
|
||||
+[default_sect]
|
||||
+activate = 1
|
||||
+
|
||||
+##[legacy_sect]
|
||||
+##activate = 1
|
||||
|
||||
[ ssl_module ]
|
||||
|
||||
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
|
||||
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
|
||||
+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
|
||||
@@ -273,6 +273,14 @@ significant.
|
||||
All parameters in the section as well as sub-sections are made
|
||||
available to the provider.
|
||||
|
||||
+=head3 Loading the legacy provider
|
||||
+
|
||||
+Uncomment the sections that start with ## in openssl.cnf
|
||||
+to enable the legacy provider.
|
||||
+Note: In general it is not recommended to use the above mentioned algorithms for
|
||||
+security critical operations, as they are cryptographically weak or vulnerable
|
||||
+to side-channel attacks and as such have been deprecated.
|
||||
+
|
||||
=head3 Default provider and its activation
|
||||
|
||||
If no providers are activated explicitly, the default one is activated implicitly.
|
@ -1,18 +0,0 @@
|
||||
diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
|
||||
--- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100
|
||||
+++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100
|
||||
@@ -55,11 +55,11 @@ providers = provider_sect
|
||||
# to side-channel attacks and as such have been deprecated.
|
||||
|
||||
[provider_sect]
|
||||
-default = default_sect
|
||||
+##default = default_sect
|
||||
##legacy = legacy_sect
|
||||
##
|
||||
-[default_sect]
|
||||
-activate = 1
|
||||
+##[default_sect]
|
||||
+##activate = 1
|
||||
|
||||
##[legacy_sect]
|
||||
##activate = 1
|
@ -1,40 +0,0 @@
|
||||
diff -up openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit openssl-3.0.0/test/recipes/90-test_sslapi.t
|
||||
--- openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit 2021-09-22 11:56:49.452507975 +0200
|
||||
+++ openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-09-22 11:57:19.371764742 +0200
|
||||
@@ -40,7 +40,7 @@ unless ($no_fips) {
|
||||
"recipes",
|
||||
"90-test_sslapi_data",
|
||||
"dhparams.pem")])),
|
||||
- "running sslapitest");
|
||||
+ "running sslapitest - FIPS");
|
||||
}
|
||||
|
||||
unlink $tmpfilename;
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index e95d2657f46c..7af0eab3fce0 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
|
||||
goto end;
|
||||
}
|
||||
|
||||
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
|
||||
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
/* Create a session based on SHA-256 */
|
||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||
TLS_client_method(),
|
||||
@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
|
||||
goto end;
|
||||
}
|
||||
|
||||
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
|
||||
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
/* Create a session based on SHA-256 */
|
||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||
TLS_client_method(),
|
@ -1,184 +0,0 @@
|
||||
#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite
|
||||
#(partial) of the function provider_conf_load() under the 'if (activate) section.
|
||||
#If there is any change to this section, after deleting it in provider_conf_load()
|
||||
#ensure that you also add those changes to the provider_conf_activate() function.
|
||||
#additionally please add this check for cnf explicitly as shown below.
|
||||
#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
|
||||
diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c
|
||||
--- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200
|
||||
+++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200
|
||||
@@ -36,6 +36,7 @@ static int prov_already_activated(const
|
||||
#include <string.h>
|
||||
#include <openssl/trace.h>
|
||||
#include <openssl/err.h>
|
||||
+#include <unistd.h>
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/safestack.h>
|
||||
#include <openssl/provider.h>
|
||||
@@ -136,58 +136,18 @@ static int prov_already_activated(const
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
|
||||
- const char *value, const CONF *cnf)
|
||||
+static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,
|
||||
+ const char *value, const char *path,
|
||||
+ int soft, const CONF *cnf)
|
||||
{
|
||||
- int i;
|
||||
- STACK_OF(CONF_VALUE) *ecmds;
|
||||
- int soft = 0;
|
||||
- OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
||||
- const char *path = NULL;
|
||||
- long activate = 0;
|
||||
int ok = 0;
|
||||
-
|
||||
- name = skip_dot(name);
|
||||
- OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
|
||||
- /* Value is a section containing PROVIDER commands */
|
||||
- ecmds = NCONF_get_section(cnf, value);
|
||||
-
|
||||
- if (!ecmds) {
|
||||
- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
|
||||
- "section=%s not found", value);
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
- /* Find the needed data first */
|
||||
- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
|
||||
- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
|
||||
- const char *confname = skip_dot(ecmd->name);
|
||||
- const char *confvalue = ecmd->value;
|
||||
-
|
||||
- OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
|
||||
- confname, confvalue);
|
||||
-
|
||||
- /* First handle some special pseudo confs */
|
||||
-
|
||||
- /* Override provider name to use */
|
||||
- if (strcmp(confname, "identity") == 0)
|
||||
- name = confvalue;
|
||||
- else if (strcmp(confname, "soft_load") == 0)
|
||||
- soft = 1;
|
||||
- /* Load a dynamic PROVIDER */
|
||||
- else if (strcmp(confname, "module") == 0)
|
||||
- path = confvalue;
|
||||
- else if (strcmp(confname, "activate") == 0)
|
||||
- activate = 1;
|
||||
- }
|
||||
-
|
||||
- if (activate) {
|
||||
- PROVIDER_CONF_GLOBAL *pcgbl
|
||||
- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
||||
- &provider_conf_ossl_ctx_method);
|
||||
+ OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
||||
+ PROVIDER_CONF_GLOBAL *pcgbl
|
||||
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
||||
+ &provider_conf_ossl_ctx_method);
|
||||
|
||||
if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
|
||||
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
||||
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
if (!prov_already_activated(name, pcgbl->activated_providers)) {
|
||||
@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C
|
||||
if (path != NULL)
|
||||
ossl_provider_set_module_path(prov, path);
|
||||
|
||||
- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
|
||||
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
|
||||
|
||||
if (ok) {
|
||||
if (!ossl_provider_activate(prov, 1, 0)) {
|
||||
@@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C
|
||||
}
|
||||
if (!ok)
|
||||
ossl_provider_free(prov);
|
||||
+ } else { /* No reason to activate the provider twice, returning OK */
|
||||
+ ok = 1;
|
||||
}
|
||||
CRYPTO_THREAD_unlock(pcgbl->lock);
|
||||
+ return ok;
|
||||
+}
|
||||
+
|
||||
+static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
|
||||
+ const char *value, const CONF *cnf)
|
||||
+{
|
||||
+ int i;
|
||||
+ STACK_OF(CONF_VALUE) *ecmds;
|
||||
+ int soft = 0;
|
||||
+ const char *path = NULL;
|
||||
+ long activate = 0;
|
||||
+ int ok = 0;
|
||||
+
|
||||
+ name = skip_dot(name);
|
||||
+ OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
|
||||
+ /* Value is a section containing PROVIDER commands */
|
||||
+ ecmds = NCONF_get_section(cnf, value);
|
||||
+
|
||||
+ if (!ecmds) {
|
||||
+ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
|
||||
+ "section=%s not found", value);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* Find the needed data first */
|
||||
+ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
|
||||
+ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
|
||||
+ const char *confname = skip_dot(ecmd->name);
|
||||
+ const char *confvalue = ecmd->value;
|
||||
+
|
||||
+ OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
|
||||
+ confname, confvalue);
|
||||
+
|
||||
+ /* First handle some special pseudo confs */
|
||||
+
|
||||
+ /* Override provider name to use */
|
||||
+ if (strcmp(confname, "identity") == 0)
|
||||
+ name = confvalue;
|
||||
+ else if (strcmp(confname, "soft_load") == 0)
|
||||
+ soft = 1;
|
||||
+ /* Load a dynamic PROVIDER */
|
||||
+ else if (strcmp(confname, "module") == 0)
|
||||
+ path = confvalue;
|
||||
+ else if (strcmp(confname, "activate") == 0)
|
||||
+ activate = 1;
|
||||
+ }
|
||||
+
|
||||
+ if (activate) {
|
||||
+ ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
|
||||
} else {
|
||||
OSSL_PROVIDER_INFO entry;
|
||||
|
||||
@@ -306,6 +317,30 @@ static int provider_conf_init(CONF_IMODU
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
|
||||
+ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
|
||||
+# define FIPS_LOCAL_CONF OPENSSLDIR "/fips_local.cnf"
|
||||
+
|
||||
+ if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
|
||||
+ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
|
||||
+ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
|
||||
+ NCONF_free(fips_conf);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ NCONF_free(fips_conf);
|
||||
+ } else {
|
||||
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
|
||||
+ return 0;
|
||||
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
@ -1,204 +0,0 @@
|
||||
diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/providers/fips/self_test.c
|
||||
--- openssl-3.0.7/providers/fips/self_test.c.embed-hmac 2023-01-05 10:03:44.864869710 +0100
|
||||
+++ openssl-3.0.7/providers/fips/self_test.c 2023-01-05 10:15:17.041606472 +0100
|
||||
@@ -172,11 +172,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
+#define HMAC_LEN 32
|
||||
+/*
|
||||
+ * The __attribute__ ensures we've created the .rodata1 section
|
||||
+ * static ensures it's zero filled
|
||||
+*/
|
||||
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
|
||||
+
|
||||
/*
|
||||
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
|
||||
* the result matches the expected value.
|
||||
* Return 1 if verified, or 0 if it fails.
|
||||
*/
|
||||
+#ifndef __USE_GNU
|
||||
+#define __USE_GNU
|
||||
+#include <dlfcn.h>
|
||||
+#undef __USE_GNU
|
||||
+#else
|
||||
+#include <dlfcn.h>
|
||||
+#endif
|
||||
+#include <link.h>
|
||||
+
|
||||
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
||||
unsigned char *expected, size_t expected_len,
|
||||
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
||||
@@ -189,9 +205,20 @@ static int verify_integrity(OSSL_CORE_BI
|
||||
EVP_MAC *mac = NULL;
|
||||
EVP_MAC_CTX *ctx = NULL;
|
||||
OSSL_PARAM params[2], *p = params;
|
||||
+ Dl_info info;
|
||||
+ void *extra_info = NULL;
|
||||
+ struct link_map *lm = NULL;
|
||||
+ unsigned long paddr;
|
||||
+ unsigned long off = 0;
|
||||
|
||||
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
||||
|
||||
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
||||
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
||||
+ goto err;
|
||||
+ lm = extra_info;
|
||||
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
||||
+
|
||||
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
||||
if (mac == NULL)
|
||||
goto err;
|
||||
@@ -205,13 +233,42 @@ static int verify_integrity(OSSL_CORE_BI
|
||||
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
||||
goto err;
|
||||
|
||||
- while (1) {
|
||||
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
|
||||
+ while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
|
||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||
if (status != 1)
|
||||
break;
|
||||
if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
goto err;
|
||||
+ off += bytes_read;
|
||||
}
|
||||
+
|
||||
+ if (off + INTEGRITY_BUF_SIZE > paddr) {
|
||||
+ int delta = paddr - off;
|
||||
+ status = read_ex_cb(bio, buf, delta, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ goto err;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+
|
||||
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
||||
+ memset(buf, 0, HMAC_LEN);
|
||||
+ if (status != 1)
|
||||
+ goto err;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
+ while (bytes_read > 0) {
|
||||
+ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||
+ if (status != 1)
|
||||
+ break;
|
||||
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||
+ goto err;
|
||||
+ off += bytes_read;
|
||||
+ }
|
||||
+
|
||||
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
||||
goto err;
|
||||
|
||||
@@ -285,8 +342,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
CRYPTO_THREAD_unlock(fips_state_lock);
|
||||
}
|
||||
|
||||
- if (st == NULL
|
||||
- || st->module_checksum_data == NULL) {
|
||||
+ if (st == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
|
||||
goto end;
|
||||
}
|
||||
@@ -305,8 +361,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
if (ev == NULL)
|
||||
goto end;
|
||||
|
||||
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
||||
- &checksum_len);
|
||||
+ module_checksum = fips_hmac_container;
|
||||
+ checksum_len = sizeof(fips_hmac_container);
|
||||
+
|
||||
if (module_checksum == NULL) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
||||
goto end;
|
||||
@@ -356,7 +413,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
ok = 1;
|
||||
end:
|
||||
OSSL_SELF_TEST_free(ev);
|
||||
- OPENSSL_free(module_checksum);
|
||||
OPENSSL_free(indicator_checksum);
|
||||
|
||||
if (st != NULL) {
|
||||
diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t
|
||||
--- openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200
|
||||
+++ openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t 2021-11-18 09:39:53.386817874 +0100
|
||||
@@ -20,7 +20,7 @@
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
-my $no_check = disabled("fips");
|
||||
+my $no_check = 1;
|
||||
plan skip_all => "FIPS module config file only supported in a fips build"
|
||||
if $no_check;
|
||||
|
||||
diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t
|
||||
--- openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200
|
||||
+++ openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t 2021-11-18 09:59:02.315619486 +0100
|
||||
@@ -23,7 +23,7 @@
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
-my $no_check = disabled("fips");
|
||||
+my $no_check = 1;
|
||||
plan skip_all => "Test only supported in a fips build"
|
||||
if $no_check;
|
||||
plan tests => 1;
|
||||
diff -ruN openssl-3.0.0/test/recipes/03-test_fipsinstall.t openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t
|
||||
--- openssl-3.0.0/test/recipes/03-test_fipsinstall.t 2021-09-07 13:46:32.000000000 +0200
|
||||
+++ openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t 2021-11-18 09:59:55.365072074 +0100
|
||||
@@ -22,7 +22,7 @@
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
|
||||
+plan skip_all => "Test only supported in a fips build" if 1;
|
||||
|
||||
plan tests => 29;
|
||||
|
||||
diff -ruN openssl-3.0.0/test/recipes/30-test_defltfips.t openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t
|
||||
--- openssl-3.0.0/test/recipes/30-test_defltfips.t 2021-09-07 13:46:32.000000000 +0200
|
||||
+++ openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t 2021-11-18 10:22:54.179659682 +0100
|
||||
@@ -21,7 +21,7 @@
|
||||
use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
|
||||
plan tests =>
|
||||
($no_fips ? 1 : 5);
|
||||
diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t
|
||||
--- openssl-3.0.0/test/recipes/80-test_ssl_new.t 2021-09-07 13:46:32.000000000 +0200
|
||||
+++ openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t 2021-11-18 10:18:53.391721164 +0100
|
||||
@@ -23,7 +23,7 @@
|
||||
use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
|
||||
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
|
||||
|
||||
diff -ruN openssl-3.0.0/test/recipes/90-test_sslapi.t openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t
|
||||
--- openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-11-18 10:32:17.734196705 +0100
|
||||
+++ openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t 2021-11-18 10:18:30.695538445 +0100
|
||||
@@ -18,7 +18,7 @@
|
||||
use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
|
||||
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
|
||||
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
|
||||
--- /dev/null 2021-11-16 15:27:32.915000000 +0100
|
||||
+++ openssl-3.0.0/test/fipsmodule.cnf 2021-11-18 11:15:34.538060408 +0100
|
||||
@@ -0,0 +1,2 @@
|
||||
+[fips_sect]
|
||||
+activate = 1
|
@ -1,406 +0,0 @@
|
||||
diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c
|
||||
--- openssl-3.0.0/apps/fipsinstall.c.xxx 2021-11-22 13:09:28.232560235 +0100
|
||||
+++ openssl-3.0.0/apps/fipsinstall.c 2021-11-22 13:12:22.272058910 +0100
|
||||
@@ -311,6 +311,9 @@ int fipsinstall_main(int argc, char **ar
|
||||
EVP_MAC *mac = NULL;
|
||||
CONF *conf = NULL;
|
||||
|
||||
+ BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
|
||||
+ return 1;
|
||||
+
|
||||
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
|
||||
goto end;
|
||||
|
||||
diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod
|
||||
--- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100
|
||||
+++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100
|
||||
@@ -158,10 +158,6 @@ Engine (loadable module) information and
|
||||
|
||||
Error Number to Error String Conversion.
|
||||
|
||||
-=item B<fipsinstall>
|
||||
-
|
||||
-FIPS configuration installation.
|
||||
-
|
||||
=item B<gendsa>
|
||||
|
||||
Generation of DSA Private Key from Parameters. Superseded by
|
||||
diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod
|
||||
--- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100
|
||||
+++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100
|
||||
@@ -573,7 +573,6 @@ configuration files using that syntax wi
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
|
||||
-L<openssl-fipsinstall(1)>,
|
||||
L<ASN1_generate_nconf(3)>,
|
||||
L<EVP_set_default_properties(3)>,
|
||||
L<CONF_modules_load(3)>,
|
||||
diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod
|
||||
--- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100
|
||||
+++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100
|
||||
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
-A separate configuration file, using the OpenSSL L<config(5)> syntax,
|
||||
-is used to hold information about the FIPS module. This includes a digest
|
||||
-of the shared library file, and status about the self-testing.
|
||||
-This data is used automatically by the module itself for two
|
||||
-purposes:
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item - Run the startup FIPS self-test known answer tests (KATS).
|
||||
-
|
||||
-This is normally done once, at installation time, but may also be set up to
|
||||
-run each time the module is used.
|
||||
-
|
||||
-=item - Verify the module's checksum.
|
||||
-
|
||||
-This is done each time the module is used.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-This file is generated by the L<openssl-fipsinstall(1)> program, and
|
||||
-used internally by the FIPS module during its initialization.
|
||||
-
|
||||
-The following options are supported. They should all appear in a section
|
||||
-whose name is identified by the B<fips> option in the B<providers>
|
||||
-section, as described in L<config(5)/Provider Configuration Module>.
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item B<activate>
|
||||
-
|
||||
-If present, the module is activated. The value assigned to this name is not
|
||||
-significant.
|
||||
-
|
||||
-=item B<install-version>
|
||||
-
|
||||
-A version number for the fips install process. Should be 1.
|
||||
-
|
||||
-=item B<conditional-errors>
|
||||
-
|
||||
-The FIPS module normally enters an internal error mode if any self test fails.
|
||||
-Once this error mode is active, no services or cryptographic algorithms are
|
||||
-accessible from this point on.
|
||||
-Continuous tests are a subset of the self tests (e.g., a key pair test during key
|
||||
-generation, or the CRNG output test).
|
||||
-Setting this value to C<0> allows the error mode to not be triggered if any
|
||||
-continuous test fails. The default value of C<1> will trigger the error mode.
|
||||
-Regardless of the value, the operation (e.g., key generation) that called the
|
||||
-continuous test will return an error code if its continuous test fails. The
|
||||
-operation may then be retried if the error mode has not been triggered.
|
||||
-
|
||||
-=item B<security-checks>
|
||||
-
|
||||
-This indicates if run-time checks related to enforcement of security parameters
|
||||
-such as minimum security strength of keys and approved curve names are used.
|
||||
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
|
||||
-are not performed and FIPS compliance must be done by procedures documented in
|
||||
-the relevant Security Policy.
|
||||
-
|
||||
-=item B<module-mac>
|
||||
-
|
||||
-The calculated MAC of the FIPS provider file.
|
||||
-
|
||||
-=item B<install-status>
|
||||
-
|
||||
-An indicator that the self-tests were successfully run.
|
||||
-This should only be written after the module has
|
||||
-successfully passed its self tests during installation.
|
||||
-If this field is not present, then the self tests will run when the module
|
||||
-loads.
|
||||
-
|
||||
-=item B<install-mac>
|
||||
-
|
||||
-A MAC of the value of the B<install-status> option, to prevent accidental
|
||||
-changes to that value.
|
||||
-It is written-to at the same time as B<install-status> is updated.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-For example:
|
||||
-
|
||||
- [fips_sect]
|
||||
- activate = 1
|
||||
- install-version = 1
|
||||
- conditional-errors = 1
|
||||
- security-checks = 1
|
||||
- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
|
||||
- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
|
||||
- install-status = INSTALL_SELF_TEST_KATS_RUN
|
||||
-
|
||||
-=head1 NOTES
|
||||
-
|
||||
-When using the FIPS provider, it is recommended that the
|
||||
-B<config_diagnostics> option is enabled to prevent accidental use of
|
||||
-non-FIPS validated algorithms via broken or mistaken configuration.
|
||||
-See L<config(5)>.
|
||||
-
|
||||
-=head1 SEE ALSO
|
||||
-
|
||||
-L<config(5)>
|
||||
-L<openssl-fipsinstall(1)>
|
||||
+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
|
||||
+automatically loaded when the system is booted in FIPS mode, or when the
|
||||
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
||||
+for more information.
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||
--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100
|
||||
+++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100
|
||||
@@ -388,7 +388,6 @@ A simple self test callback is shown bel
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
-L<openssl-fipsinstall(1)>,
|
||||
L<fips_config(5)>,
|
||||
L<OSSL_SELF_TEST_set_callback(3)>,
|
||||
L<OSSL_SELF_TEST_new(3)>,
|
||||
diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in
|
||||
--- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100
|
||||
+++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100
|
||||
@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<openssl fipsinstall>
|
||||
-[B<-help>]
|
||||
-[B<-in> I<configfilename>]
|
||||
-[B<-out> I<configfilename>]
|
||||
-[B<-module> I<modulefilename>]
|
||||
-[B<-provider_name> I<providername>]
|
||||
-[B<-section_name> I<sectionname>]
|
||||
-[B<-verify>]
|
||||
-[B<-mac_name> I<macname>]
|
||||
-[B<-macopt> I<nm>:I<v>]
|
||||
-[B<-noout>]
|
||||
-[B<-quiet>]
|
||||
-[B<-no_conditional_errors>]
|
||||
-[B<-no_security_checks>]
|
||||
-[B<-self_test_onload>]
|
||||
-[B<-corrupt_desc> I<selftest_description>]
|
||||
-[B<-corrupt_type> I<selftest_type>]
|
||||
-[B<-config> I<parent_config>]
|
||||
|
||||
=head1 DESCRIPTION
|
||||
-
|
||||
-This command is used to generate a FIPS module configuration file.
|
||||
-This configuration file can be used each time a FIPS module is loaded
|
||||
-in order to pass data to the FIPS module self tests. The FIPS module always
|
||||
-verifies its MAC, but optionally only needs to run the KAT's once,
|
||||
-at installation.
|
||||
-
|
||||
-The generated configuration file consists of:
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item - A MAC of the FIPS module file.
|
||||
-
|
||||
-=item - A test status indicator.
|
||||
-
|
||||
-This indicates if the Known Answer Self Tests (KAT's) have successfully run.
|
||||
-
|
||||
-=item - A MAC of the status indicator.
|
||||
-
|
||||
-=item - A control for conditional self tests errors.
|
||||
-
|
||||
-By default if a continuous test (e.g a key pair test) fails then the FIPS module
|
||||
-will enter an error state, and no services or cryptographic algorithms will be
|
||||
-able to be accessed after this point.
|
||||
-The default value of '1' will cause the fips module error state to be entered.
|
||||
-If the value is '0' then the module error state will not be entered.
|
||||
-Regardless of whether the error state is entered or not, the current operation
|
||||
-(e.g. key generation) will return an error. The user is responsible for retrying
|
||||
-the operation if the module error state is not entered.
|
||||
-
|
||||
-=item - A control to indicate whether run-time security checks are done.
|
||||
-
|
||||
-This indicates if run-time checks related to enforcement of security parameters
|
||||
-such as minimum security strength of keys and approved curve names are used.
|
||||
-The default value of '1' will perform the checks.
|
||||
-If the value is '0' the checks are not performed and FIPS compliance must
|
||||
-be done by procedures documented in the relevant Security Policy.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-This file is described in L<fips_config(5)>.
|
||||
-
|
||||
-=head1 OPTIONS
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item B<-help>
|
||||
-
|
||||
-Print a usage message.
|
||||
-
|
||||
-=item B<-module> I<filename>
|
||||
-
|
||||
-Filename of the FIPS module to perform an integrity check on.
|
||||
-The path provided in the filename is used to load the module when it is
|
||||
-activated, and this overrides the environment variable B<OPENSSL_MODULES>.
|
||||
-
|
||||
-=item B<-out> I<configfilename>
|
||||
-
|
||||
-Filename to output the configuration data to; the default is standard output.
|
||||
-
|
||||
-=item B<-in> I<configfilename>
|
||||
-
|
||||
-Input filename to load configuration data from.
|
||||
-Must be used if the B<-verify> option is specified.
|
||||
-
|
||||
-=item B<-verify>
|
||||
-
|
||||
-Verify that the input configuration file contains the correct information.
|
||||
-
|
||||
-=item B<-provider_name> I<providername>
|
||||
-
|
||||
-Name of the provider inside the configuration file.
|
||||
-The default value is C<fips>.
|
||||
-
|
||||
-=item B<-section_name> I<sectionname>
|
||||
-
|
||||
-Name of the section inside the configuration file.
|
||||
-The default value is C<fips_sect>.
|
||||
-
|
||||
-=item B<-mac_name> I<name>
|
||||
-
|
||||
-Specifies the name of a supported MAC algorithm which will be used.
|
||||
-The MAC mechanisms that are available will depend on the options
|
||||
-used when building OpenSSL.
|
||||
-To see the list of supported MAC's use the command
|
||||
-C<openssl list -mac-algorithms>. The default is B<HMAC>.
|
||||
-
|
||||
-=item B<-macopt> I<nm>:I<v>
|
||||
-
|
||||
-Passes options to the MAC algorithm.
|
||||
-A comprehensive list of controls can be found in the EVP_MAC implementation
|
||||
-documentation.
|
||||
-Common control strings used for this command are:
|
||||
-
|
||||
-=over 4
|
||||
-
|
||||
-=item B<key>:I<string>
|
||||
-
|
||||
-Specifies the MAC key as an alphanumeric string (use if the key contains
|
||||
-printable characters only).
|
||||
-The string length must conform to any restrictions of the MAC algorithm.
|
||||
-A key must be specified for every MAC algorithm.
|
||||
-If no key is provided, the default that was specified when OpenSSL was
|
||||
-configured is used.
|
||||
-
|
||||
-=item B<hexkey>:I<string>
|
||||
-
|
||||
-Specifies the MAC key in hexadecimal form (two hex digits per byte).
|
||||
-The key length must conform to any restrictions of the MAC algorithm.
|
||||
-A key must be specified for every MAC algorithm.
|
||||
-If no key is provided, the default that was specified when OpenSSL was
|
||||
-configured is used.
|
||||
-
|
||||
-=item B<digest>:I<string>
|
||||
-
|
||||
-Used by HMAC as an alphanumeric string (use if the key contains printable
|
||||
-characters only).
|
||||
-The string length must conform to any restrictions of the MAC algorithm.
|
||||
-To see the list of supported digests, use the command
|
||||
-C<openssl list -digest-commands>.
|
||||
-The default digest is SHA-256.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-=item B<-noout>
|
||||
-
|
||||
-Disable logging of the self tests.
|
||||
-
|
||||
-=item B<-no_conditional_errors>
|
||||
-
|
||||
-Configure the module to not enter an error state if a conditional self test
|
||||
-fails as described above.
|
||||
-
|
||||
-=item B<-no_security_checks>
|
||||
-
|
||||
-Configure the module to not perform run-time security checks as described above.
|
||||
-
|
||||
-=item B<-self_test_onload>
|
||||
-
|
||||
-Do not write the two fields related to the "test status indicator" and
|
||||
-"MAC status indicator" to the output configuration file. Without these fields
|
||||
-the self tests KATS will run each time the module is loaded. This option could be
|
||||
-used for cross compiling, since the self tests need to run at least once on each
|
||||
-target machine. Once the self tests have run on the target machine the user
|
||||
-could possibly then add the 2 fields into the configuration using some other
|
||||
-mechanism.
|
||||
-
|
||||
-=item B<-quiet>
|
||||
-
|
||||
-Do not output pass/fail messages. Implies B<-noout>.
|
||||
-
|
||||
-=item B<-corrupt_desc> I<selftest_description>,
|
||||
-B<-corrupt_type> I<selftest_type>
|
||||
-
|
||||
-The corrupt options can be used to test failure of one or more self tests by
|
||||
-name.
|
||||
-Either option or both may be used to select the tests to corrupt.
|
||||
-Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
|
||||
-values that can be used.
|
||||
-
|
||||
-=item B<-config> I<parent_config>
|
||||
-
|
||||
-Test that a FIPS provider can be loaded from the specified configuration file.
|
||||
-A previous call to this application needs to generate the extra configuration
|
||||
-data that is included by the base C<parent_config> configuration file.
|
||||
-See L<config(5)> for further information on how to set up a provider section.
|
||||
-All other options are ignored if '-config' is used.
|
||||
-
|
||||
-=back
|
||||
-
|
||||
-=head1 NOTES
|
||||
-
|
||||
-Self tests results are logged by default if the options B<-quiet> and B<-noout>
|
||||
-are not specified, or if either of the options B<-corrupt_desc> or
|
||||
-B<-corrupt_type> are used.
|
||||
-If the base configuration file is set up to autoload the fips module, then the
|
||||
-fips module will be loaded and self tested BEFORE the fipsinstall application
|
||||
-has a chance to set up its own self test callback. As a result of this the self
|
||||
-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
|
||||
-For normal usage the base configuration file should use the default provider
|
||||
-when generating the fips configuration file.
|
||||
-
|
||||
-=head1 EXAMPLES
|
||||
-
|
||||
-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
|
||||
-for the module, and save the F<fips.cnf> configuration file:
|
||||
-
|
||||
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
|
||||
-
|
||||
-Verify that the configuration file F<fips.cnf> contains the correct info:
|
||||
-
|
||||
- openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify
|
||||
-
|
||||
-Corrupt any self tests which have the description C<SHA1>:
|
||||
-
|
||||
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
|
||||
- -corrupt_desc 'SHA1'
|
||||
-
|
||||
-Validate that the fips module can be loaded from a base configuration file:
|
||||
-
|
||||
- export OPENSSL_CONF_INCLUDE=<path of configuration files>
|
||||
- export OPENSSL_MODULES=<provider-path>
|
||||
- openssl fipsinstall -config' 'default.cnf'
|
||||
-
|
||||
-
|
||||
-=head1 SEE ALSO
|
||||
-
|
||||
-L<config(5)>,
|
||||
-L<fips_config(5)>,
|
||||
-L<OSSL_PROVIDER-FIPS(7)>,
|
||||
-L<EVP_MAC(3)>
|
||||
+This command is disabled.
|
||||
+Please consult Red Hat Enterprise Linux documentation to learn how to correctly
|
||||
+enable FIPS mode on Red Hat Enterprise
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
@ -1,13 +0,0 @@
|
||||
diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c
|
||||
--- openssl-3.0.0/apps/speed.c.beldmit 2021-12-21 15:14:04.210431584 +0100
|
||||
+++ openssl-3.0.0/apps/speed.c 2021-12-21 15:46:05.554085125 +0100
|
||||
@@ -547,6 +547,9 @@ static int EVP_MAC_loop(int algindex, vo
|
||||
for (count = 0; COND(c[algindex][testnum]); count++) {
|
||||
size_t outl;
|
||||
|
||||
+ if (mctx == NULL)
|
||||
+ return -1;
|
||||
+
|
||||
if (!EVP_MAC_init(mctx, NULL, 0, NULL)
|
||||
|| !EVP_MAC_update(mctx, buf, lengths[testnum])
|
||||
|| !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))
|
@ -1,390 +0,0 @@
|
||||
diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
|
||||
--- openssl-3.0.1/crypto/dh/dh_key.c.fips3 2022-07-18 16:01:41.159543735 +0200
|
||||
+++ openssl-3.0.1/crypto/dh/dh_key.c 2022-07-18 16:24:30.251388248 +0200
|
||||
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *k
|
||||
BN_MONT_CTX *mont = NULL;
|
||||
BIGNUM *z = NULL, *pminus1;
|
||||
int ret = -1;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int validate = 0;
|
||||
+#endif
|
||||
|
||||
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
||||
@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *k
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
ctx = BN_CTX_new_ex(dh->libctx);
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
@@ -262,6 +272,9 @@ static int generate_key(DH *dh)
|
||||
#endif
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *pub_key = NULL, *priv_key = NULL;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int validate = 0;
|
||||
+#endif
|
||||
|
||||
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
||||
@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
|
||||
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
|
||||
goto err;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
|
||||
+ goto err;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
dh->pub_key = pub_key;
|
||||
dh->priv_key = priv_key;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (ossl_dh_check_pairwise(dh) <= 0) {
|
||||
+ abort();
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
dh->dirty_cnt++;
|
||||
ok = 1;
|
||||
err:
|
||||
diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c
|
||||
--- openssl-3.0.7/crypto/ec/ec_key.c.f188 2023-11-08 10:58:05.910031253 +0100
|
||||
+++ openssl-3.0.7/crypto/ec/ec_key.c 2023-11-08 10:59:42.338526883 +0100
|
||||
@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey
|
||||
eckey->dirty_cnt++;
|
||||
|
||||
#ifdef FIPS_MODULE
|
||||
+ if (ossl_ec_key_public_check(eckey, ctx) <= 0) {
|
||||
+ ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
pairwise_test = 1;
|
||||
#endif /* FIPS_MODULE */
|
||||
|
||||
diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c
|
||||
--- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200
|
||||
@@ -488,6 +488,25 @@ int ecdh_plain_derive(void *vpecdhctx, u
|
||||
}
|
||||
|
||||
ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
|
||||
+#ifdef FIPS_MODULE
|
||||
+ {
|
||||
+ BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk));
|
||||
+ int check = 0;
|
||||
+
|
||||
+ if (bn_ctx == NULL) {
|
||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx);
|
||||
+ BN_CTX_free(bn_ctx);
|
||||
+
|
||||
+ if (check <= 0) {
|
||||
+ ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY);
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
|
||||
|
||||
diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
--- openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise 2023-02-20 11:44:18.451884117 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c 2023-02-20 12:39:46.037063842 +0100
|
||||
@@ -982,8 +982,17 @@ struct ec_gen_ctx {
|
||||
int selection;
|
||||
int ecdh_mode;
|
||||
EC_GROUP *gen_group;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ void *ecdsa_sig_ctx;
|
||||
+#endif
|
||||
};
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+void *ecdsa_newctx(void *provctx, const char *propq);
|
||||
+void ecdsa_freectx(void *vctx);
|
||||
+int do_ec_pct(void *, const char *, void *);
|
||||
+#endif
|
||||
+
|
||||
static void *ec_gen_init(void *provctx, int selection,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
@@ -1002,6 +1011,10 @@ static void *ec_gen_init(void *provctx,
|
||||
OPENSSL_free(gctx);
|
||||
gctx = NULL;
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (gctx != NULL)
|
||||
+ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
|
||||
+#endif
|
||||
return gctx;
|
||||
}
|
||||
|
||||
@@ -1272,6 +1285,12 @@ static void *ec_gen(void *genctx, OSSL_C
|
||||
|
||||
if (gctx->ecdh_mode != -1)
|
||||
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* Pairwise consistency test */
|
||||
+ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
|
||||
+ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
|
||||
+ abort();
|
||||
+#endif
|
||||
|
||||
if (gctx->group_check != NULL)
|
||||
ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
|
||||
@@ -1341,7 +1359,10 @@ static void ec_gen_cleanup(void *genctx)
|
||||
|
||||
if (gctx == NULL)
|
||||
return;
|
||||
-
|
||||
+#ifdef FIPS_MODULE
|
||||
+ ecdsa_freectx(gctx->ecdsa_sig_ctx);
|
||||
+ gctx->ecdsa_sig_ctx = NULL;
|
||||
+#endif
|
||||
EC_GROUP_free(gctx->gen_group);
|
||||
BN_free(gctx->p);
|
||||
BN_free(gctx->a);
|
||||
diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c
|
||||
--- openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise 2023-02-20 11:50:23.035194347 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c 2023-02-20 12:19:10.809768979 +0100
|
||||
@@ -32,7 +32,7 @@
|
||||
#include "crypto/ec.h"
|
||||
#include "prov/der_ec.h"
|
||||
|
||||
-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
|
||||
+OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
|
||||
static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
|
||||
static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
|
||||
static OSSL_FUNC_signature_sign_fn ecdsa_sign;
|
||||
@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_f
|
||||
static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
|
||||
static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
|
||||
static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
|
||||
-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
|
||||
+OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
|
||||
static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
|
||||
static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
|
||||
static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
|
||||
@@ -104,7 +104,7 @@ typedef struct {
|
||||
#endif
|
||||
} PROV_ECDSA_CTX;
|
||||
|
||||
-static void *ecdsa_newctx(void *provctx, const char *propq)
|
||||
+void *ecdsa_newctx(void *provctx, const char *propq)
|
||||
{
|
||||
PROV_ECDSA_CTX *ctx;
|
||||
|
||||
@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx
|
||||
return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
|
||||
}
|
||||
|
||||
-static void ecdsa_freectx(void *vctx)
|
||||
+void ecdsa_freectx(void *vctx)
|
||||
{
|
||||
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
|
||||
|
||||
@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_
|
||||
return EVP_MD_settable_ctx_params(ctx->md);
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+int do_ec_pct(void *vctx, const char *mdname, void *ec)
|
||||
+{
|
||||
+ static const unsigned char data[32];
|
||||
+ unsigned char sigbuf[256];
|
||||
+ size_t siglen = sizeof(sigbuf);
|
||||
+
|
||||
+ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
|
||||
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
|
||||
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
|
||||
diff -up openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c
|
||||
--- openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise 2023-02-20 16:04:27.103364713 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c 2023-02-20 16:14:13.848119419 +0100
|
||||
@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
|
||||
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
|
||||
/* ACVP test parameters */
|
||||
OSSL_PARAM *acvp_test_params;
|
||||
+ void *prov_rsa_ctx;
|
||||
#endif
|
||||
};
|
||||
|
||||
@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GE
|
||||
return gctx->cb(params, gctx->cbarg);
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+void *rsa_newctx(void *provctx, const char *propq);
|
||||
+void rsa_freectx(void *vctx);
|
||||
+int do_rsa_pct(void *, const char *, void *);
|
||||
+#endif
|
||||
+
|
||||
static void *gen_init(void *provctx, int selection, int rsa_type,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int
|
||||
|
||||
if (!rsa_gen_set_params(gctx, params))
|
||||
goto err;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (gctx != NULL)
|
||||
+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
|
||||
+#endif
|
||||
return gctx;
|
||||
|
||||
err:
|
||||
@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_
|
||||
|
||||
rsa = rsa_tmp;
|
||||
rsa_tmp = NULL;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* Pairwise consistency test */
|
||||
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
|
||||
+ abort();
|
||||
+#endif
|
||||
err:
|
||||
BN_GENCB_free(gencb);
|
||||
RSA_free(rsa_tmp);
|
||||
@@ -645,6 +662,8 @@ static void rsa_gen_cleanup(void *genctx
|
||||
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
|
||||
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
|
||||
gctx->acvp_test_params = NULL;
|
||||
+ rsa_freectx(gctx->prov_rsa_ctx);
|
||||
+ gctx->prov_rsa_ctx = NULL;
|
||||
#endif
|
||||
BN_clear_free(gctx->pub_exp);
|
||||
OPENSSL_free(gctx);
|
||||
diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/rsa_sig.c
|
||||
--- openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise 2023-02-20 16:04:22.548327811 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/signature/rsa_sig.c 2023-02-20 16:17:50.064871695 +0100
|
||||
@@ -36,7 +36,7 @@
|
||||
|
||||
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
||||
|
||||
-static OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
||||
+OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
||||
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
||||
static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
|
||||
static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
|
||||
@@ -49,7 +49,7 @@ static OSSL_FUNC_signature_digest_sign_f
|
||||
static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
|
||||
static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
|
||||
static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
|
||||
-static OSSL_FUNC_signature_freectx_fn rsa_freectx;
|
||||
+OSSL_FUNC_signature_freectx_fn rsa_freectx;
|
||||
static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
|
||||
static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
|
||||
static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
|
||||
@@ -172,7 +172,7 @@ static int rsa_check_parameters(PROV_RSA
|
||||
return 1;
|
||||
}
|
||||
|
||||
-static void *rsa_newctx(void *provctx, const char *propq)
|
||||
+void *rsa_newctx(void *provctx, const char *propq)
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = NULL;
|
||||
char *propq_copy = NULL;
|
||||
@@ -990,7 +990,7 @@ int rsa_digest_verify_final(void *vprsac
|
||||
return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
|
||||
}
|
||||
|
||||
-static void rsa_freectx(void *vprsactx)
|
||||
+void rsa_freectx(void *vprsactx)
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||
|
||||
@@ -1504,6 +1504,45 @@ static const OSSL_PARAM *rsa_settable_ct
|
||||
return EVP_MD_settable_ctx_params(prsactx->md);
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
|
||||
+{
|
||||
+ static const unsigned char data[32];
|
||||
+ unsigned char *sigbuf = NULL;
|
||||
+ size_t siglen = 0;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0)
|
||||
+ goto err;
|
||||
+
|
||||
+ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
|
||||
+ goto err;
|
||||
+
|
||||
+ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
|
||||
+ goto err;
|
||||
+
|
||||
+ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
|
||||
+ goto err;
|
||||
+ ret = 1;
|
||||
+
|
||||
+ err:
|
||||
+ OPENSSL_free(sigbuf);
|
||||
+ return ret;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
|
||||
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
|
||||
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
|
||||
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
|
||||
index e0d139d..35f23b2 100644
|
||||
--- a/crypto/rsa/rsa_gen.c
|
||||
+++ b/crypto/rsa/rsa_gen.c
|
||||
@@ -463,6 +463,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
|
||||
rsa->dmp1 = NULL;
|
||||
rsa->dmq1 = NULL;
|
||||
rsa->iqmp = NULL;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ abort();
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
}
|
||||
}
|
||||
return ok;
|
@ -1,739 +0,0 @@
|
||||
diff -up openssl-3.0.1/providers/common/capabilities.c.fipsmin3 openssl-3.0.1/providers/common/capabilities.c
|
||||
--- openssl-3.0.1/providers/common/capabilities.c.fipsmin3 2022-05-05 17:11:36.146638536 +0200
|
||||
+++ openssl-3.0.1/providers/common/capabilities.c 2022-05-05 17:12:00.138848787 +0200
|
||||
@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list
|
||||
TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
|
||||
TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
|
||||
TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
|
||||
-# endif
|
||||
TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
|
||||
TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
|
||||
+# endif
|
||||
# endif /* OPENSSL_NO_EC */
|
||||
# ifndef OPENSSL_NO_DH
|
||||
/* Security bit values for FFDHE groups are as per RFC 7919 */
|
||||
diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/providers/fips/fipsprov.c
|
||||
--- openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 2022-05-05 11:42:58.596848856 +0200
|
||||
+++ openssl-3.0.1/providers/fips/fipsprov.c 2022-05-05 11:55:42.997562712 +0200
|
||||
@@ -54,7 +54,6 @@ static void fips_deinit_casecmp(void);
|
||||
|
||||
#define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }
|
||||
#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
|
||||
-
|
||||
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
|
||||
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
|
||||
|
||||
@@ -191,13 +190,13 @@ static int fips_get_params(void *provctx
|
||||
&fips_prov_ossl_ctx_method);
|
||||
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
|
||||
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
|
||||
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider"))
|
||||
return 0;
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
|
||||
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
|
||||
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
|
||||
return 0;
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
|
||||
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
|
||||
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
|
||||
return 0;
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
|
||||
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
|
||||
@@ -281,10 +280,11 @@ static const OSSL_ALGORITHM fips_digests
|
||||
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
|
||||
* KMAC128 and KMAC256.
|
||||
*/
|
||||
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
||||
+ /* We don't certify KECCAK in our FIPS provider */
|
||||
+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
||||
ossl_keccak_kmac_128_functions },
|
||||
{ PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
|
||||
- ossl_keccak_kmac_256_functions },
|
||||
+ ossl_keccak_kmac_256_functions }, */
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
@@ -343,8 +343,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
|
||||
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
|
||||
ossl_cipher_capable_aes_cbc_hmac_sha256),
|
||||
#ifndef OPENSSL_NO_DES
|
||||
- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
||||
- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
|
||||
+ /* We don't certify 3DES in our FIPS provider */
|
||||
+ /* ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
||||
+ ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
|
||||
#endif /* OPENSSL_NO_DES */
|
||||
{ { NULL, NULL, NULL }, NULL }
|
||||
};
|
||||
@@ -356,8 +357,9 @@ static const OSSL_ALGORITHM fips_macs[]
|
||||
#endif
|
||||
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
|
||||
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
|
||||
- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
||||
- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
|
||||
+ /* We don't certify KMAC in our FIPS provider */
|
||||
+ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
||||
+ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
@@ -392,8 +394,9 @@ static const OSSL_ALGORITHM fips_keyexch
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_EC
|
||||
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
|
||||
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
||||
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
|
||||
+ /* We don't certify Edwards curves in our FIPS provider */
|
||||
+ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
||||
+ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
|
||||
#endif
|
||||
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
|
||||
ossl_kdf_tls1_prf_keyexch_functions },
|
||||
@@ -403,12 +406,14 @@ static const OSSL_ALGORITHM fips_keyexch
|
||||
|
||||
static const OSSL_ALGORITHM fips_signature[] = {
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
|
||||
+ /* We don't certify DSA in our FIPS provider */
|
||||
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */
|
||||
#endif
|
||||
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
|
||||
#ifndef OPENSSL_NO_EC
|
||||
- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
|
||||
- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions },
|
||||
+ /* We don't certify Edwards curves in our FIPS provider */
|
||||
+ /* { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
|
||||
+ { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, */
|
||||
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
|
||||
#endif
|
||||
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
|
||||
@@ -438,8 +443,9 @@ static const OSSL_ALGORITHM fips_keymgmt
|
||||
PROV_DESCS_DHX },
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
||||
- PROV_DESCS_DSA },
|
||||
+ /* We don't certify DSA in our FIPS provider */
|
||||
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
||||
+ PROV_DESCS_DSA }, */
|
||||
#endif
|
||||
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
|
||||
PROV_DESCS_RSA },
|
||||
@@ -448,14 +454,15 @@ static const OSSL_ALGORITHM fips_keymgmt
|
||||
#ifndef OPENSSL_NO_EC
|
||||
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
|
||||
PROV_DESCS_EC },
|
||||
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
||||
+ /* We don't certify Edwards curves in our FIPS provider */
|
||||
+ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
||||
PROV_DESCS_X25519 },
|
||||
{ PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
|
||||
PROV_DESCS_X448 },
|
||||
{ PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions,
|
||||
PROV_DESCS_ED25519 },
|
||||
{ PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions,
|
||||
- PROV_DESCS_ED448 },
|
||||
+ PROV_DESCS_ED448 }, */
|
||||
#endif
|
||||
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
|
||||
PROV_DESCS_TLS1_PRF_SIGN },
|
||||
diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/providers/fips/self_test_data.inc
|
||||
--- openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 2022-05-05 12:36:32.335069046 +0200
|
||||
+++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-05 12:40:02.427966128 +0200
|
||||
@@ -171,6 +171,7 @@ static const ST_KAT_DIGEST st_kat_digest
|
||||
/*- CIPHER TEST DATA */
|
||||
|
||||
/* DES3 test data */
|
||||
+#if 0
|
||||
static const unsigned char des_ede3_cbc_pt[] = {
|
||||
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
|
||||
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
|
||||
@@ -191,7 +192,7 @@ static const unsigned char des_ede3_cbc_
|
||||
0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
|
||||
0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
|
||||
};
|
||||
-
|
||||
+#endif
|
||||
/* AES-256 GCM test data */
|
||||
static const unsigned char aes_256_gcm_key[] = {
|
||||
0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
|
||||
@@ -235,6 +236,7 @@ static const unsigned char aes_128_ecb_c
|
||||
};
|
||||
|
||||
static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
|
||||
+#if 0
|
||||
#ifndef OPENSSL_NO_DES
|
||||
{
|
||||
{
|
||||
@@ -248,6 +250,7 @@ static const ST_KAT_CIPHER st_kat_cipher
|
||||
ITM(des_ede3_cbc_iv),
|
||||
},
|
||||
#endif
|
||||
+#endif
|
||||
{
|
||||
{
|
||||
OSSL_SELF_TEST_DESC_CIPHER_AES_GCM,
|
||||
@@ -1424,8 +1427,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[
|
||||
# endif /* OPENSSL_NO_EC2M */
|
||||
#endif /* OPENSSL_NO_EC */
|
||||
|
||||
-#ifndef OPENSSL_NO_DSA
|
||||
/* dsa 2048 */
|
||||
+#if 0
|
||||
+#ifndef OPENSSL_NO_DSA
|
||||
static const unsigned char dsa_p[] = {
|
||||
0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
|
||||
0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
|
||||
@@ -1549,8 +1553,8 @@ static const ST_KAT_PARAM dsa_key[] = {
|
||||
ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, dsa_priv),
|
||||
ST_KAT_PARAM_END()
|
||||
};
|
||||
-#endif /* OPENSSL_NO_DSA */
|
||||
-
|
||||
+#endif
|
||||
+#endif
|
||||
static const ST_KAT_SIGN st_kat_sign_tests[] = {
|
||||
{
|
||||
OSSL_SELF_TEST_DESC_SIGN_RSA,
|
||||
@@ -1583,6 +1587,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
|
||||
},
|
||||
# endif
|
||||
#endif /* OPENSSL_NO_EC */
|
||||
+#if 0
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
{
|
||||
OSSL_SELF_TEST_DESC_SIGN_DSA,
|
||||
@@ -1595,6 +1600,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
|
||||
*/
|
||||
},
|
||||
#endif /* OPENSSL_NO_DSA */
|
||||
+#endif
|
||||
};
|
||||
|
||||
static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
|
||||
diff -up openssl-3.0.1/test/acvp_test.c.fipsmin2 openssl-3.0.1/test/acvp_test.c
|
||||
--- openssl-3.0.1/test/acvp_test.c.fipsmin2 2022-05-05 11:42:58.597848865 +0200
|
||||
+++ openssl-3.0.1/test/acvp_test.c 2022-05-05 11:43:30.141126336 +0200
|
||||
@@ -1476,6 +1476,7 @@ int setup_tests(void)
|
||||
OSSL_NELEM(dh_safe_prime_keyver_data));
|
||||
#endif /* OPENSSL_NO_DH */
|
||||
|
||||
+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
|
||||
ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
|
||||
@@ -1483,6 +1484,7 @@ int setup_tests(void)
|
||||
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
|
||||
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
|
||||
#endif /* OPENSSL_NO_DSA */
|
||||
+#endif
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
|
||||
diff -up openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 openssl-3.0.1/test/evp_libctx_test.c
|
||||
--- openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 2022-05-05 14:18:46.370911817 +0200
|
||||
+++ openssl-3.0.1/test/evp_libctx_test.c 2022-05-05 14:30:02.117911993 +0200
|
||||
@@ -21,6 +21,7 @@
|
||||
*/
|
||||
#include "internal/deprecated.h"
|
||||
#include <assert.h>
|
||||
+#include <string.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/provider.h>
|
||||
#include <openssl/dsa.h>
|
||||
@@ -725,8 +726,10 @@ int setup_tests(void)
|
||||
if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name))
|
||||
return 0;
|
||||
|
||||
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
|
||||
- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
|
||||
+ if (strcmp(prov_name, "fips") != 0) {
|
||||
+ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
|
||||
+ }
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
|
||||
@@ -746,7 +750,9 @@ int setup_tests(void)
|
||||
ADD_TEST(kem_invalid_keytype);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DES
|
||||
- ADD_TEST(test_cipher_tdes_randkey);
|
||||
+ if (strcmp(prov_name, "fips") != 0) {
|
||||
+ ADD_TEST(test_cipher_tdes_randkey);
|
||||
+ }
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
diff -up openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 openssl-3.0.1/test/recipes/15-test_gendsa.t
|
||||
--- openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 2022-05-05 13:46:00.631590335 +0200
|
||||
+++ openssl-3.0.1/test/recipes/15-test_gendsa.t 2022-05-05 13:46:06.999644496 +0200
|
||||
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
|
||||
plan skip_all => "This test is unsupported in a no-dsa build"
|
||||
if disabled("dsa");
|
||||
|
||||
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
+my $no_fips = 1;
|
||||
|
||||
plan tests =>
|
||||
($no_fips ? 0 : 2) # FIPS related tests
|
||||
diff -up openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 openssl-3.0.1/test/recipes/20-test_cli_fips.t
|
||||
--- openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 2022-05-05 13:47:55.217564900 +0200
|
||||
+++ openssl-3.0.1/test/recipes/20-test_cli_fips.t 2022-05-05 13:48:02.824629600 +0200
|
||||
@@ -207,8 +207,7 @@ SKIP: {
|
||||
}
|
||||
|
||||
SKIP : {
|
||||
- skip "FIPS DSA tests because of no dsa in this build", 1
|
||||
- if disabled("dsa");
|
||||
+ skip "FIPS DSA tests because of no dsa in this build", 1;
|
||||
|
||||
subtest DSA => sub {
|
||||
my $testtext_prefix = 'DSA';
|
||||
diff -up openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_cms.t
|
||||
--- openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 2022-05-05 13:55:05.257292637 +0200
|
||||
+++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-05 13:58:35.307150750 +0200
|
||||
@@ -95,7 +95,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content DER format, DSA key",
|
||||
+ [ "signed content DER format, DSA key, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
|
||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
||||
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
||||
@@ -103,7 +103,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed detached content DER format, DSA key",
|
||||
+ [ "signed detached content DER format, DSA key, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
||||
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
|
||||
@@ -112,7 +112,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed detached content DER format, add RSA signer (with DSA existing)",
|
||||
+ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
||||
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
|
||||
@@ -123,7 +123,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming BER format, DSA key",
|
||||
+ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-nodetach", "-stream",
|
||||
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
|
||||
@@ -132,7 +132,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
|
||||
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-nodetach", "-stream",
|
||||
"-signer", $smrsa1,
|
||||
@@ -145,7 +145,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
|
||||
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-noattr", "-nodetach", "-stream",
|
||||
"-signer", $smrsa1,
|
||||
@@ -175,7 +175,7 @@ my @smime_pkcs7_tests = (
|
||||
\&zero_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
|
||||
+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
|
||||
"-signer", $smrsa1,
|
||||
"-signer", catfile($smdir, "smrsa2.pem"),
|
||||
@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
|
||||
+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
|
||||
"-signer", $smrsa1,
|
||||
"-signer", catfile($smdir, "smrsa2.pem"),
|
||||
@@ -247,7 +247,7 @@ my @smime_pkcs7_tests = (
|
||||
|
||||
my @smime_cms_tests = (
|
||||
|
||||
- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
|
||||
+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
|
||||
"-nodetach", "-keyid",
|
||||
"-signer", $smrsa1,
|
||||
@@ -260,7 +260,7 @@ my @smime_cms_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
|
||||
+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
|
||||
"-signer", $smrsa1,
|
||||
"-signer", catfile($smdir, "smrsa2.pem"),
|
||||
@@ -370,7 +370,7 @@ my @smime_cms_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "encrypted content test streaming PEM format, triple DES key",
|
||||
+ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
|
||||
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
|
||||
"-stream", "-out", "{output}.cms" ],
|
||||
diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp.t
|
||||
--- openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 2022-05-05 14:43:04.276857033 +0200
|
||||
+++ openssl-3.0.1/test/recipes/30-test_evp.t 2022-05-05 14:43:35.975138234 +0200
|
||||
@@ -43,7 +43,6 @@ my @files = qw(
|
||||
evpciph_aes_cts.txt
|
||||
evpciph_aes_wrap.txt
|
||||
evpciph_aes_stitched.txt
|
||||
- evpciph_des3_common.txt
|
||||
evpkdf_hkdf.txt
|
||||
evpkdf_pbkdf1.txt
|
||||
evpkdf_pbkdf2.txt
|
||||
@@ -66,12 +65,6 @@ push @files, qw(
|
||||
evppkey_dh.txt
|
||||
) unless $no_dh;
|
||||
push @files, qw(
|
||||
- evpkdf_x942_des.txt
|
||||
- evpmac_cmac_des.txt
|
||||
- ) unless $no_des;
|
||||
-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
|
||||
-push @files, qw(evppkey_ecx.txt) unless $no_ec;
|
||||
-push @files, qw(
|
||||
evppkey_ecc.txt
|
||||
evppkey_ecdh.txt
|
||||
evppkey_ecdsa.txt
|
||||
@@ -91,6 +84,7 @@ my @defltfiles = qw(
|
||||
evpciph_cast5.txt
|
||||
evpciph_chacha.txt
|
||||
evpciph_des.txt
|
||||
+ evpciph_des3_common.txt
|
||||
evpciph_idea.txt
|
||||
evpciph_rc2.txt
|
||||
evpciph_rc4.txt
|
||||
@@ -117,6 +111,12 @@ my @defltfiles = qw(
|
||||
evppkey_kdf_tls1_prf.txt
|
||||
evppkey_rsa.txt
|
||||
);
|
||||
+push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
|
||||
+push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
|
||||
+push @defltfiles, qw(
|
||||
+ evpkdf_x942_des.txt
|
||||
+ evpmac_cmac_des.txt
|
||||
+ ) unless $no_des;
|
||||
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
|
||||
|
||||
plan tests =>
|
||||
diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt
|
||||
--- openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 2022-05-05 14:46:32.721700697 +0200
|
||||
+++ openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt 2022-05-05 14:51:40.205418897 +0200
|
||||
@@ -328,6 +328,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E54100
|
||||
Output = 00BDA1B7E87608BCBF470F12157F4C07
|
||||
|
||||
|
||||
+Availablein = default
|
||||
Title = KMAC Tests (From NIST)
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
@@ -338,12 +339,14 @@ Ctrl = xof:0
|
||||
OutputSize = 32
|
||||
BlockSize = 168
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
Custom = "My Tagged Application"
|
||||
Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -351,6 +354,7 @@ Custom = "My Tagged Application"
|
||||
Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
|
||||
Ctrl = size:32
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
@@ -359,12 +363,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6
|
||||
OutputSize = 64
|
||||
BlockSize = 136
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
Custom = ""
|
||||
Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -374,12 +380,14 @@ Ctrl = size:64
|
||||
|
||||
Title = KMAC XOF Tests (From NIST)
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
|
||||
XOF = 1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
@@ -387,6 +395,7 @@ Custom = "My Tagged Application"
|
||||
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
|
||||
XOF = 1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -395,6 +404,7 @@ Output = 47026C7CD793084AA0283C253EF6584
|
||||
XOF = 1
|
||||
Ctrl = size:32
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
@@ -402,6 +412,7 @@ Custom = "My Tagged Application"
|
||||
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
|
||||
XOF = 1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -409,6 +420,7 @@ Custom = ""
|
||||
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
|
||||
XOF = 1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -419,6 +431,7 @@ XOF = 1
|
||||
|
||||
Title = KMAC long customisation string (from NIST ACVP)
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
|
||||
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
|
||||
@@ -429,12 +442,14 @@ XOF = 1
|
||||
|
||||
Title = KMAC XOF Tests via ctrl (From NIST)
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
|
||||
Ctrl = xof:1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
@@ -442,6 +457,7 @@ Custom = "My Tagged Application"
|
||||
Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
|
||||
Ctrl = xof:1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -450,6 +466,7 @@ Output = 47026C7CD793084AA0283C253EF6584
|
||||
Ctrl = xof:1
|
||||
Ctrl = size:32
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 00010203
|
||||
@@ -457,6 +474,7 @@ Custom = "My Tagged Application"
|
||||
Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
|
||||
Ctrl = xof:1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -464,6 +482,7 @@ Custom = ""
|
||||
Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
|
||||
Ctrl = xof:1
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -474,6 +493,7 @@ Ctrl = xof:1
|
||||
|
||||
Title = KMAC long customisation string via ctrl (from NIST ACVP)
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
|
||||
Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
|
||||
@@ -484,6 +504,7 @@ Ctrl = xof:1
|
||||
|
||||
Title = KMAC long customisation string negative test
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC128
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
@@ -492,6 +513,7 @@ Result = MAC_INIT_ERROR
|
||||
|
||||
Title = KMAC output is too large
|
||||
|
||||
+Availablein = default
|
||||
MAC = KMAC256
|
||||
Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
|
||||
Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
|
||||
diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_ssl_old.t
|
||||
--- openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 2022-05-05 16:02:59.745500635 +0200
|
||||
+++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-05 16:10:24.071348890 +0200
|
||||
@@ -426,7 +426,7 @@ sub testssl {
|
||||
my @exkeys = ();
|
||||
my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
|
||||
|
||||
- if (!$no_dsa) {
|
||||
+ if (!$no_dsa && $provider ne "fips") {
|
||||
push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
|
||||
}
|
||||
|
||||
diff -up openssl-3.0.1/test/endecode_test.c.fipsmin3 openssl-3.0.1/test/endecode_test.c
|
||||
--- openssl-3.0.1/test/endecode_test.c.fipsmin3 2022-05-06 16:25:57.296926271 +0200
|
||||
+++ openssl-3.0.1/test/endecode_test.c 2022-05-06 16:27:42.712850840 +0200
|
||||
@@ -1387,6 +1387,7 @@ int setup_tests(void)
|
||||
* so no legacy tests.
|
||||
*/
|
||||
#endif
|
||||
+ if (is_fips == 0) {
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
ADD_TEST_SUITE(DSA);
|
||||
ADD_TEST_SUITE_PARAMS(DSA);
|
||||
@@ -1397,6 +1398,7 @@ int setup_tests(void)
|
||||
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
|
||||
# endif
|
||||
#endif
|
||||
+ }
|
||||
#ifndef OPENSSL_NO_EC
|
||||
ADD_TEST_SUITE(EC);
|
||||
ADD_TEST_SUITE_PARAMS(EC);
|
||||
@@ -1411,10 +1413,12 @@ int setup_tests(void)
|
||||
ADD_TEST_SUITE(ECExplicitTri2G);
|
||||
ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
|
||||
# endif
|
||||
+ if (is_fips == 0) {
|
||||
ADD_TEST_SUITE(ED25519);
|
||||
ADD_TEST_SUITE(ED448);
|
||||
ADD_TEST_SUITE(X25519);
|
||||
ADD_TEST_SUITE(X448);
|
||||
+ }
|
||||
/*
|
||||
* ED25519, ED448, X25519 and X448 have no support for
|
||||
* PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
|
||||
diff -up openssl-3.0.1/apps/req.c.dfc openssl-3.0.1/apps/req.c
|
||||
--- openssl-3.0.1/apps/req.c.dfc 2022-05-12 13:31:21.957638329 +0200
|
||||
+++ openssl-3.0.1/apps/req.c 2022-05-12 13:31:49.587984867 +0200
|
||||
@@ -266,7 +266,7 @@ int req_main(int argc, char **argv)
|
||||
unsigned long chtype = MBSTRING_ASC, reqflag = 0;
|
||||
|
||||
#ifndef OPENSSL_NO_DES
|
||||
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
||||
+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
|
||||
#endif
|
||||
|
||||
prog = opt_init(argc, argv, req_options);
|
||||
diff -up openssl-3.0.1/apps/ecparam.c.fips_list_curves openssl-3.0.1/apps/ecparam.c
|
||||
--- openssl-3.0.1/apps/ecparam.c.fips_list_curves 2022-05-19 11:46:22.682519422 +0200
|
||||
+++ openssl-3.0.1/apps/ecparam.c 2022-05-19 11:50:44.559828701 +0200
|
||||
@@ -79,6 +79,9 @@ static int list_builtin_curves(BIO *out)
|
||||
const char *comment = curves[n].comment;
|
||||
const char *sname = OBJ_nid2sn(curves[n].nid);
|
||||
|
||||
+ if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL))
|
||||
+ continue;
|
||||
+
|
||||
if (comment == NULL)
|
||||
comment = "CURVE DESCRIPTION NOT AVAILABLE";
|
||||
if (sname == NULL)
|
||||
diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
|
||||
--- openssl-3.0.1/ssl/ssl_ciph.c.nokrsa 2022-05-19 13:32:32.536708638 +0200
|
||||
+++ openssl-3.0.1/ssl/ssl_ciph.c 2022-05-19 13:42:29.734002959 +0200
|
||||
@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
|
||||
ctx->disabled_mkey_mask = 0;
|
||||
ctx->disabled_auth_mask = 0;
|
||||
|
||||
+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
|
||||
+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
|
||||
+
|
||||
/*
|
||||
* We ignore any errors from the fetches below. They are expected to fail
|
||||
* if theose algorithms are not available.
|
||||
diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c
|
||||
--- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200
|
||||
@@ -692,6 +692,19 @@ static int rsa_verify_recover(void *vprs
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||
int ret;
|
||||
+# ifdef FIPS_MODULE
|
||||
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
||||
+
|
||||
+ if (rsabits < 2048) {
|
||||
+ if (rsabits != 1024
|
||||
+ && rsabits != 1280
|
||||
+ && rsabits != 1536
|
||||
+ && rsabits != 1792) {
|
||||
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+# endif
|
||||
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
||||
@@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||
size_t rslen;
|
||||
+# ifdef FIPS_MODULE
|
||||
+ size_t rsabits = RSA_bits(prsactx->rsa);
|
||||
+
|
||||
+ if (rsabits < 2048) {
|
||||
+ if (rsabits != 1024
|
||||
+ && rsabits != 1280
|
||||
+ && rsabits != 1536
|
||||
+ && rsabits != 1792) {
|
||||
+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+# endif
|
||||
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
@ -1,39 +0,0 @@
|
||||
diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/providers/fips/self_test.c
|
||||
--- openssl-3.0.1/providers/fips/self_test.c.earlykats 2022-01-19 13:10:00.635830783 +0100
|
||||
+++ openssl-3.0.1/providers/fips/self_test.c 2022-01-19 13:11:43.309342656 +0100
|
||||
@@ -362,6 +362,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
if (ev == NULL)
|
||||
goto end;
|
||||
|
||||
+ /*
|
||||
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
|
||||
+ */
|
||||
+ if (kats_already_passed == 0) {
|
||||
+ if (!SELF_TEST_kats(ev, st->libctx)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
module_checksum = fips_hmac_container;
|
||||
checksum_len = sizeof(fips_hmac_container);
|
||||
|
||||
@@ -411,18 +421,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
kats_already_passed = 1;
|
||||
}
|
||||
}
|
||||
-
|
||||
- /*
|
||||
- * Only runs the KAT's during installation OR on_demand().
|
||||
- * NOTE: If the installation option 'self_test_onload' is chosen then this
|
||||
- * path will always be run, since kats_already_passed will always be 0.
|
||||
- */
|
||||
- if (on_demand_test || kats_already_passed == 0) {
|
||||
- if (!SELF_TEST_kats(ev, st->libctx)) {
|
||||
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
||||
- goto end;
|
||||
- }
|
||||
- }
|
||||
ok = 1;
|
||||
end:
|
||||
OSSL_SELF_TEST_free(ev);
|
@ -1,489 +0,0 @@
|
||||
From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 21 Feb 2022 17:24:44 +0100
|
||||
Subject: Selectively disallow SHA1 signatures
|
||||
|
||||
For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is
|
||||
disabling SHA1 signatures. Introduce a new configuration option in the
|
||||
alg_section named 'rh-allow-sha1-signatures'. This option defaults to
|
||||
false. If set to false (or unset), any signature creation or
|
||||
verification operations that involve SHA1 as digest will fail.
|
||||
|
||||
This also affects TLS, where the signature_algorithms extension of any
|
||||
ClientHello message sent by OpenSSL will no longer include signatures
|
||||
with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
|
||||
that request a client certificate, the same also applies for
|
||||
CertificateRequest messages sent by them.
|
||||
|
||||
For signatures created using the EVP_PKEY API, this is a best-effort
|
||||
check that will deny signatures in cases where the digest algorithm is
|
||||
known. This means, for example, that that following steps will still
|
||||
work:
|
||||
|
||||
$> openssl dgst -sha1 -binary -out sha1 infile
|
||||
$> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig
|
||||
$> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1
|
||||
|
||||
whereas these will not:
|
||||
|
||||
$> openssl dgst -sha1 -binary -out sha1 infile
|
||||
$> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1
|
||||
$> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1
|
||||
|
||||
This happens because in the first case, OpenSSL's signature
|
||||
implementation does not know that it is signing a SHA1 hash (it could be
|
||||
signing arbitrary data).
|
||||
|
||||
Resolves: rhbz#2031742
|
||||
---
|
||||
crypto/evp/evp_cnf.c | 13 ++++
|
||||
crypto/evp/m_sigver.c | 77 +++++++++++++++++++
|
||||
crypto/evp/pmeth_lib.c | 15 ++++
|
||||
doc/man5/config.pod | 11 +++
|
||||
include/internal/cryptlib.h | 3 +-
|
||||
include/internal/sslconf.h | 4 +
|
||||
providers/common/securitycheck.c | 20 +++++
|
||||
providers/common/securitycheck_default.c | 9 ++-
|
||||
providers/implementations/signature/dsa_sig.c | 11 ++-
|
||||
.../implementations/signature/ecdsa_sig.c | 4 +
|
||||
providers/implementations/signature/rsa_sig.c | 20 ++++-
|
||||
ssl/t1_lib.c | 8 ++
|
||||
util/libcrypto.num | 2 +
|
||||
13 files changed, 188 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
|
||||
index 0e7fe64cf9..b9d3b6d226 100644
|
||||
--- a/crypto/evp/evp_cnf.c
|
||||
+++ b/crypto/evp/evp_cnf.c
|
||||
@@ -10,6 +10,7 @@
|
||||
#include <stdio.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include "internal/cryptlib.h"
|
||||
+#include "internal/sslconf.h"
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/x509v3.h>
|
||||
@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
|
||||
+ int m;
|
||||
+
|
||||
+ /* Detailed error already reported. */
|
||||
+ if (!X509V3_get_value_bool(oval, &m))
|
||||
+ return 0;
|
||||
+
|
||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed_set(
|
||||
+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
|
||||
+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
|
||||
+ return 0;
|
||||
+ }
|
||||
} else {
|
||||
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
|
||||
"name=%s, value=%s", oval->name, oval->value);
|
||||
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
||||
index 9188edbc21..db1a1d7bc3 100644
|
||||
--- a/crypto/evp/m_sigver.c
|
||||
+++ b/crypto/evp/m_sigver.c
|
||||
@@ -16,6 +16,71 @@
|
||||
#include "internal/numbers.h" /* includes SIZE_MAX */
|
||||
#include "evp_local.h"
|
||||
|
||||
+typedef struct ossl_legacy_digest_signatures_st {
|
||||
+ int allowed;
|
||||
+} OSSL_LEGACY_DIGEST_SIGNATURES;
|
||||
+
|
||||
+static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
|
||||
+{
|
||||
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
|
||||
+
|
||||
+ if (ldsigs != NULL) {
|
||||
+ OPENSSL_free(ldsigs);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
|
||||
+{
|
||||
+ return OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
|
||||
+}
|
||||
+
|
||||
+static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = {
|
||||
+ OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,
|
||||
+ ossl_ctx_legacy_digest_signatures_new,
|
||||
+ ossl_ctx_legacy_digest_signatures_free,
|
||||
+};
|
||||
+
|
||||
+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
|
||||
+ OSSL_LIB_CTX *libctx, int loadconfig)
|
||||
+{
|
||||
+#ifndef FIPS_MODULE
|
||||
+ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
|
||||
+ return 0;
|
||||
+#endif
|
||||
+
|
||||
+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES,
|
||||
+ &ossl_ctx_legacy_digest_signatures_method);
|
||||
+}
|
||||
+
|
||||
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
|
||||
+{
|
||||
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
|
||||
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
|
||||
+
|
||||
+#ifndef FIPS_MODULE
|
||||
+ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
|
||||
+ /* used in tests */
|
||||
+ return 1;
|
||||
+#endif
|
||||
+
|
||||
+ return ldsigs != NULL ? ldsigs->allowed : 0;
|
||||
+}
|
||||
+
|
||||
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
|
||||
+ int loadconfig)
|
||||
+{
|
||||
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
|
||||
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
|
||||
+
|
||||
+ if (ldsigs == NULL) {
|
||||
+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ ldsigs->allowed = allow;
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
#ifndef FIPS_MODULE
|
||||
|
||||
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
|
||||
@@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (ctx->reqdigest != NULL
|
||||
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
|
||||
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
||||
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
|
||||
+ int mdnid = EVP_MD_nid(ctx->reqdigest);
|
||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
|
||||
+ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
|
||||
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (ver) {
|
||||
if (signature->digest_verify_init == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
||||
index 2b9c6c2351..3c5a1e6f5d 100644
|
||||
--- a/crypto/evp/pmeth_lib.c
|
||||
+++ b/crypto/evp/pmeth_lib.c
|
||||
@@ -33,6 +33,7 @@
|
||||
#include "internal/ffc.h"
|
||||
#include "internal/numbers.h"
|
||||
#include "internal/provider.h"
|
||||
+#include "internal/sslconf.h"
|
||||
#include "evp_local.h"
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
@@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
|
||||
return -2;
|
||||
}
|
||||
|
||||
+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
|
||||
+ && md != NULL
|
||||
+ && ctx->pkey != NULL
|
||||
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
|
||||
+ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
|
||||
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
|
||||
+ int mdnid = EVP_MD_nid(md);
|
||||
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
||||
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
|
||||
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (fallback)
|
||||
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
|
||||
|
||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
||||
index 77a8055e81..aa1be5ca7f 100644
|
||||
--- a/doc/man5/config.pod
|
||||
+++ b/doc/man5/config.pod
|
||||
@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
|
||||
The value may be anything that is acceptable as a property query
|
||||
string for EVP_set_default_properties().
|
||||
|
||||
+=item B<rh-allow-sha1-signatures>
|
||||
+
|
||||
+The value is a boolean that can be B<yes> or B<no>. If the value is not set,
|
||||
+it behaves as if it was set to B<no>.
|
||||
+
|
||||
+When set to B<no>, any attempt to create or verify a signature with a SHA1
|
||||
+digest will fail. For compatibility with older versions of OpenSSL, set this
|
||||
+option to B<yes>. This setting also affects TLS, where signature algorithms
|
||||
+that use SHA1 as digest will no longer be supported if this option is set to
|
||||
+B<no>.
|
||||
+
|
||||
=item B<fips_mode> (deprecated)
|
||||
|
||||
The value is a boolean that can be B<yes> or B<no>. If the value is
|
||||
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
|
||||
index 1291299b6e..e234341e6a 100644
|
||||
--- a/include/internal/cryptlib.h
|
||||
+++ b/include/internal/cryptlib.h
|
||||
@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
|
||||
# define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16
|
||||
# define OSSL_LIB_CTX_BIO_CORE_INDEX 17
|
||||
# define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
|
||||
-# define OSSL_LIB_CTX_MAX_INDEXES 19
|
||||
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES 19
|
||||
+# define OSSL_LIB_CTX_MAX_INDEXES 20
|
||||
|
||||
# define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1
|
||||
# define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0
|
||||
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
|
||||
index fd7f7e3331..05464b0655 100644
|
||||
--- a/include/internal/sslconf.h
|
||||
+++ b/include/internal/sslconf.h
|
||||
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
|
||||
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
|
||||
char **arg);
|
||||
|
||||
+/* Methods to support disabling all signatures with legacy digests */
|
||||
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
|
||||
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
|
||||
+ int loadconfig);
|
||||
#endif
|
||||
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
||||
index 699ada7c52..e534ad0a5f 100644
|
||||
--- a/providers/common/securitycheck.c
|
||||
+++ b/providers/common/securitycheck.c
|
||||
@@ -19,6 +19,7 @@
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include "prov/securitycheck.h"
|
||||
+#include "internal/sslconf.h"
|
||||
|
||||
/*
|
||||
* FIPS requires a minimum security strength of 112 bits (for encryption or
|
||||
@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
mdnid = -1; /* disallowed by security checks */
|
||||
}
|
||||
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||
+
|
||||
+#ifndef FIPS_MODULE
|
||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
||||
+ /* SHA1 is globally disabled, check whether we want to locally allow
|
||||
+ * it. */
|
||||
+ if (mdnid == NID_sha1 && !sha1_allowed)
|
||||
+ mdnid = -1;
|
||||
+#endif
|
||||
+
|
||||
return mdnid;
|
||||
}
|
||||
|
||||
@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
|
||||
if (ossl_securitycheck_enabled(ctx))
|
||||
return ossl_digest_get_approved_nid(md) != NID_undef;
|
||||
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||
+
|
||||
+#ifndef FIPS_MODULE
|
||||
+ {
|
||||
+ int mdnid = EVP_MD_nid(md);
|
||||
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
||||
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
||||
index de7f0d3a0a..ce54a94fbc 100644
|
||||
--- a/providers/common/securitycheck_default.c
|
||||
+++ b/providers/common/securitycheck_default.c
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <openssl/obj_mac.h>
|
||||
#include "prov/securitycheck.h"
|
||||
#include "internal/nelem.h"
|
||||
+#include "internal/sslconf.h"
|
||||
|
||||
/* Disable the security checks in the default provider */
|
||||
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||
@@ -23,9 +24,10 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||
}
|
||||
|
||||
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
- ossl_unused int sha1_allowed)
|
||||
+ int sha1_allowed)
|
||||
{
|
||||
int mdnid;
|
||||
+ int ldsigs_allowed;
|
||||
|
||||
static const OSSL_ITEM name_to_nid[] = {
|
||||
{ NID_md5, OSSL_DIGEST_NAME_MD5 },
|
||||
@@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
|
||||
};
|
||||
|
||||
- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
|
||||
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
|
||||
+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
|
||||
if (mdnid == NID_undef)
|
||||
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
|
||||
+ if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
|
||||
+ mdnid = -1;
|
||||
return mdnid;
|
||||
}
|
||||
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
|
||||
index 28fd7c498e..fa3822f39f 100644
|
||||
--- a/providers/implementations/signature/dsa_sig.c
|
||||
+++ b/providers/implementations/signature/dsa_sig.c
|
||||
@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
||||
mdprops = ctx->propq;
|
||||
|
||||
if (mdname != NULL) {
|
||||
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
WPACKET pkt;
|
||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||
- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||
- sha1_allowed);
|
||||
+ int md_nid;
|
||||
size_t mdname_len = strlen(mdname);
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
+#else
|
||||
+ int sha1_allowed = 0;
|
||||
+#endif
|
||||
+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||
+ sha1_allowed);
|
||||
|
||||
if (md == NULL || md_nid < 0) {
|
||||
if (md == NULL)
|
||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
||||
index 865d49d100..99b228e82c 100644
|
||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
||||
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
||||
"%s could not be fetched", mdname);
|
||||
return 0;
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
+#else
|
||||
+ sha1_allowed = 0;
|
||||
+#endif
|
||||
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||
sha1_allowed);
|
||||
if (md_nid < 0) {
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index 325e855333..bea397f0c1 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -26,6 +26,7 @@
|
||||
#include "internal/cryptlib.h"
|
||||
#include "internal/nelem.h"
|
||||
#include "internal/sizes.h"
|
||||
+#include "internal/sslconf.h"
|
||||
#include "crypto/rsa.h"
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/implementations.h"
|
||||
@@ -34,6 +35,7 @@
|
||||
#include "prov/securitycheck.h"
|
||||
|
||||
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
||||
+#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
|
||||
|
||||
OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
||||
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
||||
@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
||||
|
||||
if (mdname != NULL) {
|
||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||
+ int md_nid;
|
||||
+ size_t mdname_len = strlen(mdname);
|
||||
+#ifdef FIPS_MODULE
|
||||
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
||||
+#else
|
||||
+ int sha1_allowed = 0;
|
||||
+#endif
|
||||
+ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
||||
sha1_allowed);
|
||||
- size_t mdname_len = strlen(mdname);
|
||||
|
||||
if (md == NULL
|
||||
|| md_nid <= 0
|
||||
@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
prsactx->pad_mode = pad_mode;
|
||||
|
||||
if (prsactx->md == NULL && pmdname == NULL
|
||||
- && pad_mode == RSA_PKCS1_PSS_PADDING)
|
||||
+ && pad_mode == RSA_PKCS1_PSS_PADDING) {
|
||||
pmdname = RSA_DEFAULT_DIGEST_NAME;
|
||||
+#ifndef FIPS_MODULE
|
||||
+ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
|
||||
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
|
||||
if (pmgf1mdname != NULL
|
||||
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
|
||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||
index fc32bb3556..4b74ee1a34 100644
|
||||
--- a/ssl/t1_lib.c
|
||||
+++ b/ssl/t1_lib.c
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/provider.h>
|
||||
#include <openssl/param_build.h>
|
||||
+#include "internal/sslconf.h"
|
||||
#include "internal/nelem.h"
|
||||
#include "internal/sizes.h"
|
||||
#include "internal/tlsgroups.h"
|
||||
@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
||||
= OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
|
||||
EVP_PKEY *tmpkey = EVP_PKEY_new();
|
||||
int ret = 0;
|
||||
+ int ldsigs_allowed;
|
||||
|
||||
if (cache == NULL || tmpkey == NULL)
|
||||
goto err;
|
||||
|
||||
ERR_set_mark();
|
||||
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
|
||||
for (i = 0, lu = sigalg_lookup_tbl;
|
||||
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
|
||||
EVP_PKEY_CTX *pctx;
|
||||
@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
||||
cache[i].enabled = 0;
|
||||
continue;
|
||||
}
|
||||
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
|
||||
+ && !ldsigs_allowed) {
|
||||
+ cache[i].enabled = 0;
|
||||
+ continue;
|
||||
+ }
|
||||
|
||||
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
|
||||
cache[i].enabled = 0;
|
||||
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||
index 10b4e57d79..2d3c363bb0 100644
|
||||
--- a/util/libcrypto.num
|
||||
+++ b/util/libcrypto.num
|
||||
@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
|
||||
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
||||
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
||||
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
||||
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
||||
--
|
||||
2.35.1
|
||||
|
@ -1,95 +0,0 @@
|
||||
diff -up openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips openssl-3.0.1/crypto/pkcs12/p12_key.c
|
||||
--- openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips 2022-02-21 12:35:24.829893907 +0100
|
||||
+++ openssl-3.0.1/crypto/pkcs12/p12_key.c 2022-02-21 13:01:22.711622967 +0100
|
||||
@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char
|
||||
EVP_KDF *kdf;
|
||||
EVP_KDF_CTX *ctx;
|
||||
OSSL_PARAM params[6], *p = params;
|
||||
+ char *adjusted_propq = NULL;
|
||||
|
||||
if (n <= 0)
|
||||
return 0;
|
||||
|
||||
- kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
|
||||
- if (kdf == NULL)
|
||||
+ if (ossl_get_kernel_fips_flag()) {
|
||||
+ const char *nofips = "-fips";
|
||||
+ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
|
||||
+ strlen(nofips) + 1;
|
||||
+ char *ptr = NULL;
|
||||
+
|
||||
+ adjusted_propq = OPENSSL_zalloc(len);
|
||||
+ if (adjusted_propq != NULL) {
|
||||
+ ptr = adjusted_propq;
|
||||
+ if (propq) {
|
||||
+ memcpy(ptr, propq, strlen(propq));
|
||||
+ ptr += strlen(propq);
|
||||
+ *ptr = ',';
|
||||
+ ptr++;
|
||||
+ }
|
||||
+ memcpy(ptr, nofips, strlen(nofips));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ kdf = adjusted_propq ? EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
|
||||
+ if (kdf == NULL) {
|
||||
+ OPENSSL_free(adjusted_propq);
|
||||
return 0;
|
||||
+ }
|
||||
ctx = EVP_KDF_CTX_new(kdf);
|
||||
EVP_KDF_free(kdf);
|
||||
- if (ctx == NULL)
|
||||
+ if (ctx == NULL) {
|
||||
+ OPENSSL_free(adjusted_propq);
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||
(char *)EVP_MD_get0_name(md_type),
|
||||
@@ -127,6 +149,7 @@ int PKCS12_key_gen_uni_ex(unsigned char
|
||||
} OSSL_TRACE_END(PKCS12_KEYGEN);
|
||||
}
|
||||
EVP_KDF_CTX_free(ctx);
|
||||
+ OPENSSL_free(adjusted_propq);
|
||||
return res;
|
||||
}
|
||||
|
||||
diff -up openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps openssl-3.0.1/apps/pkcs12.c
|
||||
--- openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps 2022-02-21 16:37:07.908923682 +0100
|
||||
+++ openssl-3.0.1/apps/pkcs12.c 2022-02-21 17:38:44.555345633 +0100
|
||||
@@ -765,15 +765,34 @@ int pkcs12_main(int argc, char **argv)
|
||||
}
|
||||
if (macver) {
|
||||
EVP_KDF *pkcs12kdf;
|
||||
+ char *adjusted_propq = NULL;
|
||||
+ const char *nofips = "-fips";
|
||||
+ size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 :
|
||||
+ strlen(nofips) + 1;
|
||||
+ char *ptr = NULL;
|
||||
+
|
||||
+ adjusted_propq = OPENSSL_zalloc(len);
|
||||
+ if (adjusted_propq != NULL) {
|
||||
+ ptr = adjusted_propq;
|
||||
+ if (app_get0_propq()) {
|
||||
+ memcpy(ptr, app_get0_propq(), strlen(app_get0_propq()));
|
||||
+ ptr += strlen(app_get0_propq());
|
||||
+ *ptr = ',';
|
||||
+ ptr++;
|
||||
+ }
|
||||
+ memcpy(ptr, nofips, strlen(nofips));
|
||||
+ }
|
||||
|
||||
pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
|
||||
- app_get0_propq());
|
||||
+ adjusted_propq ? adjusted_propq : app_get0_propq());
|
||||
if (pkcs12kdf == NULL) {
|
||||
BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
|
||||
BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
|
||||
+ OPENSSL_free(adjusted_propq);
|
||||
goto end;
|
||||
}
|
||||
EVP_KDF_free(pkcs12kdf);
|
||||
+ OPENSSL_free(adjusted_propq);
|
||||
/* If we enter empty password try no password first */
|
||||
if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
|
||||
/* If mac and crypto pass the same set it to NULL too */
|
File diff suppressed because it is too large
Load Diff
@ -1,206 +0,0 @@
|
||||
From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Tue, 1 Mar 2022 15:44:18 +0100
|
||||
Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
|
||||
|
||||
References: rhbz#2055796
|
||||
---
|
||||
crypto/x509/x509_vfy.c | 19 ++++++++++-
|
||||
doc/man5/config.pod | 7 +++-
|
||||
ssl/t1_lib.c | 64 ++++++++++++++++++++++++++++-------
|
||||
test/recipes/25-test_verify.t | 7 ++--
|
||||
4 files changed, 79 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
|
||||
index ff3ca83de6..a549c1c111 100644
|
||||
--- a/crypto/x509/x509_vfy.c
|
||||
+++ b/crypto/x509/x509_vfy.c
|
||||
@@ -25,6 +25,7 @@
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include "internal/dane.h"
|
||||
+#include "internal/sslconf.h"
|
||||
#include "crypto/x509.h"
|
||||
#include "x509_local.h"
|
||||
|
||||
@@ -3440,14 +3441,30 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
|
||||
{
|
||||
int secbits = -1;
|
||||
int level = ctx->param->auth_level;
|
||||
+ int nid;
|
||||
+ OSSL_LIB_CTX *libctx = NULL;
|
||||
|
||||
if (level <= 0)
|
||||
return 1;
|
||||
if (level > NUM_AUTH_LEVELS)
|
||||
level = NUM_AUTH_LEVELS;
|
||||
|
||||
- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
|
||||
+ if (ctx->libctx)
|
||||
+ libctx = ctx->libctx;
|
||||
+ else if (cert->libctx)
|
||||
+ libctx = cert->libctx;
|
||||
+ else
|
||||
+ libctx = OSSL_LIB_CTX_get0_global_default();
|
||||
+
|
||||
+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
|
||||
return 0;
|
||||
|
||||
+ if (nid == NID_sha1
|
||||
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
|
||||
+ && ctx->param->auth_level < 3)
|
||||
+ /* When rh-allow-sha1-signatures = yes and security level <= 2,
|
||||
+ * explicitly allow SHA1 for backwards compatibility. */
|
||||
+ return 1;
|
||||
+
|
||||
return secbits >= minbits_table[level - 1];
|
||||
}
|
||||
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
||||
index aa1be5ca7f..aa69e2b844 100644
|
||||
--- a/doc/man5/config.pod
|
||||
+++ b/doc/man5/config.pod
|
||||
@@ -305,7 +305,12 @@ When set to B<no>, any attempt to create or verify a signature with a SHA1
|
||||
digest will fail. For compatibility with older versions of OpenSSL, set this
|
||||
option to B<yes>. This setting also affects TLS, where signature algorithms
|
||||
that use SHA1 as digest will no longer be supported if this option is set to
|
||||
-B<no>.
|
||||
+B<no>. Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
|
||||
+algorithms that use SHA1 in security level 2, despite the definition of
|
||||
+security level 2 of 112 bits of security, which SHA1 does not meet. Because
|
||||
+TLS 1.1 or lower use MD5-SHA1 as pseudorandom function (PRF) to derive key
|
||||
+material, disabling B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or
|
||||
+newer.
|
||||
|
||||
=item B<fips_mode> (deprecated)
|
||||
|
||||
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||
index 4b74ee1a34..5f089de107 100644
|
||||
--- a/ssl/t1_lib.c
|
||||
+++ b/ssl/t1_lib.c
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/provider.h>
|
||||
#include <openssl/param_build.h>
|
||||
+#include "crypto/x509.h"
|
||||
#include "internal/sslconf.h"
|
||||
#include "internal/nelem.h"
|
||||
#include "internal/sizes.h"
|
||||
@@ -1561,19 +1562,27 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
|
||||
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
|
||||
return 0;
|
||||
}
|
||||
- /*
|
||||
- * Make sure security callback allows algorithm. For historical
|
||||
- * reasons we have to pass the sigalg as a two byte char array.
|
||||
- */
|
||||
- sigalgstr[0] = (sig >> 8) & 0xff;
|
||||
- sigalgstr[1] = sig & 0xff;
|
||||
- secbits = sigalg_security_bits(s->ctx, lu);
|
||||
- if (secbits == 0 ||
|
||||
- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
|
||||
- md != NULL ? EVP_MD_get_type(md) : NID_undef,
|
||||
- (void *)sigalgstr)) {
|
||||
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
|
||||
- return 0;
|
||||
+
|
||||
+ if (lu->hash == NID_sha1
|
||||
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
|
||||
+ && SSL_get_security_level(s) < 3) {
|
||||
+ /* when rh-allow-sha1-signatures = yes and security level <= 2,
|
||||
+ * explicitly allow SHA1 for backwards compatibility */
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * Make sure security callback allows algorithm. For historical
|
||||
+ * reasons we have to pass the sigalg as a two byte char array.
|
||||
+ */
|
||||
+ sigalgstr[0] = (sig >> 8) & 0xff;
|
||||
+ sigalgstr[1] = sig & 0xff;
|
||||
+ secbits = sigalg_security_bits(s->ctx, lu);
|
||||
+ if (secbits == 0 ||
|
||||
+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
|
||||
+ md != NULL ? EVP_MD_get_type(md) : NID_undef,
|
||||
+ (void *)sigalgstr)) {
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
|
||||
+ return 0;
|
||||
+ }
|
||||
}
|
||||
/* Store the sigalg the peer uses */
|
||||
s->s3.tmp.peer_sigalg = lu;
|
||||
@@ -2106,6 +2115,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
|
||||
}
|
||||
}
|
||||
|
||||
+ if (lu->hash == NID_sha1
|
||||
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
|
||||
+ && SSL_get_security_level(s) < 3) {
|
||||
+ /* when rh-allow-sha1-signatures = yes and security level <= 2,
|
||||
+ * explicitly allow SHA1 for backwards compatibility */
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
/* Finally see if security callback allows it */
|
||||
secbits = sigalg_security_bits(s->ctx, lu);
|
||||
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
|
||||
@@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
||||
{
|
||||
/* Lookup signature algorithm digest */
|
||||
int secbits, nid, pknid;
|
||||
+ OSSL_LIB_CTX *libctx = NULL;
|
||||
+
|
||||
/* Don't check signature if self signed */
|
||||
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
|
||||
return 1;
|
||||
@@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
|
||||
/* If digest NID not defined use signature NID */
|
||||
if (nid == NID_undef)
|
||||
nid = pknid;
|
||||
+
|
||||
+ if (x && x->libctx)
|
||||
+ libctx = x->libctx;
|
||||
+ else if (ctx && ctx->libctx)
|
||||
+ libctx = ctx->libctx;
|
||||
+ else if (s && s->ctx && s->ctx->libctx)
|
||||
+ libctx = s->ctx->libctx;
|
||||
+ else
|
||||
+ libctx = OSSL_LIB_CTX_get0_global_default();
|
||||
+
|
||||
+ if (nid == NID_sha1
|
||||
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
|
||||
+ && ((s != NULL && SSL_get_security_level(s) < 3)
|
||||
+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
|
||||
+ ))
|
||||
+ /* When rh-allow-sha1-signatures = yes and security level <= 2,
|
||||
+ * explicitly allow SHA1 for backwards compatibility. */
|
||||
+ return 1;
|
||||
+
|
||||
if (s)
|
||||
return ssl_security(s, op, secbits, nid, x);
|
||||
else
|
||||
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
|
||||
index 700bbd849c..2de1d76b5e 100644
|
||||
--- a/test/recipes/25-test_verify.t
|
||||
+++ b/test/recipes/25-test_verify.t
|
||||
@@ -29,7 +29,7 @@ sub verify {
|
||||
run(app([@args]));
|
||||
}
|
||||
|
||||
-plan tests => 163;
|
||||
+plan tests => 162;
|
||||
|
||||
# Canonical success
|
||||
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
||||
@@ -387,8 +387,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
|
||||
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
|
||||
"CA with PSS signature using SHA256");
|
||||
|
||||
-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
|
||||
- "Reject PSS signature using SHA1 and auth level 1");
|
||||
+## rh-allow-sha1-signatures=yes allows this to pass despite -auth_level 1
|
||||
+#ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
|
||||
+# "Reject PSS signature using SHA1 and auth level 1");
|
||||
|
||||
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
|
||||
"PSS signature using SHA256 and auth level 2");
|
||||
--
|
||||
2.35.1
|
||||
|
@ -1,54 +0,0 @@
|
||||
diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num
|
||||
--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
|
||||
+++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
|
||||
@@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex
|
||||
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
||||
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
||||
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
||||
+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
|
||||
+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
|
||||
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||
ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
||||
ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
||||
diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
|
||||
--- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100
|
||||
+++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100
|
||||
@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char
|
||||
#endif
|
||||
}
|
||||
|
||||
-int OPENSSL_strcasecmp(const char *s1, const char *s2)
|
||||
+int
|
||||
+#ifndef FIPS_MODULE
|
||||
+__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
|
||||
+ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
|
||||
+#endif
|
||||
+OPENSSL_strcasecmp(const char *s1, const char *s2)
|
||||
{
|
||||
int t;
|
||||
|
||||
@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c
|
||||
return t;
|
||||
}
|
||||
|
||||
-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
|
||||
+int
|
||||
+#ifndef FIPS_MODULE
|
||||
+__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
|
||||
+ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
|
||||
+#endif
|
||||
+OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
|
||||
{
|
||||
int t;
|
||||
size_t i;
|
||||
diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t
|
||||
--- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100
|
||||
+++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100
|
||||
@@ -77,6 +80,7 @@ foreach my $libname (@libnames) {
|
||||
s| .*||;
|
||||
# Drop OpenSSL dynamic version information if there is any
|
||||
s|\@\@.+$||;
|
||||
+ s|\@.+$||;
|
||||
# Return the result
|
||||
$_
|
||||
}
|
@ -1,540 +0,0 @@
|
||||
diff -up openssl-3.0.1/providers/common/securitycheck.c.rsaenc openssl-3.0.1/providers/common/securitycheck.c
|
||||
--- openssl-3.0.1/providers/common/securitycheck.c.rsaenc 2022-06-24 17:14:33.634692729 +0200
|
||||
+++ openssl-3.0.1/providers/common/securitycheck.c 2022-06-24 17:16:08.966540605 +0200
|
||||
@@ -27,6 +27,7 @@
|
||||
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
|
||||
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
|
||||
*/
|
||||
+/* Red Hat build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */
|
||||
int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
|
||||
{
|
||||
int protect = 0;
|
||||
diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c
|
||||
--- openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad 2022-05-02 16:04:47.000091901 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c 2022-05-02 16:14:50.922443581 +0200
|
||||
@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsac
|
||||
return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT);
|
||||
}
|
||||
|
||||
+# ifdef FIPS_MODULE
|
||||
+static int fips_padding_allowed(const PROV_RSA_CTX *prsactx)
|
||||
+{
|
||||
+ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING
|
||||
+ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING)
|
||||
+ return 0;
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+# endif
|
||||
+
|
||||
static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
||||
size_t outsize, const unsigned char *in, size_t inlen)
|
||||
{
|
||||
@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, u
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
||||
|
||||
+# ifdef FIPS_MODULE
|
||||
+ if (fips_padding_allowed(prsactx) == 0) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
+# endif
|
||||
+
|
||||
if (out == NULL) {
|
||||
size_t len = RSA_size(prsactx->rsa);
|
||||
|
||||
@@ -202,6 +220,18 @@ static int rsa_decrypt(void *vprsactx, u
|
||||
if (!ossl_prov_is_running())
|
||||
return 0;
|
||||
|
||||
+# ifdef FIPS_MODULE
|
||||
+ if (fips_padding_allowed(prsactx) == 0) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
+# endif
|
||||
+
|
||||
if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
|
||||
if (out == NULL) {
|
||||
*outlen = SSL_MAX_MASTER_KEY_LENGTH;
|
||||
diff -up openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_cms.t
|
||||
--- openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad 2022-05-02 17:04:07.610782138 +0200
|
||||
+++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-02 17:06:03.595814620 +0200
|
||||
@@ -232,7 +232,7 @@ my @smime_pkcs7_tests = (
|
||||
\&final_compare
|
||||
],
|
||||
|
||||
- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
|
||||
+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
|
||||
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
||||
"-aes256", "-stream", "-out", "{output}.cms",
|
||||
$smrsa1,
|
||||
@@ -865,5 +865,8 @@ sub check_availability {
|
||||
return "$tnam: skipped, DSA disabled\n"
|
||||
if ($no_dsa && $tnam =~ / DSA/);
|
||||
|
||||
+ return "$tnam: skipped, Red Hat FIPS\n"
|
||||
+ if ($tnam =~ /no Red Hat FIPS/);
|
||||
+
|
||||
return "";
|
||||
}
|
||||
diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_ssl_old.t
|
||||
--- openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad 2022-05-02 17:26:37.962838053 +0200
|
||||
+++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-02 17:34:20.297950449 +0200
|
||||
@@ -483,6 +483,18 @@ sub testssl {
|
||||
# the default choice if TLSv1.3 enabled
|
||||
my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
|
||||
my $ciphersuites = "";
|
||||
+ my %redhat_skip_cipher = map {$_ => 1} qw(
|
||||
+AES256-GCM-SHA384:@SECLEVEL=0
|
||||
+AES256-CCM8:@SECLEVEL=0
|
||||
+AES256-CCM:@SECLEVEL=0
|
||||
+AES128-GCM-SHA256:@SECLEVEL=0
|
||||
+AES128-CCM8:@SECLEVEL=0
|
||||
+AES128-CCM:@SECLEVEL=0
|
||||
+AES256-SHA256:@SECLEVEL=0
|
||||
+AES128-SHA256:@SECLEVEL=0
|
||||
+AES256-SHA:@SECLEVEL=0
|
||||
+AES128-SHA:@SECLEVEL=0
|
||||
+ );
|
||||
foreach my $cipher (@{$ciphersuites{$protocol}}) {
|
||||
if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
|
||||
note "*****SKIPPING $protocol $cipher";
|
||||
@@ -494,11 +506,16 @@ sub testssl {
|
||||
} else {
|
||||
$cipher = $cipher.':@SECLEVEL=0';
|
||||
}
|
||||
- ok(run(test([@ssltest, @exkeys, "-cipher",
|
||||
- $cipher,
|
||||
- "-ciphersuites", $ciphersuites,
|
||||
- $flag || ()])),
|
||||
- "Testing $cipher");
|
||||
+ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) {
|
||||
+ note "*****SKIPPING $cipher in Red Hat FIPS mode";
|
||||
+ ok(1);
|
||||
+ } else {
|
||||
+ ok(run(test([@ssltest, @exkeys, "-cipher",
|
||||
+ $cipher,
|
||||
+ "-ciphersuites", $ciphersuites,
|
||||
+ $flag || ()])),
|
||||
+ "Testing $cipher");
|
||||
+ }
|
||||
}
|
||||
}
|
||||
next if $protocol eq "-tls1_3";
|
||||
diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
--- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen 2022-06-16 14:26:19.383530498 +0200
|
||||
+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2022-06-16 14:39:53.637777701 +0200
|
||||
@@ -263,12 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974
|
||||
Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
|
||||
|
||||
# RSA decrypt
|
||||
-
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048
|
||||
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
|
||||
Output = "Hello World"
|
||||
|
||||
# Corrupted ciphertext
|
||||
+Availablein = default
|
||||
Decrypt = RSA-2048
|
||||
Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
|
||||
Output = "Hello World"
|
||||
@@ -665,36 +666,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mN
|
||||
h90qjKHS9PvY4Q==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a
|
||||
Output=6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44
|
||||
Output=750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb
|
||||
Output=d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755
|
||||
Output=52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439
|
||||
Output=8da89fd9e5f974a29feffb462b49180f6cf9e802
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-1
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -719,36 +726,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64
|
||||
eG2e4XlBcKjI6A==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e
|
||||
Output=8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245
|
||||
Output=2d
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053
|
||||
Output=74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641
|
||||
Output=a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec
|
||||
Output=2ef2b066f854c33f3bdcbb5994a435e73d6c6c
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-2
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -773,36 +786,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+W
|
||||
Ya4qnqZe1onjY5o=
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80
|
||||
Output=087820b569e8fa8d
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5
|
||||
Output=4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a
|
||||
Output=d94cd0e08fa404ed89
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0
|
||||
Output=6cc641b6b61e6f963974dad23a9013284ef1
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60
|
||||
Output=df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-3
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -827,36 +846,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/
|
||||
aD0x7TDrmEvkEro=
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8
|
||||
Output=4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e
|
||||
Output=b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065
|
||||
Output=bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4
|
||||
Output=fb2ef112f5e766eb94019297934794f7be2f6fc1c58e
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2
|
||||
Output=28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-4
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -881,36 +906,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/
|
||||
MSwGUGLx60i3nRyDyw==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5
|
||||
Output=af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad
|
||||
Output=a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967
|
||||
Output=308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf
|
||||
Output=15c5b9ee1185
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723
|
||||
Output=21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-5
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -935,36 +966,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hq
|
||||
Yejn5Ly8mU2q+jBcRQ==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3
|
||||
Output=4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f
|
||||
Output=5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65
|
||||
Output=b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8
|
||||
Output=684e3038c5c041f7
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab
|
||||
Output=32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-6
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -989,36 +1026,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4
|
||||
FMlxv0gq65dqc3DC
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1
|
||||
Output=47aae909
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6
|
||||
Output=1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b
|
||||
Output=d976fc
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac
|
||||
Output=d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478
|
||||
Output=bb47231ca5ea1d3ad46c99345d9a8a61
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-7
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -1043,36 +1086,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15E
|
||||
2MiPa249Z+lh3Luj0A==
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61
|
||||
Output=050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d
|
||||
Output=4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f
|
||||
Output=8604ac56328c1ab5ad917861
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0
|
||||
Output=fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2
|
||||
Output=4a5f4914bee25de3c69341de07
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-8
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -1103,36 +1152,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSc
|
||||
tKo5Eb69iFQvBb4=
|
||||
-----END PRIVATE KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72
|
||||
Output=f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8
|
||||
Output=81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3
|
||||
Output=fd326429df9b890e09b54b18b8f34f1e24
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858
|
||||
Output=f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e
|
||||
Output=53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d
|
||||
|
||||
+Availablein = default
|
||||
Decrypt=RSA-OAEP-9
|
||||
Ctrl = rsa_padding_mode:oaep
|
||||
Ctrl = rsa_mgf1_md:sha1
|
@ -1,420 +0,0 @@
|
||||
diff -up openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_backend.c
|
||||
--- openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature 2022-04-04 15:49:24.786455707 +0200
|
||||
+++ openssl-3.0.1/crypto/ec/ec_backend.c 2022-04-04 16:06:13.250271963 +0200
|
||||
@@ -393,6 +393,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con
|
||||
const OSSL_PARAM *param_priv_key = NULL, *param_pub_key = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *priv_key = NULL;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ const OSSL_PARAM *param_sign_kat_k = NULL;
|
||||
+ BIGNUM *sign_kat_k = NULL;
|
||||
+#endif
|
||||
unsigned char *pub_key = NULL;
|
||||
size_t pub_key_len;
|
||||
const EC_GROUP *ecg = NULL;
|
||||
@@ -408,7 +412,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con
|
||||
if (include_private)
|
||||
param_priv_key =
|
||||
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);
|
||||
-
|
||||
+#ifdef FIPS_MODULE
|
||||
+ param_sign_kat_k =
|
||||
+ OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K);
|
||||
+#endif
|
||||
ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
@@ -481,6 +489,17 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con
|
||||
&& !EC_KEY_set_public_key(ec, pub_point))
|
||||
goto err;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (param_sign_kat_k) {
|
||||
+ if ((sign_kat_k = BN_secure_new()) == NULL)
|
||||
+ goto err;
|
||||
+ BN_set_flags(sign_kat_k, BN_FLG_CONSTTIME);
|
||||
+
|
||||
+ if (!OSSL_PARAM_get_BN(param_sign_kat_k, &sign_kat_k))
|
||||
+ goto err;
|
||||
+ ec->sign_kat_k = sign_kat_k;
|
||||
+ }
|
||||
+#endif
|
||||
ok = 1;
|
||||
|
||||
err:
|
||||
diff -up openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature openssl-3.0.1/crypto/ec/ecdsa_ossl.c
|
||||
--- openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature 2022-04-04 17:01:35.725323127 +0200
|
||||
+++ openssl-3.0.1/crypto/ec/ecdsa_ossl.c 2022-04-04 17:03:42.000427050 +0200
|
||||
@@ -20,6 +20,10 @@
|
||||
#include "crypto/bn.h"
|
||||
#include "ec_local.h"
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+extern int REDHAT_FIPS_signature_st;
|
||||
+#endif
|
||||
+
|
||||
int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
|
||||
BIGNUM **rp)
|
||||
{
|
||||
@@ -126,6 +130,11 @@ static int ecdsa_sign_setup(EC_KEY *ecke
|
||||
goto err;
|
||||
|
||||
do {
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) {
|
||||
+ BN_copy(k, eckey->sign_kat_k);
|
||||
+ } else {
|
||||
+#endif
|
||||
/* get random k */
|
||||
do {
|
||||
if (dgst != NULL) {
|
||||
@@ -141,7 +150,9 @@ static int ecdsa_sign_setup(EC_KEY *ecke
|
||||
}
|
||||
}
|
||||
} while (BN_is_zero(k));
|
||||
-
|
||||
+#ifdef FIPS_MODULE
|
||||
+ }
|
||||
+#endif
|
||||
/* compute r the x-coordinate of generator * k */
|
||||
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_key.c
|
||||
--- openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature 2022-04-04 13:48:52.231172299 +0200
|
||||
+++ openssl-3.0.1/crypto/ec/ec_key.c 2022-04-04 14:00:35.077368605 +0200
|
||||
@@ -97,6 +97,9 @@ void EC_KEY_free(EC_KEY *r)
|
||||
EC_GROUP_free(r->group);
|
||||
EC_POINT_free(r->pub_key);
|
||||
BN_clear_free(r->priv_key);
|
||||
+#ifdef FIPS_MODULE
|
||||
+ BN_clear_free(r->sign_kat_k);
|
||||
+#endif
|
||||
OPENSSL_free(r->propq);
|
||||
|
||||
OPENSSL_clear_free((void *)r, sizeof(EC_KEY));
|
||||
diff -up openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature openssl-3.0.1/crypto/ec/ec_local.h
|
||||
--- openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature 2022-04-04 13:46:57.576161867 +0200
|
||||
+++ openssl-3.0.1/crypto/ec/ec_local.h 2022-04-04 13:48:07.827780835 +0200
|
||||
@@ -298,6 +298,9 @@ struct ec_key_st {
|
||||
#ifndef FIPS_MODULE
|
||||
CRYPTO_EX_DATA ex_data;
|
||||
#endif
|
||||
+#ifdef FIPS_MODULE
|
||||
+ BIGNUM *sign_kat_k;
|
||||
+#endif
|
||||
CRYPTO_RWLOCK *lock;
|
||||
OSSL_LIB_CTX *libctx;
|
||||
char *propq;
|
||||
diff -up openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature openssl-3.0.1/include/openssl/core_names.h
|
||||
--- openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature 2022-04-04 14:06:15.717370014 +0200
|
||||
+++ openssl-3.0.1/include/openssl/core_names.h 2022-04-04 14:07:35.376071229 +0200
|
||||
@@ -293,6 +293,7 @@ extern "C" {
|
||||
#define OSSL_PKEY_PARAM_DIST_ID "distid"
|
||||
#define OSSL_PKEY_PARAM_PUB_KEY "pub"
|
||||
#define OSSL_PKEY_PARAM_PRIV_KEY "priv"
|
||||
+#define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k"
|
||||
|
||||
/* Diffie-Hellman/DSA Parameters */
|
||||
#define OSSL_PKEY_PARAM_FFC_P "p"
|
||||
diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c
|
||||
--- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature 2022-04-04 14:21:03.043180906 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-04-04 14:38:33.949406645 +0200
|
||||
@@ -530,7 +530,8 @@ end:
|
||||
# define EC_IMEXPORTABLE_PUBLIC_KEY \
|
||||
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0)
|
||||
# define EC_IMEXPORTABLE_PRIVATE_KEY \
|
||||
- OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0), \
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, NULL, 0)
|
||||
# define EC_IMEXPORTABLE_OTHER_PARAMETERS \
|
||||
OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL), \
|
||||
OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, NULL)
|
||||
diff -up openssl-3.0.1/providers/fips/self_test_kats.c.kat openssl-3.0.1/providers/fips/self_test_kats.c
|
||||
--- openssl-3.0.1/providers/fips/self_test_kats.c.kat 2022-05-10 15:10:32.502185265 +0200
|
||||
+++ openssl-3.0.1/providers/fips/self_test_kats.c 2022-05-10 15:13:21.465653720 +0200
|
||||
@@ -17,6 +17,8 @@
|
||||
#include "self_test.h"
|
||||
#include "self_test_data.inc"
|
||||
|
||||
+int REDHAT_FIPS_signature_st = 0;
|
||||
+
|
||||
static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
|
||||
OSSL_LIB_CTX *libctx)
|
||||
{
|
||||
@@ -446,6 +448,7 @@ static int self_test_sign(const ST_KAT_S
|
||||
EVP_PKEY *pkey = NULL;
|
||||
unsigned char sig[256];
|
||||
BN_CTX *bnctx = NULL;
|
||||
+ BIGNUM *K = NULL;
|
||||
size_t siglen = sizeof(sig);
|
||||
static const unsigned char dgst[] = {
|
||||
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
|
||||
@@ -462,6 +465,9 @@ static int self_test_sign(const ST_KAT_S
|
||||
bnctx = BN_CTX_new_ex(libctx);
|
||||
if (bnctx == NULL)
|
||||
goto err;
|
||||
+ K = BN_CTX_get(bnctx);
|
||||
+ if (K == NULL || BN_bin2bn(dgst, sizeof(dgst), K) == NULL)
|
||||
+ goto err;
|
||||
|
||||
bld = OSSL_PARAM_BLD_new();
|
||||
if (bld == NULL)
|
||||
@@ -469,6 +475,9 @@ static int self_test_sign(const ST_KAT_S
|
||||
|
||||
if (!add_params(bld, t->key, bnctx))
|
||||
goto err;
|
||||
+ /* set K for ECDSA KAT tests */
|
||||
+ if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, K))
|
||||
+ goto err;
|
||||
params = OSSL_PARAM_BLD_to_param(bld);
|
||||
|
||||
/* Create a EVP_PKEY_CTX to load the DSA key into */
|
||||
@@ -689,11 +698,13 @@ static int self_test_kas(OSSL_SELF_TEST
|
||||
static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
|
||||
{
|
||||
int i, ret = 1;
|
||||
+ REDHAT_FIPS_signature_st = 1;
|
||||
|
||||
for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {
|
||||
if (!self_test_sign(&st_kat_sign_tests[i], st, libctx))
|
||||
ret = 0;
|
||||
}
|
||||
+ REDHAT_FIPS_signature_st = 0;
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff -up openssl-3.0.1/providers/fips/self_test_data.inc.kat openssl-3.0.1/providers/fips/self_test_data.inc
|
||||
--- openssl-3.0.1/providers/fips/self_test_data.inc.kat 2022-05-16 17:37:34.962807400 +0200
|
||||
+++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-16 17:48:10.709376779 +0200
|
||||
@@ -1399,7 +1399,151 @@ static const ST_KAT_PARAM ecdsa_prime_ke
|
||||
ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv),
|
||||
ST_KAT_PARAM_END()
|
||||
};
|
||||
+static const unsigned char ec224r1_kat_sig[] = {
|
||||
+0x30, 0x3c, 0x02, 0x1c, 0x2f, 0x24, 0x30, 0x96, 0x3b, 0x39, 0xe0, 0xab, 0xe2, 0x5a, 0x6f, 0xe0,
|
||||
+0x40, 0x7e, 0x19, 0x30, 0x6e, 0x6a, 0xfd, 0x7a, 0x2b, 0x5d, 0xaa, 0xc2, 0x34, 0x6c, 0xc8, 0xce,
|
||||
+0x02, 0x1c, 0x47, 0xe1, 0xac, 0xfd, 0xb4, 0xb8, 0x2b, 0x8c, 0x49, 0xb6, 0x36, 0xcd, 0xdd, 0x22,
|
||||
+0x2a, 0x2d, 0x29, 0x64, 0x70, 0x61, 0xc3, 0x3e, 0x18, 0x51, 0xec, 0xf2, 0xad, 0x3c
|
||||
+};
|
||||
|
||||
+static const char ecd_prime_curve_name384[] = "secp384r1";
|
||||
+/*
|
||||
+priv:
|
||||
+ 58:12:2b:94:be:29:23:13:83:f5:c4:20:e8:22:34:
|
||||
+ 54:73:49:91:10:05:e9:10:e9:d7:2d:72:9c:5e:6a:
|
||||
+ ba:8f:6d:d6:e4:a7:eb:e0:ae:e3:d4:c9:aa:33:87:
|
||||
+ 4c:91:87
|
||||
+pub:
|
||||
+ 04:d1:86:8b:f5:c4:a2:f7:a5:92:e6:85:2a:d2:92:
|
||||
+ 81:97:0a:8d:fa:09:3f:84:6c:17:43:03:43:49:23:
|
||||
+ 77:c4:31:f4:0a:a4:de:87:ac:5c:c0:d1:bc:e4:43:
|
||||
+ 7f:8d:44:e1:3b:5f:bc:27:c8:79:0f:d0:31:9f:a7:
|
||||
+ 6d:de:fb:f7:da:19:40:fd:aa:83:dc:69:ce:a6:f3:
|
||||
+ 4d:65:20:1c:66:82:80:03:f7:7b:2e:f3:b3:7c:1f:
|
||||
+ 11:f2:a3:bf:e8:0e:88
|
||||
+*/
|
||||
+static const unsigned char ecd_prime_priv384[] = {
|
||||
+ 0x58, 0x12, 0x2b, 0x94, 0xbe, 0x29, 0x23, 0x13, 0x83, 0xf5, 0xc4, 0x20, 0xe8, 0x22, 0x34,
|
||||
+ 0x54, 0x73, 0x49, 0x91, 0x10, 0x05, 0xe9, 0x10, 0xe9, 0xd7, 0x2d, 0x72, 0x9c, 0x5e, 0x6a,
|
||||
+ 0xba, 0x8f, 0x6d, 0xd6, 0xe4, 0xa7, 0xeb, 0xe0, 0xae, 0xe3, 0xd4, 0xc9, 0xaa, 0x33, 0x87,
|
||||
+ 0x4c, 0x91, 0x87
|
||||
+};
|
||||
+static const unsigned char ecd_prime_pub384[] = {
|
||||
+ 0x04, 0xd1, 0x86, 0x8b, 0xf5, 0xc4, 0xa2, 0xf7, 0xa5, 0x92, 0xe6, 0x85, 0x2a, 0xd2, 0x92,
|
||||
+ 0x81, 0x97, 0x0a, 0x8d, 0xfa, 0x09, 0x3f, 0x84, 0x6c, 0x17, 0x43, 0x03, 0x43, 0x49, 0x23,
|
||||
+ 0x77, 0xc4, 0x31, 0xf4, 0x0a, 0xa4, 0xde, 0x87, 0xac, 0x5c, 0xc0, 0xd1, 0xbc, 0xe4, 0x43,
|
||||
+ 0x7f, 0x8d, 0x44, 0xe1, 0x3b, 0x5f, 0xbc, 0x27, 0xc8, 0x79, 0x0f, 0xd0, 0x31, 0x9f, 0xa7,
|
||||
+ 0x6d, 0xde, 0xfb, 0xf7, 0xda, 0x19, 0x40, 0xfd, 0xaa, 0x83, 0xdc, 0x69, 0xce, 0xa6, 0xf3,
|
||||
+ 0x4d, 0x65, 0x20, 0x1c, 0x66, 0x82, 0x80, 0x03, 0xf7, 0x7b, 0x2e, 0xf3, 0xb3, 0x7c, 0x1f,
|
||||
+ 0x11, 0xf2, 0xa3, 0xbf, 0xe8, 0x0e, 0x88
|
||||
+};
|
||||
+static const ST_KAT_PARAM ecdsa_prime_key384[] = {
|
||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name384),
|
||||
+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub384),
|
||||
+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv384),
|
||||
+ ST_KAT_PARAM_END()
|
||||
+};
|
||||
+static const unsigned char ec384r1_kat_sig[] = {
|
||||
+0x30, 0x65, 0x02, 0x30, 0x1a, 0xd5, 0x57, 0x1b, 0x28, 0x0f, 0xf1, 0x68, 0x66, 0x68, 0x8a, 0x98,
|
||||
+0xe3, 0x9c, 0xce, 0x7f, 0xa7, 0x68, 0xdc, 0x84, 0x5a, 0x65, 0xdc, 0x2b, 0x5d, 0x7e, 0xf3, 0x9b,
|
||||
+0xa0, 0x40, 0xe8, 0x7a, 0x02, 0xc7, 0x82, 0xe0, 0x0c, 0x81, 0xa5, 0xda, 0x55, 0x27, 0xbf, 0x79,
|
||||
+0xee, 0x72, 0xc2, 0x14, 0x02, 0x31, 0x00, 0xd1, 0x9d, 0x67, 0xda, 0x5a, 0xd2, 0x58, 0x68, 0xe7,
|
||||
+0x71, 0x08, 0xb2, 0xa4, 0xe4, 0xe8, 0x74, 0xb4, 0x0a, 0x3d, 0x76, 0x49, 0x31, 0x17, 0x6e, 0x33,
|
||||
+0x16, 0xf0, 0x00, 0x1f, 0x3c, 0x1f, 0xf9, 0x7c, 0xdb, 0x93, 0x49, 0x9c, 0x7d, 0xb3, 0xd3, 0x30,
|
||||
+0x98, 0x81, 0x6f, 0xb0, 0xc9, 0x30, 0x2f
|
||||
+};
|
||||
+static const char ecd_prime_curve_name521[] = "secp521r1";
|
||||
+/*
|
||||
+priv:
|
||||
+ 00:44:0f:96:31:a9:87:f2:5f:be:a0:bc:ef:0c:ae:
|
||||
+ 58:cc:5f:f8:44:9e:89:86:7e:bf:db:ce:cb:0e:20:
|
||||
+ 10:4a:11:ec:0b:51:1d:e4:91:ca:c6:40:fb:c6:69:
|
||||
+ ad:68:33:9e:c8:f5:c4:c6:a5:93:a8:4d:a9:a9:a2:
|
||||
+ af:fe:6d:cb:c2:3b
|
||||
+pub:
|
||||
+ 04:01:5f:58:a9:40:0c:ee:9b:ed:4a:f4:7a:3c:a3:
|
||||
+ 89:c2:f3:7e:2c:f4:b5:53:80:ae:33:7d:36:d1:b5:
|
||||
+ 18:bd:ef:a9:48:00:ea:88:ee:00:5c:ca:07:08:b5:
|
||||
+ 67:4a:c3:2b:10:c6:07:b0:c2:45:37:b7:1d:e3:6c:
|
||||
+ e1:bf:2c:44:18:4a:aa:01:af:75:40:6a:e3:f5:b2:
|
||||
+ 7f:d1:9d:1b:8b:29:1f:91:4d:db:93:bf:bd:8c:b7:
|
||||
+ 6a:8d:4b:2c:36:2a:6b:ab:54:9d:7b:31:99:a4:de:
|
||||
+ c9:10:c4:f4:a3:f4:6d:94:97:62:16:a5:34:65:1f:
|
||||
+ 42:cd:8b:9e:e6:db:14:5d:a9:8d:19:95:8d
|
||||
+*/
|
||||
+static const unsigned char ecd_prime_priv521[] = {
|
||||
+ 0x00, 0x44, 0x0f, 0x96, 0x31, 0xa9, 0x87, 0xf2, 0x5f, 0xbe, 0xa0, 0xbc, 0xef, 0x0c, 0xae,
|
||||
+ 0x58, 0xcc, 0x5f, 0xf8, 0x44, 0x9e, 0x89, 0x86, 0x7e, 0xbf, 0xdb, 0xce, 0xcb, 0x0e, 0x20,
|
||||
+ 0x10, 0x4a, 0x11, 0xec, 0x0b, 0x51, 0x1d, 0xe4, 0x91, 0xca, 0xc6, 0x40, 0xfb, 0xc6, 0x69,
|
||||
+ 0xad, 0x68, 0x33, 0x9e, 0xc8, 0xf5, 0xc4, 0xc6, 0xa5, 0x93, 0xa8, 0x4d, 0xa9, 0xa9, 0xa2,
|
||||
+ 0xaf, 0xfe, 0x6d, 0xcb, 0xc2, 0x3b
|
||||
+};
|
||||
+static const unsigned char ecd_prime_pub521[] = {
|
||||
+ 0x04, 0x01, 0x5f, 0x58, 0xa9, 0x40, 0x0c, 0xee, 0x9b, 0xed, 0x4a, 0xf4, 0x7a, 0x3c, 0xa3,
|
||||
+ 0x89, 0xc2, 0xf3, 0x7e, 0x2c, 0xf4, 0xb5, 0x53, 0x80, 0xae, 0x33, 0x7d, 0x36, 0xd1, 0xb5,
|
||||
+ 0x18, 0xbd, 0xef, 0xa9, 0x48, 0x00, 0xea, 0x88, 0xee, 0x00, 0x5c, 0xca, 0x07, 0x08, 0xb5,
|
||||
+ 0x67, 0x4a, 0xc3, 0x2b, 0x10, 0xc6, 0x07, 0xb0, 0xc2, 0x45, 0x37, 0xb7, 0x1d, 0xe3, 0x6c,
|
||||
+ 0xe1, 0xbf, 0x2c, 0x44, 0x18, 0x4a, 0xaa, 0x01, 0xaf, 0x75, 0x40, 0x6a, 0xe3, 0xf5, 0xb2,
|
||||
+ 0x7f, 0xd1, 0x9d, 0x1b, 0x8b, 0x29, 0x1f, 0x91, 0x4d, 0xdb, 0x93, 0xbf, 0xbd, 0x8c, 0xb7,
|
||||
+ 0x6a, 0x8d, 0x4b, 0x2c, 0x36, 0x2a, 0x6b, 0xab, 0x54, 0x9d, 0x7b, 0x31, 0x99, 0xa4, 0xde,
|
||||
+ 0xc9, 0x10, 0xc4, 0xf4, 0xa3, 0xf4, 0x6d, 0x94, 0x97, 0x62, 0x16, 0xa5, 0x34, 0x65, 0x1f,
|
||||
+ 0x42, 0xcd, 0x8b, 0x9e, 0xe6, 0xdb, 0x14, 0x5d, 0xa9, 0x8d, 0x19, 0x95, 0x8d
|
||||
+};
|
||||
+static const ST_KAT_PARAM ecdsa_prime_key521[] = {
|
||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name521),
|
||||
+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub521),
|
||||
+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv521),
|
||||
+ ST_KAT_PARAM_END()
|
||||
+};
|
||||
+static const unsigned char ec521r1_kat_sig[] = {
|
||||
+0x30, 0x81, 0x88, 0x02, 0x42, 0x00, 0xdf, 0x64, 0x9c, 0xc8, 0x5b, 0xdd, 0x0b, 0x7f, 0x69, 0x7e,
|
||||
+0xdb, 0x83, 0x58, 0x67, 0x63, 0x43, 0xb7, 0xfa, 0x40, 0x29, 0xde, 0xb9, 0xde, 0xe9, 0x96, 0x65,
|
||||
+0xe6, 0x8e, 0xf4, 0xeb, 0xd0, 0xe9, 0x6a, 0xd3, 0x27, 0x6c, 0x4d, 0x60, 0x47, 0x9c, 0x62, 0xb8,
|
||||
+0x6c, 0xc1, 0x36, 0x19, 0x65, 0xff, 0xab, 0xcf, 0x24, 0xa3, 0xde, 0xd1, 0x4b, 0x1b, 0xdd, 0x89,
|
||||
+0xcf, 0xf8, 0x72, 0x7b, 0x92, 0xbc, 0x02, 0x02, 0x42, 0x01, 0xf8, 0x07, 0x77, 0xb8, 0xcb, 0xa2,
|
||||
+0xe2, 0x1f, 0x53, 0x9a, 0x7c, 0x16, 0xb5, 0x8e, 0xad, 0xe3, 0xc3, 0xac, 0xb7, 0xb2, 0x51, 0x8f,
|
||||
+0xf9, 0x09, 0x65, 0x43, 0xf8, 0xd8, 0x3c, 0xe3, 0x5c, 0x4a, 0x5e, 0x3d, 0x6f, 0xb7, 0xbb, 0x5a,
|
||||
+0x92, 0x69, 0xec, 0x71, 0xa2, 0x35, 0xe5, 0x29, 0x17, 0xaf, 0xc9, 0x69, 0xa7, 0xaa, 0x94, 0xf9,
|
||||
+0xf9, 0x50, 0x87, 0x7b, 0x5d, 0x87, 0xe3, 0xd6, 0x3f, 0xb6, 0x6e
|
||||
+};
|
||||
+static const char ecd_prime_curve_name256[] = "prime256v1";
|
||||
+/*
|
||||
+priv:
|
||||
+ 84:88:11:3f:a9:c9:9e:23:72:8b:40:cb:a2:b1:88:
|
||||
+ 01:1e:92:48:af:13:2d:9b:33:8e:6d:43:40:30:c7:
|
||||
+ 30:fa
|
||||
+pub:
|
||||
+ 04:22:58:b6:f9:01:3b:8c:a6:9b:9f:ae:75:fc:73:
|
||||
+ cf:1b:f0:81:dc:55:a3:cc:5d:81:46:85:06:32:34:
|
||||
+ 99:0d:c5:7e:a1:95:bb:21:73:33:40:4b:35:17:f6:
|
||||
+ 8e:26:61:46:94:2c:4c:ac:9b:20:f8:08:72:25:74:
|
||||
+ 98:66:c4:63:a6
|
||||
+*/
|
||||
+static const unsigned char ecd_prime_priv256[] = {
|
||||
+ 0x84, 0x88, 0x11, 0x3f, 0xa9, 0xc9, 0x9e, 0x23, 0x72, 0x8b, 0x40, 0xcb, 0xa2, 0xb1, 0x88,
|
||||
+ 0x01, 0x1e, 0x92, 0x48, 0xaf, 0x13, 0x2d, 0x9b, 0x33, 0x8e, 0x6d, 0x43, 0x40, 0x30, 0xc7,
|
||||
+ 0x30, 0xfa
|
||||
+};
|
||||
+static const unsigned char ecd_prime_pub256[] = {
|
||||
+ 0x04, 0x22, 0x58, 0xb6, 0xf9, 0x01, 0x3b, 0x8c, 0xa6, 0x9b, 0x9f, 0xae, 0x75, 0xfc, 0x73,
|
||||
+ 0xcf, 0x1b, 0xf0, 0x81, 0xdc, 0x55, 0xa3, 0xcc, 0x5d, 0x81, 0x46, 0x85, 0x06, 0x32, 0x34,
|
||||
+ 0x99, 0x0d, 0xc5, 0x7e, 0xa1, 0x95, 0xbb, 0x21, 0x73, 0x33, 0x40, 0x4b, 0x35, 0x17, 0xf6,
|
||||
+ 0x8e, 0x26, 0x61, 0x46, 0x94, 0x2c, 0x4c, 0xac, 0x9b, 0x20, 0xf8, 0x08, 0x72, 0x25, 0x74,
|
||||
+ 0x98, 0x66, 0xc4, 0x63, 0xa6
|
||||
+};
|
||||
+static const ST_KAT_PARAM ecdsa_prime_key256[] = {
|
||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name256),
|
||||
+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub256),
|
||||
+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv256),
|
||||
+ ST_KAT_PARAM_END()
|
||||
+};
|
||||
+static const unsigned char ec256v1_kat_sig[] = {
|
||||
+0x30, 0x46, 0x02, 0x21, 0x00, 0xc9, 0x11, 0x27, 0x06, 0x51, 0x2b, 0x50, 0x8c, 0x6b, 0xc0, 0xa6,
|
||||
+0x85, 0xaa, 0xf4, 0x66, 0x0d, 0xe4, 0x54, 0x0a, 0x10, 0xb6, 0x9f, 0x87, 0xfc, 0xa2, 0xbc, 0x8f,
|
||||
+0x3c, 0x58, 0xb4, 0xe9, 0x41, 0x02, 0x21, 0x00, 0xc9, 0x72, 0x94, 0xa9, 0xdd, 0x52, 0xca, 0x21,
|
||||
+0x82, 0x66, 0x7a, 0x68, 0xcb, 0x1e, 0x3b, 0x12, 0x71, 0x4d, 0x56, 0xb5, 0xb7, 0xdd, 0xca, 0x2b,
|
||||
+0x18, 0xa3, 0xa7, 0x08, 0x0d, 0xfa, 0x9c, 0x66
|
||||
+};
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
static const char ecd_bin_curve_name[] = "sect233r1";
|
||||
static const unsigned char ecd_bin_priv[] = {
|
||||
@@ -1571,8 +1715,42 @@ static const ST_KAT_SIGN st_kat_sign_tes
|
||||
ecdsa_prime_key,
|
||||
/*
|
||||
* The ECDSA signature changes each time due to it using a random k.
|
||||
- * So there is no expected KAT for this case.
|
||||
+ * We provide this value in our build
|
||||
+ */
|
||||
+ ITM(ec224r1_kat_sig)
|
||||
+ },
|
||||
+ {
|
||||
+ OSSL_SELF_TEST_DESC_SIGN_ECDSA,
|
||||
+ "EC",
|
||||
+ "SHA-256",
|
||||
+ ecdsa_prime_key384,
|
||||
+ /*
|
||||
+ * The ECDSA signature changes each time due to it using a random k.
|
||||
+ * We provide this value in our build
|
||||
+ */
|
||||
+ ITM(ec384r1_kat_sig)
|
||||
+ },
|
||||
+ {
|
||||
+ OSSL_SELF_TEST_DESC_SIGN_ECDSA,
|
||||
+ "EC",
|
||||
+ "SHA-256",
|
||||
+ ecdsa_prime_key521,
|
||||
+ /*
|
||||
+ * The ECDSA signature changes each time due to it using a random k.
|
||||
+ * We provide this value in our build
|
||||
+ */
|
||||
+ ITM(ec521r1_kat_sig)
|
||||
+ },
|
||||
+ {
|
||||
+ OSSL_SELF_TEST_DESC_SIGN_ECDSA,
|
||||
+ "EC",
|
||||
+ "SHA-256",
|
||||
+ ecdsa_prime_key256,
|
||||
+ /*
|
||||
+ * The ECDSA signature changes each time due to it using a random k.
|
||||
+ * We provide this value in our build
|
||||
*/
|
||||
+ ITM(ec256v1_kat_sig)
|
||||
},
|
||||
# ifndef OPENSSL_NO_EC2M
|
||||
{
|
||||
diff -up openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c
|
||||
--- openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat 2022-05-30 14:48:53.180999124 +0200
|
||||
+++ openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c 2022-05-30 14:58:52.841286228 +0200
|
||||
@@ -44,6 +44,10 @@
|
||||
#define S390X_OFF_RN(n) (4 * n)
|
||||
#define S390X_OFF_Y(n) (4 * n)
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+extern int REDHAT_FIPS_signature_st;
|
||||
+#endif
|
||||
+
|
||||
static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
const BIGNUM *scalar,
|
||||
size_t num, const EC_POINT *points[],
|
||||
@@ -183,11 +187,21 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign
|
||||
* because kdsa instruction constructs an in-range, invertible nonce
|
||||
* internally implementing counter-measures for RNG weakness.
|
||||
*/
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) {
|
||||
+ BN_bn2binpad(eckey->sign_kat_k, param + S390X_OFF_RN(len), len);
|
||||
+ /* Turns KDSA internal nonce-generation off. */
|
||||
+ fc |= S390X_KDSA_D;
|
||||
+ } else {
|
||||
+#endif
|
||||
if (RAND_priv_bytes_ex(eckey->libctx, param + S390X_OFF_RN(len),
|
||||
(size_t)len, 0) != 1) {
|
||||
ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
|
||||
goto ret;
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
+ }
|
||||
+#endif
|
||||
} else {
|
||||
/* Reconstruct k = (k^-1)^-1. */
|
||||
if (ossl_ec_group_do_inverse_ord(group, k, kinv, NULL) == 0
|
@ -1,570 +0,0 @@
|
||||
From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Wed, 18 May 2022 17:25:59 +0200
|
||||
Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider
|
||||
|
||||
For RHEL, we already disable SHA-1 signatures by default in the default
|
||||
provider, so it is unexpected that the FIPS provider would have a more
|
||||
lenient configuration in this regard. Additionally, we do not think
|
||||
continuing to accept SHA-1 signatures is a good idea due to the
|
||||
published chosen-prefix collision attacks.
|
||||
|
||||
As a consequence, disable verification of SHA-1 signatures in the FIPS
|
||||
provider.
|
||||
|
||||
This requires adjusting a few tests that would otherwise fail:
|
||||
- 30-test_acvp: Remove the test vectors that use SHA-1.
|
||||
- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
|
||||
evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
|
||||
which will not run them when the FIPS provider is enabled.
|
||||
- 80-test_cms: Re-create all certificates in test/smime-certificates
|
||||
with SHA256 signatures while keeping the same private keys. These
|
||||
certificates were signed with SHA-1 and thus fail verification in the
|
||||
FIPS provider.
|
||||
Fix some other tests by explicitly running them in the default
|
||||
provider, where SHA-1 is available.
|
||||
- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
|
||||
the FIPS provider.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
providers/implementations/signature/dsa_sig.c | 4 --
|
||||
.../implementations/signature/ecdsa_sig.c | 4 --
|
||||
providers/implementations/signature/rsa_sig.c | 8 +--
|
||||
test/acvp_test.inc | 20 -------
|
||||
.../30-test_evp_data/evppkey_ecdsa.txt | 7 +++
|
||||
.../30-test_evp_data/evppkey_rsa_common.txt | 51 +++++++++++++++-
|
||||
test/recipes/80-test_cms.t | 4 +-
|
||||
test/recipes/80-test_ssl_old.t | 4 ++
|
||||
test/smime-certs/smdh.pem | 18 +++---
|
||||
test/smime-certs/smdsa1.pem | 60 +++++++++----------
|
||||
test/smime-certs/smdsa2.pem | 60 +++++++++----------
|
||||
test/smime-certs/smdsa3.pem | 60 +++++++++----------
|
||||
test/smime-certs/smec1.pem | 30 +++++-----
|
||||
test/smime-certs/smec2.pem | 30 +++++-----
|
||||
test/smime-certs/smec3.pem | 30 +++++-----
|
||||
test/smime-certs/smroot.pem | 38 ++++++------
|
||||
test/smime-certs/smrsa1.pem | 38 ++++++------
|
||||
test/smime-certs/smrsa2.pem | 38 ++++++------
|
||||
test/smime-certs/smrsa3.pem | 38 ++++++------
|
||||
19 files changed, 286 insertions(+), 256 deletions(-)
|
||||
|
||||
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
|
||||
index fa3822f39f..c365d7b13a 100644
|
||||
--- a/providers/implementations/signature/dsa_sig.c
|
||||
+++ b/providers/implementations/signature/dsa_sig.c
|
||||
@@ -128,11 +128,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||
int md_nid;
|
||||
size_t mdname_len = strlen(mdname);
|
||||
-#ifdef FIPS_MODULE
|
||||
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
-#else
|
||||
int sha1_allowed = 0;
|
||||
-#endif
|
||||
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||
sha1_allowed);
|
||||
|
||||
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
||||
index 99b228e82c..44a22832ec 100644
|
||||
--- a/providers/implementations/signature/ecdsa_sig.c
|
||||
+++ b/providers/implementations/signature/ecdsa_sig.c
|
||||
@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
||||
"%s could not be fetched", mdname);
|
||||
return 0;
|
||||
}
|
||||
-#ifdef FIPS_MODULE
|
||||
- sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
-#else
|
||||
sha1_allowed = 0;
|
||||
-#endif
|
||||
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||
sha1_allowed);
|
||||
if (md_nid < 0) {
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index f66d7705c3..34f45175e8 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -292,11 +292,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
||||
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||
int md_nid;
|
||||
size_t mdname_len = strlen(mdname);
|
||||
-#ifdef FIPS_MODULE
|
||||
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||
-#else
|
||||
int sha1_allowed = 0;
|
||||
-#endif
|
||||
md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
||||
sha1_allowed);
|
||||
|
||||
@@ -1355,8 +1351,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
|
||||
if (prsactx->md == NULL && pmdname == NULL
|
||||
&& pad_mode == RSA_PKCS1_PSS_PADDING) {
|
||||
+#ifdef FIPS_MODULE
|
||||
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
|
||||
+#else
|
||||
pmdname = RSA_DEFAULT_DIGEST_NAME;
|
||||
-#ifndef FIPS_MODULE
|
||||
if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
|
||||
pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
|
||||
}
|
||||
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
|
||||
index ad11d3ae1e..73b24bdb0c 100644
|
||||
--- a/test/acvp_test.inc
|
||||
+++ b/test/acvp_test.inc
|
||||
@@ -1841,17 +1841,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
|
||||
NO_PSS_SALT_LEN,
|
||||
FAIL
|
||||
},
|
||||
- {
|
||||
- "x931",
|
||||
- 3072,
|
||||
- "SHA1",
|
||||
- ITM(rsa_sigverx931_0_msg),
|
||||
- ITM(rsa_sigverx931_0_n),
|
||||
- ITM(rsa_sigverx931_0_e),
|
||||
- ITM(rsa_sigverx931_0_sig),
|
||||
- NO_PSS_SALT_LEN,
|
||||
- PASS
|
||||
- },
|
||||
{
|
||||
"x931",
|
||||
3072,
|
||||
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
||||
index f36982845d..51e507a61c 100644
|
||||
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
|
||||
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
|
||||
|
||||
Title = ECDSA tests
|
||||
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
|
||||
|
||||
# Digest too long
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF12345"
|
||||
@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# Digest too short
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF123"
|
||||
@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# Digest invalid
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1235"
|
||||
@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# Invalid signature
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# BER signature
|
||||
+Availablein = default
|
||||
Verify = P-256
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
+Availablein = default
|
||||
Verify = P-256-PUBLIC
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
index b8d8bb2993..8dd566067b 100644
|
||||
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
|
||||
@@ -96,6 +96,7 @@ NDL6WCBbets=
|
||||
|
||||
Title = RSA tests
|
||||
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224
|
||||
Input = "0123456789ABCDEF123456789ABC"
|
||||
Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
|
||||
|
||||
+Availablein = default
|
||||
VerifyRecover = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
|
||||
Output = "0123456789ABCDEF1234"
|
||||
|
||||
# Leading zero in the signature
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
+Availablein = default
|
||||
VerifyRecover = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
|
||||
Result = KEYOP_ERROR
|
||||
|
||||
# Mismatched digest
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1233"
|
||||
@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# Corrupted signature
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1233"
|
||||
@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# parameter is not NULLt
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e7
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# embedded digest too long
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
+Availablein = default
|
||||
VerifyRecover = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
||||
Result = KEYOP_ERROR
|
||||
|
||||
# embedded digest too short
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
+Availablein = default
|
||||
VerifyRecover = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
|
||||
Result = KEYOP_ERROR
|
||||
|
||||
# Garbage after DigestInfo
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
+Availablein = default
|
||||
VerifyRecover = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
|
||||
Result = KEYOP_ERROR
|
||||
|
||||
# invalid tag for parameter
|
||||
+Availablein = default
|
||||
Verify = RSA-2048
|
||||
Ctrl = digest:sha1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
@@ -195,6 +209,7 @@ Result = VERIFY_ERROR
|
||||
|
||||
# Verify using public key
|
||||
|
||||
+Availablein = default
|
||||
Verify = RSA-2048-PUBLIC
|
||||
Ctrl = digest:SHA1
|
||||
Input = "0123456789ABCDEF1234"
|
||||
@@ -370,6 +385,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
|
||||
Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
|
||||
|
||||
# Verify using salt length auto detect
|
||||
+# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256
|
||||
+Availablein = default
|
||||
Verify = RSA-2048-PUBLIC
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_pss_saltlen:auto
|
||||
@@ -404,6 +421,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
|
||||
Result = VERIFY_ERROR
|
||||
|
||||
# Verify using default parameters, explicitly setting parameters
|
||||
+# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which
|
||||
+# RHEL-9 does not support in FIPS mode; all these tests are thus marked
|
||||
+# Availablein = default.
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_pss_saltlen:20
|
||||
@@ -412,6 +433,7 @@ Input="0123456789ABCDEF0123"
|
||||
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
|
||||
|
||||
# Verify explicitly setting parameters "digest" salt length
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_pss_saltlen:digest
|
||||
@@ -420,18 +442,21 @@ Input="0123456789ABCDEF0123"
|
||||
Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
|
||||
|
||||
# Verify using salt length larger than minimum
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_pss_saltlen:30
|
||||
Input="0123456789ABCDEF0123"
|
||||
Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
|
||||
|
||||
# Verify using maximum salt length
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_pss_saltlen:max
|
||||
Input="0123456789ABCDEF0123"
|
||||
Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6
|
||||
|
||||
# Attempt to change salt length below minimum
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_pss_saltlen:0
|
||||
Result = PKEY_CTRL_ERROR
|
||||
@@ -439,21 +464,25 @@ Result = PKEY_CTRL_ERROR
|
||||
# Attempt to change padding mode
|
||||
# Note this used to return PKEY_CTRL_INVALID
|
||||
# but it is limited because setparams only returns 0 or 1.
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = rsa_padding_mode:pkcs1
|
||||
Result = PKEY_CTRL_ERROR
|
||||
|
||||
# Attempt to change digest
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-DEFAULT
|
||||
Ctrl = digest:sha256
|
||||
Result = PKEY_CTRL_ERROR
|
||||
|
||||
# Invalid key: rejected when we try to init
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-BAD
|
||||
Result = KEYOP_INIT_ERROR
|
||||
Reason = invalid salt length
|
||||
|
||||
# Invalid key: rejected when we try to init
|
||||
+Availablein = default
|
||||
Verify = RSA-PSS-BAD2
|
||||
Result = KEYOP_INIT_ERROR
|
||||
Reason = invalid salt length
|
||||
@@ -472,36 +501,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh
|
||||
4fINDOjP+yJJvZohNwIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e
|
||||
Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd
|
||||
Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0652ec67bcee30f9d2699122b91c19abdba89f91
|
||||
Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=39c21c4cceda9c1adf839c744e1212a6437575ec
|
||||
Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=36dae913b77bd17cae6e7b09453d24544cebb33c
|
||||
Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-1
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -517,36 +552,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh
|
||||
0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0
|
||||
Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=2dac956d53964748ac364d06595827c6b4f143cd
|
||||
Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298
|
||||
Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e
|
||||
Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a
|
||||
Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-9
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -564,36 +605,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu
|
||||
BQIDAQAB
|
||||
-----END PUBLIC KEY-----
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4
|
||||
Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=b503319399277fd6c1c8f1033cbf04199ea21716
|
||||
Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=50aaede8536b2c307208b275a67ae2df196c7628
|
||||
Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294
|
||||
Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
Input=fad3902c9750622a2bc672622c48270cc57d3ea8
|
||||
Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc
|
||||
|
||||
+Availablein = default
|
||||
Verify=RSA-PSS-10
|
||||
Ctrl = rsa_padding_mode:pss
|
||||
Ctrl = rsa_mgf1_md:sha1
|
||||
@@ -1329,11 +1376,13 @@ Title = RSA FIPS tests
|
||||
|
||||
# FIPS tests
|
||||
|
||||
-# Verifying with SHA1 is permitted in fips mode for older applications
|
||||
+# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode
|
||||
+Availablein = fips
|
||||
DigestVerify = SHA1
|
||||
Key = RSA-2048
|
||||
Input = "Hello "
|
||||
Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859
|
||||
+Result = DIGESTVERIFYINIT_ERROR
|
||||
|
||||
# Verifying with a 1024 bit key is permitted in fips mode for older applications
|
||||
DigestVerify = SHA256
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index 48a92f735d..34afe91b88 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -162,7 +162,7 @@ my @smime_pkcs7_tests = (
|
||||
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
|
||||
"-certfile", $smroot,
|
||||
"-signer", $smrsa1, "-out", "{output}.cms" ],
|
||||
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
|
||||
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
|
||||
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
||||
\&final_compare
|
||||
],
|
||||
@@ -170,7 +170,7 @@ my @smime_pkcs7_tests = (
|
||||
[ "signed zero-length content S/MIME format, RSA key SHA1",
|
||||
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
|
||||
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
|
||||
- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
|
||||
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
|
||||
"-CAfile", $smroot, "-out", "{output}.txt" ],
|
||||
\&zero_compare
|
||||
],
|
||||
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
||||
index 8c52b637fc..ff75c5b6ec 100644
|
||||
--- a/test/recipes/80-test_ssl_old.t
|
||||
+++ b/test/recipes/80-test_ssl_old.t
|
||||
@@ -394,6 +394,9 @@ sub testssl {
|
||||
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
|
||||
}
|
||||
|
||||
+ SKIP: {
|
||||
+ skip "SSLv3 is not supported by the FIPS provider", 4
|
||||
+ if $provider eq "fips";
|
||||
ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
|
||||
'test sslv2/sslv3 with server authentication');
|
||||
ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
|
||||
@@ -402,6 +405,7 @@ sub testssl {
|
||||
'test sslv2/sslv3 with both client and server authentication via BIO pair');
|
||||
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
|
||||
'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
|
||||
+ }
|
||||
|
||||
SKIP: {
|
||||
skip "No IPv4 available on this machine", 4
|
@ -1,466 +0,0 @@
|
||||
From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Tue, 7 Jun 2022 12:02:49 +0200
|
||||
Subject: [PATCH] fips: Expose a FIPS indicator
|
||||
|
||||
FIPS 140-3 requires us to indicate whether an operation was using
|
||||
approved services or not. The FIPS 140-3 implementation guidelines
|
||||
provide two basic approaches to doing this: implicit indicators, and
|
||||
explicit indicators.
|
||||
|
||||
Implicit indicators are basically the concept of "if the operation
|
||||
passes, it was approved". We were originally aiming for implicit
|
||||
indicators in our copy of OpenSSL. However, this proved to be a problem,
|
||||
because we wanted to certify a signature service, and FIPS 140-3
|
||||
requires that a signature service computes the digest to be signed
|
||||
within the boundaries of the FIPS module. Since we were planning to
|
||||
certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
|
||||
would have to be blocked. Unfortunately, EVP_SignFinal uses
|
||||
EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
|
||||
FIPS module boundary. This means that using implicit indicators in
|
||||
combination with certifying only fips.so would require us to block both
|
||||
EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
|
||||
by most users of OpenSSL for signatures.
|
||||
|
||||
EVP_DigestSign would be acceptable, but has only been added in 3.0 and
|
||||
is thus not yet widely used.
|
||||
|
||||
As a consequence, we've decided to introduce explicit indicators so that
|
||||
EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
|
||||
FIPS-aware applications can query the explicit indicator to check
|
||||
whether the operation was approved.
|
||||
|
||||
To avoid affecting the ABI and public API too much, this is implemented
|
||||
as an exported symbol in fips.so and a private header, so applications
|
||||
that wish to use this will have to dlopen(3) fips.so, locate the
|
||||
function using dlsym(3), and then call it. These applications will have
|
||||
to build against the private header in order to use the returned
|
||||
pointer.
|
||||
|
||||
Modify util/mkdef.pl to support exposing a symbol only for a specific
|
||||
provider identified by its name and path.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
doc/build.info | 6 ++
|
||||
doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++
|
||||
providers/fips/fipsprov.c | 71 +++++++++++++
|
||||
providers/fips/indicator.h | 66 ++++++++++++
|
||||
util/mkdef.pl | 25 ++++-
|
||||
util/providers.num | 1 +
|
||||
6 files changed, 322 insertions(+), 1 deletion(-)
|
||||
create mode 100644 doc/man7/fips_module_indicators.pod
|
||||
create mode 100644 providers/fips/indicator.h
|
||||
|
||||
diff --git a/doc/build.info b/doc/build.info
|
||||
index b0aa4297a4..af235113bb 100644
|
||||
--- a/doc/build.info
|
||||
+++ b/doc/build.info
|
||||
@@ -4389,6 +4389,10 @@ DEPEND[html/man7/fips_module.html]=man7/fips_module.pod
|
||||
GENERATE[html/man7/fips_module.html]=man7/fips_module.pod
|
||||
DEPEND[man/man7/fips_module.7]=man7/fips_module.pod
|
||||
GENERATE[man/man7/fips_module.7]=man7/fips_module.pod
|
||||
+DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
|
||||
+GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
|
||||
+DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
|
||||
+GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
|
||||
DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
|
||||
GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
|
||||
DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod
|
||||
@@ -4631,6 +4635,7 @@ html/man7/ct.html \
|
||||
html/man7/des_modes.html \
|
||||
html/man7/evp.html \
|
||||
html/man7/fips_module.html \
|
||||
+html/man7/fips_module_indicators.html \
|
||||
html/man7/life_cycle-cipher.html \
|
||||
html/man7/life_cycle-digest.html \
|
||||
html/man7/life_cycle-kdf.html \
|
||||
@@ -4754,6 +4759,7 @@ man/man7/ct.7 \
|
||||
man/man7/des_modes.7 \
|
||||
man/man7/evp.7 \
|
||||
man/man7/fips_module.7 \
|
||||
+man/man7/fips_module_indicators.7 \
|
||||
man/man7/life_cycle-cipher.7 \
|
||||
man/man7/life_cycle-digest.7 \
|
||||
man/man7/life_cycle-kdf.7 \
|
||||
diff --git a/doc/man7/fips_module_indicators.pod b/doc/man7/fips_module_indicators.pod
|
||||
new file mode 100644
|
||||
index 0000000000..23db2b395c
|
||||
--- /dev/null
|
||||
+++ b/doc/man7/fips_module_indicators.pod
|
||||
@@ -0,0 +1,154 @@
|
||||
+=pod
|
||||
+
|
||||
+=head1 NAME
|
||||
+
|
||||
+fips_module_indicators - Red Hat OpenSSL FIPS module indicators guide
|
||||
+
|
||||
+=head1 DESCRIPTION
|
||||
+
|
||||
+This guide documents how the Red Hat Enterprise Linux 9 OpenSSL FIPS provider
|
||||
+implements Approved Security Service Indicators according to the FIPS 140-3
|
||||
+Implementation Guidelines, section 2.4.C. See
|
||||
+L<https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>
|
||||
+for the FIPS 140-3 Implementation Guidelines.
|
||||
+
|
||||
+For all approved services except signatures, the Red Hat OpenSSL FIPS provider
|
||||
+uses the return code as the indicator as understood by FIPS 140-3. That means
|
||||
+that every operation that succeeds denotes use of an approved security service.
|
||||
+Operations that do not succeed may not have been approved security services, or
|
||||
+may have been used incorrectly.
|
||||
+
|
||||
+For signatures, an explicit indicator API is available to determine whether
|
||||
+a selected operation is an approved security service, in combination with the
|
||||
+return code of the operation. For a signature operation to be approved, the
|
||||
+explicit indicator must claim it as approved, and it must succeed.
|
||||
+
|
||||
+=head2 Querying the explicit indicator
|
||||
+
|
||||
+The Red Hat OpenSSL FIPS provider exports a symbol named
|
||||
+I<redhat_ossl_query_fipsindicator> that provides information on which signature
|
||||
+operations are approved security functions. To use this function, either link
|
||||
+against I<fips.so> directly, or load it at runtime using dlopen(3) and
|
||||
+dlsym(3).
|
||||
+
|
||||
+ #include <openssl/core_dispatch.h>
|
||||
+ #include "providers/fips/indicator.h"
|
||||
+
|
||||
+ void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY);
|
||||
+ if (provider == NULL) {
|
||||
+ fprintf(stderr, "%s\n", dlerror());
|
||||
+ // handle error
|
||||
+ }
|
||||
+
|
||||
+ const OSSL_RH_FIPSINDICATOR_ALORITHM *(*redhat_ossl_query_fipsindicator)(int) \
|
||||
+ = dlsym(provider, "redhat_ossl_query_fipsindicator");
|
||||
+ if (redhat_ossl_query_fipsindicator == NULL) {
|
||||
+ fprintf(stderr, "%s\n", dlerror());
|
||||
+ fprintf(stderr, "Does your copy of fips.so have the required Red Hat"
|
||||
+ " patches?\n");
|
||||
+ // handle error
|
||||
+ }
|
||||
+
|
||||
+Note that this uses the I<providers/fips/indicator.h> header, which is not
|
||||
+public. Install the I<openssl-debugsource> package from the I<BaseOS-debuginfo>
|
||||
+repository using I<dnf debuginfo-install openssl> and include
|
||||
+I</usr/src/debug/openssl-3.*/> in the compiler's include path.
|
||||
+
|
||||
+I<redhat_ossl_query_fipsindicator> expects an operation ID as its only
|
||||
+argument. Currently, the only supported operation ID is I<OSSL_OP_SIGNATURE> to
|
||||
+obtain the indicators for signature operations. On success, the return value is
|
||||
+a pointer to an array of I<OSSL_RH_FIPSINDICATOR_STRUCT>s. On failure, NULL is
|
||||
+returned. The last entry in the array is indicated by I<algorithm_names> being
|
||||
+NULL.
|
||||
+
|
||||
+ typedef struct ossl_rh_fipsindicator_algorithm_st {
|
||||
+ const char *algorithm_names; /* key */
|
||||
+ const char *property_definition; /* key */
|
||||
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
|
||||
+ } OSSL_RH_FIPSINDICATOR_ALGORITHM;
|
||||
+
|
||||
+ typedef struct ossl_rh_fipsindicator_dispatch_st {
|
||||
+ int function_id;
|
||||
+ int approved;
|
||||
+ } OSSL_RH_FIPSINDICATOR_DISPATCH;
|
||||
+
|
||||
+The I<algorithm_names> field is a colon-separated list of algorithm names from
|
||||
+one of the I<PROV_NAMES_...> constants, e.g., I<PROV_NAMES_RSA>. strtok(3) can
|
||||
+be used to locate the appropriate entry. See the example below, where
|
||||
+I<algorithm> contains the algorithm name to search for:
|
||||
+
|
||||
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL;
|
||||
+ const OSSL_RH_FIPSINDICATOR_ALGORITHM *indicator =
|
||||
+ redhat_ossl_query_fipsindicator(operation_id);
|
||||
+ if (indicator == NULL) {
|
||||
+ fprintf(stderr, "No indicator for operation, probably using implicit"
|
||||
+ " indicators.\n");
|
||||
+ // handle error
|
||||
+ }
|
||||
+
|
||||
+ for (; indicator->algorithm_names != NULL; ++indicator) {
|
||||
+ char *algorithm_names = strdup(indicator->algorithm_names);
|
||||
+ if (algorithm_names == NULL) {
|
||||
+ perror("strdup(3)");
|
||||
+ // handle error
|
||||
+ }
|
||||
+
|
||||
+ const char *algorithm_name = strtok(algorithm_names, ":");
|
||||
+ for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) {
|
||||
+ if (strcasecmp(algorithm_name, algorithm) == 0) {
|
||||
+ indicator_dispatch = indicator->indicators;
|
||||
+ free(algorithm_names);
|
||||
+ algorithm_names = NULL;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ free(algorithm_names);
|
||||
+ }
|
||||
+ if (indicator_dispatch == NULL) {
|
||||
+ fprintf(stderr, "No indicator for algorithm %s.\n", algorithm);
|
||||
+ // handle error
|
||||
+ }
|
||||
+
|
||||
+If an appropriate I<OSSL_RH_FIPSINDICATOR_DISPATCH> array is available for the
|
||||
+given algorithm name, it maps function IDs to their approval status. The last
|
||||
+entry is indicated by a zero I<function_id>. I<approved> is
|
||||
+I<OSSL_RH_FIPSINDICATOR_APPROVED> if the operation is an approved security
|
||||
+service, or part of an approved security service, or
|
||||
+I<OSSL_RH_FIPSINDICATOR_UNAPPROVED> otherwise. Any other value is invalid.
|
||||
+Function IDs are I<OSSL_FUNC_*> constants from I<openssl/core_dispatch.h>,
|
||||
+e.g., I<OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE> or I<OSSL_FUNC_SIGNATURE_SIGN>.
|
||||
+
|
||||
+Assuming I<function_id> is the function in question, the following code can be
|
||||
+used to query the approval status:
|
||||
+
|
||||
+ for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) {
|
||||
+ if (indicator_dispatch->function_id == function_id) {
|
||||
+ switch (indicator_dispatch->approved) {
|
||||
+ case OSSL_RH_FIPSINDICATOR_APPROVED:
|
||||
+ // approved security service
|
||||
+ break;
|
||||
+ case OSSL_RH_FIPSINDICATOR_UNAPPROVED:
|
||||
+ // unapproved security service
|
||||
+ break;
|
||||
+ default:
|
||||
+ // invalid result
|
||||
+ break;
|
||||
+ }
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+=head1 SEE ALSO
|
||||
+
|
||||
+L<fips_module(7)>, L<provider(7)>
|
||||
+
|
||||
+=head1 COPYRIGHT
|
||||
+
|
||||
+Copyright 2022 Red Hat, Inc. All Rights Reserved.
|
||||
+
|
||||
+Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+this file except in compliance with the License. You can obtain a copy
|
||||
+in the file LICENSE in the source distribution or at
|
||||
+L<https://www.openssl.org/source/license.html>.
|
||||
+
|
||||
+=cut
|
||||
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
||||
index de391ce067..1cfd71c5cf 100644
|
||||
--- a/providers/fips/fipsprov.c
|
||||
+++ b/providers/fips/fipsprov.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include "prov/seeding.h"
|
||||
#include "self_test.h"
|
||||
#include "internal/core.h"
|
||||
+#include "indicator.h"
|
||||
|
||||
static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
|
||||
static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
|
||||
@@ -425,6 +426,68 @@ static const OSSL_ALGORITHM fips_signature[] = {
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_rsa_signature_indicators[] = {
|
||||
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
|
||||
+};
|
||||
+
|
||||
+static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_ecdsa_signature_indicators[] = {
|
||||
+ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
|
||||
+ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
|
||||
+};
|
||||
+
|
||||
+static const OSSL_RH_FIPSINDICATOR_ALGORITHM redhat_indicator_fips_signature[] = {
|
||||
+ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES,
|
||||
+ redhat_rsa_signature_indicators },
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES,
|
||||
+ redhat_ecdsa_signature_indicators },
|
||||
+#endif
|
||||
+ { NULL, NULL, NULL }
|
||||
+};
|
||||
+
|
||||
static const OSSL_ALGORITHM fips_asym_cipher[] = {
|
||||
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
|
||||
{ NULL, NULL, NULL }
|
||||
@@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id) {
|
||||
+ switch (operation_id) {
|
||||
+ case OSSL_OP_SIGNATURE:
|
||||
+ return redhat_indicator_fips_signature;
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
static void fips_teardown(void *provctx)
|
||||
{
|
||||
OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
|
||||
diff --git a/providers/fips/indicator.h b/providers/fips/indicator.h
|
||||
new file mode 100644
|
||||
index 0000000000..b323efe44c
|
||||
--- /dev/null
|
||||
+++ b/providers/fips/indicator.h
|
||||
@@ -0,0 +1,66 @@
|
||||
+/*
|
||||
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ *
|
||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
+ */
|
||||
+
|
||||
+#ifndef OPENSSL_FIPS_INDICATOR_H
|
||||
+# define OPENSSL_FIPS_INDICATOR_H
|
||||
+# pragma once
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+extern "C" {
|
||||
+# endif
|
||||
+
|
||||
+# define OSSL_RH_FIPSINDICATOR_UNAPPROVED (0)
|
||||
+# define OSSL_RH_FIPSINDICATOR_APPROVED (1)
|
||||
+
|
||||
+/*
|
||||
+ * FIPS indicator dispatch table element. function_id numbers and the
|
||||
+ * functions are defined in core_dispatch.h, see macros with
|
||||
+ * 'OSSL_CORE_MAKE_FUNC' in their names.
|
||||
+ *
|
||||
+ * An array of these is always terminated by function_id == 0
|
||||
+ */
|
||||
+typedef struct ossl_rh_fipsindicator_dispatch_st {
|
||||
+ int function_id;
|
||||
+ int approved;
|
||||
+} OSSL_RH_FIPSINDICATOR_DISPATCH;
|
||||
+
|
||||
+/*
|
||||
+ * Type to tie together algorithm names, property definition string and the
|
||||
+ * algorithm implementation's FIPS indicator status in the form of a FIPS
|
||||
+ * indicator dispatch table.
|
||||
+ *
|
||||
+ * An array of these is always terminated by algorithm_names == NULL
|
||||
+ */
|
||||
+typedef struct ossl_rh_fipsindicator_algorithm_st {
|
||||
+ const char *algorithm_names; /* key */
|
||||
+ const char *property_definition; /* key */
|
||||
+ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
|
||||
+} OSSL_RH_FIPSINDICATOR_ALGORITHM;
|
||||
+
|
||||
+/**
|
||||
+ * Query FIPS indicator status for the given operation. Possible values for
|
||||
+ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms
|
||||
+ * use implicit indicators. The return value is an array of
|
||||
+ * OSSL_RH_FIPSINDICATOR_ALGORITHMs, terminated by an entry with
|
||||
+ * algorithm_names == NULL. 'algorithm_names' is a colon-separated list of
|
||||
+ * algorithm names, 'property_definition' a comma-separated list of properties,
|
||||
+ * and 'indicators' is a list of OSSL_RH_FIPSINDICATOR_DISPATCH structs. This
|
||||
+ * list is terminated by function_id == 0. 'function_id' is one of the
|
||||
+ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL.
|
||||
+ *
|
||||
+ * If there is no entry in the returned struct for the given operation_id,
|
||||
+ * algorithm name, or function_id, the algorithm is unapproved.
|
||||
+ */
|
||||
+const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id);
|
||||
+
|
||||
+# ifdef __cplusplus
|
||||
+}
|
||||
+# endif
|
||||
+
|
||||
+#endif
|
||||
diff --git a/util/mkdef.pl b/util/mkdef.pl
|
||||
index a1c76f7c97..eda39b71ee 100755
|
||||
--- a/util/mkdef.pl
|
||||
+++ b/util/mkdef.pl
|
||||
@@ -149,7 +149,8 @@ $ordinal_opts{filter} =
|
||||
return
|
||||
$item->exists()
|
||||
&& platform_filter($item)
|
||||
- && feature_filter($item);
|
||||
+ && feature_filter($item)
|
||||
+ && fips_filter($item, $name);
|
||||
};
|
||||
my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file);
|
||||
|
||||
@@ -205,6 +206,28 @@ sub feature_filter {
|
||||
return $verdict;
|
||||
}
|
||||
|
||||
+sub fips_filter {
|
||||
+ my $item = shift;
|
||||
+ my $name = uc(shift);
|
||||
+ my @features = ( $item->features() );
|
||||
+
|
||||
+ # True if no features are defined
|
||||
+ return 1 if scalar @features == 0;
|
||||
+
|
||||
+ my @matches = grep(/^ONLY_.*$/, @features);
|
||||
+ if (@matches) {
|
||||
+ # There is at least one only_* flag on this symbol, check if any of
|
||||
+ # them match the name
|
||||
+ for (@matches) {
|
||||
+ if ($_ eq "ONLY_${name}") {
|
||||
+ return 1;
|
||||
+ }
|
||||
+ }
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
sub sorter_unix {
|
||||
my $by_name = OpenSSL::Ordinals::by_name();
|
||||
my %weight = (
|
||||
diff --git a/util/providers.num b/util/providers.num
|
||||
index 4e2fa81b98..77879d0e5f 100644
|
||||
--- a/util/providers.num
|
||||
+++ b/util/providers.num
|
||||
@@ -1 +1,2 @@
|
||||
OSSL_provider_init 1 * EXIST::FUNCTION:
|
||||
+redhat_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,703 +0,0 @@
|
||||
From 33ffd36afa7594aeb958a925f521cb287ca850c8 Mon Sep 17 00:00:00 2001
|
||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
||||
Date: Mon, 27 Jun 2022 12:14:55 +1000
|
||||
Subject: [PATCH 1/2] Revert "Revert "bn: Add fixed length (n=6), unrolled PPC
|
||||
Montgomery Multiplication""
|
||||
|
||||
This reverts commit 712d9cc90e355b2c98a959d4e9398610d2269c9e.
|
||||
---
|
||||
crypto/bn/asm/ppc64-mont-fixed.pl | 581 ++++++++++++++++++++++++++++++
|
||||
crypto/bn/bn_ppc.c | 15 +
|
||||
crypto/bn/build.info | 3 +-
|
||||
3 files changed, 598 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
index e69de29bb2d1..0fb397bc5f12 100755
|
||||
--- a/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
+++ b/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
@@ -0,0 +1,581 @@
|
||||
+#! /usr/bin/env perl
|
||||
+# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+#
|
||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+# this file except in compliance with the License. You can obtain a copy
|
||||
+# in the file LICENSE in the source distribution or at
|
||||
+# https://www.openssl.org/source/license.html
|
||||
+
|
||||
+# ====================================================================
|
||||
+# Written by Amitay Isaacs <amitay@ozlabs.org>, Martin Schwenke
|
||||
+# <martin@meltin.net> & Alastair D'Silva <alastair@d-silva.org> for
|
||||
+# the OpenSSL project.
|
||||
+# ====================================================================
|
||||
+
|
||||
+#
|
||||
+# Fixed length (n=6), unrolled PPC Montgomery Multiplication
|
||||
+#
|
||||
+
|
||||
+# 2021
|
||||
+#
|
||||
+# Although this is a generic implementation for unrolling Montgomery
|
||||
+# Multiplication for arbitrary values of n, this is currently only
|
||||
+# used for n = 6 to improve the performance of ECC p384.
|
||||
+#
|
||||
+# Unrolling allows intermediate results to be stored in registers,
|
||||
+# rather than on the stack, improving performance by ~7% compared to
|
||||
+# the existing PPC assembly code.
|
||||
+#
|
||||
+# The ISA 3.0 implementation uses combination multiply/add
|
||||
+# instructions (maddld, maddhdu) to improve performance by an
|
||||
+# additional ~10% on Power 9.
|
||||
+#
|
||||
+# Finally, saving non-volatile registers into volatile vector
|
||||
+# registers instead of onto the stack saves a little more.
|
||||
+#
|
||||
+# On a Power 9 machine we see an overall improvement of ~18%.
|
||||
+#
|
||||
+
|
||||
+use strict;
|
||||
+use warnings;
|
||||
+
|
||||
+my ($flavour, $output, $dir, $xlate);
|
||||
+
|
||||
+# $output is the last argument if it looks like a file (it has an extension)
|
||||
+# $flavour is the first argument if it doesn't look like a file
|
||||
+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
|
||||
+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
|
||||
+
|
||||
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
|
||||
+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
|
||||
+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
|
||||
+die "can't locate ppc-xlate.pl";
|
||||
+
|
||||
+open STDOUT,"| $^X $xlate $flavour \"$output\""
|
||||
+ or die "can't call $xlate: $!";
|
||||
+
|
||||
+if ($flavour !~ /64/) {
|
||||
+ die "bad flavour ($flavour) - only ppc64 permitted";
|
||||
+}
|
||||
+
|
||||
+my $SIZE_T= 8;
|
||||
+
|
||||
+# Registers are global so the code is remotely readable
|
||||
+
|
||||
+# Parameters for Montgomery multiplication
|
||||
+my $sp = "r1";
|
||||
+my $toc = "r2";
|
||||
+my $rp = "r3";
|
||||
+my $ap = "r4";
|
||||
+my $bp = "r5";
|
||||
+my $np = "r6";
|
||||
+my $n0 = "r7";
|
||||
+my $num = "r8";
|
||||
+
|
||||
+my $i = "r9";
|
||||
+my $c0 = "r10";
|
||||
+my $bp0 = "r11";
|
||||
+my $bpi = "r11";
|
||||
+my $bpj = "r11";
|
||||
+my $tj = "r12";
|
||||
+my $apj = "r12";
|
||||
+my $npj = "r12";
|
||||
+my $lo = "r14";
|
||||
+my $c1 = "r14";
|
||||
+
|
||||
+# Non-volatile registers used for tp[i]
|
||||
+#
|
||||
+# 12 registers are available but the limit on unrolling is 10,
|
||||
+# since registers from $tp[0] to $tp[$n+1] are used.
|
||||
+my @tp = ("r20" .. "r31");
|
||||
+
|
||||
+# volatile VSRs for saving non-volatile GPRs - faster than stack
|
||||
+my @vsrs = ("v32" .. "v46");
|
||||
+
|
||||
+package Mont;
|
||||
+
|
||||
+sub new($$)
|
||||
+{
|
||||
+ my ($class, $n) = @_;
|
||||
+
|
||||
+ if ($n > 10) {
|
||||
+ die "Can't unroll for BN length ${n} (maximum 10)"
|
||||
+ }
|
||||
+
|
||||
+ my $self = {
|
||||
+ code => "",
|
||||
+ n => $n,
|
||||
+ };
|
||||
+ bless $self, $class;
|
||||
+
|
||||
+ return $self;
|
||||
+}
|
||||
+
|
||||
+sub add_code($$)
|
||||
+{
|
||||
+ my ($self, $c) = @_;
|
||||
+
|
||||
+ $self->{code} .= $c;
|
||||
+}
|
||||
+
|
||||
+sub get_code($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ return $self->{code};
|
||||
+}
|
||||
+
|
||||
+sub get_function_name($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ return "bn_mul_mont_fixed_n" . $self->{n};
|
||||
+}
|
||||
+
|
||||
+sub get_label($$)
|
||||
+{
|
||||
+ my ($self, $l) = @_;
|
||||
+
|
||||
+ return "L" . $l . "_" . $self->{n};
|
||||
+}
|
||||
+
|
||||
+sub get_labels($@)
|
||||
+{
|
||||
+ my ($self, @labels) = @_;
|
||||
+
|
||||
+ my %out = ();
|
||||
+
|
||||
+ foreach my $l (@labels) {
|
||||
+ $out{"$l"} = $self->get_label("$l");
|
||||
+ }
|
||||
+
|
||||
+ return \%out;
|
||||
+}
|
||||
+
|
||||
+sub nl($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ $self->add_code("\n");
|
||||
+}
|
||||
+
|
||||
+sub copy_result($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ my ($n) = $self->{n};
|
||||
+
|
||||
+ for (my $j = 0; $j < $n; $j++) {
|
||||
+ $self->add_code(<<___);
|
||||
+ std $tp[$j],`$j*$SIZE_T`($rp)
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+}
|
||||
+
|
||||
+sub mul_mont_fixed($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ my ($n) = $self->{n};
|
||||
+ my $fname = $self->get_function_name();
|
||||
+ my $label = $self->get_labels("outer", "enter", "sub", "copy", "end");
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+
|
||||
+.globl .${fname}
|
||||
+.align 5
|
||||
+.${fname}:
|
||||
+
|
||||
+___
|
||||
+
|
||||
+ $self->save_registers();
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $n0,0($n0)
|
||||
+
|
||||
+ ld $bp0,0($bp)
|
||||
+
|
||||
+ ld $apj,0($ap)
|
||||
+___
|
||||
+
|
||||
+ $self->mul_c_0($tp[0], $apj, $bp0, $c0);
|
||||
+
|
||||
+ for (my $j = 1; $j < $n - 1; $j++) {
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $apj,`$j*$SIZE_T`($ap)
|
||||
+___
|
||||
+ $self->mul($tp[$j], $apj, $bp0, $c0);
|
||||
+ }
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $apj,`($n-1)*$SIZE_T`($ap)
|
||||
+___
|
||||
+
|
||||
+ $self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0);
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ li $tp[$n+1],0
|
||||
+
|
||||
+___
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ li $i,0
|
||||
+ mtctr $num
|
||||
+ b $label->{"enter"}
|
||||
+
|
||||
+.align 4
|
||||
+$label->{"outer"}:
|
||||
+ ldx $bpi,$bp,$i
|
||||
+
|
||||
+ ld $apj,0($ap)
|
||||
+___
|
||||
+
|
||||
+ $self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0);
|
||||
+
|
||||
+ for (my $j = 1; $j < $n; $j++) {
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $apj,`$j*$SIZE_T`($ap)
|
||||
+___
|
||||
+ $self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0);
|
||||
+ }
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ addc $tp[$n],$tp[$n],$c0
|
||||
+ addze $tp[$n+1],$tp[$n+1]
|
||||
+___
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+.align 4
|
||||
+$label->{"enter"}:
|
||||
+ mulld $bpi,$tp[0],$n0
|
||||
+
|
||||
+ ld $npj,0($np)
|
||||
+___
|
||||
+
|
||||
+ $self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0);
|
||||
+
|
||||
+ for (my $j = 1; $j < $n; $j++) {
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $npj,`$j*$SIZE_T`($np)
|
||||
+___
|
||||
+ $self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0);
|
||||
+ }
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ addc $tp[$n-1],$tp[$n],$c0
|
||||
+ addze $tp[$n],$tp[$n+1]
|
||||
+
|
||||
+ addi $i,$i,$SIZE_T
|
||||
+ bdnz $label->{"outer"}
|
||||
+
|
||||
+ and. $tp[$n],$tp[$n],$tp[$n]
|
||||
+ bne $label->{"sub"}
|
||||
+
|
||||
+ cmpld $tp[$n-1],$npj
|
||||
+ blt $label->{"copy"}
|
||||
+
|
||||
+$label->{"sub"}:
|
||||
+___
|
||||
+
|
||||
+ #
|
||||
+ # Reduction
|
||||
+ #
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $bpj,`0*$SIZE_T`($np)
|
||||
+ subfc $c1,$bpj,$tp[0]
|
||||
+ std $c1,`0*$SIZE_T`($rp)
|
||||
+
|
||||
+___
|
||||
+ for (my $j = 1; $j < $n - 1; $j++) {
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $bpj,`$j*$SIZE_T`($np)
|
||||
+ subfe $c1,$bpj,$tp[$j]
|
||||
+ std $c1,`$j*$SIZE_T`($rp)
|
||||
+
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ subfe $c1,$npj,$tp[$n-1]
|
||||
+ std $c1,`($n-1)*$SIZE_T`($rp)
|
||||
+
|
||||
+___
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ addme. $tp[$n],$tp[$n]
|
||||
+ beq $label->{"end"}
|
||||
+
|
||||
+$label->{"copy"}:
|
||||
+___
|
||||
+
|
||||
+ $self->copy_result();
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+
|
||||
+$label->{"end"}:
|
||||
+___
|
||||
+
|
||||
+ $self->restore_registers();
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ li r3,1
|
||||
+ blr
|
||||
+.size .${fname},.-.${fname}
|
||||
+___
|
||||
+
|
||||
+}
|
||||
+
|
||||
+package Mont::GPR;
|
||||
+
|
||||
+our @ISA = ('Mont');
|
||||
+
|
||||
+sub new($$)
|
||||
+{
|
||||
+ my ($class, $n) = @_;
|
||||
+
|
||||
+ return $class->SUPER::new($n);
|
||||
+}
|
||||
+
|
||||
+sub save_registers($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ my $n = $self->{n};
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ std $lo,-8($sp)
|
||||
+___
|
||||
+
|
||||
+ for (my $j = 0; $j <= $n+1; $j++) {
|
||||
+ $self->{code}.=<<___;
|
||||
+ std $tp[$j],-`($j+2)*8`($sp)
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+sub restore_registers($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ my $n = $self->{n};
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ ld $lo,-8($sp)
|
||||
+___
|
||||
+
|
||||
+ for (my $j = 0; $j <= $n+1; $j++) {
|
||||
+ $self->{code}.=<<___;
|
||||
+ ld $tp[$j],-`($j+2)*8`($sp)
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $self->{code} .=<<___;
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Direct translation of C mul()
|
||||
+sub mul($$$$$)
|
||||
+{
|
||||
+ my ($self, $r, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $lo,$a,$w
|
||||
+ addc $r,$lo,$c
|
||||
+ mulhdu $c,$a,$w
|
||||
+ addze $c,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like mul() but $c is ignored as an input - an optimisation to save a
|
||||
+# preliminary instruction that would set input $c to 0
|
||||
+sub mul_c_0($$$$$)
|
||||
+{
|
||||
+ my ($self, $r, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $r,$a,$w
|
||||
+ mulhdu $c,$a,$w
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like mul() but does not to the final addition of CA into $c - an
|
||||
+# optimisation to save an instruction
|
||||
+sub mul_last($$$$$$)
|
||||
+{
|
||||
+ my ($self, $r1, $r2, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $lo,$a,$w
|
||||
+ addc $r1,$lo,$c
|
||||
+ mulhdu $c,$a,$w
|
||||
+
|
||||
+ addze $r2,$c
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like C mul_add() but allow $r_out and $r_in to be different
|
||||
+sub mul_add($$$$$$)
|
||||
+{
|
||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $lo,$a,$w
|
||||
+ addc $lo,$lo,$c
|
||||
+ mulhdu $c,$a,$w
|
||||
+ addze $c,$c
|
||||
+ addc $r_out,$r_in,$lo
|
||||
+ addze $c,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like mul_add() but $c is ignored as an input - an optimisation to save a
|
||||
+# preliminary instruction that would set input $c to 0
|
||||
+sub mul_add_c_0($$$$$$)
|
||||
+{
|
||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $lo,$a,$w
|
||||
+ addc $r_out,$r_in,$lo
|
||||
+ mulhdu $c,$a,$w
|
||||
+ addze $c,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+package Mont::GPR_300;
|
||||
+
|
||||
+our @ISA = ('Mont::GPR');
|
||||
+
|
||||
+sub new($$)
|
||||
+{
|
||||
+ my ($class, $n) = @_;
|
||||
+
|
||||
+ my $mont = $class->SUPER::new($n);
|
||||
+
|
||||
+ return $mont;
|
||||
+}
|
||||
+
|
||||
+sub get_function_name($)
|
||||
+{
|
||||
+ my ($self) = @_;
|
||||
+
|
||||
+ return "bn_mul_mont_300_fixed_n" . $self->{n};
|
||||
+}
|
||||
+
|
||||
+sub get_label($$)
|
||||
+{
|
||||
+ my ($self, $l) = @_;
|
||||
+
|
||||
+ return "L" . $l . "_300_" . $self->{n};
|
||||
+}
|
||||
+
|
||||
+# Direct translation of C mul()
|
||||
+sub mul($$$$$)
|
||||
+{
|
||||
+ my ($self, $r, $a, $w, $c, $last) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ maddld $r,$a,$w,$c
|
||||
+ maddhdu $c,$a,$w,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Save the last carry as the final entry
|
||||
+sub mul_last($$$$$)
|
||||
+{
|
||||
+ my ($self, $r1, $r2, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ maddld $r1,$a,$w,$c
|
||||
+ maddhdu $r2,$a,$w,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like mul() but $c is ignored as an input - an optimisation to save a
|
||||
+# preliminary instruction that would set input $c to 0
|
||||
+sub mul_c_0($$$$$)
|
||||
+{
|
||||
+ my ($self, $r, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ mulld $r,$a,$w
|
||||
+ mulhdu $c,$a,$w
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like C mul_add() but allow $r_out and $r_in to be different
|
||||
+sub mul_add($$$$$$)
|
||||
+{
|
||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ maddld $lo,$a,$w,$c
|
||||
+ maddhdu $c,$a,$w,$c
|
||||
+ addc $r_out,$r_in,$lo
|
||||
+ addze $c,$c
|
||||
+
|
||||
+___
|
||||
+}
|
||||
+
|
||||
+# Like mul_add() but $c is ignored as an input - an optimisation to save a
|
||||
+# preliminary instruction that would set input $c to 0
|
||||
+sub mul_add_c_0($$$$$$)
|
||||
+{
|
||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
||||
+
|
||||
+ $self->add_code(<<___);
|
||||
+ maddld $lo,$a,$w,$r_in
|
||||
+ maddhdu $c,$a,$w,$r_in
|
||||
+___
|
||||
+
|
||||
+ if ($r_out ne $lo) {
|
||||
+ $self->add_code(<<___);
|
||||
+ mr $r_out,$lo
|
||||
+___
|
||||
+ }
|
||||
+
|
||||
+ $self->nl();
|
||||
+}
|
||||
+
|
||||
+
|
||||
+package main;
|
||||
+
|
||||
+my $code;
|
||||
+
|
||||
+$code.=<<___;
|
||||
+.machine "any"
|
||||
+.text
|
||||
+___
|
||||
+
|
||||
+my $mont;
|
||||
+
|
||||
+$mont = new Mont::GPR(6);
|
||||
+$mont->mul_mont_fixed();
|
||||
+$code .= $mont->get_code();
|
||||
+
|
||||
+$mont = new Mont::GPR_300(6);
|
||||
+$mont->mul_mont_fixed();
|
||||
+$code .= $mont->get_code();
|
||||
+
|
||||
+$code =~ s/\`([^\`]*)\`/eval $1/gem;
|
||||
+
|
||||
+$code.=<<___;
|
||||
+.asciz "Montgomery Multiplication for PPC by <amitay\@ozlabs.org>, <alastair\@d-silva.org>"
|
||||
+___
|
||||
+
|
||||
+print $code;
|
||||
+close STDOUT or die "error closing STDOUT: $!";
|
||||
diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c
|
||||
index 3ee76ea96574..1e9421bee213 100644
|
||||
--- a/crypto/bn/bn_ppc.c
|
||||
+++ b/crypto/bn/bn_ppc.c
|
||||
@@ -19,6 +19,12 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
|
||||
const BN_ULONG *np, const BN_ULONG *n0, int num);
|
||||
int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
|
||||
const BN_ULONG *np, const BN_ULONG *n0, int num);
|
||||
+ int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
|
||||
+ const BN_ULONG *bp, const BN_ULONG *np,
|
||||
+ const BN_ULONG *n0, int num);
|
||||
+ int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
|
||||
+ const BN_ULONG *bp, const BN_ULONG *np,
|
||||
+ const BN_ULONG *n0, int num);
|
||||
|
||||
if (num < 4)
|
||||
return 0;
|
||||
@@ -34,5 +40,14 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
|
||||
* no opportunity to figure it out...
|
||||
*/
|
||||
|
||||
+#if defined(_ARCH_PPC64) && !defined(__ILP32__)
|
||||
+ if (num == 6) {
|
||||
+ if (OPENSSL_ppccap_P & PPC_MADD300)
|
||||
+ return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num);
|
||||
+ else
|
||||
+ return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
return bn_mul_mont_int(rp, ap, bp, np, n0, num);
|
||||
}
|
||||
diff --git a/crypto/bn/build.info b/crypto/bn/build.info
|
||||
index 4f8d0689b5ea..987a70ae263b 100644
|
||||
--- a/crypto/bn/build.info
|
||||
+++ b/crypto/bn/build.info
|
||||
@@ -79,7 +79,7 @@ IF[{- !$disabled{asm} -}]
|
||||
|
||||
$BNASM_ppc32=bn_ppc.c bn-ppc.s ppc-mont.s
|
||||
$BNDEF_ppc32=OPENSSL_BN_ASM_MONT
|
||||
- $BNASM_ppc64=$BNASM_ppc32
|
||||
+ $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s
|
||||
$BNDEF_ppc64=$BNDEF_ppc32
|
||||
|
||||
$BNASM_c64xplus=asm/bn-c64xplus.asm
|
||||
@@ -173,6 +173,7 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.pl
|
||||
GENERATE[bn-ppc.s]=asm/ppc.pl
|
||||
GENERATE[ppc-mont.s]=asm/ppc-mont.pl
|
||||
GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl
|
||||
+GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl
|
||||
|
||||
GENERATE[alpha-mont.S]=asm/alpha-mont.pl
|
||||
|
||||
|
||||
From 01ebad0d6e3a09bc9e32350b402901471610a3dc Mon Sep 17 00:00:00 2001
|
||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
||||
Date: Thu, 30 Jun 2022 16:21:06 +1000
|
||||
Subject: [PATCH 2/2] Fix unrolled montgomery multiplication for POWER9
|
||||
|
||||
In the reference C implementation in bn_asm.c, tp[num + 1] contains the
|
||||
carry bit for accumulations into tp[num]. tp[num + 1] is only ever
|
||||
assigned, never itself incremented.
|
||||
---
|
||||
crypto/bn/asm/ppc64-mont-fixed.pl | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
index 0fb397bc5f12..e27d0ad93d85 100755
|
||||
--- a/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
+++ b/crypto/bn/asm/ppc64-mont-fixed.pl
|
||||
@@ -63,6 +63,7 @@
|
||||
# Registers are global so the code is remotely readable
|
||||
|
||||
# Parameters for Montgomery multiplication
|
||||
+my $ze = "r0";
|
||||
my $sp = "r1";
|
||||
my $toc = "r2";
|
||||
my $rp = "r3";
|
||||
@@ -192,6 +193,7 @@ ($)
|
||||
$self->save_registers();
|
||||
|
||||
$self->add_code(<<___);
|
||||
+ li $ze,0
|
||||
ld $n0,0($n0)
|
||||
|
||||
ld $bp0,0($bp)
|
||||
@@ -242,7 +244,7 @@ ($)
|
||||
|
||||
$self->add_code(<<___);
|
||||
addc $tp[$n],$tp[$n],$c0
|
||||
- addze $tp[$n+1],$tp[$n+1]
|
||||
+ addze $tp[$n+1],$ze
|
||||
___
|
||||
|
||||
$self->add_code(<<___);
|
||||
@@ -272,7 +274,7 @@ ($)
|
||||
and. $tp[$n],$tp[$n],$tp[$n]
|
||||
bne $label->{"sub"}
|
||||
|
||||
- cmpld $tp[$n-1],$npj
|
||||
+ cmpld $tp[$n-1],$npj
|
||||
blt $label->{"copy"}
|
||||
|
||||
$label->{"sub"}:
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,373 +0,0 @@
|
||||
From 4a2239bd7d444c30c55b20ea8b4aeadafdfe1afd Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 22 Jul 2022 13:59:37 +0200
|
||||
Subject: [PATCH] FIPS: Use OAEP in KATs, support fixed OAEP seed
|
||||
|
||||
Review by our lab for FIPS 140-3 certification expects the RSA
|
||||
encryption and decryption tests to use a supported padding mode, not raw
|
||||
RSA signatures. Switch to RSA-OAEP for the self tests to fulfill that.
|
||||
|
||||
The FIPS 140-3 Implementation Guidance specifies in section 10.3.A
|
||||
"Cryptographic Algorithm Self-Test Requirements" that a self-test may be
|
||||
a known-answer test, a comparison test, or a fault-detection test.
|
||||
|
||||
Comparison tests are not an option, because they would require
|
||||
a separate implementation of RSA-OAEP, which we do not have. Fault
|
||||
detection tests require implementing fault detection mechanisms into the
|
||||
cryptographic algorithm implementation, we we also do not have.
|
||||
|
||||
As a consequence, a known-answer test must be used to test RSA
|
||||
encryption and decryption, but RSA encryption with OAEP padding is not
|
||||
deterministic, and thus encryption will always yield different results
|
||||
that could not be compared to known answers. For this reason, this
|
||||
change explicitly sets the seed in OAEP (see RFC 8017 section 7.1.1),
|
||||
which is the source of randomness for RSA-OAEP, to a fixed value. This
|
||||
setting is only available during self-test execution, and the parameter
|
||||
set using EVP_PKEY_CTX_set_params() will be ignored otherwise.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/rsa/rsa_local.h | 8 ++
|
||||
crypto/rsa/rsa_oaep.c | 34 ++++++--
|
||||
include/openssl/core_names.h | 3 +
|
||||
providers/fips/self_test_data.inc | 83 +++++++++++--------
|
||||
providers/fips/self_test_kats.c | 7 ++
|
||||
.../implementations/asymciphers/rsa_enc.c | 41 ++++++++-
|
||||
6 files changed, 133 insertions(+), 43 deletions(-)
|
||||
|
||||
diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
|
||||
index ea70da05ad..dde57a1a0e 100644
|
||||
--- a/crypto/rsa/rsa_local.h
|
||||
+++ b/crypto/rsa/rsa_local.h
|
||||
@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to
|
||||
int tlen, const unsigned char *from,
|
||||
int flen);
|
||||
|
||||
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
|
||||
+ unsigned char *to, int tlen,
|
||||
+ const unsigned char *from, int flen,
|
||||
+ const unsigned char *param,
|
||||
+ int plen, const EVP_MD *md,
|
||||
+ const EVP_MD *mgf1md,
|
||||
+ const char *redhat_st_seed);
|
||||
+
|
||||
#endif /* OSSL_CRYPTO_RSA_LOCAL_H */
|
||||
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
|
||||
index d9be1a4f98..b2f7f7dc4b 100644
|
||||
--- a/crypto/rsa/rsa_oaep.c
|
||||
+++ b/crypto/rsa/rsa_oaep.c
|
||||
@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
|
||||
param, plen, NULL, NULL);
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+extern int REDHAT_FIPS_asym_cipher_st;
|
||||
+#endif /* FIPS_MODULE */
|
||||
+
|
||||
/*
|
||||
* Perform the padding as per NIST 800-56B 7.2.2.3
|
||||
* from (K) is the key material.
|
||||
@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
|
||||
* Step numbers are included here but not in the constant time inverse below
|
||||
* to avoid complicating an already difficult enough function.
|
||||
*/
|
||||
-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
||||
- unsigned char *to, int tlen,
|
||||
- const unsigned char *from, int flen,
|
||||
- const unsigned char *param,
|
||||
- int plen, const EVP_MD *md,
|
||||
- const EVP_MD *mgf1md)
|
||||
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
|
||||
+ unsigned char *to, int tlen,
|
||||
+ const unsigned char *from, int flen,
|
||||
+ const unsigned char *param,
|
||||
+ int plen, const EVP_MD *md,
|
||||
+ const EVP_MD *mgf1md,
|
||||
+ const char *redhat_st_seed)
|
||||
{
|
||||
int rv = 0;
|
||||
int i, emlen = tlen - 1;
|
||||
@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
||||
db[emlen - flen - mdlen - 1] = 0x01;
|
||||
memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
|
||||
/* step 3d: generate random byte string */
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) {
|
||||
+ memcpy(seed, redhat_st_seed, mdlen);
|
||||
+ } else
|
||||
+#endif
|
||||
if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
|
||||
goto err;
|
||||
|
||||
@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
||||
return rv;
|
||||
}
|
||||
|
||||
+int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
||||
+ unsigned char *to, int tlen,
|
||||
+ const unsigned char *from, int flen,
|
||||
+ const unsigned char *param,
|
||||
+ int plen, const EVP_MD *md,
|
||||
+ const EVP_MD *mgf1md)
|
||||
+{
|
||||
+ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from,
|
||||
+ flen, param, plen, md,
|
||||
+ mgf1md, NULL);
|
||||
+}
|
||||
+
|
||||
int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
|
||||
const unsigned char *from, int flen,
|
||||
const unsigned char *param, int plen,
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 59a6e79566..11216fb8f8 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -469,6 +469,9 @@ extern "C" {
|
||||
#define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"
|
||||
#define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"
|
||||
#define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"
|
||||
+#ifdef FIPS_MODULE
|
||||
+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed"
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Encoder / decoder parameters
|
||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
||||
index 4e30ec56dd..0103c87528 100644
|
||||
--- a/providers/fips/self_test_data.inc
|
||||
+++ b/providers/fips/self_test_data.inc
|
||||
@@ -1294,15 +1294,22 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
|
||||
ST_KAT_PARAM_END()
|
||||
};
|
||||
|
||||
-/*-
|
||||
- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the
|
||||
- * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
|
||||
- * HP/UX PA-RISC compilers.
|
||||
- */
|
||||
-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
|
||||
-
|
||||
+/*-
|
||||
+ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the
|
||||
+ * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
|
||||
+ * HP/UX PA-RISC compilers.
|
||||
+ */
|
||||
+static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP;
|
||||
+static const char oaep_fixed_seed[] = {
|
||||
+ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25,
|
||||
+ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab,
|
||||
+ 0x2e, 0x4b, 0x2c, 0xe6
|
||||
+};
|
||||
+
|
||||
static const ST_KAT_PARAM rsa_enc_params[] = {
|
||||
- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none),
|
||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep),
|
||||
+ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED,
|
||||
+ oaep_fixed_seed),
|
||||
ST_KAT_PARAM_END()
|
||||
};
|
||||
|
||||
@@ -1335,43 +1348,43 @@ static const unsigned char rsa_expected_sig[256] = {
|
||||
0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6
|
||||
};
|
||||
|
||||
-static const unsigned char rsa_asym_plaintext_encrypt[256] = {
|
||||
+static const unsigned char rsa_asym_plaintext_encrypt[208] = {
|
||||
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
|
||||
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
|
||||
};
|
||||
static const unsigned char rsa_asym_expected_encrypt[256] = {
|
||||
- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b,
|
||||
- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61,
|
||||
- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c,
|
||||
- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc,
|
||||
- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0,
|
||||
- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa,
|
||||
- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a,
|
||||
- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc,
|
||||
- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35,
|
||||
- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a,
|
||||
- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd,
|
||||
- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda,
|
||||
- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18,
|
||||
- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7,
|
||||
- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39,
|
||||
- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87,
|
||||
- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21,
|
||||
- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0,
|
||||
- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8,
|
||||
- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c,
|
||||
- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa,
|
||||
- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69,
|
||||
- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52,
|
||||
- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c,
|
||||
- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6,
|
||||
- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93,
|
||||
- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d,
|
||||
- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5,
|
||||
- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9,
|
||||
- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04,
|
||||
- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa,
|
||||
- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab,
|
||||
+ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74,
|
||||
+ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c,
|
||||
+ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e,
|
||||
+ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b,
|
||||
+ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25,
|
||||
+ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89,
|
||||
+ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1,
|
||||
+ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50,
|
||||
+ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17,
|
||||
+ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2,
|
||||
+ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb,
|
||||
+ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d,
|
||||
+ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e,
|
||||
+ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f,
|
||||
+ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3,
|
||||
+ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06,
|
||||
+ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25,
|
||||
+ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78,
|
||||
+ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04,
|
||||
+ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c,
|
||||
+ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47,
|
||||
+ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce,
|
||||
+ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0,
|
||||
+ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6,
|
||||
+ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99,
|
||||
+ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30,
|
||||
+ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20,
|
||||
+ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb,
|
||||
+ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27,
|
||||
+ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66,
|
||||
+ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a,
|
||||
+ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06
|
||||
};
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
|
||||
index 064794d9bf..b6d5e8e134 100644
|
||||
--- a/providers/fips/self_test_kats.c
|
||||
+++ b/providers/fips/self_test_kats.c
|
||||
@@ -647,14 +647,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+int REDHAT_FIPS_asym_cipher_st = 0;
|
||||
+
|
||||
static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
|
||||
{
|
||||
int i, ret = 1;
|
||||
|
||||
+ REDHAT_FIPS_asym_cipher_st = 1;
|
||||
+
|
||||
for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
|
||||
if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
|
||||
ret = 0;
|
||||
}
|
||||
+
|
||||
+ REDHAT_FIPS_asym_cipher_st = 0;
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
||||
index 00cf65fcd6..83be3d8ede 100644
|
||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
||||
@@ -30,6 +30,9 @@
|
||||
#include "prov/implementations.h"
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/securitycheck.h"
|
||||
+#ifdef FIPS_MODULE
|
||||
+# include "crypto/rsa/rsa_local.h"
|
||||
+#endif
|
||||
|
||||
#include <stdlib.h>
|
||||
|
||||
@@ -75,6 +78,9 @@ typedef struct {
|
||||
/* TLS padding */
|
||||
unsigned int client_version;
|
||||
unsigned int alt_version;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ char *redhat_st_oaep_seed;
|
||||
+#endif /* FIPS_MODULE */
|
||||
} PROV_RSA_CTX;
|
||||
|
||||
static void *rsa_newctx(void *provctx)
|
||||
@@ -190,12 +196,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
|
||||
return 0;
|
||||
}
|
||||
ret =
|
||||
- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,
|
||||
+#ifdef FIPS_MODULE
|
||||
+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(
|
||||
+#else
|
||||
+ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(
|
||||
+#endif
|
||||
+ prsactx->libctx, tbuf,
|
||||
rsasize, in, inlen,
|
||||
prsactx->oaep_label,
|
||||
prsactx->oaep_labellen,
|
||||
prsactx->oaep_md,
|
||||
- prsactx->mgf1_md);
|
||||
+ prsactx->mgf1_md
|
||||
+#ifdef FIPS_MODULE
|
||||
+ , prsactx->redhat_st_oaep_seed
|
||||
+#endif
|
||||
+ );
|
||||
|
||||
if (!ret) {
|
||||
OPENSSL_free(tbuf);
|
||||
@@ -326,6 +341,9 @@ static void rsa_freectx(void *vprsactx)
|
||||
EVP_MD_free(prsactx->oaep_md);
|
||||
EVP_MD_free(prsactx->mgf1_md);
|
||||
OPENSSL_free(prsactx->oaep_label);
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OPENSSL_free(prsactx->redhat_st_oaep_seed);
|
||||
+#endif /* FIPS_MODULE */
|
||||
|
||||
OPENSSL_free(prsactx);
|
||||
}
|
||||
@@ -445,6 +463,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
NULL, 0),
|
||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
|
||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
|
||||
+#endif /* FIPS_MODULE */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
@@ -454,6 +475,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
|
||||
return known_gettable_ctx_params;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+extern int REDHAT_FIPS_asym_cipher_st;
|
||||
+#endif /* FIPS_MODULE */
|
||||
+
|
||||
static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
{
|
||||
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
|
||||
@@ -563,6 +588,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
prsactx->oaep_labellen = tmp_labellen;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED);
|
||||
+ if (p != NULL && REDHAT_FIPS_asym_cipher_st) {
|
||||
+ void *tmp_oaep_seed = NULL;
|
||||
+
|
||||
+ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL))
|
||||
+ return 0;
|
||||
+ OPENSSL_free(prsactx->redhat_st_oaep_seed);
|
||||
+ prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed;
|
||||
+ }
|
||||
+#endif /* FIPS_MODULE */
|
||||
+
|
||||
p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
|
||||
if (p != NULL) {
|
||||
unsigned int client_version;
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,313 +0,0 @@
|
||||
From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 15 Jul 2022 17:45:40 +0200
|
||||
Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test
|
||||
|
||||
In review for FIPS 140-3, the lack of a self-test for the digest_sign
|
||||
and digest_verify provider functions was highlighted as a problem. NIST
|
||||
no longer provides ACVP tests for the RSA SigVer primitive (see
|
||||
https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3
|
||||
recommends the use of functions that compute the digest and signature
|
||||
within the module, we have been advised in our module review that the
|
||||
self tests should also use the combined digest and signature APIs, i.e.
|
||||
the digest_sign and digest_verify provider functions.
|
||||
|
||||
Modify the signature self-test to use these instead by switching to
|
||||
EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to
|
||||
crypto/evp/m_sigver.c to make these functions usable in the FIPS module.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------
|
||||
providers/fips/self_test_kats.c | 37 +++++++++++++++-------------
|
||||
2 files changed, 56 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
||||
index db1a1d7bc3..c94c3c53bd 100644
|
||||
--- a/crypto/evp/m_sigver.c
|
||||
+++ b/crypto/evp/m_sigver.c
|
||||
@@ -88,6 +88,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
|
||||
return 0;
|
||||
}
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
/*
|
||||
* If we get the "NULL" md then the name comes back as "UNDEF". We want to use
|
||||
@@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
reinit = 0;
|
||||
if (e == NULL)
|
||||
ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
|
||||
+#ifndef FIPS_MODULE
|
||||
else
|
||||
ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
}
|
||||
if (ctx->pctx == NULL)
|
||||
return 0;
|
||||
@@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
locpctx = ctx->pctx;
|
||||
ERR_set_mark();
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if (evp_pkey_ctx_is_legacy(locpctx))
|
||||
goto legacy;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
/* do not reinitialize if pkey is set or operation is different */
|
||||
if (reinit
|
||||
@@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
signature =
|
||||
evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
|
||||
supported_sig, locpctx->propquery);
|
||||
+#ifndef FIPS_MODULE
|
||||
if (signature == NULL)
|
||||
goto legacy;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
break;
|
||||
}
|
||||
if (signature == NULL)
|
||||
@@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
|
||||
if (ctx->fetched_digest != NULL) {
|
||||
ctx->digest = ctx->reqdigest = ctx->fetched_digest;
|
||||
+#ifndef FIPS_MODULE
|
||||
} else {
|
||||
/* legacy engine support : remove the mark when this is deleted */
|
||||
ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
|
||||
@@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
goto err;
|
||||
}
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
}
|
||||
(void)ERR_pop_to_mark();
|
||||
}
|
||||
}
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if (ctx->reqdigest != NULL
|
||||
&& !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
|
||||
&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
||||
@@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
if (ver) {
|
||||
if (signature->digest_verify_init == NULL) {
|
||||
@@ -366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
EVP_KEYMGMT_free(tmp_keymgmt);
|
||||
return 0;
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
legacy:
|
||||
/*
|
||||
* If we don't have the full support we need with provided methods,
|
||||
@@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
ctx->pctx->flag_call_digest_custom = 1;
|
||||
|
||||
ret = 1;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
end:
|
||||
#ifndef FIPS_MODULE
|
||||
@@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
|
||||
NULL);
|
||||
}
|
||||
-#endif /* FIPS_MDOE */
|
||||
|
||||
int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
||||
{
|
||||
@@ -541,23 +553,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
|
||||
return EVP_DigestUpdate(ctx, data, dsize);
|
||||
}
|
||||
|
||||
-#ifndef FIPS_MODULE
|
||||
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
||||
size_t *siglen)
|
||||
{
|
||||
- int sctx = 0, r = 0;
|
||||
- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
|
||||
+ int r = 0;
|
||||
+#ifndef FIPS_MODULE
|
||||
+ int sctx = 0;
|
||||
+ EVP_PKEY_CTX *dctx;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if (pctx == NULL
|
||||
|| pctx->operation != EVP_PKEY_OP_SIGNCTX
|
||||
|| pctx->op.sig.algctx == NULL
|
||||
|| pctx->op.sig.signature == NULL)
|
||||
goto legacy;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
|
||||
return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
|
||||
sigret, siglen,
|
||||
sigret == NULL ? 0 : *siglen);
|
||||
+#ifndef FIPS_MODULE
|
||||
dctx = EVP_PKEY_CTX_dup(pctx);
|
||||
if (dctx == NULL)
|
||||
return 0;
|
||||
@@ -566,8 +584,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
||||
sigret, siglen,
|
||||
*siglen);
|
||||
EVP_PKEY_CTX_free(dctx);
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
return r;
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
legacy:
|
||||
if (pctx == NULL || pctx->pmeth == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
@@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
}
|
||||
|
||||
int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
||||
@@ -669,21 +690,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
||||
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
||||
size_t siglen)
|
||||
{
|
||||
- unsigned char md[EVP_MAX_MD_SIZE];
|
||||
int r = 0;
|
||||
+#ifndef FIPS_MODULE
|
||||
+ unsigned char md[EVP_MAX_MD_SIZE];
|
||||
unsigned int mdlen = 0;
|
||||
int vctx = 0;
|
||||
- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
|
||||
+ EVP_PKEY_CTX *dctx;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
+ EVP_PKEY_CTX *pctx = ctx->pctx;
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
if (pctx == NULL
|
||||
|| pctx->operation != EVP_PKEY_OP_VERIFYCTX
|
||||
|| pctx->op.sig.algctx == NULL
|
||||
|| pctx->op.sig.signature == NULL)
|
||||
goto legacy;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
|
||||
if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
|
||||
return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
|
||||
sig, siglen);
|
||||
+#ifndef FIPS_MODULE
|
||||
dctx = EVP_PKEY_CTX_dup(pctx);
|
||||
if (dctx == NULL)
|
||||
return 0;
|
||||
@@ -691,8 +718,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
||||
r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx,
|
||||
sig, siglen);
|
||||
EVP_PKEY_CTX_free(dctx);
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
return r;
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
legacy:
|
||||
if (pctx == NULL || pctx->pmeth == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
@@ -732,6 +761,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
|
||||
if (vctx || !r)
|
||||
return r;
|
||||
return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
}
|
||||
|
||||
int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
||||
@@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
|
||||
return -1;
|
||||
return EVP_DigestVerifyFinal(ctx, sigret, siglen);
|
||||
}
|
||||
-#endif /* FIPS_MODULE */
|
||||
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
|
||||
index b6d5e8e134..77eec075e6 100644
|
||||
--- a/providers/fips/self_test_kats.c
|
||||
+++ b/providers/fips/self_test_kats.c
|
||||
@@ -444,11 +444,14 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
int ret = 0;
|
||||
OSSL_PARAM *params = NULL, *params_sig = NULL;
|
||||
OSSL_PARAM_BLD *bld = NULL;
|
||||
+ EVP_MD *md = NULL;
|
||||
+ EVP_MD_CTX *ctx = NULL;
|
||||
EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
- unsigned char sig[256];
|
||||
BN_CTX *bnctx = NULL;
|
||||
BIGNUM *K = NULL;
|
||||
+ const char *msg = "Hello World!";
|
||||
+ unsigned char sig[256];
|
||||
size_t siglen = sizeof(sig);
|
||||
static const unsigned char dgst[] = {
|
||||
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
|
||||
@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
|| EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
|
||||
goto err;
|
||||
|
||||
- /* Create a EVP_PKEY_CTX to use for the signing operation */
|
||||
- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
|
||||
- if (sctx == NULL
|
||||
- || EVP_PKEY_sign_init(sctx) <= 0)
|
||||
- goto err;
|
||||
-
|
||||
- /* set signature parameters */
|
||||
- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
|
||||
- t->mdalgorithm,
|
||||
- strlen(t->mdalgorithm) + 1))
|
||||
- goto err;
|
||||
+ /* Create a EVP_MD_CTX to use for the signature operation, assign signature
|
||||
+ * parameters and sign */
|
||||
params_sig = OSSL_PARAM_BLD_to_param(bld);
|
||||
- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
|
||||
+ md = EVP_MD_fetch(libctx, "SHA256", NULL);
|
||||
+ ctx = EVP_MD_CTX_new();
|
||||
+ if (md == NULL || ctx == NULL)
|
||||
+ goto err;
|
||||
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
|
||||
+ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
|
||||
+ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
|
||||
+ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
|
||||
+ || EVP_MD_CTX_reset(ctx) <= 0)
|
||||
goto err;
|
||||
|
||||
- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
|
||||
- || EVP_PKEY_verify_init(sctx) <= 0
|
||||
+ /* sctx is not freed automatically inside the FIPS module */
|
||||
+ EVP_PKEY_CTX_free(sctx);
|
||||
+ sctx = NULL;
|
||||
+
|
||||
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
|
||||
+ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
|
||||
|| EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
|
||||
goto err;
|
||||
|
||||
@@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
|
||||
goto err;
|
||||
|
||||
OSSL_SELF_TEST_oncorrupt_byte(st, sig);
|
||||
- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
|
||||
+ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
BN_CTX_free(bnctx);
|
||||
EVP_PKEY_free(pkey);
|
||||
- EVP_PKEY_CTX_free(kctx);
|
||||
+ EVP_MD_free(md);
|
||||
+ EVP_MD_CTX_free(ctx);
|
||||
+ /* sctx is not freed automatically inside the FIPS module */
|
||||
EVP_PKEY_CTX_free(sctx);
|
||||
+ EVP_PKEY_CTX_free(kctx);
|
||||
OSSL_PARAM_free(params);
|
||||
OSSL_PARAM_free(params_sig);
|
||||
OSSL_PARAM_BLD_free(bld);
|
||||
--
|
||||
2.37.1
|
||||
|
@ -1,378 +0,0 @@
|
||||
From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 22 Jul 2022 17:51:16 +0200
|
||||
Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
providers/fips/self_test_data.inc | 342 +++++++++++++++---------------
|
||||
1 file changed, 172 insertions(+), 170 deletions(-)
|
||||
|
||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
||||
index a29cc650b5..1b5623833f 100644
|
||||
--- a/providers/fips/self_test_data.inc
|
||||
+++ b/providers/fips/self_test_data.inc
|
||||
@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
|
||||
|
||||
#ifndef OPENSSL_NO_DH
|
||||
/* DH KAT */
|
||||
+/* RFC7919 FFDHE2048 p */
|
||||
static const unsigned char dh_p[] = {
|
||||
- 0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25,
|
||||
- 0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0,
|
||||
- 0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66,
|
||||
- 0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b,
|
||||
- 0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe,
|
||||
- 0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce,
|
||||
- 0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d,
|
||||
- 0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d,
|
||||
- 0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde,
|
||||
- 0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb,
|
||||
- 0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17,
|
||||
- 0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0,
|
||||
- 0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97,
|
||||
- 0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9,
|
||||
- 0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7,
|
||||
- 0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1,
|
||||
- 0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d,
|
||||
- 0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82,
|
||||
- 0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4,
|
||||
- 0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c,
|
||||
- 0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b,
|
||||
- 0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50,
|
||||
- 0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31,
|
||||
- 0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44,
|
||||
- 0xb9, 0x46, 0xfe, 0x9d, 0xf6, 0x77, 0xa0, 0xc5,
|
||||
- 0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80,
|
||||
- 0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12,
|
||||
- 0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94,
|
||||
- 0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7,
|
||||
- 0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1,
|
||||
- 0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d,
|
||||
- 0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69
|
||||
-};
|
||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
||||
+ 0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a,
|
||||
+ 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
|
||||
+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95,
|
||||
+ 0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb,
|
||||
+ 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
|
||||
+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8,
|
||||
+ 0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a,
|
||||
+ 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
|
||||
+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0,
|
||||
+ 0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3,
|
||||
+ 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
|
||||
+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77,
|
||||
+ 0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72,
|
||||
+ 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
|
||||
+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a,
|
||||
+ 0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61,
|
||||
+ 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
|
||||
+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68,
|
||||
+ 0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4,
|
||||
+ 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
|
||||
+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70,
|
||||
+ 0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec,
|
||||
+ 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
|
||||
+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff,
|
||||
+ 0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83,
|
||||
+ 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
|
||||
+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05,
|
||||
+ 0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2,
|
||||
+ 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
|
||||
+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97,
|
||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
|
||||
+};
|
||||
+/* RFC7919 FFDHE2048 q */
|
||||
static const unsigned char dh_q[] = {
|
||||
- 0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e,
|
||||
- 0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83,
|
||||
- 0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea,
|
||||
- 0x11, 0xac, 0xb5, 0x7d
|
||||
-};
|
||||
+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
||||
+ 0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d,
|
||||
+ 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
|
||||
+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a,
|
||||
+ 0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd,
|
||||
+ 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
|
||||
+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec,
|
||||
+ 0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd,
|
||||
+ 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
|
||||
+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68,
|
||||
+ 0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79,
|
||||
+ 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
|
||||
+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb,
|
||||
+ 0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39,
|
||||
+ 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
|
||||
+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd,
|
||||
+ 0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0,
|
||||
+ 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
|
||||
+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34,
|
||||
+ 0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa,
|
||||
+ 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
|
||||
+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8,
|
||||
+ 0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76,
|
||||
+ 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
|
||||
+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff,
|
||||
+ 0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1,
|
||||
+ 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
|
||||
+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02,
|
||||
+ 0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9,
|
||||
+ 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
|
||||
+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b,
|
||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
|
||||
+};
|
||||
+/* RFC7919 FFDHE2048 g */
|
||||
static const unsigned char dh_g[] = {
|
||||
- 0x5e, 0xf7, 0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39,
|
||||
- 0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f,
|
||||
- 0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0,
|
||||
- 0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f,
|
||||
- 0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f,
|
||||
- 0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a,
|
||||
- 0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4,
|
||||
- 0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c,
|
||||
- 0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20,
|
||||
- 0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25,
|
||||
- 0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53,
|
||||
- 0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9,
|
||||
- 0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc,
|
||||
- 0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9,
|
||||
- 0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43,
|
||||
- 0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86,
|
||||
- 0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16,
|
||||
- 0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40,
|
||||
- 0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23,
|
||||
- 0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa,
|
||||
- 0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6,
|
||||
- 0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2,
|
||||
- 0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61,
|
||||
- 0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a,
|
||||
- 0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef,
|
||||
- 0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f,
|
||||
- 0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3,
|
||||
- 0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a,
|
||||
- 0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4,
|
||||
- 0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74,
|
||||
- 0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4,
|
||||
- 0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32
|
||||
+ 0x02
|
||||
};
|
||||
static const unsigned char dh_priv[] = {
|
||||
- 0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a,
|
||||
- 0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70,
|
||||
- 0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15,
|
||||
- 0x40, 0xb8, 0xfc, 0xe6
|
||||
+ 0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f,
|
||||
+ 0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d,
|
||||
+ 0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 0x8d,
|
||||
+ 0x6c, 0xdc, 0x5d, 0x6e, 0x94
|
||||
};
|
||||
static const unsigned char dh_pub[] = {
|
||||
- 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04,
|
||||
- 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69,
|
||||
- 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59,
|
||||
- 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b,
|
||||
- 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c,
|
||||
- 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21,
|
||||
- 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06,
|
||||
- 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb,
|
||||
- 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2,
|
||||
- 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0,
|
||||
- 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83,
|
||||
- 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90,
|
||||
- 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2,
|
||||
- 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7,
|
||||
- 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0,
|
||||
- 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88,
|
||||
- 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb,
|
||||
- 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a,
|
||||
- 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97,
|
||||
- 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d,
|
||||
- 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf,
|
||||
- 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e,
|
||||
- 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f,
|
||||
- 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d,
|
||||
- 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1,
|
||||
- 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c,
|
||||
- 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47,
|
||||
- 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e,
|
||||
- 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f,
|
||||
- 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9,
|
||||
- 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c,
|
||||
- 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3
|
||||
+ 0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05,
|
||||
+ 0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f,
|
||||
+ 0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43,
|
||||
+ 0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23,
|
||||
+ 0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a,
|
||||
+ 0x1a, 0x03, 0x9e, 0x5f, 0xd1, 0x4e, 0xa0, 0x0b,
|
||||
+ 0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c,
|
||||
+ 0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63,
|
||||
+ 0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38,
|
||||
+ 0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6,
|
||||
+ 0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a,
|
||||
+ 0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94,
|
||||
+ 0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92,
|
||||
+ 0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44,
|
||||
+ 0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53,
|
||||
+ 0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13,
|
||||
+ 0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30,
|
||||
+ 0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b,
|
||||
+ 0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01,
|
||||
+ 0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d,
|
||||
+ 0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18,
|
||||
+ 0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81,
|
||||
+ 0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f,
|
||||
+ 0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7,
|
||||
+ 0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39,
|
||||
+ 0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed,
|
||||
+ 0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71,
|
||||
+ 0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce,
|
||||
+ 0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04,
|
||||
+ 0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69,
|
||||
+ 0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed,
|
||||
+ 0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2,
|
||||
+ 0x32
|
||||
};
|
||||
static const unsigned char dh_peer_pub[] = {
|
||||
- 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a,
|
||||
- 0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d,
|
||||
- 0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58,
|
||||
- 0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32,
|
||||
- 0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb,
|
||||
- 0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0,
|
||||
- 0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0,
|
||||
- 0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc,
|
||||
- 0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1,
|
||||
- 0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e,
|
||||
- 0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97,
|
||||
- 0x70, 0x42, 0xc7, 0xe3, 0xd0, 0x44, 0x8f, 0x05,
|
||||
- 0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3,
|
||||
- 0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f,
|
||||
- 0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7,
|
||||
- 0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1,
|
||||
- 0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96,
|
||||
- 0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf,
|
||||
- 0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22,
|
||||
- 0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98,
|
||||
- 0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42,
|
||||
- 0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c,
|
||||
- 0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde,
|
||||
- 0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20,
|
||||
- 0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22,
|
||||
- 0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3,
|
||||
- 0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3,
|
||||
- 0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2,
|
||||
- 0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00,
|
||||
- 0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51,
|
||||
- 0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f,
|
||||
- 0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b
|
||||
+ 0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79,
|
||||
+ 0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda,
|
||||
+ 0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29,
|
||||
+ 0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84,
|
||||
+ 0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57,
|
||||
+ 0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5,
|
||||
+ 0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68,
|
||||
+ 0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c,
|
||||
+ 0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6,
|
||||
+ 0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20,
|
||||
+ 0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d,
|
||||
+ 0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3,
|
||||
+ 0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a,
|
||||
+ 0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77,
|
||||
+ 0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73,
|
||||
+ 0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53,
|
||||
+ 0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1,
|
||||
+ 0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05,
|
||||
+ 0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 0x59, 0x7a,
|
||||
+ 0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5,
|
||||
+ 0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9,
|
||||
+ 0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91,
|
||||
+ 0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31,
|
||||
+ 0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f,
|
||||
+ 0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4,
|
||||
+ 0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e,
|
||||
+ 0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59,
|
||||
+ 0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84,
|
||||
+ 0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a,
|
||||
+ 0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd,
|
||||
+ 0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2,
|
||||
+ 0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87,
|
||||
+ 0x64
|
||||
};
|
||||
|
||||
static const unsigned char dh_secret_expected[] = {
|
||||
- 0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a,
|
||||
- 0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a,
|
||||
- 0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c,
|
||||
- 0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe,
|
||||
- 0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2,
|
||||
- 0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21,
|
||||
- 0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53,
|
||||
- 0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd,
|
||||
- 0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87,
|
||||
- 0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4,
|
||||
- 0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d,
|
||||
- 0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd,
|
||||
- 0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33,
|
||||
- 0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe,
|
||||
- 0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a,
|
||||
- 0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73,
|
||||
- 0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad,
|
||||
- 0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0,
|
||||
- 0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79,
|
||||
- 0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9,
|
||||
- 0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2,
|
||||
- 0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6,
|
||||
- 0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae,
|
||||
- 0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57,
|
||||
- 0x0f, 0x18, 0xc8, 0x1f, 0x2b, 0xe5, 0xd0, 0x1a,
|
||||
- 0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63,
|
||||
- 0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9,
|
||||
- 0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86,
|
||||
- 0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5,
|
||||
- 0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00,
|
||||
- 0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52,
|
||||
- 0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6
|
||||
+ 0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5,
|
||||
+ 0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5,
|
||||
+ 0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93,
|
||||
+ 0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5,
|
||||
+ 0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e,
|
||||
+ 0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39,
|
||||
+ 0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04,
|
||||
+ 0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d,
|
||||
+ 0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c,
|
||||
+ 0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47,
|
||||
+ 0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae,
|
||||
+ 0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08,
|
||||
+ 0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19,
|
||||
+ 0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8,
|
||||
+ 0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f,
|
||||
+ 0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e,
|
||||
+ 0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2,
|
||||
+ 0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d,
|
||||
+ 0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4,
|
||||
+ 0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4,
|
||||
+ 0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66,
|
||||
+ 0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46,
|
||||
+ 0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0,
|
||||
+ 0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70,
|
||||
+ 0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c,
|
||||
+ 0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f,
|
||||
+ 0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25,
|
||||
+ 0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc,
|
||||
+ 0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02,
|
||||
+ 0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04,
|
||||
+ 0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1,
|
||||
+ 0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 0x0c, 0x89
|
||||
};
|
||||
|
||||
static const ST_KAT_PARAM dh_group[] = {
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,157 +0,0 @@
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200
|
||||
@@ -48,6 +48,8 @@
|
||||
# include <fcntl.h>
|
||||
# include <unistd.h>
|
||||
# include <sys/time.h>
|
||||
+# include <sys/random.h>
|
||||
+# include <openssl/evp.h>
|
||||
|
||||
static uint64_t get_time_stamp(void);
|
||||
static uint64_t get_timer_bits(void);
|
||||
@@ -342,66 +342,8 @@ static ssize_t syscall_random(void *buf,
|
||||
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
|
||||
* between size_t and ssize_t is safe even without a range check.
|
||||
*/
|
||||
-
|
||||
- /*
|
||||
- * Do runtime detection to find getentropy().
|
||||
- *
|
||||
- * Known OSs that should support this:
|
||||
- * - Darwin since 16 (OSX 10.12, IOS 10.0).
|
||||
- * - Solaris since 11.3
|
||||
- * - OpenBSD since 5.6
|
||||
- * - Linux since 3.17 with glibc 2.25
|
||||
- * - FreeBSD since 12.0 (1200061)
|
||||
- *
|
||||
- * Note: Sometimes getentropy() can be provided but not implemented
|
||||
- * internally. So we need to check errno for ENOSYS
|
||||
- */
|
||||
-# if !defined(__DragonFly__) && !defined(__NetBSD__)
|
||||
-# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
|
||||
- extern int getentropy(void *buffer, size_t length) __attribute__((weak));
|
||||
-
|
||||
- if (getentropy != NULL) {
|
||||
- if (getentropy(buf, buflen) == 0)
|
||||
- return (ssize_t)buflen;
|
||||
- if (errno != ENOSYS)
|
||||
- return -1;
|
||||
- }
|
||||
-# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
|
||||
-
|
||||
- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
|
||||
- return (ssize_t)buflen;
|
||||
-
|
||||
- return -1;
|
||||
-# else
|
||||
- union {
|
||||
- void *p;
|
||||
- int (*f)(void *buffer, size_t length);
|
||||
- } p_getentropy;
|
||||
-
|
||||
- /*
|
||||
- * We could cache the result of the lookup, but we normally don't
|
||||
- * call this function often.
|
||||
- */
|
||||
- ERR_set_mark();
|
||||
- p_getentropy.p = DSO_global_lookup("getentropy");
|
||||
- ERR_pop_to_mark();
|
||||
- if (p_getentropy.p != NULL)
|
||||
- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
|
||||
-# endif
|
||||
-# endif /* !__DragonFly__ */
|
||||
-
|
||||
- /* Linux supports this since version 3.17 */
|
||||
-# if defined(__linux) && defined(__NR_getrandom)
|
||||
- return syscall(__NR_getrandom, buf, buflen, 0);
|
||||
-# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
|
||||
- return sysctl_random(buf, buflen);
|
||||
-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
|
||||
- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000)
|
||||
- return getrandom(buf, buflen, 0);
|
||||
-# else
|
||||
- errno = ENOSYS;
|
||||
- return -1;
|
||||
-# endif
|
||||
+ /* Red Hat uses downstream patch to always seed from getrandom() */
|
||||
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
|
||||
}
|
||||
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
|
||||
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200
|
||||
@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb
|
||||
#endif
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ prediction_resistance = 1;
|
||||
+#endif
|
||||
/* Reseed using our sources in addition */
|
||||
entropylen = get_entropy(drbg, &entropy, drbg->strength,
|
||||
drbg->min_entropylen, drbg->max_entropylen,
|
||||
@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
|
||||
reseed_required = 1;
|
||||
}
|
||||
if (drbg->parent != NULL
|
||||
- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
|
||||
+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
|
||||
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
|
||||
+#else
|
||||
reseed_required = 1;
|
||||
+#endif
|
||||
+ }
|
||||
|
||||
if (reseed_required || prediction_resistance) {
|
||||
if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0,
|
||||
diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
|
||||
--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200
|
||||
+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200
|
||||
@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused
|
||||
size_t entropy_available;
|
||||
RAND_POOL *pool;
|
||||
|
||||
- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
|
||||
+ /*
|
||||
+ * OpenSSL still implements an internal entropy pool of
|
||||
+ * some size that is hashed to get seed data.
|
||||
+ * Note that this is a conditioning step for which SP800-90C requires
|
||||
+ * 64 additional bits from the entropy source to claim the requested
|
||||
+ * amount of entropy.
|
||||
+ */
|
||||
+ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
|
||||
if (pool == NULL) {
|
||||
ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c
|
||||
--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200
|
||||
@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
|
||||
* to the nearest byte. If the entropy is of less than full quality,
|
||||
* the amount required should be scaled up appropriately here.
|
||||
*/
|
||||
- bytes_needed = (entropy + 7) / 8;
|
||||
+ /*
|
||||
+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy
|
||||
+ * + 128 bits during initial seeding
|
||||
+ */
|
||||
+ bytes_needed = (entropy + 128 + 7) / 8;
|
||||
if (bytes_needed < min_len)
|
||||
bytes_needed = min_len;
|
||||
if (bytes_needed > max_len)
|
||||
diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h
|
||||
--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100
|
||||
+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100
|
||||
@@ -38,7 +38,7 @@
|
||||
*
|
||||
* The value is in bytes.
|
||||
*/
|
||||
-#define CRNGT_BUFSIZ 16
|
||||
+#define CRNGT_BUFSIZ 32
|
||||
|
||||
/*
|
||||
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
@ -1,76 +0,0 @@
|
||||
diff -up openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero openssl-3.0.1/crypto/ffc/ffc_params.c
|
||||
--- openssl-3.0.1/crypto/ffc/ffc_params.c.fipszero 2022-08-05 13:11:27.211413931 +0200
|
||||
+++ openssl-3.0.1/crypto/ffc/ffc_params.c 2022-08-05 13:11:34.151475891 +0200
|
||||
@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
|
||||
|
||||
void ossl_ffc_params_cleanup(FFC_PARAMS *params)
|
||||
{
|
||||
- BN_free(params->p);
|
||||
- BN_free(params->q);
|
||||
- BN_free(params->g);
|
||||
- BN_free(params->j);
|
||||
+ BN_clear_free(params->p);
|
||||
+ BN_clear_free(params->q);
|
||||
+ BN_clear_free(params->g);
|
||||
+ BN_clear_free(params->j);
|
||||
OPENSSL_free(params->seed);
|
||||
ossl_ffc_params_init(params);
|
||||
}
|
||||
diff -up openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero openssl-3.0.1/crypto/rsa/rsa_lib.c
|
||||
--- openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero 2022-08-05 13:08:31.875848536 +0200
|
||||
+++ openssl-3.0.1/crypto/rsa/rsa_lib.c 2022-08-05 13:09:35.438416025 +0200
|
||||
@@ -155,8 +155,8 @@ void RSA_free(RSA *r)
|
||||
|
||||
CRYPTO_THREAD_lock_free(r->lock);
|
||||
|
||||
- BN_free(r->n);
|
||||
- BN_free(r->e);
|
||||
+ BN_clear_free(r->n);
|
||||
+ BN_clear_free(r->e);
|
||||
BN_clear_free(r->d);
|
||||
BN_clear_free(r->p);
|
||||
BN_clear_free(r->q);
|
||||
diff -up openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero openssl-3.0.1/providers/implementations/kdfs/hkdf.c
|
||||
--- openssl-3.0.1/providers/implementations/kdfs/hkdf.c.fipszero 2022-08-05 13:14:58.827303241 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/kdfs/hkdf.c 2022-08-05 13:16:24.530068399 +0200
|
||||
@@ -116,7 +116,7 @@ static void kdf_hkdf_reset(void *vctx)
|
||||
void *provctx = ctx->provctx;
|
||||
|
||||
ossl_prov_digest_reset(&ctx->digest);
|
||||
- OPENSSL_free(ctx->salt);
|
||||
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
|
||||
OPENSSL_free(ctx->prefix);
|
||||
OPENSSL_free(ctx->label);
|
||||
OPENSSL_clear_free(ctx->data, ctx->data_len);
|
||||
diff -up openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c
|
||||
--- openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c.fipszero 2022-08-05 13:12:40.552068717 +0200
|
||||
+++ openssl-3.0.1/providers/implementations/kdfs/pbkdf2.c 2022-08-05 13:13:34.324548799 +0200
|
||||
@@ -83,7 +83,7 @@ static void *kdf_pbkdf2_new(void *provct
|
||||
static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
|
||||
{
|
||||
ossl_prov_digest_reset(&ctx->digest);
|
||||
- OPENSSL_free(ctx->salt);
|
||||
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
|
||||
OPENSSL_clear_free(ctx->pass, ctx->pass_len);
|
||||
memset(ctx, 0, sizeof(*ctx));
|
||||
}
|
||||
diff -up openssl-3.0.1/crypto/ec/ec_lib.c.fipszero openssl-3.0.1/crypto/ec/ec_lib.c
|
||||
--- openssl-3.0.1/crypto/ec/ec_lib.c.fipszero 2022-08-05 13:48:32.221345774 +0200
|
||||
+++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-08-05 13:49:16.138741452 +0200
|
||||
@@ -744,12 +744,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
|
||||
|
||||
void EC_POINT_free(EC_POINT *point)
|
||||
{
|
||||
+#ifdef FIPS_MODULE
|
||||
+ EC_POINT_clear_free(point);
|
||||
+#else
|
||||
if (point == NULL)
|
||||
return;
|
||||
|
||||
if (point->meth->point_finish != 0)
|
||||
point->meth->point_finish(point);
|
||||
OPENSSL_free(point);
|
||||
+#endif
|
||||
}
|
||||
|
||||
void EC_POINT_clear_free(EC_POINT *point)
|
@ -1,906 +0,0 @@
|
||||
From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Thu, 11 Aug 2022 09:27:12 +0200
|
||||
Subject: KDF: Add FIPS indicators
|
||||
|
||||
FIPS requires a number of restrictions on the parameters of the various
|
||||
key derivation functions implemented in OpenSSL. The KDFs that use
|
||||
digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
|
||||
C.C). Additionally, some application-specific KDFs have further
|
||||
restrictions defined in SP 800-135r1.
|
||||
|
||||
Generally, all KDFs shall use a key-derivation key length of at least
|
||||
112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
|
||||
to generate and output length of less than 112 bits will also set the
|
||||
indicator to unapproved.
|
||||
|
||||
Add explicit indicators to all KDFs usable in FIPS mode except for
|
||||
PBKDF2 (which has its specific FIPS limits already implemented). The
|
||||
indicator can be queried using EVP_KDF_CTX_get_params() after setting
|
||||
the required parameters and keys for the KDF.
|
||||
|
||||
Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
|
||||
truncated variants -224 and -384) and SHA3 (-256 and -512, and the
|
||||
truncated versions -224 and -384), as well as SHAKE-128 and -256.
|
||||
|
||||
The SHAKE functions are generally not allowed in KDFs. For the rest, the
|
||||
support matrix is:
|
||||
|
||||
KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated
|
||||
==========================================================================
|
||||
KBKDF | x | x | x | x | x
|
||||
HKDF | x | x | x | x | x
|
||||
TLS1PRF | | SHA-{256,384,512} only | |
|
||||
SSHKDF | x | x | x | |
|
||||
SSKDF | x | x | x | x | x
|
||||
X9.63KDF | | x | x | x | x
|
||||
X9.42-ASN1 | x | x | x | x | x
|
||||
TLS1.3PRF | | SHA-{256,384} only | |
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
Resolves: rhbz#2160733 rhbz#2164763
|
||||
Related: rhbz#2114772 rhbz#2141695
|
||||
---
|
||||
include/crypto/evp.h | 7 ++
|
||||
include/openssl/core_names.h | 1 +
|
||||
include/openssl/kdf.h | 4 +
|
||||
providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++-
|
||||
providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++--
|
||||
providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
|
||||
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
|
||||
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
|
||||
providers/implementations/kdfs/x942kdf.c | 67 ++++++++++++++-
|
||||
9 files changed, 488 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
||||
index e70d8e9e84..76fb990de4 100644
|
||||
--- a/include/crypto/evp.h
|
||||
+++ b/include/crypto/evp.h
|
||||
@@ -219,6 +219,13 @@ struct evp_mac_st {
|
||||
OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
|
||||
};
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
|
||||
+ * Additional Keys from a Cryptographic Key, "[t]he length of the
|
||||
+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
|
||||
+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
|
||||
+#endif
|
||||
+
|
||||
struct evp_kdf_st {
|
||||
OSSL_PROVIDER *prov;
|
||||
int name_id;
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 6bed5a8a67..680bfbc7cc 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -223,6 +223,7 @@ extern "C" {
|
||||
#define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo"
|
||||
#define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo"
|
||||
#define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits"
|
||||
+#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
|
||||
|
||||
/* Known KDF names */
|
||||
#define OSSL_KDF_NAME_HKDF "HKDF"
|
||||
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
|
||||
index 0983230a48..86171635ea 100644
|
||||
--- a/include/openssl/kdf.h
|
||||
+++ b/include/openssl/kdf.h
|
||||
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
|
||||
# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
|
||||
# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
|
||||
|
||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||
+
|
||||
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
|
||||
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
|
||||
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
|
||||
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
|
||||
index dfa7786bde..f01e40ff5a 100644
|
||||
--- a/providers/implementations/kdfs/hkdf.c
|
||||
+++ b/providers/implementations/kdfs/hkdf.c
|
||||
@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
|
||||
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
|
||||
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
|
||||
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
|
||||
+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
|
||||
static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
|
||||
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
|
||||
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
|
||||
@@ -85,6 +86,10 @@ typedef struct {
|
||||
size_t data_len;
|
||||
unsigned char info[HKDF_MAXBUF];
|
||||
size_t info_len;
|
||||
+ int is_tls13;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} KDF_HKDF;
|
||||
|
||||
static void *kdf_hkdf_new(void *provctx)
|
||||
@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
switch (ctx->mode) {
|
||||
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
|
||||
default:
|
||||
@@ -332,15 +342,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
|
||||
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
size_t sz = kdf_hkdf_size(ctx);
|
||||
|
||||
- if (sz == 0)
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
|
||||
return 0;
|
||||
- return OSSL_PARAM_set_size_t(p, sz);
|
||||
}
|
||||
- return -2;
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
||||
+ != NULL) {
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ if (ctx->is_tls13) {
|
||||
+ if (md != NULL
|
||||
+ && !EVP_MD_is_a(md, "SHA2-256")
|
||||
+ && !EVP_MD_is_a(md, "SHA2-384")) {
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic
|
||||
+ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
|
||||
+ * key derivation function documented in Section 7.1 of RFC
|
||||
+ * 8446. This is considered an approved CVL because the
|
||||
+ * underlying functions performed within the TLS 1.3 KDF map to
|
||||
+ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
|
||||
+ * Option #3), SP 800-56Crev2, and SP 800-108."
|
||||
+ *
|
||||
+ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (md != NULL
|
||||
+ && (EVP_MD_is_a(md, "SHAKE-128") ||
|
||||
+ EVP_MD_is_a(md, "SHAKE-256"))) {
|
||||
+ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
|
||||
+ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
|
||||
+ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
|
||||
+ * extendable-output functions may only be used as the
|
||||
+ * standalone algorithms." */
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ }
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static void *kdf_tls1_3_new(void *provctx)
|
||||
+{
|
||||
+ KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
|
||||
+
|
||||
+ if (hkdf != NULL)
|
||||
+ hkdf->is_tls13 = 1;
|
||||
+
|
||||
+ return hkdf;
|
||||
+}
|
||||
+
|
||||
+
|
||||
static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
switch (ctx->mode) {
|
||||
default:
|
||||
return 0;
|
||||
@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
|
||||
}
|
||||
|
||||
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
|
||||
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
|
||||
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
|
||||
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
|
||||
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
|
||||
{ OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive },
|
||||
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
|
||||
index a542f84dfa..6b6dfb94ac 100644
|
||||
--- a/providers/implementations/kdfs/kbkdf.c
|
||||
+++ b/providers/implementations/kdfs/kbkdf.c
|
||||
@@ -59,6 +59,9 @@ typedef struct {
|
||||
kbkdf_mode mode;
|
||||
EVP_MAC_CTX *ctx_init;
|
||||
|
||||
+ /* HMAC digest algorithm, if any; used to compute FIPS indicator */
|
||||
+ PROV_DIGEST digest;
|
||||
+
|
||||
/* Names are lowercased versions of those found in SP800-108. */
|
||||
int r;
|
||||
unsigned char *ki;
|
||||
@@ -70,6 +73,9 @@ typedef struct {
|
||||
size_t iv_len;
|
||||
int use_l;
|
||||
int use_separator;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} KBKDF;
|
||||
|
||||
/* Definitions needed for typechecking. */
|
||||
@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
|
||||
void *provctx = ctx->provctx;
|
||||
|
||||
EVP_MAC_CTX_free(ctx->ctx_init);
|
||||
+ ossl_prov_digest_reset(&ctx->digest);
|
||||
OPENSSL_clear_free(ctx->context, ctx->context_len);
|
||||
OPENSSL_clear_free(ctx->label, ctx->label_len);
|
||||
OPENSSL_clear_free(ctx->ki, ctx->ki_len);
|
||||
@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
|
||||
if (h == 0)
|
||||
goto done;
|
||||
@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
|
||||
+ return 0;
|
||||
+
|
||||
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
|
||||
if (p != NULL
|
||||
&& OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
|
||||
@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
|
||||
static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
|
||||
p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
|
||||
- if (p == NULL)
|
||||
+ if (p != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* KBKDF can produce results as large as you like. */
|
||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ KBKDF *ctx = (KBKDF *)vctx;
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||
+ * extendable-output functions may only be used as the standalone
|
||||
+ * algorithms." Note that the digest is only used when the MAC
|
||||
+ * algorithm is HMAC. */
|
||||
+ if (ctx->ctx_init != NULL
|
||||
+ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
|
||||
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
|
||||
+ if (md != NULL
|
||||
+ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ if (!any_valid)
|
||||
return -2;
|
||||
|
||||
- /* KBKDF can produce results as large as you like. */
|
||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
ossl_unused void *provctx)
|
||||
{
|
||||
- static const OSSL_PARAM known_gettable_ctx_params[] =
|
||||
- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
|
||||
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+ OSSL_PARAM_END
|
||||
+ };
|
||||
return known_gettable_ctx_params;
|
||||
}
|
||||
|
||||
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
|
||||
index c592ba72f1..4a52b38266 100644
|
||||
--- a/providers/implementations/kdfs/sshkdf.c
|
||||
+++ b/providers/implementations/kdfs/sshkdf.c
|
||||
@@ -48,6 +48,9 @@ typedef struct {
|
||||
char type; /* X */
|
||||
unsigned char *session_id;
|
||||
size_t session_id_len;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} KDF_SSHKDF;
|
||||
|
||||
static void *kdf_sshkdf_new(void *provctx)
|
||||
@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
return SSHKDF(md, ctx->key, ctx->key_len,
|
||||
ctx->xcghash, ctx->xcghash_len,
|
||||
ctx->session_id, ctx->session_id_len,
|
||||
@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
|
||||
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
|
||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||
- return -2;
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ KDF_SSHKDF *ctx = vctx;
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||
+ * extendable-output functions may only be used as the standalone
|
||||
+ * algorithms."
|
||||
+ *
|
||||
+ * Additionally, SP 800-135r1 section 5.2 specifies that the hash
|
||||
+ * function used in SSHKDF "is one of the hash functions specified in
|
||||
+ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
|
||||
+ * */
|
||||
+ if (ctx->digest.md != NULL
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
|
||||
index eb54972e1c..23865cd70f 100644
|
||||
--- a/providers/implementations/kdfs/sskdf.c
|
||||
+++ b/providers/implementations/kdfs/sskdf.c
|
||||
@@ -62,6 +62,10 @@ typedef struct {
|
||||
unsigned char *salt;
|
||||
size_t salt_len;
|
||||
size_t out_len; /* optional KMAC parameter */
|
||||
+ int is_x963kdf;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} KDF_SSKDF;
|
||||
|
||||
#define SSKDF_MAX_INLEN (1<<30)
|
||||
@@ -73,6 +77,7 @@ typedef struct {
|
||||
static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
|
||||
|
||||
static OSSL_FUNC_kdf_newctx_fn sskdf_new;
|
||||
+static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
|
||||
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
|
||||
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
|
||||
static OSSL_FUNC_kdf_derive_fn sskdf_derive;
|
||||
@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
|
||||
return ctx;
|
||||
}
|
||||
|
||||
+static void *x963kdf_new(void *provctx)
|
||||
+{
|
||||
+ KDF_SSKDF *ctx = sskdf_new(provctx);
|
||||
+
|
||||
+ if (ctx)
|
||||
+ ctx->is_x963kdf = 1;
|
||||
+
|
||||
+ return ctx;
|
||||
+}
|
||||
+
|
||||
static void sskdf_reset(void *vctx)
|
||||
{
|
||||
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
||||
@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
}
|
||||
md = ossl_prov_digest_md(&ctx->digest);
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
if (ctx->macctx != NULL) {
|
||||
/* H(x) = KMAC or H(x) = HMAC */
|
||||
int ret;
|
||||
@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
|
||||
ctx->info, ctx->info_len, 1, key, keylen);
|
||||
}
|
||||
@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
+
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||
- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
|
||||
- return -2;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||
+ * extendable-output functions may only be used as the standalone
|
||||
+ * algorithms." */
|
||||
+ if (ctx->macctx == NULL
|
||||
+ || (ctx->macctx != NULL &&
|
||||
+ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
|
||||
+ if (ctx->digest.md != NULL
|
||||
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
|
||||
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+
|
||||
+ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
|
||||
+ * should only be used for 80-bit key agreement, but FIPS 140-3
|
||||
+ * requires a security strength of 112 bits, so SHA-1 cannot be
|
||||
+ * used with X9.63. See the discussion in
|
||||
+ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
|
||||
+ */
|
||||
+ if (ctx->is_x963kdf
|
||||
+ && ctx->digest.md != NULL
|
||||
+ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
|
||||
};
|
||||
|
||||
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
|
||||
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
|
||||
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
|
||||
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
|
||||
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
|
||||
{ OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive },
|
||||
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
||||
index a4d64b9352..f6782a6ca2 100644
|
||||
--- a/providers/implementations/kdfs/tls1_prf.c
|
||||
+++ b/providers/implementations/kdfs/tls1_prf.c
|
||||
@@ -93,6 +93,13 @@ typedef struct {
|
||||
/* Buffer of concatenated seed data */
|
||||
unsigned char seed[TLS1_PRF_MAXBUF];
|
||||
size_t seedlen;
|
||||
+
|
||||
+ /* MAC digest algorithm; used to compute FIPS indicator */
|
||||
+ PROV_DIGEST digest;
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} TLS1_PRF;
|
||||
|
||||
static void *kdf_tls1_prf_new(void *provctx)
|
||||
@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
|
||||
EVP_MAC_CTX_free(ctx->P_sha1);
|
||||
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
||||
OPENSSL_cleanse(ctx->seed, ctx->seedlen);
|
||||
+ ossl_prov_digest_reset(&ctx->digest);
|
||||
memset(ctx, 0, sizeof(*ctx));
|
||||
ctx->provctx = provctx;
|
||||
}
|
||||
@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
||||
return 0;
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
|
||||
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
|
||||
ctx->sec, ctx->seclen,
|
||||
@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||
}
|
||||
}
|
||||
|
||||
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
|
||||
+ return 0;
|
||||
+
|
||||
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
|
||||
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
||||
ctx->sec = NULL;
|
||||
@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
|
||||
static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
OSSL_PARAM *p;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ TLS1_PRF *ctx = vctx;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
+
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
|
||||
+ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
|
||||
+ if (ctx->digest.md != NULL
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
|
||||
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||
- return -2;
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
||||
@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
|
||||
index b1bc6f7e1b..8173fc2cc7 100644
|
||||
--- a/providers/implementations/kdfs/x942kdf.c
|
||||
+++ b/providers/implementations/kdfs/x942kdf.c
|
||||
@@ -13,10 +13,13 @@
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
+#include <openssl/kdf.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/proverr.h>
|
||||
#include "internal/packet.h"
|
||||
#include "internal/der.h"
|
||||
+#include "internal/nelem.h"
|
||||
+#include "crypto/evp.h"
|
||||
#include "prov/provider_ctx.h"
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/implementations.h"
|
||||
@@ -47,6 +50,9 @@ typedef struct {
|
||||
const unsigned char *cek_oid;
|
||||
size_t cek_oid_len;
|
||||
int use_keybits;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ int fips_indicator;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
} KDF_X942;
|
||||
|
||||
/*
|
||||
@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
|
||||
return 0;
|
||||
}
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
|
||||
der, der_len, ctr, key, keylen);
|
||||
OPENSSL_free(der);
|
||||
@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
KDF_X942 *ctx = (KDF_X942 *)vctx;
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
|
||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||
- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
|
||||
- return -2;
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||
+ * bits". */
|
||||
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section D.B and NIST Special Publication
|
||||
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||
+ * be longer than that. If a derived key has ever been shorter than
|
||||
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||
+ * should also set the returned FIPS indicator to unapproved. */
|
||||
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||
+ * extendable-output functions may only be used as the standalone
|
||||
+ * algorithms." */
|
||||
+ if (ctx->digest.md != NULL
|
||||
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
|
||||
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
--
|
||||
2.39.2
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,288 +0,0 @@
|
||||
From 4de5fa26873297f5c2eeed53e5c988437f837f55 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Thu, 17 Nov 2022 13:53:31 +0100
|
||||
Subject: [PATCH] signature: Remove X9.31 padding from FIPS prov
|
||||
|
||||
The current draft of FIPS 186-5 [1] no longer contains specifications
|
||||
for X9.31 signature padding. Instead, it contains the following
|
||||
information in Appendix E:
|
||||
|
||||
> ANSI X9.31 was withdrawn, so X9.31 RSA signatures were removed from
|
||||
> this standard.
|
||||
|
||||
Since this situation is unlikely to change in future revisions of the
|
||||
draft, and future FIPS 140-3 validations of the provider will require
|
||||
X9.31 to be disabled or marked as not approved with an explicit
|
||||
indicator, disallow this padding mode now.
|
||||
|
||||
Remove the X9.31 tests from the acvp test, since they will always fail
|
||||
now.
|
||||
|
||||
[1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
providers/implementations/signature/rsa_sig.c | 6 +
|
||||
test/acvp_test.inc | 214 ------------------
|
||||
2 files changed, 6 insertions(+), 214 deletions(-)
|
||||
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index 34f45175e8..49e7f9158a 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -1233,7 +1233,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
err_extra_text = "No padding not allowed with RSA-PSS";
|
||||
goto cont;
|
||||
case RSA_X931_PADDING:
|
||||
+#ifndef FIPS_MODULE
|
||||
err_extra_text = "X.931 padding not allowed with RSA-PSS";
|
||||
+#else /* !defined(FIPS_MODULE) */
|
||||
+ err_extra_text = "X.931 padding no longer allowed in FIPS mode,"
|
||||
+ " since it was removed from FIPS 186-5";
|
||||
+ goto bad_pad;
|
||||
+#endif /* !defined(FIPS_MODULE) */
|
||||
cont:
|
||||
if (RSA_test_flags(prsactx->rsa,
|
||||
RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
|
||||
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
|
||||
index 73b24bdb0c..96a72073f9 100644
|
||||
--- a/test/acvp_test.inc
|
||||
+++ b/test/acvp_test.inc
|
||||
@@ -1204,13 +1204,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = {
|
||||
ITM(rsa_siggen0_msg),
|
||||
NO_PSS_SALT_LEN,
|
||||
},
|
||||
- {
|
||||
- "x931",
|
||||
- 2048,
|
||||
- "SHA384",
|
||||
- ITM(rsa_siggen0_msg),
|
||||
- NO_PSS_SALT_LEN,
|
||||
- },
|
||||
{
|
||||
"pss",
|
||||
2048,
|
||||
@@ -1622,202 +1615,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = {
|
||||
0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b,
|
||||
};
|
||||
|
||||
-static const unsigned char rsa_sigverx931_0_n[] = {
|
||||
- 0xa0, 0x16, 0x14, 0x80, 0x8b, 0x17, 0x2b, 0xad,
|
||||
- 0xd7, 0x07, 0x31, 0x6d, 0xfc, 0xba, 0x25, 0x83,
|
||||
- 0x09, 0xa0, 0xf7, 0x71, 0xc6, 0x06, 0x22, 0x87,
|
||||
- 0xd6, 0xbd, 0x13, 0xd9, 0xfe, 0x7c, 0xf7, 0xe6,
|
||||
- 0x48, 0xdb, 0x27, 0xd8, 0xa5, 0x49, 0x8e, 0x8c,
|
||||
- 0xea, 0xbe, 0xe0, 0x04, 0x6f, 0x3d, 0x3b, 0x73,
|
||||
- 0xdc, 0xc5, 0xd4, 0xdc, 0x85, 0xef, 0xea, 0x10,
|
||||
- 0x46, 0xf3, 0x88, 0xb9, 0x93, 0xbc, 0xa0, 0xb6,
|
||||
- 0x06, 0x02, 0x82, 0xb4, 0x2d, 0x54, 0xec, 0x79,
|
||||
- 0x50, 0x8a, 0xfc, 0xfa, 0x62, 0x45, 0xbb, 0xd7,
|
||||
- 0x26, 0xcd, 0x88, 0xfa, 0xe8, 0x0f, 0x26, 0x5b,
|
||||
- 0x1f, 0x21, 0x3f, 0x3b, 0x5d, 0x98, 0x3f, 0x02,
|
||||
- 0x8c, 0xa1, 0xbf, 0xc0, 0x70, 0x4d, 0xd1, 0x41,
|
||||
- 0xfd, 0xb9, 0x55, 0x12, 0x90, 0xc8, 0x6e, 0x0f,
|
||||
- 0x19, 0xa8, 0x5c, 0x31, 0xd6, 0x16, 0x0e, 0xdf,
|
||||
- 0x08, 0x84, 0xcd, 0x4b, 0xfd, 0x28, 0x8d, 0x7d,
|
||||
- 0x6e, 0xea, 0xc7, 0x95, 0x4a, 0xc3, 0x84, 0x54,
|
||||
- 0x7f, 0xb0, 0x20, 0x29, 0x96, 0x39, 0x4c, 0x3e,
|
||||
- 0x85, 0xec, 0x22, 0xdd, 0xb9, 0x14, 0xbb, 0x04,
|
||||
- 0x2f, 0x4c, 0x0c, 0xe3, 0xfa, 0xae, 0x47, 0x79,
|
||||
- 0x59, 0x8e, 0x4e, 0x7d, 0x4a, 0x17, 0xae, 0x16,
|
||||
- 0x38, 0x66, 0x4e, 0xff, 0x45, 0x7f, 0xac, 0x5e,
|
||||
- 0x75, 0x9f, 0x51, 0x18, 0xe6, 0xad, 0x6b, 0x8b,
|
||||
- 0x3d, 0x08, 0x4d, 0x9a, 0xd2, 0x11, 0xba, 0xa8,
|
||||
- 0xc3, 0xb5, 0x17, 0xb5, 0xdf, 0xe7, 0x39, 0x89,
|
||||
- 0x27, 0x7b, 0xeb, 0xf4, 0xe5, 0x7e, 0xa9, 0x7b,
|
||||
- 0x39, 0x40, 0x6f, 0xe4, 0x82, 0x14, 0x3d, 0x62,
|
||||
- 0xb6, 0xd4, 0x43, 0xd0, 0x0a, 0x2f, 0xc1, 0x73,
|
||||
- 0x3d, 0x99, 0x37, 0xbe, 0x62, 0x13, 0x6a, 0x8b,
|
||||
- 0xeb, 0xc5, 0x64, 0xd5, 0x2a, 0x8b, 0x4f, 0x7f,
|
||||
- 0x82, 0x48, 0x69, 0x3e, 0x08, 0x1b, 0xb5, 0x77,
|
||||
- 0xd3, 0xdc, 0x1b, 0x2c, 0xe5, 0x59, 0xf6, 0x33,
|
||||
- 0x47, 0xa0, 0x0f, 0xff, 0x8a, 0x6a, 0x1d, 0x66,
|
||||
- 0x24, 0x67, 0x36, 0x7d, 0x21, 0xda, 0xc1, 0xd4,
|
||||
- 0x11, 0x6c, 0xe8, 0x5f, 0xd7, 0x8a, 0x53, 0x5c,
|
||||
- 0xb2, 0xe2, 0xf9, 0x14, 0x29, 0x0f, 0xcf, 0x28,
|
||||
- 0x32, 0x4f, 0xc6, 0x17, 0xf6, 0xbc, 0x0e, 0xb8,
|
||||
- 0x99, 0x7c, 0x14, 0xa3, 0x40, 0x3f, 0xf3, 0xe4,
|
||||
- 0x31, 0xbe, 0x54, 0x64, 0x5a, 0xad, 0x1d, 0xb0,
|
||||
- 0x37, 0xcc, 0xd9, 0x0b, 0xa4, 0xbc, 0xe0, 0x07,
|
||||
- 0x37, 0xd1, 0xe1, 0x65, 0xc6, 0x53, 0xfe, 0x60,
|
||||
- 0x6a, 0x64, 0xa4, 0x01, 0x00, 0xf3, 0x5b, 0x9a,
|
||||
- 0x28, 0x61, 0xde, 0x7a, 0xd7, 0x0d, 0x56, 0x1e,
|
||||
- 0x4d, 0xa8, 0x6a, 0xb5, 0xf2, 0x86, 0x2a, 0x4e,
|
||||
- 0xaa, 0x37, 0x23, 0x5a, 0x3b, 0x69, 0x66, 0x81,
|
||||
- 0xc8, 0x8e, 0x1b, 0x31, 0x0f, 0x28, 0x31, 0x9a,
|
||||
- 0x2d, 0xe5, 0x79, 0xcc, 0xa4, 0xca, 0x60, 0x45,
|
||||
- 0xf7, 0x83, 0x73, 0x5a, 0x01, 0x29, 0xda, 0xf7,
|
||||
-
|
||||
-};
|
||||
-static const unsigned char rsa_sigverx931_0_e[] = {
|
||||
- 0x01, 0x00, 0x01,
|
||||
-};
|
||||
-static const unsigned char rsa_sigverx931_0_msg[] = {
|
||||
- 0x82, 0x2e, 0x41, 0x70, 0x9d, 0x1f, 0xe9, 0x47,
|
||||
- 0xec, 0xf1, 0x79, 0xcc, 0x05, 0xef, 0xdb, 0xcd,
|
||||
- 0xca, 0x8b, 0x8e, 0x61, 0x45, 0xad, 0xa6, 0xd9,
|
||||
- 0xd7, 0x4b, 0x15, 0xf4, 0x92, 0x3a, 0x2a, 0x52,
|
||||
- 0xe3, 0x44, 0x57, 0x2b, 0x74, 0x7a, 0x37, 0x41,
|
||||
- 0x50, 0xcb, 0xcf, 0x13, 0x49, 0xd6, 0x15, 0x54,
|
||||
- 0x97, 0xfd, 0xae, 0x9b, 0xc1, 0xbb, 0xfc, 0x5c,
|
||||
- 0xc1, 0x37, 0x58, 0x17, 0x63, 0x19, 0x9c, 0xcf,
|
||||
- 0xee, 0x9c, 0xe5, 0xbe, 0x06, 0xe4, 0x97, 0x47,
|
||||
- 0xd1, 0x93, 0xa1, 0x2c, 0x59, 0x97, 0x02, 0x01,
|
||||
- 0x31, 0x45, 0x8c, 0xe1, 0x5c, 0xac, 0xe7, 0x5f,
|
||||
- 0x6a, 0x23, 0xda, 0xbf, 0xe4, 0x25, 0xc6, 0x67,
|
||||
- 0xea, 0x5f, 0x73, 0x90, 0x1b, 0x06, 0x0f, 0x41,
|
||||
- 0xb5, 0x6e, 0x74, 0x7e, 0xfd, 0xd9, 0xaa, 0xbd,
|
||||
- 0xe2, 0x8d, 0xad, 0x99, 0xdd, 0x29, 0x70, 0xca,
|
||||
- 0x1b, 0x38, 0x21, 0x55, 0xde, 0x07, 0xaf, 0x00,
|
||||
-
|
||||
-};
|
||||
-static const unsigned char rsa_sigverx931_0_sig[] = {
|
||||
- 0x29, 0xa9, 0x3a, 0x8e, 0x9e, 0x90, 0x1b, 0xdb,
|
||||
- 0xaf, 0x0b, 0x47, 0x5b, 0xb5, 0xc3, 0x8c, 0xc3,
|
||||
- 0x70, 0xbe, 0x73, 0xf9, 0x65, 0x8e, 0xc6, 0x1e,
|
||||
- 0x95, 0x0b, 0xdb, 0x24, 0x76, 0x79, 0xf1, 0x00,
|
||||
- 0x71, 0xcd, 0xc5, 0x6a, 0x7b, 0xd2, 0x8b, 0x18,
|
||||
- 0xc4, 0xdd, 0xf1, 0x2a, 0x31, 0x04, 0x3f, 0xfc,
|
||||
- 0x36, 0x06, 0x20, 0x71, 0x3d, 0x62, 0xf2, 0xb5,
|
||||
- 0x79, 0x0a, 0xd5, 0xd2, 0x81, 0xf1, 0xb1, 0x4f,
|
||||
- 0x9a, 0x17, 0xe8, 0x67, 0x64, 0x48, 0x09, 0x75,
|
||||
- 0xff, 0x2d, 0xee, 0x36, 0xca, 0xca, 0x1d, 0x74,
|
||||
- 0x99, 0xbe, 0x5c, 0x94, 0x31, 0xcc, 0x12, 0xf4,
|
||||
- 0x59, 0x7e, 0x17, 0x00, 0x4f, 0x7b, 0xa4, 0xb1,
|
||||
- 0xda, 0xdb, 0x3e, 0xa4, 0x34, 0x10, 0x4a, 0x19,
|
||||
- 0x0a, 0xd2, 0xa7, 0xa0, 0xc5, 0xe6, 0xef, 0x82,
|
||||
- 0xd4, 0x2e, 0x21, 0xbe, 0x15, 0x73, 0xac, 0xef,
|
||||
- 0x05, 0xdb, 0x6a, 0x8a, 0x1a, 0xcb, 0x8e, 0xa5,
|
||||
- 0xee, 0xfb, 0x28, 0xbf, 0x96, 0xa4, 0x2b, 0xd2,
|
||||
- 0x85, 0x2b, 0x20, 0xc3, 0xaf, 0x9a, 0x32, 0x04,
|
||||
- 0xa0, 0x49, 0x24, 0x47, 0xd0, 0x09, 0xf7, 0xcf,
|
||||
- 0x73, 0xb6, 0xf6, 0x70, 0xda, 0x3b, 0xf8, 0x5a,
|
||||
- 0x28, 0x2e, 0x14, 0x6c, 0x52, 0xbd, 0x2a, 0x7c,
|
||||
- 0x8e, 0xc1, 0xa8, 0x0e, 0xb1, 0x1e, 0x6b, 0x8d,
|
||||
- 0x76, 0xea, 0x70, 0x81, 0xa0, 0x02, 0x63, 0x74,
|
||||
- 0xbc, 0x7e, 0xb9, 0xac, 0x0e, 0x7b, 0x1b, 0x75,
|
||||
- 0x82, 0xe2, 0x98, 0x4e, 0x24, 0x55, 0xd4, 0xbd,
|
||||
- 0x14, 0xde, 0x58, 0x56, 0x3a, 0x5d, 0x4e, 0x57,
|
||||
- 0x0d, 0x54, 0x74, 0xe8, 0x86, 0x8c, 0xcb, 0x07,
|
||||
- 0x9f, 0x0b, 0xfb, 0xc2, 0x08, 0x5c, 0xd7, 0x05,
|
||||
- 0x3b, 0xc8, 0xd2, 0x15, 0x68, 0x8f, 0x3d, 0x3c,
|
||||
- 0x4e, 0x85, 0xa9, 0x25, 0x6f, 0xf5, 0x2e, 0xca,
|
||||
- 0xca, 0xa8, 0x27, 0x89, 0x61, 0x4e, 0x1f, 0x57,
|
||||
- 0x2d, 0x99, 0x10, 0x3f, 0xbc, 0x9e, 0x96, 0x5e,
|
||||
- 0x2f, 0x0a, 0x25, 0xa7, 0x5c, 0xea, 0x65, 0x2a,
|
||||
- 0x22, 0x35, 0xa3, 0xf9, 0x13, 0x89, 0x05, 0x2e,
|
||||
- 0x19, 0x73, 0x1d, 0x70, 0x74, 0x98, 0x15, 0x4b,
|
||||
- 0xab, 0x56, 0x52, 0xe0, 0x01, 0x42, 0x95, 0x6a,
|
||||
- 0x46, 0x2c, 0x78, 0xff, 0x26, 0xbc, 0x48, 0x10,
|
||||
- 0x38, 0x25, 0xab, 0x32, 0x7c, 0x79, 0x7c, 0x5d,
|
||||
- 0x6f, 0x45, 0x54, 0x74, 0x2d, 0x93, 0x56, 0x52,
|
||||
- 0x11, 0x34, 0x1e, 0xe3, 0x4b, 0x6a, 0x17, 0x4f,
|
||||
- 0x37, 0x14, 0x75, 0xac, 0xa3, 0xa1, 0xca, 0xda,
|
||||
- 0x38, 0x06, 0xa9, 0x78, 0xb9, 0x5d, 0xd0, 0x59,
|
||||
- 0x1b, 0x5d, 0x1e, 0xc2, 0x0b, 0xfb, 0x39, 0x37,
|
||||
- 0x44, 0x85, 0xb6, 0x36, 0x06, 0x95, 0xbc, 0x15,
|
||||
- 0x35, 0xb9, 0xe6, 0x27, 0x42, 0xe3, 0xc8, 0xec,
|
||||
- 0x30, 0x37, 0x20, 0x26, 0x9a, 0x11, 0x61, 0xc0,
|
||||
- 0xdb, 0xb2, 0x5a, 0x26, 0x78, 0x27, 0xb9, 0x13,
|
||||
- 0xc9, 0x1a, 0xa7, 0x67, 0x93, 0xe8, 0xbe, 0xcb,
|
||||
-};
|
||||
-
|
||||
-#define rsa_sigverx931_1_n rsa_sigverx931_0_n
|
||||
-#define rsa_sigverx931_1_e rsa_sigverx931_0_e
|
||||
-static const unsigned char rsa_sigverx931_1_msg[] = {
|
||||
- 0x79, 0x02, 0xb9, 0xd2, 0x3e, 0x84, 0x02, 0xc8,
|
||||
- 0x2a, 0x94, 0x92, 0x14, 0x8d, 0xd5, 0xd3, 0x8d,
|
||||
- 0xb2, 0xf6, 0x00, 0x8b, 0x61, 0x2c, 0xd2, 0xf9,
|
||||
- 0xa8, 0xe0, 0x5d, 0xac, 0xdc, 0xa5, 0x34, 0xf3,
|
||||
- 0xda, 0x6c, 0xd4, 0x70, 0x92, 0xfb, 0x40, 0x26,
|
||||
- 0xc7, 0x9b, 0xe8, 0xd2, 0x10, 0x11, 0xcf, 0x7f,
|
||||
- 0x23, 0xd0, 0xed, 0x55, 0x52, 0x6d, 0xd3, 0xb2,
|
||||
- 0x56, 0x53, 0x8d, 0x7c, 0x4c, 0xb8, 0xcc, 0xb5,
|
||||
- 0xfd, 0xd0, 0x45, 0x4f, 0x62, 0x40, 0x54, 0x42,
|
||||
- 0x68, 0xd5, 0xe5, 0xdd, 0xf0, 0x76, 0x94, 0x59,
|
||||
- 0x1a, 0x57, 0x13, 0xb4, 0xc3, 0x70, 0xcc, 0xbd,
|
||||
- 0x4c, 0x2e, 0xc8, 0x6b, 0x9d, 0x68, 0xd0, 0x72,
|
||||
- 0x6a, 0x94, 0xd2, 0x18, 0xb5, 0x3b, 0x86, 0x45,
|
||||
- 0x95, 0xaa, 0x50, 0xda, 0x35, 0xeb, 0x69, 0x44,
|
||||
- 0x1f, 0xf3, 0x3a, 0x51, 0xbb, 0x1d, 0x08, 0x42,
|
||||
- 0x12, 0xd7, 0xd6, 0x21, 0xd8, 0x9b, 0x87, 0x55,
|
||||
-};
|
||||
-
|
||||
-static const unsigned char rsa_sigverx931_1_sig[] = {
|
||||
- 0x3b, 0xba, 0xb3, 0xb1, 0xb2, 0x6a, 0x29, 0xb5,
|
||||
- 0xf9, 0x94, 0xf1, 0x00, 0x5c, 0x16, 0x67, 0x67,
|
||||
- 0x73, 0xd3, 0xde, 0x7e, 0x07, 0xfa, 0xaa, 0x95,
|
||||
- 0xeb, 0x5a, 0x55, 0xdc, 0xb2, 0xa9, 0x70, 0x5a,
|
||||
- 0xee, 0x8f, 0x8d, 0x69, 0x85, 0x2b, 0x00, 0xe3,
|
||||
- 0xdc, 0xe2, 0x73, 0x9b, 0x68, 0xeb, 0x93, 0x69,
|
||||
- 0x08, 0x03, 0x17, 0xd6, 0x50, 0x21, 0x14, 0x23,
|
||||
- 0x8c, 0xe6, 0x54, 0x3a, 0xd9, 0xfc, 0x8b, 0x14,
|
||||
- 0x81, 0xb1, 0x8b, 0x9d, 0xd2, 0xbe, 0x58, 0x75,
|
||||
- 0x94, 0x74, 0x93, 0xc9, 0xbb, 0x4e, 0xf6, 0x1f,
|
||||
- 0x73, 0x7d, 0x1a, 0x5f, 0xbd, 0xbf, 0x59, 0x37,
|
||||
- 0x5b, 0x98, 0x54, 0xad, 0x3a, 0xef, 0xa0, 0xef,
|
||||
- 0xcb, 0xc3, 0xe8, 0x84, 0xd8, 0x3d, 0xf5, 0x60,
|
||||
- 0xb8, 0xc3, 0x8d, 0x1e, 0x78, 0xa0, 0x91, 0x94,
|
||||
- 0xb7, 0xd7, 0xb1, 0xd4, 0xe2, 0xee, 0x81, 0x93,
|
||||
- 0xfc, 0x41, 0xf0, 0x31, 0xbb, 0x03, 0x52, 0xde,
|
||||
- 0x80, 0x20, 0x3a, 0x68, 0xe6, 0xc5, 0x50, 0x1b,
|
||||
- 0x08, 0x3f, 0x40, 0xde, 0xb3, 0xe5, 0x81, 0x99,
|
||||
- 0x7f, 0xdb, 0xb6, 0x5d, 0x61, 0x27, 0xd4, 0xfb,
|
||||
- 0xcd, 0xc5, 0x7a, 0xea, 0xde, 0x7a, 0x66, 0xef,
|
||||
- 0x55, 0x3f, 0x85, 0xea, 0x84, 0xc5, 0x0a, 0xf6,
|
||||
- 0x3c, 0x40, 0x38, 0xf7, 0x6c, 0x66, 0xe5, 0xbe,
|
||||
- 0x61, 0x41, 0xd3, 0xb1, 0x08, 0xe1, 0xb4, 0xf9,
|
||||
- 0x6e, 0xf6, 0x0e, 0x4a, 0x72, 0x6c, 0x61, 0x63,
|
||||
- 0x3e, 0x41, 0x33, 0x94, 0xd6, 0x27, 0xa4, 0xd9,
|
||||
- 0x3a, 0x20, 0x2b, 0x39, 0xea, 0xe5, 0x82, 0x48,
|
||||
- 0xd6, 0x5b, 0x58, 0x85, 0x44, 0xb0, 0xd2, 0xfd,
|
||||
- 0xfb, 0x3e, 0xeb, 0x78, 0xac, 0xbc, 0xba, 0x16,
|
||||
- 0x92, 0x0e, 0x20, 0xc1, 0xb2, 0xd1, 0x92, 0xa8,
|
||||
- 0x00, 0x88, 0xc0, 0x41, 0x46, 0x38, 0xb6, 0x54,
|
||||
- 0x70, 0x0c, 0x00, 0x62, 0x97, 0x6a, 0x8e, 0x66,
|
||||
- 0x5a, 0xa1, 0x6c, 0xf7, 0x6d, 0xc2, 0x27, 0x56,
|
||||
- 0x60, 0x5b, 0x0c, 0x52, 0xac, 0x5c, 0xae, 0x99,
|
||||
- 0x55, 0x11, 0x62, 0x52, 0x09, 0x48, 0x53, 0x90,
|
||||
- 0x3c, 0x0b, 0xd4, 0xdc, 0x7b, 0xe3, 0x4c, 0xe3,
|
||||
- 0xa8, 0x6d, 0xc5, 0xdf, 0xc1, 0x5c, 0x59, 0x25,
|
||||
- 0x99, 0x30, 0xde, 0x57, 0x6a, 0x84, 0x25, 0x34,
|
||||
- 0x3e, 0x64, 0x11, 0xdb, 0x7a, 0x82, 0x8e, 0x70,
|
||||
- 0xd2, 0x5c, 0x0e, 0x81, 0xa0, 0x24, 0x53, 0x75,
|
||||
- 0x98, 0xd6, 0x10, 0x01, 0x6a, 0x14, 0xed, 0xc3,
|
||||
- 0x6f, 0xc4, 0x18, 0xb8, 0xd2, 0x9f, 0x59, 0x53,
|
||||
- 0x81, 0x3a, 0x86, 0x31, 0xfc, 0x9e, 0xbf, 0x6c,
|
||||
- 0x52, 0x93, 0x86, 0x9c, 0xaa, 0x6c, 0x6f, 0x07,
|
||||
- 0x8a, 0x40, 0x33, 0x64, 0xb2, 0x70, 0x48, 0x85,
|
||||
- 0x05, 0x59, 0x65, 0x2d, 0x6b, 0x9a, 0xad, 0xab,
|
||||
- 0x20, 0x7e, 0x02, 0x6d, 0xde, 0xcf, 0x22, 0x0b,
|
||||
- 0xea, 0x6e, 0xbd, 0x1c, 0x39, 0x3a, 0xfd, 0xa4,
|
||||
- 0xde, 0x54, 0xae, 0xde, 0x5e, 0xf7, 0xb0, 0x6d,
|
||||
-};
|
||||
-
|
||||
static const struct rsa_sigver_st rsa_sigver_data[] = {
|
||||
{
|
||||
"pkcs1", /* pkcs1v1.5 */
|
||||
@@ -1841,17 +1638,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
|
||||
NO_PSS_SALT_LEN,
|
||||
FAIL
|
||||
},
|
||||
- {
|
||||
- "x931",
|
||||
- 3072,
|
||||
- "SHA256",
|
||||
- ITM(rsa_sigverx931_1_msg),
|
||||
- ITM(rsa_sigverx931_1_n),
|
||||
- ITM(rsa_sigverx931_1_e),
|
||||
- ITM(rsa_sigverx931_1_sig),
|
||||
- NO_PSS_SALT_LEN,
|
||||
- FAIL
|
||||
- },
|
||||
{
|
||||
"pss",
|
||||
4096,
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,112 +0,0 @@
|
||||
From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Thu, 17 Nov 2022 18:08:24 +0100
|
||||
Subject: [PATCH] hmac: Add explicit FIPS indicator for key length
|
||||
|
||||
NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
|
||||
specifies key lengths < 112 bytes are disallowed for HMAC generation and
|
||||
are legacy use for HMAC verification.
|
||||
|
||||
Add an explicit indicator that will mark shorter key lengths as
|
||||
unsupported. The indicator can be queries from the EVP_MAC_CTX object
|
||||
using EVP_MAC_CTX_get_params() with the
|
||||
OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR
|
||||
parameter.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
include/crypto/evp.h | 7 +++++++
|
||||
include/openssl/core_names.h | 1 +
|
||||
include/openssl/evp.h | 3 +++
|
||||
providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
|
||||
4 files changed, 28 insertions(+)
|
||||
|
||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
||||
index 76fb990de4..1e2240516e 100644
|
||||
--- a/include/crypto/evp.h
|
||||
+++ b/include/crypto/evp.h
|
||||
@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void);
|
||||
const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
|
||||
const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
|
||||
+ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
|
||||
+ * HMAC verification. */
|
||||
+# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
|
||||
+#endif
|
||||
+
|
||||
struct evp_mac_st {
|
||||
OSSL_PROVIDER *prov;
|
||||
int name_id;
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index c019afbbb0..94fab83193 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -173,6 +173,7 @@ extern "C" {
|
||||
#define OSSL_MAC_PARAM_SIZE "size" /* size_t */
|
||||
#define OSSL_MAC_PARAM_BLOCK_SIZE "block-size" /* size_t */
|
||||
#define OSSL_MAC_PARAM_TLS_DATA_SIZE "tls-data-size" /* size_t */
|
||||
+#define OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
|
||||
|
||||
/* Known MAC names */
|
||||
#define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC"
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index 49e8e1df78..a5e78efd6e 100644
|
||||
--- a/include/openssl/evp.h
|
||||
+++ b/include/openssl/evp.h
|
||||
@@ -1192,6 +1192,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
|
||||
void *arg);
|
||||
|
||||
/* MAC stuff */
|
||||
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||
|
||||
EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
|
||||
const char *properties);
|
||||
diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
|
||||
index 52ebb08b8f..cf5c3ecbe7 100644
|
||||
--- a/providers/implementations/macs/hmac_prov.c
|
||||
+++ b/providers/implementations/macs/hmac_prov.c
|
||||
@@ -21,6 +21,8 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/hmac.h>
|
||||
|
||||
+#include "crypto/evp.h"
|
||||
+
|
||||
#include "prov/implementations.h"
|
||||
#include "prov/provider_ctx.h"
|
||||
#include "prov/provider_util.h"
|
||||
@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
|
||||
OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
|
||||
&& !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
|
||||
return 0;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR)) != NULL) {
|
||||
+ int fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+ /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
|
||||
+ * specifies key lengths < 112 bytes are disallowed for HMAC generation
|
||||
+ * and legacy use for HMAC verification. */
|
||||
+ if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
|
||||
+ fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ return OSSL_PARAM_set_int(p, fips_indicator);
|
||||
+ }
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,113 +0,0 @@
|
||||
From 52b347703ba2b98a0efee86c1a483c2f0f9f73d6 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Wed, 11 Jan 2023 12:52:59 +0100
|
||||
Subject: [PATCH] rsa: Disallow SHAKE in OAEP and PSS in FIPS prov
|
||||
|
||||
According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
|
||||
must not be used in higher-level algorithms (such as RSA-OAEP and
|
||||
RSASSA-PSS):
|
||||
|
||||
"To be used in an approved mode of operation, the SHA-3 hash functions
|
||||
may be implemented either as part of an approved higher-level algorithm,
|
||||
for example, a digital signature algorithm, or as the standalone
|
||||
functions. The SHAKE128 and SHAKE256 extendable-output functions may
|
||||
only be used as the standalone algorithms."
|
||||
|
||||
Add a check to prevent their use as message digest in PSS signatures and
|
||||
as MGF1 hash function in both OAEP and PSS.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++
|
||||
crypto/rsa/rsa_pss.c | 16 ++++++++++++++++
|
||||
2 files changed, 44 insertions(+)
|
||||
|
||||
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
|
||||
index d9be1a4f98..dfe9c9f0e8 100644
|
||||
--- a/crypto/rsa/rsa_oaep.c
|
||||
+++ b/crypto/rsa/rsa_oaep.c
|
||||
@@ -73,9 +73,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
if (mgf1md == NULL)
|
||||
mgf1md = md;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
mdlen = EVP_MD_get_size(md);
|
||||
if (mdlen <= 0) {
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH);
|
||||
@@ -181,9 +195,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
|
||||
#endif
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
||||
+ return -1;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (mgf1md == NULL)
|
||||
mgf1md = md;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
|
||||
+ return -1;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
mdlen = EVP_MD_get_size(md);
|
||||
|
||||
if (tlen <= 0 || flen <= 0)
|
||||
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
|
||||
index 33874bfef8..e8681b0351 100644
|
||||
--- a/crypto/rsa/rsa_pss.c
|
||||
+++ b/crypto/rsa/rsa_pss.c
|
||||
@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
|
||||
if (mgf1Hash == NULL)
|
||||
mgf1Hash = Hash;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
|
||||
+ goto err;
|
||||
+#endif
|
||||
+
|
||||
hLen = EVP_MD_get_size(Hash);
|
||||
if (hLen < 0)
|
||||
goto err;
|
||||
@@ -164,6 +172,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
||||
if (mgf1Hash == NULL)
|
||||
mgf1Hash = Hash;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
|
||||
+ goto err;
|
||||
+#endif
|
||||
+
|
||||
hLen = EVP_MD_get_size(Hash);
|
||||
if (hLen < 0)
|
||||
goto err;
|
||||
--
|
||||
2.39.0
|
||||
|
@ -1,116 +0,0 @@
|
||||
From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Thu, 17 Nov 2022 19:33:02 +0100
|
||||
Subject: [PATCH 1/3] signature: Add indicator for PSS salt length
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
||||
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
|
||||
salt (sLen) shall satisfy 0 ≤ sLen ≤ hLen, where hLen is the length of
|
||||
the hash function output block (in bytes)."
|
||||
|
||||
It is not exactly clear from this text whether hLen refers to the
|
||||
message digest or the hash function used for the mask generation
|
||||
function MGF1. PKCS#1 v2.1 suggests it is the former:
|
||||
|
||||
| Typical salt lengths in octets are hLen (the length of the output of
|
||||
| the hash function Hash) and 0. In both cases the security of
|
||||
| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
|
||||
| Bellare and Rogaway [4] give a tight lower bound for the security of
|
||||
| the original RSA-PSS scheme, which corresponds roughly to the former
|
||||
| case, while Coron [12] gives a lower bound for the related Full Domain
|
||||
| Hashing scheme, which corresponds roughly to the latter case. In [13]
|
||||
| Coron provides a general treatment with various salt lengths ranging
|
||||
| from 0 to hLen; see [27] for discussion. See also [31], which adapts
|
||||
| the security proofs in [4][13] to address the differences between the
|
||||
| original and the present version of RSA-PSS as listed in Note 1 above.
|
||||
|
||||
Since OpenSSL defaults to creating signatures with the maximum salt
|
||||
length, blocking the use of longer salts would probably lead to
|
||||
significant problems in practice. Instead, introduce an explicit
|
||||
indicator that can be obtained from the EVP_PKEY_CTX object using
|
||||
EVP_PKEY_CTX_get_params() with the
|
||||
OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR
|
||||
parameter.
|
||||
|
||||
We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch.
|
||||
Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
include/openssl/core_names.h | 1 +
|
||||
include/openssl/evp.h | 4 ++++
|
||||
providers/implementations/signature/rsa_sig.c | 18 ++++++++++++++++++
|
||||
3 files changed, 23 insertions(+)
|
||||
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 94fab83193..69c59f0b46 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -453,6 +453,7 @@ extern "C" {
|
||||
#define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \
|
||||
OSSL_PKEY_PARAM_MGF1_PROPERTIES
|
||||
#define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE
|
||||
+#define OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
|
||||
|
||||
/* Asym cipher parameters */
|
||||
#define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index a5e78efd6e..f239200465 100644
|
||||
--- a/include/openssl/evp.h
|
||||
+++ b/include/openssl/evp.h
|
||||
@@ -797,6 +797,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
|
||||
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
|
||||
int *outl);
|
||||
|
||||
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||
+
|
||||
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
|
||||
EVP_PKEY *pkey);
|
||||
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index 49e7f9158a..0c45008a00 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -1127,6 +1127,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
|
||||
+ if (prsactx->md == NULL) {
|
||||
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
|
||||
+ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
|
||||
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ } else if (prsactx->pad_mode == RSA_NO_PADDING) {
|
||||
+ if (prsactx->md == NULL) /* Should always be the case */
|
||||
+ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ return OSSL_PARAM_set_int(p, fips_indicator);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -1136,6 +1151,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
|
||||
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
|
||||
OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,114 +0,0 @@
|
||||
From 0879fac692cb1bff0ec4c196cb364d970ad3ecec Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 21 Nov 2022 14:33:57 +0100
|
||||
Subject: [PATCH 2/3] Obtain PSS salt length from provider
|
||||
|
||||
Rather than computing the PSS salt length again in core using
|
||||
ossl_rsa_ctx_to_pss_string, which calls rsa_ctx_to_pss and computes the
|
||||
salt length, obtain it from the provider using the
|
||||
OSSL_SIGNATURE_PARAM_ALGORITHM_ID param to handle the case where the
|
||||
interpretation of the magic constants in the provider differs from that
|
||||
of OpenSSL core.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/cms/cms_rsa.c | 19 +++++++++++++++----
|
||||
crypto/rsa/rsa_ameth.c | 34 +++++++++++++++++++++-------------
|
||||
2 files changed, 36 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c
|
||||
index 20ed816918..997567fdbf 100644
|
||||
--- a/crypto/cms/cms_rsa.c
|
||||
+++ b/crypto/cms/cms_rsa.c
|
||||
@@ -10,6 +10,7 @@
|
||||
#include <assert.h>
|
||||
#include <openssl/cms.h>
|
||||
#include <openssl/err.h>
|
||||
+#include <openssl/core_names.h>
|
||||
#include "crypto/asn1.h"
|
||||
#include "crypto/rsa.h"
|
||||
#include "cms_local.h"
|
||||
@@ -191,7 +192,10 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
|
||||
int pad_mode = RSA_PKCS1_PADDING;
|
||||
X509_ALGOR *alg;
|
||||
EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
|
||||
- ASN1_STRING *os = NULL;
|
||||
+ unsigned char aid[128];
|
||||
+ const unsigned char *pp = aid;
|
||||
+ size_t aid_len = 0;
|
||||
+ OSSL_PARAM params[2];
|
||||
|
||||
CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
|
||||
if (pkctx != NULL) {
|
||||
@@ -205,10 +209,17 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
|
||||
/* We don't support it */
|
||||
if (pad_mode != RSA_PKCS1_PSS_PADDING)
|
||||
return 0;
|
||||
- os = ossl_rsa_ctx_to_pss_string(pkctx);
|
||||
- if (os == NULL)
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_octet_string(
|
||||
+ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
|
||||
+ params[1] = OSSL_PARAM_construct_end();
|
||||
+
|
||||
+ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0)
|
||||
+ return 0;
|
||||
+ if ((aid_len = params[0].return_size) == 0)
|
||||
+ return 0;
|
||||
+ if (d2i_X509_ALGOR(&alg, &pp, aid_len) == NULL)
|
||||
return 0;
|
||||
- X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
|
||||
return 1;
|
||||
}
|
||||
|
||||
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
|
||||
index c15554505b..61ec53d424 100644
|
||||
--- a/crypto/rsa/rsa_ameth.c
|
||||
+++ b/crypto/rsa/rsa_ameth.c
|
||||
@@ -637,22 +637,30 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn,
|
||||
if (pad_mode == RSA_PKCS1_PADDING)
|
||||
return 2;
|
||||
if (pad_mode == RSA_PKCS1_PSS_PADDING) {
|
||||
- ASN1_STRING *os1 = NULL;
|
||||
- os1 = ossl_rsa_ctx_to_pss_string(pkctx);
|
||||
- if (!os1)
|
||||
+ unsigned char aid[128];
|
||||
+ size_t aid_len = 0;
|
||||
+ OSSL_PARAM params[2];
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_octet_string(
|
||||
+ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
|
||||
+ params[1] = OSSL_PARAM_construct_end();
|
||||
+
|
||||
+ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0)
|
||||
return 0;
|
||||
- /* Duplicate parameters if we have to */
|
||||
- if (alg2) {
|
||||
- ASN1_STRING *os2 = ASN1_STRING_dup(os1);
|
||||
- if (!os2) {
|
||||
- ASN1_STRING_free(os1);
|
||||
+ if ((aid_len = params[0].return_size) == 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (alg1 != NULL) {
|
||||
+ const unsigned char *pp = aid;
|
||||
+ if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL)
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (alg2 != NULL) {
|
||||
+ const unsigned char *pp = aid;
|
||||
+ if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL)
|
||||
return 0;
|
||||
- }
|
||||
- X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
|
||||
- V_ASN1_SEQUENCE, os2);
|
||||
}
|
||||
- X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
|
||||
- V_ASN1_SEQUENCE, os1);
|
||||
+
|
||||
return 3;
|
||||
}
|
||||
return 2;
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,338 +0,0 @@
|
||||
From 9cc914ff3e1fda124bdc76d72ebc9349ec19f8ae Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 18 Nov 2022 12:35:33 +0100
|
||||
Subject: [PATCH 3/3] signature: Clamp PSS salt len to MD len
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
||||
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
|
||||
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
|
||||
the hash function output block (in bytes)."
|
||||
|
||||
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
|
||||
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
|
||||
not use more than the digest legth when signing, so that FIPS 186-4 is
|
||||
not violated. This value has two advantages when compared with
|
||||
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
|
||||
verifying signatures for maximum compatibility, where
|
||||
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
|
||||
work for combinations where the maximum salt length is smaller than the
|
||||
digest size, which typically happens with large digest sizes (e.g.,
|
||||
SHA-512) and small RSA keys.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/rsa/rsa_ameth.c | 18 ++++++++-
|
||||
crypto/rsa/rsa_pss.c | 26 ++++++++++--
|
||||
doc/man3/EVP_PKEY_CTX_ctrl.pod | 11 ++++-
|
||||
doc/man7/EVP_SIGNATURE-RSA.pod | 5 +++
|
||||
include/openssl/core_names.h | 1 +
|
||||
include/openssl/rsa.h | 3 ++
|
||||
providers/implementations/signature/rsa_sig.c | 40 ++++++++++++++-----
|
||||
test/recipes/25-test_req.t | 2 +-
|
||||
8 files changed, 87 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
|
||||
index 61ec53d424..e69a98d116 100644
|
||||
--- a/crypto/rsa/rsa_ameth.c
|
||||
+++ b/crypto/rsa/rsa_ameth.c
|
||||
@@ -450,6 +450,7 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
|
||||
const EVP_MD *sigmd, *mgf1md;
|
||||
EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
|
||||
int saltlen;
|
||||
+ int saltlenMax = -1;
|
||||
|
||||
if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
|
||||
return NULL;
|
||||
@@ -457,14 +458,27 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
|
||||
return NULL;
|
||||
if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0)
|
||||
return NULL;
|
||||
- if (saltlen == -1) {
|
||||
+ if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
|
||||
saltlen = EVP_MD_get_size(sigmd);
|
||||
- } else if (saltlen == -2 || saltlen == -3) {
|
||||
+ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm",
|
||||
+ * subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in
|
||||
+ * bytes) of the salt (sLen) shall satisfy 0 <= sLen <= hLen, where
|
||||
+ * hLen is the length of the hash function output block (in bytes)."
|
||||
+ *
|
||||
+ * Provide a way to use at most the digest length, so that the default
|
||||
+ * does not violate FIPS 186-4. */
|
||||
+ saltlen = RSA_PSS_SALTLEN_MAX;
|
||||
+ saltlenMax = EVP_MD_get_size(sigmd);
|
||||
+ }
|
||||
+ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
|
||||
saltlen = EVP_PKEY_get_size(pk) - EVP_MD_get_size(sigmd) - 2;
|
||||
if ((EVP_PKEY_get_bits(pk) & 0x7) == 1)
|
||||
saltlen--;
|
||||
if (saltlen < 0)
|
||||
return NULL;
|
||||
+ if (saltlenMax >= 0 && saltlen > saltlenMax)
|
||||
+ saltlen = saltlenMax;
|
||||
}
|
||||
|
||||
return ossl_rsa_pss_params_create(sigmd, mgf1md, saltlen);
|
||||
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
|
||||
index 33874bfef8..430c36eb2a 100644
|
||||
--- a/crypto/rsa/rsa_pss.c
|
||||
+++ b/crypto/rsa/rsa_pss.c
|
||||
@@ -61,11 +61,12 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
|
||||
* -1 sLen == hLen
|
||||
* -2 salt length is autorecovered from signature
|
||||
* -3 salt length is maximized
|
||||
+ * -4 salt length is autorecovered from signature
|
||||
* -N reserved
|
||||
*/
|
||||
if (sLen == RSA_PSS_SALTLEN_DIGEST) {
|
||||
sLen = hLen;
|
||||
- } else if (sLen < RSA_PSS_SALTLEN_MAX) {
|
||||
+ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
|
||||
goto err;
|
||||
}
|
||||
@@ -112,7 +113,9 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
|
||||
goto err;
|
||||
}
|
||||
- if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
|
||||
+ if (sLen != RSA_PSS_SALTLEN_AUTO
|
||||
+ && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
|
||||
+ && (maskedDBLen - i) != sLen) {
|
||||
ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
|
||||
"expected: %d retrieved: %d", sLen,
|
||||
maskedDBLen - i);
|
||||
@@ -160,6 +163,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
||||
int hLen, maskedDBLen, MSBits, emLen;
|
||||
unsigned char *H, *salt = NULL, *p;
|
||||
EVP_MD_CTX *ctx = NULL;
|
||||
+ int sLenMax = -1;
|
||||
|
||||
if (mgf1Hash == NULL)
|
||||
mgf1Hash = Hash;
|
||||
@@ -172,13 +176,25 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
||||
* -1 sLen == hLen
|
||||
* -2 salt length is maximized
|
||||
* -3 same as above (on signing)
|
||||
+ * -4 salt length is min(hLen, maximum salt length)
|
||||
* -N reserved
|
||||
*/
|
||||
+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
||||
+ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
|
||||
+ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
|
||||
+ * the hash function output block (in bytes)."
|
||||
+ *
|
||||
+ * Provide a way to use at most the digest length, so that the default does
|
||||
+ * not violate FIPS 186-4. */
|
||||
if (sLen == RSA_PSS_SALTLEN_DIGEST) {
|
||||
sLen = hLen;
|
||||
- } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
|
||||
+ } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
|
||||
+ || sLen == RSA_PSS_SALTLEN_AUTO) {
|
||||
sLen = RSA_PSS_SALTLEN_MAX;
|
||||
- } else if (sLen < RSA_PSS_SALTLEN_MAX) {
|
||||
+ } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
+ sLen = RSA_PSS_SALTLEN_MAX;
|
||||
+ sLenMax = hLen;
|
||||
+ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
|
||||
goto err;
|
||||
}
|
||||
@@ -195,6 +211,8 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
||||
}
|
||||
if (sLen == RSA_PSS_SALTLEN_MAX) {
|
||||
sLen = emLen - hLen - 2;
|
||||
+ if (sLenMax >= 0 && sLen > sLenMax)
|
||||
+ sLen = sLenMax;
|
||||
} else if (sLen > emLen - hLen - 2) {
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
|
||||
goto err;
|
||||
diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
|
||||
index 3075eaafd6..9b96f42dbc 100644
|
||||
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
|
||||
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
|
||||
@@ -270,8 +270,8 @@ EVP_PKEY_CTX_get_rsa_padding() gets the RSA padding mode for I<ctx>.
|
||||
|
||||
EVP_PKEY_CTX_set_rsa_pss_saltlen() sets the RSA PSS salt length to I<saltlen>.
|
||||
As its name implies it is only supported for PSS padding. If this function is
|
||||
-not called then the maximum salt length is used when signing and auto detection
|
||||
-when verifying. Three special values are supported:
|
||||
+not called then the salt length is maximized up to the digest length when
|
||||
+signing and auto detection when verifying. Four special values are supported:
|
||||
|
||||
=over 4
|
||||
|
||||
@@ -289,6 +289,13 @@ causes the salt length to be automatically determined based on the
|
||||
B<PSS> block structure when verifying. When signing, it has the same
|
||||
meaning as B<RSA_PSS_SALTLEN_MAX>.
|
||||
|
||||
+=item B<RSA_PSS_SALTLEN_AUTO_DIGEST_MAX>
|
||||
+
|
||||
+causes the salt length to be automatically determined based on the B<PSS> block
|
||||
+structure when verifying, like B<RSA_PSS_SALTLEN_AUTO>. When signing, the salt
|
||||
+length is maximized up to a maximum of the digest length to comply with FIPS
|
||||
+186-4 section 5.5.
|
||||
+
|
||||
=back
|
||||
|
||||
EVP_PKEY_CTX_get_rsa_pss_saltlen() gets the RSA PSS salt length for I<ctx>.
|
||||
diff --git a/doc/man7/EVP_SIGNATURE-RSA.pod b/doc/man7/EVP_SIGNATURE-RSA.pod
|
||||
index 1ce32cc443..13d053e262 100644
|
||||
--- a/doc/man7/EVP_SIGNATURE-RSA.pod
|
||||
+++ b/doc/man7/EVP_SIGNATURE-RSA.pod
|
||||
@@ -68,6 +68,11 @@ Use the maximum salt length.
|
||||
|
||||
Auto detect the salt length.
|
||||
|
||||
+=item "auto-digestmax" (B<OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX>)
|
||||
+
|
||||
+Auto detect the salt length when verifying. Maximize the salt length up to the
|
||||
+digest size when signing to comply with FIPS 186-4 section 5.5.
|
||||
+
|
||||
=back
|
||||
|
||||
=back
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 69c59f0b46..5779f41427 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -399,6 +399,7 @@ extern "C" {
|
||||
#define OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST "digest"
|
||||
#define OSSL_PKEY_RSA_PSS_SALT_LEN_MAX "max"
|
||||
#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO "auto"
|
||||
+#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax"
|
||||
|
||||
/* Key generation parameters */
|
||||
#define OSSL_PKEY_PARAM_RSA_BITS OSSL_PKEY_PARAM_BITS
|
||||
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
|
||||
index a55c9727c6..daf55bc6d4 100644
|
||||
--- a/include/openssl/rsa.h
|
||||
+++ b/include/openssl/rsa.h
|
||||
@@ -137,6 +137,9 @@ int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
|
||||
# define RSA_PSS_SALTLEN_AUTO -2
|
||||
/* Set salt length to maximum possible */
|
||||
# define RSA_PSS_SALTLEN_MAX -3
|
||||
+/* Auto-detect on verify, set salt length to min(maximum possible, digest
|
||||
+ * length) on sign */
|
||||
+# define RSA_PSS_SALTLEN_AUTO_DIGEST_MAX -4
|
||||
/* Old compatible max salt length for sign only */
|
||||
# define RSA_PSS_SALTLEN_MAX_SIGN -2
|
||||
|
||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||
index 0c45008a00..1a787d77db 100644
|
||||
--- a/providers/implementations/signature/rsa_sig.c
|
||||
+++ b/providers/implementations/signature/rsa_sig.c
|
||||
@@ -191,8 +191,8 @@ static void *rsa_newctx(void *provctx, const char *propq)
|
||||
prsactx->libctx = PROV_LIBCTX_OF(provctx);
|
||||
prsactx->flag_allow_md = 1;
|
||||
prsactx->propq = propq_copy;
|
||||
- /* Maximum for sign, auto for verify */
|
||||
- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO;
|
||||
+ /* Maximum up to digest length for sign, auto for verify */
|
||||
+ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
|
||||
prsactx->min_saltlen = -1;
|
||||
return prsactx;
|
||||
}
|
||||
@@ -200,13 +200,27 @@ static void *rsa_newctx(void *provctx, const char *propq)
|
||||
static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
|
||||
{
|
||||
int saltlen = ctx->saltlen;
|
||||
-
|
||||
+ int saltlenMax = -1;
|
||||
+
|
||||
+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
||||
+ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
|
||||
+ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
|
||||
+ * the hash function output block (in bytes)."
|
||||
+ *
|
||||
+ * Provide a way to use at most the digest length, so that the default does
|
||||
+ * not violate FIPS 186-4. */
|
||||
if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
|
||||
saltlen = EVP_MD_get_size(ctx->md);
|
||||
- } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) {
|
||||
+ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
+ saltlen = RSA_PSS_SALTLEN_MAX;
|
||||
+ saltlenMax = EVP_MD_get_size(ctx->md);
|
||||
+ }
|
||||
+ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
|
||||
saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2;
|
||||
if ((RSA_bits(ctx->rsa) & 0x7) == 1)
|
||||
saltlen--;
|
||||
+ if (saltlenMax >= 0 && saltlen > saltlenMax)
|
||||
+ saltlen = saltlenMax;
|
||||
}
|
||||
if (saltlen < 0) {
|
||||
ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
|
||||
@@ -411,8 +425,8 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
|
||||
|
||||
prsactx->operation = operation;
|
||||
|
||||
- /* Maximum for sign, auto for verify */
|
||||
- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO;
|
||||
+ /* Maximize up to digest length for sign, auto for verify */
|
||||
+ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
|
||||
prsactx->min_saltlen = -1;
|
||||
|
||||
switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
|
||||
@@ -1110,6 +1124,9 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
case RSA_PSS_SALTLEN_AUTO:
|
||||
value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
|
||||
break;
|
||||
+ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
|
||||
+ value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX;
|
||||
+ break;
|
||||
default:
|
||||
{
|
||||
int len = BIO_snprintf(p->data, p->data_size, "%d",
|
||||
@@ -1297,6 +1314,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
saltlen = RSA_PSS_SALTLEN_MAX;
|
||||
else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
|
||||
saltlen = RSA_PSS_SALTLEN_AUTO;
|
||||
+ else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)
|
||||
+ saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
|
||||
else
|
||||
saltlen = atoi(p->data);
|
||||
break;
|
||||
@@ -1305,11 +1324,11 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
}
|
||||
|
||||
/*
|
||||
- * RSA_PSS_SALTLEN_MAX seems curiously named in this check.
|
||||
- * Contrary to what it's name suggests, it's the currently
|
||||
- * lowest saltlen number possible.
|
||||
+ * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check.
|
||||
+ * Contrary to what it's name suggests, it's the currently lowest
|
||||
+ * saltlen number possible.
|
||||
*/
|
||||
- if (saltlen < RSA_PSS_SALTLEN_MAX) {
|
||||
+ if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
|
||||
return 0;
|
||||
}
|
||||
@@ -1317,6 +1336,7 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||
if (rsa_pss_restricted(prsactx)) {
|
||||
switch (saltlen) {
|
||||
case RSA_PSS_SALTLEN_AUTO:
|
||||
+ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
|
||||
if (prsactx->operation == EVP_PKEY_OP_VERIFY) {
|
||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
|
||||
"Cannot use autodetected salt length");
|
||||
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
|
||||
index e615f1b338..35541aed12 100644
|
||||
--- a/test/recipes/25-test_req.t
|
||||
+++ b/test/recipes/25-test_req.t
|
||||
@@ -199,7 +199,7 @@ subtest "generating certificate requests with RSA-PSS" => sub {
|
||||
ok(!run(app(["openssl", "req",
|
||||
"-config", srctop_file("test", "test.cnf"),
|
||||
"-new", "-out", "testreq-rsapss3.pem", "-utf8",
|
||||
- "-sigopt", "rsa_pss_saltlen:-4",
|
||||
+ "-sigopt", "rsa_pss_saltlen:-5",
|
||||
"-key", srctop_file("test", "testrsapss.pem")])),
|
||||
"Generating request with expected failure");
|
||||
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,32 +0,0 @@
|
||||
diff -up openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap openssl-3.0.1/providers/implementations/kem/rsa_kem.c
|
||||
--- openssl-3.0.1/providers/implementations/kem/rsa_kem.c.encap 2022-11-22 12:27:30.994530801 +0100
|
||||
+++ openssl-3.0.1/providers/implementations/kem/rsa_kem.c 2022-11-22 12:32:15.916875495 +0100
|
||||
@@ -264,6 +264,14 @@ static int rsasve_generate(PROV_RSA_CTX
|
||||
*secretlen = nlen;
|
||||
return 1;
|
||||
}
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* Step (2): Generate a random byte string z of nlen bytes where
|
||||
* 1 < z < n - 1
|
||||
@@ -307,6 +315,13 @@ static int rsasve_recover(PROV_RSA_CTX *
|
||||
return 1;
|
||||
}
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* Step (2): check the input ciphertext 'inlen' matches the nlen */
|
||||
if (inlen != nlen) {
|
||||
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
|
@ -1,705 +0,0 @@
|
||||
From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Thu, 10 Nov 2022 10:46:32 -0500
|
||||
Subject: [PATCH 1/3] Propagate selection all the way on key export
|
||||
|
||||
EVP_PKEY_eq() is used to check, among other things, if a certificate
|
||||
public key corresponds to a private key. When the private key belongs to
|
||||
a provider that does not allow to export private keys this currently
|
||||
fails as the internal functions used to import/export keys ignored the
|
||||
selection given (which specifies that only the public key needs to be
|
||||
considered) and instead tries to export everything.
|
||||
|
||||
This patch allows to propagate the selection all the way down including
|
||||
adding it in the cache so that a following operation actually looking
|
||||
for other selection parameters does not mistakenly pick up an export
|
||||
containing only partial information.
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
||||
|
||||
diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c
|
||||
index b06730dc7a..2d0238ee27 100644
|
||||
--- a/crypto/evp/keymgmt_lib.c
|
||||
+++ b/crypto/evp/keymgmt_lib.c
|
||||
@@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
||||
export_cb, export_cbarg);
|
||||
}
|
||||
|
||||
-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
||||
+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ int selection)
|
||||
{
|
||||
struct evp_keymgmt_util_try_import_data_st import_data;
|
||||
OP_CACHE_ELEM *op;
|
||||
@@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
||||
*/
|
||||
if (pk->dirty_cnt == pk->dirty_cnt_copy) {
|
||||
/* If this key is already exported to |keymgmt|, no more to do */
|
||||
- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
|
||||
+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
|
||||
if (op != NULL && op->keymgmt != NULL) {
|
||||
void *ret = op->keydata;
|
||||
|
||||
@@ -157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
||||
/* Setup for the export callback */
|
||||
import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */
|
||||
import_data.keymgmt = keymgmt;
|
||||
- import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
|
||||
+ import_data.selection = selection;
|
||||
|
||||
/*
|
||||
* The export function calls the callback (evp_keymgmt_util_try_import),
|
||||
* which does the import for us. If successful, we're done.
|
||||
*/
|
||||
- if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL,
|
||||
+ if (!evp_keymgmt_util_export(pk, selection,
|
||||
&evp_keymgmt_util_try_import, &import_data))
|
||||
/* If there was an error, bail out */
|
||||
return NULL;
|
||||
@@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
||||
return NULL;
|
||||
}
|
||||
/* Check to make sure some other thread didn't get there first */
|
||||
- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
|
||||
+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
|
||||
if (op != NULL && op->keydata != NULL) {
|
||||
void *ret = op->keydata;
|
||||
|
||||
@@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
||||
evp_keymgmt_util_clear_operation_cache(pk, 0);
|
||||
|
||||
/* Add the new export to the operation cache */
|
||||
- if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) {
|
||||
+ if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata,
|
||||
+ selection)) {
|
||||
CRYPTO_THREAD_unlock(pk->lock);
|
||||
evp_keymgmt_freedata(keymgmt, import_data.keydata);
|
||||
return NULL;
|
||||
@@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking)
|
||||
}
|
||||
|
||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt)
|
||||
+ EVP_KEYMGMT *keymgmt,
|
||||
+ int selection)
|
||||
{
|
||||
int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache);
|
||||
OP_CACHE_ELEM *p;
|
||||
@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
||||
*/
|
||||
for (i = 0; i < end; i++) {
|
||||
p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i);
|
||||
- if (keymgmt == p->keymgmt)
|
||||
+ if (keymgmt == p->keymgmt && (p->selection & selection) == selection)
|
||||
return p;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt, void *keydata)
|
||||
+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ void *keydata, int selection)
|
||||
{
|
||||
OP_CACHE_ELEM *p = NULL;
|
||||
|
||||
@@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
||||
return 0;
|
||||
p->keydata = keydata;
|
||||
p->keymgmt = keymgmt;
|
||||
+ p->selection = selection;
|
||||
|
||||
if (!EVP_KEYMGMT_up_ref(keymgmt)) {
|
||||
OPENSSL_free(p);
|
||||
@@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
|
||||
ok = 1;
|
||||
if (keydata1 != NULL) {
|
||||
tmp_keydata =
|
||||
- evp_keymgmt_util_export_to_provider(pk1, keymgmt2);
|
||||
+ evp_keymgmt_util_export_to_provider(pk1, keymgmt2,
|
||||
+ selection);
|
||||
ok = (tmp_keydata != NULL);
|
||||
}
|
||||
if (ok) {
|
||||
@@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
|
||||
ok = 1;
|
||||
if (keydata2 != NULL) {
|
||||
tmp_keydata =
|
||||
- evp_keymgmt_util_export_to_provider(pk2, keymgmt1);
|
||||
+ evp_keymgmt_util_export_to_provider(pk2, keymgmt1,
|
||||
+ selection);
|
||||
ok = (tmp_keydata != NULL);
|
||||
}
|
||||
if (ok) {
|
||||
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
|
||||
index 70d17ec37e..905e9c9ce4 100644
|
||||
--- a/crypto/evp/p_lib.c
|
||||
+++ b/crypto/evp/p_lib.c
|
||||
@@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
||||
{
|
||||
EVP_KEYMGMT *allocated_keymgmt = NULL;
|
||||
EVP_KEYMGMT *tmp_keymgmt = NULL;
|
||||
+ int selection = OSSL_KEYMGMT_SELECT_ALL;
|
||||
void *keydata = NULL;
|
||||
int check;
|
||||
|
||||
@@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
||||
if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) {
|
||||
if (!CRYPTO_THREAD_read_lock(pk->lock))
|
||||
goto end;
|
||||
- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
|
||||
+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt,
|
||||
+ selection);
|
||||
|
||||
/*
|
||||
* If |tmp_keymgmt| is present in the operation cache, it means
|
||||
@@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
||||
EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */
|
||||
|
||||
/* Check to make sure some other thread didn't get there first */
|
||||
- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
|
||||
+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection);
|
||||
if (op != NULL && op->keymgmt != NULL) {
|
||||
void *tmp_keydata = op->keydata;
|
||||
|
||||
@@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
||||
}
|
||||
|
||||
/* Add the new export to the operation cache */
|
||||
- if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) {
|
||||
+ if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata,
|
||||
+ selection)) {
|
||||
CRYPTO_THREAD_unlock(pk->lock);
|
||||
evp_keymgmt_freedata(tmp_keymgmt, keydata);
|
||||
keydata = NULL;
|
||||
@@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
||||
}
|
||||
#endif /* FIPS_MODULE */
|
||||
|
||||
- keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt);
|
||||
+ keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection);
|
||||
|
||||
end:
|
||||
/*
|
||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
||||
index f601b72807..dbbdcccbda 100644
|
||||
--- a/include/crypto/evp.h
|
||||
+++ b/include/crypto/evp.h
|
||||
@@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
|
||||
typedef struct {
|
||||
EVP_KEYMGMT *keymgmt;
|
||||
void *keydata;
|
||||
+ int selection;
|
||||
} OP_CACHE_ELEM;
|
||||
|
||||
DEFINE_STACK_OF(OP_CACHE_ELEM)
|
||||
@@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata);
|
||||
|
||||
int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
||||
OSSL_CALLBACK *export_cb, void *export_cbarg);
|
||||
-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
|
||||
+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ int selection);
|
||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt);
|
||||
+ EVP_KEYMGMT *keymgmt,
|
||||
+ int selection);
|
||||
int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
|
||||
-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt, void *keydata);
|
||||
+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ void *keydata, int selection);
|
||||
void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
|
||||
void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
|
||||
int selection, const OSSL_PARAM params[]);
|
||||
--
|
||||
2.38.1
|
||||
|
||||
From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Thu, 10 Nov 2022 16:58:28 -0500
|
||||
Subject: [PATCH 2/3] Update documentation for keymgmt export utils
|
||||
|
||||
Change function prototypes and explain how to use the selection
|
||||
argument.
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
||||
|
||||
diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
||||
index 1fee9f6ff9..7099e44964 100644
|
||||
--- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
||||
+++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
||||
@@ -20,12 +20,14 @@ OP_CACHE_ELEM
|
||||
|
||||
int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
||||
OSSL_CALLBACK *export_cb, void *export_cbarg);
|
||||
- void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
|
||||
+ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ int selection);
|
||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt);
|
||||
+ EVP_KEYMGMT *keymgmt,
|
||||
+ int selection);
|
||||
int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
|
||||
- int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
||||
- EVP_KEYMGMT *keymgmt, void *keydata);
|
||||
+ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
||||
+ void *keydata, int selection);
|
||||
void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
|
||||
void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
|
||||
int selection, const OSSL_PARAM params[]);
|
||||
@@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a
|
||||
given key I<target> via a B<EVP_KEYMGMT> interface. This is used as a
|
||||
helper for L<EVP_PKEY_fromdata(3)>.
|
||||
|
||||
+In all functions that take a I<selection> argument, the selection is used to
|
||||
+constraint the information requested on export. It is also used in the cache
|
||||
+so that key data is guaranteed to contain all the information requested in
|
||||
+the selection.
|
||||
+
|
||||
=head1 RETURN VALUES
|
||||
|
||||
evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata()
|
||||
--
|
||||
2.38.1
|
||||
|
||||
From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Fri, 11 Nov 2022 12:18:26 -0500
|
||||
Subject: [PATCH 3/3] Add test for EVP_PKEY_eq
|
||||
|
||||
This tests that the comparison work even if a provider can only return
|
||||
a public key.
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
||||
|
||||
diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c
|
||||
index d556551bb6..5e92e72d4b 100644
|
||||
--- a/test/fake_rsaprov.c
|
||||
+++ b/test/fake_rsaprov.c
|
||||
@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has;
|
||||
static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query;
|
||||
static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import;
|
||||
static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes;
|
||||
+static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export;
|
||||
+static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes;
|
||||
static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load;
|
||||
|
||||
static int has_selection;
|
||||
static int imptypes_selection;
|
||||
+static int exptypes_selection;
|
||||
static int query_id;
|
||||
|
||||
+struct fake_rsa_keydata {
|
||||
+ int selection;
|
||||
+ int status;
|
||||
+};
|
||||
+
|
||||
static void *fake_rsa_keymgmt_new(void *provctx)
|
||||
{
|
||||
- unsigned char *keydata = OPENSSL_zalloc(1);
|
||||
+ struct fake_rsa_keydata *key;
|
||||
|
||||
- TEST_ptr(keydata);
|
||||
+ if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata))))
|
||||
+ return NULL;
|
||||
|
||||
/* clear test globals */
|
||||
has_selection = 0;
|
||||
imptypes_selection = 0;
|
||||
+ exptypes_selection = 0;
|
||||
query_id = 0;
|
||||
|
||||
- return keydata;
|
||||
+ return key;
|
||||
}
|
||||
|
||||
static void fake_rsa_keymgmt_free(void *keydata)
|
||||
@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id)
|
||||
static int fake_rsa_keymgmt_import(void *keydata, int selection,
|
||||
const OSSL_PARAM *p)
|
||||
{
|
||||
- unsigned char *fake_rsa_key = keydata;
|
||||
+ struct fake_rsa_keydata *fake_rsa_key = keydata;
|
||||
|
||||
/* key was imported */
|
||||
- *fake_rsa_key = 1;
|
||||
+ fake_rsa_key->status = 1;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static unsigned char fake_rsa_n[] =
|
||||
+ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
|
||||
+ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
|
||||
+ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
|
||||
+ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
|
||||
+ "\xF5";
|
||||
+
|
||||
+static unsigned char fake_rsa_e[] = "\x11";
|
||||
+
|
||||
+static unsigned char fake_rsa_d[] =
|
||||
+ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
|
||||
+ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
|
||||
+ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
|
||||
+ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
|
||||
+
|
||||
+static unsigned char fake_rsa_p[] =
|
||||
+ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
|
||||
+ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
|
||||
+ "\x0D";
|
||||
+
|
||||
+static unsigned char fake_rsa_q[] =
|
||||
+ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
|
||||
+ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
|
||||
+ "\x89";
|
||||
+
|
||||
+static unsigned char fake_rsa_dmp1[] =
|
||||
+ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
|
||||
+ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
|
||||
+
|
||||
+static unsigned char fake_rsa_dmq1[] =
|
||||
+ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
|
||||
+ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
|
||||
+ "\x51";
|
||||
+
|
||||
+static unsigned char fake_rsa_iqmp[] =
|
||||
+ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
|
||||
+ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
|
||||
+
|
||||
+OSSL_PARAM *fake_rsa_key_params(int priv)
|
||||
+{
|
||||
+ if (priv) {
|
||||
+ OSSL_PARAM params[] = {
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
|
||||
+ sizeof(fake_rsa_n) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
|
||||
+ sizeof(fake_rsa_e) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d,
|
||||
+ sizeof(fake_rsa_d) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p,
|
||||
+ sizeof(fake_rsa_p) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q,
|
||||
+ sizeof(fake_rsa_q) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1,
|
||||
+ sizeof(fake_rsa_dmp1) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1,
|
||||
+ sizeof(fake_rsa_dmq1) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp,
|
||||
+ sizeof(fake_rsa_iqmp) -1),
|
||||
+ OSSL_PARAM_END
|
||||
+ };
|
||||
+ return OSSL_PARAM_dup(params);
|
||||
+ } else {
|
||||
+ OSSL_PARAM params[] = {
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
|
||||
+ sizeof(fake_rsa_n) -1),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
|
||||
+ sizeof(fake_rsa_e) -1),
|
||||
+ OSSL_PARAM_END
|
||||
+ };
|
||||
+ return OSSL_PARAM_dup(params);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static int fake_rsa_keymgmt_export(void *keydata, int selection,
|
||||
+ OSSL_CALLBACK *param_callback, void *cbarg)
|
||||
+{
|
||||
+ OSSL_PARAM *params = NULL;
|
||||
+ int ret;
|
||||
+
|
||||
+ if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0)))
|
||||
+ return 0;
|
||||
+
|
||||
+ ret = param_callback(params, cbarg);
|
||||
+ OSSL_PARAM_free(params);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static const OSSL_PARAM fake_rsa_import_key_types[] = {
|
||||
OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
|
||||
OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
|
||||
@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection)
|
||||
return fake_rsa_import_key_types;
|
||||
}
|
||||
|
||||
+static const OSSL_PARAM fake_rsa_export_key_types[] = {
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
|
||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
|
||||
+ OSSL_PARAM_END
|
||||
+};
|
||||
+
|
||||
+static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection)
|
||||
+{
|
||||
+ /* record global for checking */
|
||||
+ exptypes_selection = selection;
|
||||
+
|
||||
+ return fake_rsa_export_key_types;
|
||||
+}
|
||||
+
|
||||
static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz)
|
||||
{
|
||||
- unsigned char *key = NULL;
|
||||
+ struct fake_rsa_keydata *key = NULL;
|
||||
|
||||
- if (reference_sz != sizeof(key))
|
||||
+ if (reference_sz != sizeof(*key))
|
||||
return NULL;
|
||||
|
||||
- key = *(unsigned char **)reference;
|
||||
- if (*key != 1)
|
||||
+ key = *(struct fake_rsa_keydata **)reference;
|
||||
+ if (key->status != 1)
|
||||
return NULL;
|
||||
|
||||
/* detach the reference */
|
||||
- *(unsigned char **)reference = NULL;
|
||||
+ *(struct fake_rsa_keydata **)reference = NULL;
|
||||
|
||||
return key;
|
||||
}
|
||||
@@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
||||
{
|
||||
unsigned char *gctx = genctx;
|
||||
static const unsigned char inited[] = { 1 };
|
||||
- unsigned char *keydata;
|
||||
+ struct fake_rsa_keydata *keydata;
|
||||
|
||||
if (!TEST_ptr(gctx)
|
||||
|| !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited)))
|
||||
@@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
||||
if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL)))
|
||||
return NULL;
|
||||
|
||||
- *keydata = 2;
|
||||
+ keydata->status = 2;
|
||||
return keydata;
|
||||
}
|
||||
|
||||
@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = {
|
||||
{ OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import },
|
||||
{ OSSL_FUNC_KEYMGMT_IMPORT_TYPES,
|
||||
(void (*)(void))fake_rsa_keymgmt_imptypes },
|
||||
+ { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export },
|
||||
+ { OSSL_FUNC_KEYMGMT_EXPORT_TYPES,
|
||||
+ (void (*)(void))fake_rsa_keymgmt_exptypes },
|
||||
{ OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load },
|
||||
{ OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init },
|
||||
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen },
|
||||
@@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
unsigned char *sigctx = ctx;
|
||||
- unsigned char *keydata = provkey;
|
||||
+ struct fake_rsa_keydata *keydata = provkey;
|
||||
|
||||
/* we must have a ctx */
|
||||
if (!TEST_ptr(sigctx))
|
||||
return 0;
|
||||
|
||||
/* we must have some initialized key */
|
||||
- if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0))
|
||||
+ if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0))
|
||||
return 0;
|
||||
|
||||
/* record that sign init was called */
|
||||
@@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx,
|
||||
unsigned char *storectx = loaderctx;
|
||||
OSSL_PARAM params[4];
|
||||
int object_type = OSSL_OBJECT_PKEY;
|
||||
- void *key = NULL;
|
||||
+ struct fake_rsa_keydata *key = NULL;
|
||||
int rv = 0;
|
||||
|
||||
switch (*storectx) {
|
||||
@@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx,
|
||||
/* The address of the key becomes the octet string */
|
||||
params[2] =
|
||||
OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE,
|
||||
- &key, sizeof(key));
|
||||
+ &key, sizeof(*key));
|
||||
params[3] = OSSL_PARAM_construct_end();
|
||||
rv = object_cb(params, object_cbarg);
|
||||
*storectx = 1;
|
||||
diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h
|
||||
index 57de1ecf8d..190c46a285 100644
|
||||
--- a/test/fake_rsaprov.h
|
||||
+++ b/test/fake_rsaprov.h
|
||||
@@ -12,3 +12,4 @@
|
||||
/* Fake RSA provider implementation */
|
||||
OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx);
|
||||
void fake_rsa_finish(OSSL_PROVIDER *p);
|
||||
+OSSL_PARAM *fake_rsa_key_params(int priv);
|
||||
diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c
|
||||
index 5c398398f4..3b190baa5e 100644
|
||||
--- a/test/provider_pkey_test.c
|
||||
+++ b/test/provider_pkey_test.c
|
||||
@@ -176,6 +176,67 @@ end:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static int test_pkey_eq(void)
|
||||
+{
|
||||
+ OSSL_PROVIDER *deflt = NULL;
|
||||
+ OSSL_PROVIDER *fake_rsa = NULL;
|
||||
+ EVP_PKEY *pkey_fake = NULL;
|
||||
+ EVP_PKEY *pkey_dflt = NULL;
|
||||
+ EVP_PKEY_CTX *ctx = NULL;
|
||||
+ OSSL_PARAM *params = NULL;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
|
||||
+ return 0;
|
||||
+
|
||||
+ if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
|
||||
+ goto end;
|
||||
+
|
||||
+ /* Construct a public key for fake-rsa */
|
||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0))
|
||||
+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
|
||||
+ "provider=fake-rsa"))
|
||||
+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
|
||||
+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY,
|
||||
+ params))
|
||||
+ || !TEST_ptr(pkey_fake))
|
||||
+ goto end;
|
||||
+
|
||||
+ EVP_PKEY_CTX_free(ctx);
|
||||
+ ctx = NULL;
|
||||
+ OSSL_PARAM_free(params);
|
||||
+ params = NULL;
|
||||
+
|
||||
+ /* Construct a public key for default */
|
||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0))
|
||||
+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
|
||||
+ "provider=default"))
|
||||
+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
|
||||
+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY,
|
||||
+ params))
|
||||
+ || !TEST_ptr(pkey_dflt))
|
||||
+ goto end;
|
||||
+
|
||||
+ EVP_PKEY_CTX_free(ctx);
|
||||
+ ctx = NULL;
|
||||
+ OSSL_PARAM_free(params);
|
||||
+ params = NULL;
|
||||
+
|
||||
+ /* now test for equality */
|
||||
+ if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1))
|
||||
+ goto end;
|
||||
+
|
||||
+ ret = 1;
|
||||
+end:
|
||||
+ fake_rsa_finish(fake_rsa);
|
||||
+ OSSL_PROVIDER_unload(deflt);
|
||||
+ EVP_PKEY_CTX_free(ctx);
|
||||
+ EVP_PKEY_free(pkey_fake);
|
||||
+ EVP_PKEY_free(pkey_dflt);
|
||||
+ OSSL_PARAM_free(params);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static int test_pkey_store(int idx)
|
||||
{
|
||||
OSSL_PROVIDER *deflt = NULL;
|
||||
@@ -235,6 +296,7 @@ int setup_tests(void)
|
||||
|
||||
ADD_TEST(test_pkey_sig);
|
||||
ADD_TEST(test_alternative_keygen_init);
|
||||
+ ADD_TEST(test_pkey_eq);
|
||||
ADD_ALL_TESTS(test_pkey_store, 2);
|
||||
|
||||
return 1;
|
||||
--
|
||||
2.38.1
|
||||
|
||||
From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Mon, 14 Nov 2022 10:25:15 -0500
|
||||
Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay
|
||||
|
||||
The providers indication should always indicate that this is not a
|
||||
legacy request.
|
||||
This makes a check for engines redundant as the default return is that
|
||||
legacy is ok if there are no explicit providers.
|
||||
|
||||
Fixes #19662
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/19671)
|
||||
---
|
||||
apps/lib/apps.c | 8 --------
|
||||
test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++
|
||||
2 files changed, 23 insertions(+), 8 deletions(-)
|
||||
create mode 100755 test/recipes/20-test_legacy_okay.t
|
||||
|
||||
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
|
||||
index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644
|
||||
--- a/apps/lib/apps.c
|
||||
+++ b/apps/lib/apps.c
|
||||
@@ -3405,14 +3405,6 @@ int opt_legacy_okay(void)
|
||||
{
|
||||
int provider_options = opt_provider_option_given();
|
||||
int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
|
||||
-#ifndef OPENSSL_NO_ENGINE
|
||||
- ENGINE *e = ENGINE_get_first();
|
||||
-
|
||||
- if (e != NULL) {
|
||||
- ENGINE_free(e);
|
||||
- return 1;
|
||||
- }
|
||||
-#endif
|
||||
/*
|
||||
* Having a provider option specified or a custom library context or
|
||||
* property query, is a sure sign we're not using legacy.
|
||||
diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t
|
||||
new file mode 100755
|
||||
index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/20-test_legacy_okay.t
|
||||
@@ -0,0 +1,23 @@
|
||||
+#! /usr/bin/env perl
|
||||
+# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+#
|
||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
+# this file except in compliance with the License. You can obtain a copy
|
||||
+# in the file LICENSE in the source distribution or at
|
||||
+# https://www.openssl.org/source/license.html
|
||||
+
|
||||
+use strict;
|
||||
+use warnings;
|
||||
+
|
||||
+use OpenSSL::Test;
|
||||
+
|
||||
+setup("test_legacy");
|
||||
+
|
||||
+plan tests => 3;
|
||||
+
|
||||
+ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file");
|
||||
+
|
||||
+ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest");
|
||||
+
|
||||
+ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1',
|
||||
+ 'rand.txt'])), "Fail to generate a digest");
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,344 +0,0 @@
|
||||
From 8a2d1b22ede5eeca4d104bb027b84f3ecfc69549 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Thu, 11 May 2023 12:51:59 +0200
|
||||
Subject: [PATCH] DH: Disable FIPS 186-4 type parameters in FIPS mode
|
||||
|
||||
For DH parameter and key pair generation/verification, the DSA
|
||||
procedures specified in FIPS 186-4 are used. With the release of FIPS
|
||||
186-5 and the removal of DSA, the approved status of these groups is in
|
||||
peril. Once the transition for DSA ends (this transition will be 1 year
|
||||
long and start once CMVP has published the guidance), no more
|
||||
submissions claiming DSA will be allowed. Hence, FIPS 186-type
|
||||
parameters will also be automatically non-approved.
|
||||
|
||||
In the FIPS provider, disable validation of any DH parameters that are
|
||||
not well-known groups, and remove DH parameter generation completely.
|
||||
|
||||
Adjust tests to use well-known groups or larger DH groups where this
|
||||
change would now cause failures, and skip tests that are expected to
|
||||
fail due to this change.
|
||||
|
||||
Related: rhbz#2169757, rhbz#2169757
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
crypto/dh/dh_backend.c | 10 ++++
|
||||
crypto/dh/dh_check.c | 12 ++--
|
||||
crypto/dh/dh_gen.c | 12 +++-
|
||||
crypto/dh/dh_key.c | 13 ++--
|
||||
crypto/dh/dh_pmeth.c | 10 +++-
|
||||
providers/implementations/keymgmt/dh_kmgmt.c | 5 ++
|
||||
test/endecode_test.c | 4 +-
|
||||
test/evp_libctx_test.c | 2 +-
|
||||
test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++
|
||||
test/helpers/predefined_dhparams.h | 1 +
|
||||
test/recipes/80-test_cms.t | 4 +-
|
||||
test/recipes/80-test_ssl_old.t | 3 +
|
||||
12 files changed, 118 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
|
||||
index 726843fd30..24c65ca84f 100644
|
||||
--- a/crypto/dh/dh_backend.c
|
||||
+++ b/crypto/dh/dh_backend.c
|
||||
@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
|
||||
if (!dh_ffc_params_fromdata(dh, params))
|
||||
return 0;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (!ossl_dh_is_named_safe_prime_group(dh)) {
|
||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||
+ " FIPS mode, since the required validation routines"
|
||||
+ " were removed from FIPS 186-5");
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
param_priv_len =
|
||||
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
|
||||
if (param_priv_len != NULL
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index 0b391910d6..75581ca347 100644
|
||||
--- a/crypto/dh/dh_check.c
|
||||
+++ b/crypto/dh/dh_check.c
|
||||
@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
|
||||
nid = DH_get_nid((DH *)dh);
|
||||
if (nid != NID_undef)
|
||||
return 1;
|
||||
+
|
||||
/*
|
||||
- * OR
|
||||
- * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
|
||||
- * validity tests.
|
||||
+ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode.
|
||||
*/
|
||||
- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
|
||||
- FFC_PARAM_TYPE_DH, ret, NULL);
|
||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||
+ " FIPS mode, since the required validation routines were"
|
||||
+ " removed from FIPS 186-5");
|
||||
+ return 0;
|
||||
}
|
||||
#else
|
||||
int DH_check_params(const DH *dh, int *ret)
|
||||
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
|
||||
index aec6b85316..9c55121067 100644
|
||||
--- a/crypto/dh/dh_gen.c
|
||||
+++ b/crypto/dh/dh_gen.c
|
||||
@@ -38,18 +38,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
|
||||
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
|
||||
BN_GENCB *cb)
|
||||
{
|
||||
- int ret, res;
|
||||
+ int ret = 0;
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
+ int res;
|
||||
+
|
||||
if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
|
||||
ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
|
||||
FFC_PARAM_TYPE_DH,
|
||||
pbits, qbits, &res, cb);
|
||||
else
|
||||
-#endif
|
||||
ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
|
||||
FFC_PARAM_TYPE_DH,
|
||||
pbits, qbits, &res, cb);
|
||||
+#else
|
||||
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
|
||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||
+ " FIPS mode, since the required generation routines were"
|
||||
+ " removed from FIPS 186-5");
|
||||
+#endif
|
||||
if (ret > 0)
|
||||
dh->dirty_cnt++;
|
||||
return ret;
|
||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
||||
index 4e9705beef..14c0b0b6b3 100644
|
||||
--- a/crypto/dh/dh_key.c
|
||||
+++ b/crypto/dh/dh_key.c
|
||||
@@ -308,8 +308,12 @@ static int generate_key(DH *dh)
|
||||
goto err;
|
||||
} else {
|
||||
#ifdef FIPS_MODULE
|
||||
- if (dh->params.q == NULL)
|
||||
- goto err;
|
||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||
+ "FIPS 186-4 type domain parameters no longer"
|
||||
+ " allowed in FIPS mode, since the required"
|
||||
+ " generation routines were removed from FIPS"
|
||||
+ " 186-5");
|
||||
+ goto err;
|
||||
#else
|
||||
if (dh->params.q == NULL) {
|
||||
/* secret exponent length, must satisfy 2^(l-1) <= p */
|
||||
@@ -330,9 +334,7 @@ static int generate_key(DH *dh)
|
||||
if (!BN_clear_bit(priv_key, 0))
|
||||
goto err;
|
||||
}
|
||||
- } else
|
||||
-#endif
|
||||
- {
|
||||
+ } else {
|
||||
/* Do a partial check for invalid p, q, g */
|
||||
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
|
||||
FFC_PARAM_TYPE_DH, NULL))
|
||||
@@ -348,6 +350,7 @@ static int generate_key(DH *dh)
|
||||
priv_key))
|
||||
goto err;
|
||||
}
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
|
||||
index f201eede0d..30f90d15be 100644
|
||||
--- a/crypto/dh/dh_pmeth.c
|
||||
+++ b/crypto/dh/dh_pmeth.c
|
||||
@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
|
||||
prime_len, subprime_len, &res,
|
||||
pcb);
|
||||
else
|
||||
-# endif
|
||||
- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
|
||||
- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
|
||||
rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
|
||||
FFC_PARAM_TYPE_DH,
|
||||
prime_len, subprime_len, &res,
|
||||
pcb);
|
||||
+# else
|
||||
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
|
||||
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||
+ " FIPS mode, since the required generation routines were"
|
||||
+ " removed from FIPS 186-5");
|
||||
+# endif
|
||||
if (rv <= 0) {
|
||||
DH_free(ret);
|
||||
return NULL;
|
||||
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
index 9a7dde7c66..b3e7bca5ac 100644
|
||||
--- a/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
|
||||
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
|
||||
return 1; /* nothing to validate */
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ /* In FIPS provider, always check the domain parameters to disallow
|
||||
+ * operations on keys with FIPS 186-4 params. */
|
||||
+ selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
|
||||
+#endif
|
||||
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
|
||||
/*
|
||||
* Both of these functions check parameters. DH_check_params_ex()
|
||||
diff --git a/test/endecode_test.c b/test/endecode_test.c
|
||||
index e3f7b81f69..1b63daaed5 100644
|
||||
--- a/test/endecode_test.c
|
||||
+++ b/test/endecode_test.c
|
||||
@@ -80,10 +80,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
|
||||
* for testing only. Use a minimum key size of 2048 for security purposes.
|
||||
*/
|
||||
if (strcmp(type, "DH") == 0)
|
||||
- return get_dh512(keyctx);
|
||||
+ return get_dh2048(keyctx);
|
||||
|
||||
if (strcmp(type, "X9.42 DH") == 0)
|
||||
- return get_dhx512(keyctx);
|
||||
+ return get_dhx_ffdhe2048(keyctx);
|
||||
# endif
|
||||
|
||||
/*
|
||||
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
|
||||
index 2448c35a14..92d484fb12 100644
|
||||
--- a/test/evp_libctx_test.c
|
||||
+++ b/test/evp_libctx_test.c
|
||||
@@ -188,7 +188,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
|
||||
|
||||
if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
|
||||
|| !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
|
||||
- || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
|
||||
+ || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected))
|
||||
goto err;
|
||||
|
||||
if (expected) {
|
||||
diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c
|
||||
index 4bdadc4143..e5186e4b4a 100644
|
||||
--- a/test/helpers/predefined_dhparams.c
|
||||
+++ b/test/helpers/predefined_dhparams.c
|
||||
@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
|
||||
dhx512_q, sizeof(dhx512_q));
|
||||
}
|
||||
|
||||
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx)
|
||||
+{
|
||||
+ /* This is RFC 7919 ffdhe2048, since Red Hat removes support for
|
||||
+ * non-well-known groups in FIPS mode. */
|
||||
+ static unsigned char dhx_p[] = {
|
||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58,
|
||||
+ 0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
|
||||
+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41,
|
||||
+ 0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
|
||||
+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02,
|
||||
+ 0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
|
||||
+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55,
|
||||
+ 0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
|
||||
+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda,
|
||||
+ 0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
|
||||
+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82,
|
||||
+ 0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
|
||||
+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3,
|
||||
+ 0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
|
||||
+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1,
|
||||
+ 0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
|
||||
+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32,
|
||||
+ 0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
|
||||
+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83,
|
||||
+ 0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
|
||||
+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff,
|
||||
+ 0xff, 0xff, 0xff, 0xff
|
||||
+ };
|
||||
+ static unsigned char dhx_g[] = {
|
||||
+ 0x02
|
||||
+ };
|
||||
+ static unsigned char dhx_q[] = {
|
||||
+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c,
|
||||
+ 0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
|
||||
+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20,
|
||||
+ 0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
|
||||
+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01,
|
||||
+ 0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
|
||||
+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa,
|
||||
+ 0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
|
||||
+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed,
|
||||
+ 0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
|
||||
+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1,
|
||||
+ 0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
|
||||
+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51,
|
||||
+ 0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
|
||||
+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70,
|
||||
+ 0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
|
||||
+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19,
|
||||
+ 0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
|
||||
+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1,
|
||||
+ 0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
|
||||
+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff,
|
||||
+ 0xff, 0xff, 0xff, 0xff
|
||||
+ };
|
||||
+
|
||||
+ return get_dh_from_pg(libctx, "X9.42 DH",
|
||||
+ dhx_p, sizeof(dhx_p),
|
||||
+ dhx_g, sizeof(dhx_g),
|
||||
+ dhx_q, sizeof(dhx_q));
|
||||
+}
|
||||
+
|
||||
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
|
||||
{
|
||||
static unsigned char dh1024_p[] = {
|
||||
diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h
|
||||
index f0e8709062..2ff6d6e721 100644
|
||||
--- a/test/helpers/predefined_dhparams.h
|
||||
+++ b/test/helpers/predefined_dhparams.h
|
||||
@@ -12,6 +12,7 @@
|
||||
#ifndef OPENSSL_NO_DH
|
||||
EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
|
||||
EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx);
|
||||
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx);
|
||||
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
|
||||
EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
|
||||
EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index cabbe3ecdf..efe56c5665 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -627,10 +627,10 @@ my @smime_cms_param_tests = (
|
||||
],
|
||||
|
||||
[ "enveloped content test streaming S/MIME format, X9.42 DH",
|
||||
- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
||||
+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
||||
"-stream", "-out", "{output}.cms",
|
||||
"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
|
||||
- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
|
||||
+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
|
||||
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
||||
\&final_compare
|
||||
]
|
||||
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
||||
index 8c52b637fc..31ed54621b 100644
|
||||
--- a/test/recipes/80-test_ssl_old.t
|
||||
+++ b/test/recipes/80-test_ssl_old.t
|
||||
@@ -390,6 +390,9 @@ sub testssl {
|
||||
skip "skipping dhe1024dsa test", 1
|
||||
if ($no_dh);
|
||||
|
||||
+ skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1
|
||||
+ if $provider eq "fips";
|
||||
+
|
||||
ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
|
||||
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
|
||||
}
|
||||
--
|
||||
2.40.1
|
||||
|
@ -1,281 +0,0 @@
|
||||
From c927a3492698c254637da836762f9b1f86cffabc Mon Sep 17 00:00:00 2001
|
||||
From: Viktor Dukhovni <openssl-users@dukhovni.org>
|
||||
Date: Tue, 13 Dec 2022 08:49:13 +0100
|
||||
Subject: [PATCH 01/18] Fix type confusion in nc_match_single()
|
||||
|
||||
This function assumes that if the "gen" is an OtherName, then the "base"
|
||||
is a rfc822Name constraint. This assumption is not true in all cases.
|
||||
If the end-entity certificate contains an OtherName SAN of any type besides
|
||||
SmtpUtf8Mailbox and the CA certificate contains a name constraint of
|
||||
OtherName (of any type), then "nc_email_eai" will be invoked, with the
|
||||
OTHERNAME "base" being incorrectly interpreted as a ASN1_IA5STRING.
|
||||
|
||||
Reported by Corey Bonnell from Digicert.
|
||||
|
||||
CVE-2022-4203
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/x509/v3_ncons.c | 45 +++++++++++++++++++++++++++++-------------
|
||||
1 file changed, 31 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
|
||||
index 70a7e8304e..5101598512 100644
|
||||
--- a/crypto/x509/v3_ncons.c
|
||||
+++ b/crypto/x509/v3_ncons.c
|
||||
@@ -31,7 +31,8 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
|
||||
static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
|
||||
|
||||
static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
|
||||
-static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
|
||||
+static int nc_match_single(int effective_type, GENERAL_NAME *sub,
|
||||
+ GENERAL_NAME *gen);
|
||||
static int nc_dn(const X509_NAME *sub, const X509_NAME *nm);
|
||||
static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
|
||||
static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
|
||||
@@ -472,14 +473,17 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
||||
{
|
||||
GENERAL_SUBTREE *sub;
|
||||
int i, r, match = 0;
|
||||
+ int effective_type = gen->type;
|
||||
+
|
||||
/*
|
||||
* We need to compare not gen->type field but an "effective" type because
|
||||
* the otherName field may contain EAI email address treated specially
|
||||
* according to RFC 8398, section 6
|
||||
*/
|
||||
- int effective_type = ((gen->type == GEN_OTHERNAME) &&
|
||||
- (OBJ_obj2nid(gen->d.otherName->type_id) ==
|
||||
- NID_id_on_SmtpUTF8Mailbox)) ? GEN_EMAIL : gen->type;
|
||||
+ if (effective_type == GEN_OTHERNAME &&
|
||||
+ (OBJ_obj2nid(gen->d.otherName->type_id) == NID_id_on_SmtpUTF8Mailbox)) {
|
||||
+ effective_type = GEN_EMAIL;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Permitted subtrees: if any subtrees exist of matching the type at
|
||||
@@ -488,7 +492,10 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
||||
|
||||
for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
|
||||
sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
|
||||
- if (effective_type != sub->base->type)
|
||||
+ if (effective_type != sub->base->type
|
||||
+ || (effective_type == GEN_OTHERNAME &&
|
||||
+ OBJ_cmp(gen->d.otherName->type_id,
|
||||
+ sub->base->d.otherName->type_id) != 0))
|
||||
continue;
|
||||
if (!nc_minmax_valid(sub))
|
||||
return X509_V_ERR_SUBTREE_MINMAX;
|
||||
@@ -497,7 +504,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
||||
continue;
|
||||
if (match == 0)
|
||||
match = 1;
|
||||
- r = nc_match_single(gen, sub->base);
|
||||
+ r = nc_match_single(effective_type, gen, sub->base);
|
||||
if (r == X509_V_OK)
|
||||
match = 2;
|
||||
else if (r != X509_V_ERR_PERMITTED_VIOLATION)
|
||||
@@ -511,12 +518,15 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
||||
|
||||
for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
|
||||
sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
|
||||
- if (effective_type != sub->base->type)
|
||||
+ if (effective_type != sub->base->type
|
||||
+ || (effective_type == GEN_OTHERNAME &&
|
||||
+ OBJ_cmp(gen->d.otherName->type_id,
|
||||
+ sub->base->d.otherName->type_id) != 0))
|
||||
continue;
|
||||
if (!nc_minmax_valid(sub))
|
||||
return X509_V_ERR_SUBTREE_MINMAX;
|
||||
|
||||
- r = nc_match_single(gen, sub->base);
|
||||
+ r = nc_match_single(effective_type, gen, sub->base);
|
||||
if (r == X509_V_OK)
|
||||
return X509_V_ERR_EXCLUDED_VIOLATION;
|
||||
else if (r != X509_V_ERR_PERMITTED_VIOLATION)
|
||||
@@ -528,15 +538,22 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
||||
|
||||
}
|
||||
|
||||
-static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
|
||||
+static int nc_match_single(int effective_type, GENERAL_NAME *gen,
|
||||
+ GENERAL_NAME *base)
|
||||
{
|
||||
switch (gen->type) {
|
||||
case GEN_OTHERNAME:
|
||||
- /*
|
||||
- * We are here only when we have SmtpUTF8 name,
|
||||
- * so we match the value of othername with base->d.rfc822Name
|
||||
- */
|
||||
- return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name);
|
||||
+ switch (effective_type) {
|
||||
+ case GEN_EMAIL:
|
||||
+ /*
|
||||
+ * We are here only when we have SmtpUTF8 name,
|
||||
+ * so we match the value of othername with base->d.rfc822Name
|
||||
+ */
|
||||
+ return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name);
|
||||
+
|
||||
+ default:
|
||||
+ return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
|
||||
+ }
|
||||
|
||||
case GEN_DIRNAME:
|
||||
return nc_dn(gen->d.directoryName, base->d.directoryName);
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From fe6842f5a5dc2fb66da7fb24bf4343a3aeedd50a Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Tue, 13 Dec 2022 19:45:09 +0100
|
||||
Subject: [PATCH 02/18] Add testcase for nc_match_single type confusion
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
---
|
||||
test/certs/bad-othername-cert.pem | 20 ++++++++++++++++++++
|
||||
test/certs/nccaothername-cert.pem | 20 ++++++++++++++++++++
|
||||
test/certs/nccaothername-key.pem | 28 ++++++++++++++++++++++++++++
|
||||
test/certs/setup.sh | 11 +++++++++++
|
||||
test/recipes/25-test_verify.t | 5 ++++-
|
||||
5 files changed, 83 insertions(+), 1 deletion(-)
|
||||
create mode 100644 test/certs/bad-othername-cert.pem
|
||||
create mode 100644 test/certs/nccaothername-cert.pem
|
||||
create mode 100644 test/certs/nccaothername-key.pem
|
||||
|
||||
diff --git a/test/certs/bad-othername-cert.pem b/test/certs/bad-othername-cert.pem
|
||||
new file mode 100644
|
||||
index 0000000000..cf279de5ea
|
||||
--- /dev/null
|
||||
+++ b/test/certs/bad-othername-cert.pem
|
||||
@@ -0,0 +1,20 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDRDCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
|
||||
+IE5DIENBIG90aGVybmFtZTAgFw0yMjEyMTMxODMzMTZaGA8yMTIyMTIxNDE4MzMx
|
||||
+NlowMTEvMC0GA1UECgwmTkMgZW1haWwgaW4gb3RoZXJuYW1lIFRlc3QgQ2VydGlm
|
||||
+aWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPgeoakqHk1zYt
|
||||
+JZpEC0qkJPU/X0lfI+6GY2LHFY9KOSFqqmTXxrUtjQc3SdpQvBZhPuMZ8p82Jid2
|
||||
+kkRHnWs0uqX9NtLO923yQalYvP6Mt3fokcYgw/C9b+I/q1PKUyN0kPB6McROguD5
|
||||
+Jz2DcEufJBhbpyay1bFjEI2DAQJKDP/U7uH0EA7kH/27UMk0vfvL5uVjDvlo8i6S
|
||||
+Ul8+u0cDV5ZFJW2VAJKLU3wp6IY4fZl9UqkHZuRQpMJGqAjAleWOIEpyyvfGGh0b
|
||||
+75n3GJ+4YZ7CIBEgY7K0nIbKxtcDZPvmtbYg3g1tkPMTHcodFT7yEdqkBTJ5AGL7
|
||||
+6U850OhjAgMBAAGjdzB1MB0GA1UdDgQWBBTBz0k+q6d4c3aM+s2IyOF/QP6zCTAf
|
||||
+BgNVHSMEGDAWgBTwhghX7uNdMejZ3f4XorqOQoMqwTAJBgNVHRMEAjAAMCgGA1Ud
|
||||
+EQQhMB+gHQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEB
|
||||
+CwUAA4IBAQAhxbCEVH8pq0aUMaLWaodyXdCqA0AKTFG6Mz9Rpwn89OwC8FylTEru
|
||||
+t+Bqx/ZuTo8YzON8h9m7DIrQIjZKDLW/g5YbvIsxIVV9gWhAGohdsIyMKRBepSmr
|
||||
+NxJQkO74RLBTamfl0WUCVM4HqroflFjBBG67CTJaQ9cH9ug3TKxaXCK1L6iQAXtq
|
||||
+enILGai98Byo0LCFH4MQOhmhV1BDT2boIG/iYb5VKCTSX25vhaF+PNBhUoysjW0O
|
||||
+vhQX8vrw42QRr4Qi7VfUBXzrbRTzxjOc4yqki7h2DcEdpginqe+aGyaFY+H9m/ka
|
||||
+1AR5KN8h5SYKltSXknjs0pp1w4k49aHl
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/certs/nccaothername-cert.pem b/test/certs/nccaothername-cert.pem
|
||||
new file mode 100644
|
||||
index 0000000000..f9b9b07b80
|
||||
--- /dev/null
|
||||
+++ b/test/certs/nccaothername-cert.pem
|
||||
@@ -0,0 +1,20 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDPjCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
|
||||
+IENBMCAXDTIyMTIxMzE4MTgwM1oYDzIxMjIxMjE0MTgxODAzWjAfMR0wGwYDVQQD
|
||||
+DBRUZXN0IE5DIENBIG90aGVybmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
|
||||
+AQoCggEBAN0Dx+ei8CgtRKnDcYiLwX4vrA48at/o/zfX24X/WZZM1o9HUKo1FQBN
|
||||
+vhESJu+gqPxuIePrk+/L25XdRqwCKk8wkWX0XIz18q5orOHUUFAWNK3g0FDj6N8H
|
||||
+d8urNIbDJ44FCx+/0n8Ppiht/EYN3aVOW5enqbgZ+EEt+3AUG6ibieRdGri9g4oh
|
||||
+IIx60MmVHLbuT/TcVZxaeWyTl6iWmsYosUyqlhTtu1uGtbVtkCAhBYloVvz4J5eA
|
||||
+mVu/JuJbsNxbxVeO9Q8Kj6nb4jPPdGvZ3JPcabbWrz5LwaereBf5IPrXEVdQTlYB
|
||||
+gI0pTz2CEDHSIrd7jzRUX/9EC2gMk6UCAwEAAaOBjzCBjDAPBgNVHRMBAf8EBTAD
|
||||
+AQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU8IYIV+7jXTHo2d3+F6K6jkKDKsEw
|
||||
+HwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwLAYDVR0eBCUwI6EhMB+g
|
||||
+HQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IB
|
||||
+AQDPI5uZd8DhSNKMvYF5bxOshd6h6UJ7YzZS7K6fhiygltdqzkHQ/5+4yiuUkDe4
|
||||
+hOZlH8MCfXQy5jVZDTk24yNchpdfie5Bswn4SmQVQh3QyzOLxizoh0rLCf2PHueu
|
||||
+dNVNhfiiJNJ5kd8MIuVG7CPK68dP0QrVR+DihROuJgvGB3ClKttLrgle19t4PFRR
|
||||
+2wW6hJT9aXEjzLNyN1QFZKoShuiGX4xwjZh7VyKkV64p8hjojhcLk6dQkel+Jw4y
|
||||
+OP26XbVfM8/6KG8f6WAZ8P0qJwHlhmi0EvRTnEpAM8WuenOeZH6ERZ9uZbRGh6xx
|
||||
+LKQu2Aw2+bOEZ2vUtz0dBhX8
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/certs/nccaothername-key.pem b/test/certs/nccaothername-key.pem
|
||||
new file mode 100644
|
||||
index 0000000000..d3e300ac2f
|
||||
--- /dev/null
|
||||
+++ b/test/certs/nccaothername-key.pem
|
||||
@@ -0,0 +1,28 @@
|
||||
+-----BEGIN PRIVATE KEY-----
|
||||
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDdA8fnovAoLUSp
|
||||
+w3GIi8F+L6wOPGrf6P8319uF/1mWTNaPR1CqNRUATb4REibvoKj8biHj65Pvy9uV
|
||||
+3UasAipPMJFl9FyM9fKuaKzh1FBQFjSt4NBQ4+jfB3fLqzSGwyeOBQsfv9J/D6Yo
|
||||
+bfxGDd2lTluXp6m4GfhBLftwFBuom4nkXRq4vYOKISCMetDJlRy27k/03FWcWnls
|
||||
+k5eolprGKLFMqpYU7btbhrW1bZAgIQWJaFb8+CeXgJlbvybiW7DcW8VXjvUPCo+p
|
||||
+2+Izz3Rr2dyT3Gm21q8+S8Gnq3gX+SD61xFXUE5WAYCNKU89ghAx0iK3e480VF//
|
||||
+RAtoDJOlAgMBAAECggEAMFSJlCyEFlER3Qq9asXe9eRgXEuXdmfZ2aEVIuf8M/sR
|
||||
+B0tpxxKtCUA24j5FL+0CzxKZTCFBnDRIzCyTbf1aOa9t+CzXyUZmP3/p4EdgmabF
|
||||
+dcl93FZ+X7kfF/VUGu0Vmv+c12BH3Fu0cs5cVohlMecg7diu6zCYok43F+L5ymRy
|
||||
+2mTcKkGc0ShWizj8Z9R3WJGssZOlxbxa/Zr4rZwRC24UVhfN8AfGWYx/StyQPQIw
|
||||
+gtbbtOmwbyredQmY4jwNqgrnfZS9bkWwJbRuCmD5l7lxubBgcHQpoM+DQVeOLZIq
|
||||
+uksFXeNfal9G5Bo747MMzpD7dJMCGmX+gbMY5oZF+QKBgQDs2MbY4nbxi+fV+KuV
|
||||
+zUvis8m8Lpzf3T6NLkgSkUPRN9tGr95iLIrB/bRPJg5Ne02q/cT7d86B9rpE42w7
|
||||
+eeIF9fANezX2AF8LUqNZhIR23J3tfB/eqGlJRZeMNia+lD09a7SWGwrS7sufY1I+
|
||||
+JQGcHx77ntt+eQT1MUJ1skF06QKBgQDu4z+TW4QIA5ItxIReVdcfh5e3xLkzDEVP
|
||||
+3KNo9tpXxvPwqapdeBh6c9z4Lqe3MKr5UPlDvVW+o40t6OjKxDCXczB8+JAM0OyX
|
||||
+8V+K3zXXUxRgieSd3oMncTylSWIvouPP3aW37B67TKdRlRHgaBrpJT2wdk3kYR4t
|
||||
+62J1eDdjXQKBgQDMsY0pZI/nskJrar7geM1c4IU5Xg+2aj/lRFqFsYYrC1s3fEd2
|
||||
+EYjan6l1vi4eSLKXVTspGiIfsFzLrMGdpXjyLduJyzKXqTp7TrBebWkOUR0sYloo
|
||||
+1OQprzuKskJJ81P6AVvRXw27vyW8Wtp5WwJJK5xbWq/YXj8qqagGkEiCAQKBgQCc
|
||||
+RK3XAFurPmLGa7JHX5Hc/z8BKMAZo6JHrsZ6qFiGaRA0U1it0hz5JYfcFfECheSi
|
||||
+ORUF+fn4PlbhPGXkFljPCbwjVBovOBA9CNl+J6u50pAW4r1ZhDB5gbqxSQLgtIaf
|
||||
++JcqbFxiG6+sT36lNJS+BO2I3KrxhZJPaZY7z8szxQKBgQDRy70XzwOk8jXayiF2
|
||||
+ej2IN7Ow9cgSE4tLEwR/vCjxvOlWhA3jC3wxoggshGJkpbP3DqLkQtwQm0h1lM8J
|
||||
+QNtFwKzjtpf//bTlfFq08/YxWimTPMqzcV2PgRacB8P3yf1r8T7M4fA5TORCDWpW
|
||||
+5FtOCFEmwQHTR8lu4c63qfxkEQ==
|
||||
+-----END PRIVATE KEY-----
|
||||
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
|
||||
index b9766aab20..2240cd9df0 100755
|
||||
--- a/test/certs/setup.sh
|
||||
+++ b/test/certs/setup.sh
|
||||
@@ -388,6 +388,17 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
|
||||
"email.1 = good@good.org" "email.2 = any@good.com" \
|
||||
"IP = 127.0.0.1" "IP = 192.168.0.1"
|
||||
|
||||
+# Certs for CVE-2022-4203 testcase
|
||||
+
|
||||
+NC="excluded;otherName:SRVName;UTF8STRING:foo@example.org" ./mkcert.sh genca \
|
||||
+ "Test NC CA othername" nccaothername-key nccaothername-cert \
|
||||
+ root-key root-cert
|
||||
+
|
||||
+./mkcert.sh req alt-email-key "O = NC email in othername Test Certificate" | \
|
||||
+ ./mkcert.sh geneealt bad-othername-key bad-othername-cert \
|
||||
+ nccaothername-key nccaothername-cert \
|
||||
+ "otherName.1 = SRVName;UTF8STRING:foo@example.org"
|
||||
+
|
||||
# RSA-PSS signatures
|
||||
# SHA1
|
||||
./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \
|
||||
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
|
||||
index 4613489f57..e6a2bca731 100644
|
||||
--- a/test/recipes/25-test_verify.t
|
||||
+++ b/test/recipes/25-test_verify.t
|
||||
@@ -29,7 +29,7 @@ sub verify {
|
||||
run(app([@args]));
|
||||
}
|
||||
|
||||
-plan tests => 162;
|
||||
+plan tests => 163;
|
||||
|
||||
# Canonical success
|
||||
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
||||
@@ -402,6 +402,9 @@ ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
|
||||
ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
|
||||
"Name constraints nested DNS name excluded");
|
||||
|
||||
+ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ),
|
||||
+ "CVE-2022-4203 type confusion test");
|
||||
+
|
||||
#Check that we get the expected failure return code
|
||||
with({ exit_checker => sub { return shift == 2; } },
|
||||
sub {
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,750 +0,0 @@
|
||||
From 8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d Mon Sep 17 00:00:00 2001
|
||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Date: Fri, 20 Jan 2023 15:03:40 +0000
|
||||
Subject: [PATCH 03/18] Fix Timing Oracle in RSA decryption
|
||||
|
||||
A timing based side channel exists in the OpenSSL RSA Decryption
|
||||
implementation which could be sufficient to recover a plaintext across
|
||||
a network in a Bleichenbacher style attack. To achieve a successful
|
||||
decryption an attacker would have to be able to send a very large number
|
||||
of trial messages for decryption. The vulnerability affects all RSA
|
||||
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
|
||||
|
||||
Patch written by Dmitry Belyavsky and Hubert Kario
|
||||
|
||||
CVE-2022-4304
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/bn/bn_blind.c | 14 -
|
||||
crypto/bn/bn_local.h | 14 +
|
||||
crypto/bn/build.info | 2 +-
|
||||
crypto/bn/rsa_sup_mul.c | 604 ++++++++++++++++++++++++++++++++++++++++
|
||||
crypto/rsa/rsa_ossl.c | 19 +-
|
||||
include/crypto/bn.h | 6 +
|
||||
6 files changed, 638 insertions(+), 21 deletions(-)
|
||||
create mode 100644 crypto/bn/rsa_sup_mul.c
|
||||
|
||||
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
|
||||
index 72457b34cf..6061ebb4c0 100644
|
||||
--- a/crypto/bn/bn_blind.c
|
||||
+++ b/crypto/bn/bn_blind.c
|
||||
@@ -13,20 +13,6 @@
|
||||
|
||||
#define BN_BLINDING_COUNTER 32
|
||||
|
||||
-struct bn_blinding_st {
|
||||
- BIGNUM *A;
|
||||
- BIGNUM *Ai;
|
||||
- BIGNUM *e;
|
||||
- BIGNUM *mod; /* just a reference */
|
||||
- CRYPTO_THREAD_ID tid;
|
||||
- int counter;
|
||||
- unsigned long flags;
|
||||
- BN_MONT_CTX *m_ctx;
|
||||
- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||
- CRYPTO_RWLOCK *lock;
|
||||
-};
|
||||
-
|
||||
BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
|
||||
{
|
||||
BN_BLINDING *ret = NULL;
|
||||
diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
|
||||
index c9a7ecf298..8c428f919d 100644
|
||||
--- a/crypto/bn/bn_local.h
|
||||
+++ b/crypto/bn/bn_local.h
|
||||
@@ -290,6 +290,20 @@ struct bn_gencb_st {
|
||||
} cb;
|
||||
};
|
||||
|
||||
+struct bn_blinding_st {
|
||||
+ BIGNUM *A;
|
||||
+ BIGNUM *Ai;
|
||||
+ BIGNUM *e;
|
||||
+ BIGNUM *mod; /* just a reference */
|
||||
+ CRYPTO_THREAD_ID tid;
|
||||
+ int counter;
|
||||
+ unsigned long flags;
|
||||
+ BN_MONT_CTX *m_ctx;
|
||||
+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
||||
+ CRYPTO_RWLOCK *lock;
|
||||
+};
|
||||
+
|
||||
/*-
|
||||
* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
|
||||
*
|
||||
diff --git a/crypto/bn/build.info b/crypto/bn/build.info
|
||||
index c4ba51b265..f4ff619239 100644
|
||||
--- a/crypto/bn/build.info
|
||||
+++ b/crypto/bn/build.info
|
||||
@@ -105,7 +105,7 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
|
||||
bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
|
||||
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \
|
||||
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
|
||||
- bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c
|
||||
+ bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c rsa_sup_mul.c
|
||||
SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c
|
||||
DEFINE[../../libcrypto]=$BNDEF
|
||||
IF[{- !$disabled{'deprecated-0.9.8'} -}]
|
||||
diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
|
||||
new file mode 100644
|
||||
index 0000000000..0e0d02e194
|
||||
--- /dev/null
|
||||
+++ b/crypto/bn/rsa_sup_mul.c
|
||||
@@ -0,0 +1,604 @@
|
||||
+#include <openssl/e_os2.h>
|
||||
+#include <stddef.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <string.h>
|
||||
+#include <openssl/bn.h>
|
||||
+#include <openssl/err.h>
|
||||
+#include <openssl/rsaerr.h>
|
||||
+#include "internal/endian.h"
|
||||
+#include "internal/numbers.h"
|
||||
+#include "internal/constant_time.h"
|
||||
+#include "bn_local.h"
|
||||
+
|
||||
+# if BN_BYTES == 8
|
||||
+typedef uint64_t limb_t;
|
||||
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
|
||||
+typedef uint128_t limb2_t;
|
||||
+# define HAVE_LIMB2_T
|
||||
+# endif
|
||||
+# define LIMB_BIT_SIZE 64
|
||||
+# define LIMB_BYTE_SIZE 8
|
||||
+# elif BN_BYTES == 4
|
||||
+typedef uint32_t limb_t;
|
||||
+typedef uint64_t limb2_t;
|
||||
+# define LIMB_BIT_SIZE 32
|
||||
+# define LIMB_BYTE_SIZE 4
|
||||
+# define HAVE_LIMB2_T
|
||||
+# else
|
||||
+# error "Not supported"
|
||||
+# endif
|
||||
+
|
||||
+/*
|
||||
+ * For multiplication we're using schoolbook multiplication,
|
||||
+ * so if we have two numbers, each with 6 "digits" (words)
|
||||
+ * the multiplication is calculated as follows:
|
||||
+ * A B C D E F
|
||||
+ * x I J K L M N
|
||||
+ * --------------
|
||||
+ * N*F
|
||||
+ * N*E
|
||||
+ * N*D
|
||||
+ * N*C
|
||||
+ * N*B
|
||||
+ * N*A
|
||||
+ * M*F
|
||||
+ * M*E
|
||||
+ * M*D
|
||||
+ * M*C
|
||||
+ * M*B
|
||||
+ * M*A
|
||||
+ * L*F
|
||||
+ * L*E
|
||||
+ * L*D
|
||||
+ * L*C
|
||||
+ * L*B
|
||||
+ * L*A
|
||||
+ * K*F
|
||||
+ * K*E
|
||||
+ * K*D
|
||||
+ * K*C
|
||||
+ * K*B
|
||||
+ * K*A
|
||||
+ * J*F
|
||||
+ * J*E
|
||||
+ * J*D
|
||||
+ * J*C
|
||||
+ * J*B
|
||||
+ * J*A
|
||||
+ * I*F
|
||||
+ * I*E
|
||||
+ * I*D
|
||||
+ * I*C
|
||||
+ * I*B
|
||||
+ * + I*A
|
||||
+ * ==========================
|
||||
+ * N*B N*D N*F
|
||||
+ * + N*A N*C N*E
|
||||
+ * + M*B M*D M*F
|
||||
+ * + M*A M*C M*E
|
||||
+ * + L*B L*D L*F
|
||||
+ * + L*A L*C L*E
|
||||
+ * + K*B K*D K*F
|
||||
+ * + K*A K*C K*E
|
||||
+ * + J*B J*D J*F
|
||||
+ * + J*A J*C J*E
|
||||
+ * + I*B I*D I*F
|
||||
+ * + I*A I*C I*E
|
||||
+ *
|
||||
+ * 1+1 1+3 1+5
|
||||
+ * 1+0 1+2 1+4
|
||||
+ * 0+1 0+3 0+5
|
||||
+ * 0+0 0+2 0+4
|
||||
+ *
|
||||
+ * 0 1 2 3 4 5 6
|
||||
+ * which requires n^2 multiplications and 2n full length additions
|
||||
+ * as we can keep every other result of limb multiplication in two separate
|
||||
+ * limbs
|
||||
+ */
|
||||
+
|
||||
+#if defined HAVE_LIMB2_T
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ limb2_t t;
|
||||
+ /*
|
||||
+ * this is idiomatic code to tell compiler to use the native mul
|
||||
+ * those three lines will actually compile to single instruction
|
||||
+ */
|
||||
+
|
||||
+ t = (limb2_t)a * b;
|
||||
+ *hi = t >> LIMB_BIT_SIZE;
|
||||
+ *lo = (limb_t)t;
|
||||
+}
|
||||
+#elif (BN_BYTES == 8) && (defined _MSC_VER)
|
||||
+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
|
||||
+#pragma intrinsic(_umul128)
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ *lo = _umul128(a, b, hi);
|
||||
+}
|
||||
+#else
|
||||
+/*
|
||||
+ * if the compiler doesn't have either a 128bit data type nor a "return
|
||||
+ * high 64 bits of multiplication"
|
||||
+ */
|
||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
||||
+{
|
||||
+ limb_t a_low = (limb_t)(uint32_t)a;
|
||||
+ limb_t a_hi = a >> 32;
|
||||
+ limb_t b_low = (limb_t)(uint32_t)b;
|
||||
+ limb_t b_hi = b >> 32;
|
||||
+
|
||||
+ limb_t p0 = a_low * b_low;
|
||||
+ limb_t p1 = a_low * b_hi;
|
||||
+ limb_t p2 = a_hi * b_low;
|
||||
+ limb_t p3 = a_hi * b_hi;
|
||||
+
|
||||
+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
|
||||
+
|
||||
+ *lo = p0 + (p1 << 32) + (p2 << 32);
|
||||
+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+/* add two limbs with carry in, return carry out */
|
||||
+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
|
||||
+{
|
||||
+ limb_t carry1, carry2, t;
|
||||
+ /*
|
||||
+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers
|
||||
+ * use add with carry on assembly level
|
||||
+ */
|
||||
+
|
||||
+ *ret = a + carry;
|
||||
+ if (*ret < a)
|
||||
+ carry1 = 1;
|
||||
+ else
|
||||
+ carry1 = 0;
|
||||
+
|
||||
+ t = *ret;
|
||||
+ *ret = t + b;
|
||||
+ if (*ret < t)
|
||||
+ carry2 = 1;
|
||||
+ else
|
||||
+ carry2 = 0;
|
||||
+
|
||||
+ return carry1 + carry2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * add two numbers of the same size, return overflow
|
||||
+ *
|
||||
+ * add a to b, place result in ret; all arrays need to be n limbs long
|
||||
+ * return overflow from addition (0 or 1)
|
||||
+ */
|
||||
+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ limb_t c = 0;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ for(i = n - 1; i > -1; i--)
|
||||
+ c = _add_limb(&ret[i], a[i], b[i], c);
|
||||
+
|
||||
+ return c;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * return number of limbs necessary for temporary values
|
||||
+ * when multiplying numbers n limbs large
|
||||
+ */
|
||||
+static ossl_inline size_t mul_limb_numb(size_t n)
|
||||
+{
|
||||
+ return 2 * n * 2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * multiply two numbers of the same size
|
||||
+ *
|
||||
+ * multiply a by b, place result in ret; a and b need to be n limbs long
|
||||
+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
|
||||
+ * long
|
||||
+ */
|
||||
+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t *r_odd, *r_even;
|
||||
+ size_t i, j, k;
|
||||
+
|
||||
+ r_odd = tmp;
|
||||
+ r_even = &tmp[2 * n];
|
||||
+
|
||||
+ memset(ret, 0, 2 * n * sizeof(limb_t));
|
||||
+
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+ for (k = 0; k < i + n + 1; k++) {
|
||||
+ r_even[k] = 0;
|
||||
+ r_odd[k] = 0;
|
||||
+ }
|
||||
+ for (j = 0; j < n; j++) {
|
||||
+ /*
|
||||
+ * place results from even and odd limbs in separate arrays so that
|
||||
+ * we don't have to calculate overflow every time we get individual
|
||||
+ * limb multiplication result
|
||||
+ */
|
||||
+ if (j % 2 == 0)
|
||||
+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
|
||||
+ else
|
||||
+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
|
||||
+ }
|
||||
+ /*
|
||||
+ * skip the least significant limbs when adding multiples of
|
||||
+ * more significant limbs (they're zero anyway)
|
||||
+ */
|
||||
+ add(ret, ret, r_even, n + i + 1);
|
||||
+ add(ret, ret, r_odd, n + i + 1);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* modifies the value in place by performing a right shift by one bit */
|
||||
+static ossl_inline void rshift1(limb_t *val, size_t n)
|
||||
+{
|
||||
+ limb_t shift_in = 0, shift_out = 0;
|
||||
+ size_t i;
|
||||
+
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+ shift_out = val[i] & 1;
|
||||
+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
|
||||
+ shift_in = shift_out;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* extend the LSB of flag to all bits of limb */
|
||||
+static ossl_inline limb_t mk_mask(limb_t flag)
|
||||
+{
|
||||
+ flag |= flag << 1;
|
||||
+ flag |= flag << 2;
|
||||
+ flag |= flag << 4;
|
||||
+ flag |= flag << 8;
|
||||
+ flag |= flag << 16;
|
||||
+#if (LIMB_BYTE_SIZE == 8)
|
||||
+ flag |= flag << 32;
|
||||
+#endif
|
||||
+ return flag;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * copy from either a or b to ret based on flag
|
||||
+ * when flag == 0, then copies from b
|
||||
+ * when flag == 1, then copies from a
|
||||
+ */
|
||||
+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ /*
|
||||
+ * would be more efficient with non volatile mask, but then gcc
|
||||
+ * generates code with jumps
|
||||
+ */
|
||||
+ volatile limb_t mask;
|
||||
+ size_t i;
|
||||
+
|
||||
+ mask = mk_mask(flag);
|
||||
+ for (i = 0; i < n; i++) {
|
||||
+#if (LIMB_BYTE_SIZE == 8)
|
||||
+ ret[i] = constant_time_select_64(mask, a[i], b[i]);
|
||||
+#else
|
||||
+ ret[i] = constant_time_select_32(mask, a[i], b[i]);
|
||||
+#endif
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
|
||||
+{
|
||||
+ limb_t borrow1, borrow2, t;
|
||||
+ /*
|
||||
+ * while it doesn't look constant-time, this is idiomatic code
|
||||
+ * to tell compilers to use the carry bit from subtraction
|
||||
+ */
|
||||
+
|
||||
+ *ret = a - borrow;
|
||||
+ if (*ret > a)
|
||||
+ borrow1 = 1;
|
||||
+ else
|
||||
+ borrow1 = 0;
|
||||
+
|
||||
+ t = *ret;
|
||||
+ *ret = t - b;
|
||||
+ if (*ret > t)
|
||||
+ borrow2 = 1;
|
||||
+ else
|
||||
+ borrow2 = 0;
|
||||
+
|
||||
+ return borrow1 + borrow2;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * place the result of a - b into ret, return the borrow bit.
|
||||
+ * All arrays need to be n limbs long
|
||||
+ */
|
||||
+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
||||
+{
|
||||
+ limb_t borrow = 0;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ for (i = n - 1; i > -1; i--)
|
||||
+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
|
||||
+
|
||||
+ return borrow;
|
||||
+}
|
||||
+
|
||||
+/* return the number of limbs necessary to allocate for the mod() tmp operand */
|
||||
+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
|
||||
+{
|
||||
+ return (anum + modnum) * 3;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * calculate a % mod, place the result in ret
|
||||
+ * size of a is defined by anum, size of ret and mod is modnum,
|
||||
+ * size of tmp is returned by mod_limb_numb()
|
||||
+ */
|
||||
+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
||||
+ size_t modnum, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t *atmp, *modtmp, *rettmp;
|
||||
+ limb_t res;
|
||||
+ size_t i;
|
||||
+
|
||||
+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ atmp = tmp;
|
||||
+ modtmp = &tmp[anum + modnum];
|
||||
+ rettmp = &tmp[(anum + modnum) * 2];
|
||||
+
|
||||
+ for (i = modnum; i <modnum + anum; i++)
|
||||
+ atmp[i] = a[i-modnum];
|
||||
+
|
||||
+ for (i = 0; i < modnum; i++)
|
||||
+ modtmp[i] = mod[i];
|
||||
+
|
||||
+ for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
|
||||
+ rshift1(modtmp, anum + modnum);
|
||||
+ res = sub(rettmp, atmp, modtmp, anum+modnum);
|
||||
+ cselect(res, atmp, atmp, rettmp, anum+modnum);
|
||||
+ }
|
||||
+
|
||||
+ memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
|
||||
+}
|
||||
+
|
||||
+/* necessary size of tmp for a _mul_add_limb() call with provided anum */
|
||||
+static ossl_inline size_t _mul_add_limb_numb(size_t anum)
|
||||
+{
|
||||
+ return 2 * (anum + 1);
|
||||
+}
|
||||
+
|
||||
+/* multiply a by m, add to ret, return carry */
|
||||
+static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
|
||||
+ limb_t m, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t carry = 0;
|
||||
+ limb_t *r_odd, *r_even;
|
||||
+ size_t i;
|
||||
+
|
||||
+ memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
|
||||
+
|
||||
+ r_odd = tmp;
|
||||
+ r_even = &tmp[anum + 1];
|
||||
+
|
||||
+ for (i = 0; i < anum; i++) {
|
||||
+ /*
|
||||
+ * place the results from even and odd limbs in separate arrays
|
||||
+ * so that we have to worry about carry just once
|
||||
+ */
|
||||
+ if (i % 2 == 0)
|
||||
+ _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
|
||||
+ else
|
||||
+ _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
|
||||
+ }
|
||||
+ /* assert: add() carry here will be equal zero */
|
||||
+ add(r_even, r_even, r_odd, anum + 1);
|
||||
+ /*
|
||||
+ * while here it will not overflow as the max value from multiplication
|
||||
+ * is -2 while max overflow from addition is 1, so the max value of
|
||||
+ * carry is -1 (i.e. max int)
|
||||
+ */
|
||||
+ carry = add(ret, ret, &r_even[1], anum) + r_even[0];
|
||||
+
|
||||
+ return carry;
|
||||
+}
|
||||
+
|
||||
+static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
|
||||
+{
|
||||
+ return modnum * 2 + _mul_add_limb_numb(modnum);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * calculate a % mod, place result in ret
|
||||
+ * assumes that a is in Montgomery form with the R (Montgomery modulus) being
|
||||
+ * smallest power of two big enough to fit mod and that's also a power
|
||||
+ * of the count of number of bits in limb_t (B).
|
||||
+ * For calculation, we also need n', such that mod * n' == -1 mod B.
|
||||
+ * anum must be <= 2 * modnum
|
||||
+ * ret needs to be modnum words long
|
||||
+ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
|
||||
+ */
|
||||
+static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
||||
+ size_t modnum, limb_t ni0, limb_t *tmp)
|
||||
+{
|
||||
+ limb_t carry, v;
|
||||
+ limb_t *res, *rp, *tmp2;
|
||||
+ ossl_ssize_t i;
|
||||
+
|
||||
+ res = tmp;
|
||||
+ /*
|
||||
+ * for intermediate result we need an integer twice as long as modulus
|
||||
+ * but keep the input in the least significant limbs
|
||||
+ */
|
||||
+ memset(res, 0, sizeof(limb_t) * (modnum * 2));
|
||||
+ memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
|
||||
+ rp = &res[modnum];
|
||||
+ tmp2 = &res[modnum * 2];
|
||||
+
|
||||
+ carry = 0;
|
||||
+
|
||||
+ /* add multiples of the modulus to the value until R divides it cleanly */
|
||||
+ for (i = modnum; i > 0; i--, rp--) {
|
||||
+ v = _mul_add_limb(rp, mod, modnum, rp[modnum-1] * ni0, tmp2);
|
||||
+ v = v + carry + rp[-1];
|
||||
+ carry |= (v != rp[-1]);
|
||||
+ carry &= (v <= rp[-1]);
|
||||
+ rp[-1] = v;
|
||||
+ }
|
||||
+
|
||||
+ /* perform the final reduction by mod... */
|
||||
+ carry -= sub(ret, rp, mod, modnum);
|
||||
+
|
||||
+ /* ...conditionally */
|
||||
+ cselect(carry, ret, rp, ret, modnum);
|
||||
+}
|
||||
+
|
||||
+/* allocated buffer should be freed afterwards */
|
||||
+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
|
||||
+{
|
||||
+ int i;
|
||||
+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ limb_t *ptr = buf + (limbs - real_limbs);
|
||||
+
|
||||
+ for (i = 0; i < real_limbs; i++)
|
||||
+ ptr[i] = bn->d[real_limbs - i - 1];
|
||||
+}
|
||||
+
|
||||
+#if LIMB_BYTE_SIZE == 8
|
||||
+static ossl_inline uint64_t be64(uint64_t host)
|
||||
+{
|
||||
+ uint64_t big = 0;
|
||||
+ DECLARE_IS_ENDIAN;
|
||||
+
|
||||
+ if (!IS_LITTLE_ENDIAN)
|
||||
+ return host;
|
||||
+
|
||||
+ big |= (host & 0xff00000000000000) >> 56;
|
||||
+ big |= (host & 0x00ff000000000000) >> 40;
|
||||
+ big |= (host & 0x0000ff0000000000) >> 24;
|
||||
+ big |= (host & 0x000000ff00000000) >> 8;
|
||||
+ big |= (host & 0x00000000ff000000) << 8;
|
||||
+ big |= (host & 0x0000000000ff0000) << 24;
|
||||
+ big |= (host & 0x000000000000ff00) << 40;
|
||||
+ big |= (host & 0x00000000000000ff) << 56;
|
||||
+ return big;
|
||||
+}
|
||||
+
|
||||
+#else
|
||||
+/* Not all platforms have htobe32(). */
|
||||
+static ossl_inline uint32_t be32(uint32_t host)
|
||||
+{
|
||||
+ uint32_t big = 0;
|
||||
+ DECLARE_IS_ENDIAN;
|
||||
+
|
||||
+ if (!IS_LITTLE_ENDIAN)
|
||||
+ return host;
|
||||
+
|
||||
+ big |= (host & 0xff000000) >> 24;
|
||||
+ big |= (host & 0x00ff0000) >> 8;
|
||||
+ big |= (host & 0x0000ff00) << 8;
|
||||
+ big |= (host & 0x000000ff) << 24;
|
||||
+ return big;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+/*
|
||||
+ * We assume that intermediate, possible_arg2, blinding, and ctx are used
|
||||
+ * similar to BN_BLINDING_invert_ex() arguments.
|
||||
+ * to_mod is RSA modulus.
|
||||
+ * buf and num is the serialization buffer and its length.
|
||||
+ *
|
||||
+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished
|
||||
+ * we serialize the new structure instead of BIGNUMs taking endianness into account.
|
||||
+ */
|
||||
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
||||
+ const BN_BLINDING *blinding,
|
||||
+ const BIGNUM *possible_arg2,
|
||||
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
||||
+ unsigned char *buf, int num)
|
||||
+{
|
||||
+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
|
||||
+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
|
||||
+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
|
||||
+ size_t l_tmp_count = 0;
|
||||
+ int ret = 0;
|
||||
+ size_t i;
|
||||
+ unsigned char *tmp;
|
||||
+ const BIGNUM *arg1 = intermediate;
|
||||
+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
|
||||
+
|
||||
+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
||||
+
|
||||
+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
|
||||
+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
||||
+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
||||
+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
|
||||
+ goto err;
|
||||
+
|
||||
+ BN_to_limb(arg1, l_im, l_size);
|
||||
+ BN_to_limb(arg2, l_mul, l_size);
|
||||
+ BN_to_limb(to_mod, l_mod, l_mod_count);
|
||||
+
|
||||
+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
|
||||
+
|
||||
+ if (blinding->m_ctx != NULL) {
|
||||
+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
|
||||
+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
|
||||
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
||||
+ } else {
|
||||
+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
|
||||
+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
|
||||
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
||||
+ }
|
||||
+
|
||||
+ if ((l_ret == NULL) || (l_tmp == NULL))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (blinding->m_ctx != NULL) {
|
||||
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
||||
+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
|
||||
+ blinding->m_ctx->n0[0], l_tmp);
|
||||
+ } else {
|
||||
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
||||
+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
|
||||
+ }
|
||||
+
|
||||
+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
|
||||
+ if (num < BN_num_bytes(to_mod)) {
|
||||
+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ memset(buf, 0, num);
|
||||
+ tmp = buf + num - BN_num_bytes(to_mod);
|
||||
+ for (i = 0; i < l_mod_count; i++) {
|
||||
+#if LIMB_BYTE_SIZE == 8
|
||||
+ l_buf = be64(l_ret[i]);
|
||||
+#else
|
||||
+ l_buf = be32(l_ret[i]);
|
||||
+#endif
|
||||
+ if (i == 0) {
|
||||
+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
|
||||
+
|
||||
+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
|
||||
+ tmp += delta;
|
||||
+ } else {
|
||||
+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
|
||||
+ tmp += LIMB_BYTE_SIZE;
|
||||
+ }
|
||||
+ }
|
||||
+ ret = num;
|
||||
+
|
||||
+ err:
|
||||
+ OPENSSL_free(l_im);
|
||||
+ OPENSSL_free(l_mul);
|
||||
+ OPENSSL_free(l_mod);
|
||||
+ OPENSSL_free(l_tmp);
|
||||
+ OPENSSL_free(l_ret);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
|
||||
index 381c659352..7e8b791fba 100644
|
||||
--- a/crypto/rsa/rsa_ossl.c
|
||||
+++ b/crypto/rsa/rsa_ossl.c
|
||||
@@ -469,13 +469,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
||||
BN_free(d);
|
||||
}
|
||||
|
||||
- if (blinding)
|
||||
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
||||
+ if (blinding) {
|
||||
+ /*
|
||||
+ * ossl_bn_rsa_do_unblind() combines blinding inversion and
|
||||
+ * 0-padded BN BE serialization
|
||||
+ */
|
||||
+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
|
||||
+ buf, num);
|
||||
+ if (j == 0)
|
||||
goto err;
|
||||
-
|
||||
- j = BN_bn2binpad(ret, buf, num);
|
||||
- if (j < 0)
|
||||
- goto err;
|
||||
+ } else {
|
||||
+ j = BN_bn2binpad(ret, buf, num);
|
||||
+ if (j < 0)
|
||||
+ goto err;
|
||||
+ }
|
||||
|
||||
switch (padding) {
|
||||
case RSA_PKCS1_PADDING:
|
||||
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
|
||||
index cf69bea848..cd45654210 100644
|
||||
--- a/include/crypto/bn.h
|
||||
+++ b/include/crypto/bn.h
|
||||
@@ -114,4 +114,10 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx);
|
||||
|
||||
extern const BIGNUM ossl_bn_inv_sqrt_2;
|
||||
|
||||
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
||||
+ const BN_BLINDING *blinding,
|
||||
+ const BIGNUM *possible_arg2,
|
||||
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
||||
+ unsigned char *buf, int num);
|
||||
+
|
||||
#endif
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,106 +0,0 @@
|
||||
From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Tue, 13 Dec 2022 14:54:55 +0000
|
||||
Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for
|
||||
PEM_read_bio_ex
|
||||
|
||||
In the event of a failure in PEM_read_bio_ex() we free the buffers we
|
||||
allocated for the header and data buffers. However we were not clearing
|
||||
the ptrs stored in *header and *data. Since, on success, the caller is
|
||||
responsible for freeing these ptrs this can potentially lead to a double
|
||||
free if the caller frees them even on failure.
|
||||
|
||||
Thanks to Dawei Wang for reporting this issue.
|
||||
|
||||
Based on a proposed patch by Kurt Roeckx.
|
||||
|
||||
CVE-2022-4450
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
---
|
||||
crypto/pem/pem_lib.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
|
||||
index f9ff80162a..85c47fb627 100644
|
||||
--- a/crypto/pem/pem_lib.c
|
||||
+++ b/crypto/pem/pem_lib.c
|
||||
@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
|
||||
|
||||
out_free:
|
||||
pem_free(*header, flags, 0);
|
||||
+ *header = NULL;
|
||||
pem_free(*data, flags, 0);
|
||||
+ *data = NULL;
|
||||
end:
|
||||
EVP_ENCODE_CTX_free(ctx);
|
||||
pem_free(name, flags, 0);
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Tue, 13 Dec 2022 15:02:26 +0000
|
||||
Subject: [PATCH 05/18] Add a test for CVE-2022-4450
|
||||
|
||||
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
|
||||
ptrs and therefore there should be no double free if we free the ptrs on
|
||||
error.
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
---
|
||||
test/pemtest.c | 30 ++++++++++++++++++++++++++++++
|
||||
1 file changed, 30 insertions(+)
|
||||
|
||||
diff --git a/test/pemtest.c b/test/pemtest.c
|
||||
index a8d2d49bb5..a5d28cb256 100644
|
||||
--- a/test/pemtest.c
|
||||
+++ b/test/pemtest.c
|
||||
@@ -96,6 +96,35 @@ static int test_cert_key_cert(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static int test_empty_payload(void)
|
||||
+{
|
||||
+ BIO *b;
|
||||
+ static char *emptypay =
|
||||
+ "-----BEGIN CERTIFICATE-----\n"
|
||||
+ "-\n" /* Base64 EOF character */
|
||||
+ "-----END CERTIFICATE-----";
|
||||
+ char *name = NULL, *header = NULL;
|
||||
+ unsigned char *data = NULL;
|
||||
+ long len;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ b = BIO_new_mem_buf(emptypay, strlen(emptypay));
|
||||
+ if (!TEST_ptr(b))
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Expected to fail because the payload is empty */
|
||||
+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+ err:
|
||||
+ OPENSSL_free(name);
|
||||
+ OPENSSL_free(header);
|
||||
+ OPENSSL_free(data);
|
||||
+ BIO_free(b);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
if (!TEST_ptr(pemfile = test_get_argument(0)))
|
||||
@@ -103,5 +132,6 @@ int setup_tests(void)
|
||||
ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
|
||||
ADD_TEST(test_invalid);
|
||||
ADD_TEST(test_cert_key_cert);
|
||||
+ ADD_TEST(test_empty_payload);
|
||||
return 1;
|
||||
}
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,187 +0,0 @@
|
||||
From 8818064ce3c3c0f1b740a5aaba2a987e75bfbafd Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Wed, 14 Dec 2022 16:18:14 +0000
|
||||
Subject: [PATCH 06/18] Fix a UAF resulting from a bug in BIO_new_NDEF
|
||||
|
||||
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
|
||||
be part of an invalid BIO chain. This causes a "use after free" when the
|
||||
BIO is eventually freed.
|
||||
|
||||
Based on an original patch by Viktor Dukhovni and an idea from Theo
|
||||
Buehler.
|
||||
|
||||
Thanks to Octavio Galland for reporting this issue.
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/asn1/bio_ndef.c | 40 ++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 32 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
|
||||
index d94e3a3644..b9df3a7a47 100644
|
||||
--- a/crypto/asn1/bio_ndef.c
|
||||
+++ b/crypto/asn1/bio_ndef.c
|
||||
@@ -49,13 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
|
||||
static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
|
||||
void *parg);
|
||||
|
||||
-/* unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() */
|
||||
+/*
|
||||
+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
|
||||
+ * On failure, NULL is returned and the input BIO is owned by the caller.
|
||||
+ *
|
||||
+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
|
||||
+ */
|
||||
BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
{
|
||||
NDEF_SUPPORT *ndef_aux = NULL;
|
||||
BIO *asn_bio = NULL;
|
||||
const ASN1_AUX *aux = it->funcs;
|
||||
ASN1_STREAM_ARG sarg;
|
||||
+ BIO *pop_bio = NULL;
|
||||
|
||||
if (!aux || !aux->asn1_cb) {
|
||||
ERR_raise(ERR_LIB_ASN1, ASN1_R_STREAMING_NOT_SUPPORTED);
|
||||
@@ -70,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
out = BIO_push(asn_bio, out);
|
||||
if (out == NULL)
|
||||
goto err;
|
||||
+ pop_bio = asn_bio;
|
||||
|
||||
- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
|
||||
- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
|
||||
+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
|
||||
+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
|
||||
+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
|
||||
+ goto err;
|
||||
|
||||
/*
|
||||
- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
|
||||
- * needs.
|
||||
+ * Now let the callback prepend any digest, cipher, etc., that the BIO's
|
||||
+ * ASN1 structure needs.
|
||||
*/
|
||||
|
||||
sarg.out = out;
|
||||
sarg.ndef_bio = NULL;
|
||||
sarg.boundary = NULL;
|
||||
|
||||
- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
|
||||
+ /*
|
||||
+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
|
||||
+ * middle of some partially built, but not returned BIO chain.
|
||||
+ */
|
||||
+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
|
||||
+ /*
|
||||
+ * ndef_aux is now owned by asn_bio so we must not free it in the err
|
||||
+ * clean up block
|
||||
+ */
|
||||
+ ndef_aux = NULL;
|
||||
goto err;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * We must not fail now because the callback has prepended additional
|
||||
+ * BIOs to the chain
|
||||
+ */
|
||||
|
||||
ndef_aux->val = val;
|
||||
ndef_aux->it = it;
|
||||
@@ -92,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
||||
ndef_aux->boundary = sarg.boundary;
|
||||
ndef_aux->out = out;
|
||||
|
||||
- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
|
||||
-
|
||||
return sarg.ndef_bio;
|
||||
|
||||
err:
|
||||
+ /* BIO_pop() is NULL safe */
|
||||
+ (void)BIO_pop(pop_bio);
|
||||
BIO_free(asn_bio);
|
||||
OPENSSL_free(ndef_aux);
|
||||
return NULL;
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From f596ec8a6f9f5fcfa8e46a73b60f78a609725294 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Wed, 14 Dec 2022 17:15:18 +0000
|
||||
Subject: [PATCH 07/18] Check CMS failure during BIO setup with -stream is
|
||||
handled correctly
|
||||
|
||||
Test for the issue fixed in the previous commit
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
test/recipes/80-test_cms.t | 15 +++++++++++++--
|
||||
test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
|
||||
2 files changed, 31 insertions(+), 2 deletions(-)
|
||||
create mode 100644 test/smime-certs/badrsa.pem
|
||||
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index 610f1cbc51..fd53683e6b 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -13,7 +13,7 @@ use warnings;
|
||||
use POSIX;
|
||||
use File::Spec::Functions qw/catfile/;
|
||||
use File::Compare qw/compare_text compare/;
|
||||
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
|
||||
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/;
|
||||
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
||||
|
||||
$no_rc2 = 1 if disabled("legacy");
|
||||
|
||||
-plan tests => 12;
|
||||
+plan tests => 13;
|
||||
|
||||
ok(run(test(["pkcs7_test"])), "test pkcs7");
|
||||
|
||||
@@ -972,3 +972,14 @@ ok(!run(app(['openssl', 'cms', '-verify',
|
||||
|
||||
return "";
|
||||
}
|
||||
+
|
||||
+# Check that we get the expected failure return code
|
||||
+with({ exit_checker => sub { return shift == 6; } },
|
||||
+ sub {
|
||||
+ ok(run(app(['openssl', 'cms', '-encrypt',
|
||||
+ '-in', srctop_file("test", "smcont.txt"),
|
||||
+ '-stream', '-recip',
|
||||
+ srctop_file("test/smime-certs", "badrsa.pem"),
|
||||
+ ])),
|
||||
+ "Check failure during BIO setup with -stream is handled correctly");
|
||||
+ });
|
||||
diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
|
||||
new file mode 100644
|
||||
index 0000000000..f824fc2267
|
||||
--- /dev/null
|
||||
+++ b/test/smime-certs/badrsa.pem
|
||||
@@ -0,0 +1,18 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
|
||||
+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
|
||||
+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
|
||||
+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
|
||||
+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
|
||||
+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
|
||||
+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
|
||||
+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
|
||||
+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
|
||||
+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
|
||||
+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
|
||||
+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
|
||||
+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
|
||||
+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
|
||||
+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
|
||||
+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
|
||||
+-----END CERTIFICATE-----
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,110 +0,0 @@
|
||||
From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 16 Jan 2023 19:45:23 +0100
|
||||
Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set
|
||||
|
||||
Fixes CVE-2023-0216
|
||||
|
||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
---
|
||||
crypto/pkcs7/pk7_lib.c | 16 ++++++++++++----
|
||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
|
||||
index 753f1276e6..936e50da54 100644
|
||||
--- a/crypto/pkcs7/pk7_lib.c
|
||||
+++ b/crypto/pkcs7/pk7_lib.c
|
||||
@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
|
||||
|
||||
static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
|
||||
{
|
||||
+ if (p7->d.ptr == NULL)
|
||||
+ return NULL;
|
||||
if (PKCS7_type_is_signed(p7))
|
||||
return p7->d.sign->cert;
|
||||
if (PKCS7_type_is_signedAndEnveloped(p7))
|
||||
@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
|
||||
|
||||
static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
|
||||
{
|
||||
+ if (p7->d.ptr == NULL)
|
||||
+ return NULL;
|
||||
if (PKCS7_type_is_signedAndEnveloped(p7))
|
||||
return p7->d.signed_and_enveloped->recipientinfo;
|
||||
if (PKCS7_type_is_enveloped(p7))
|
||||
@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
|
||||
const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
|
||||
OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
|
||||
const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
|
||||
- STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7);
|
||||
- STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7);
|
||||
- STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7);
|
||||
+ STACK_OF(PKCS7_RECIP_INFO) *rinfos;
|
||||
+ STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
|
||||
+ STACK_OF(X509) *certs;
|
||||
|
||||
- if (ctx == NULL)
|
||||
+ if (ctx == NULL || p7->d.ptr == NULL)
|
||||
return;
|
||||
|
||||
+ rinfos = pkcs7_get_recipient_info(p7);
|
||||
+ sinfos = PKCS7_get_signer_info(p7);
|
||||
+ certs = pkcs7_get_signer_certs(p7);
|
||||
+
|
||||
for (i = 0; i < sk_X509_num(certs); i++)
|
||||
ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
|
||||
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 16 Jan 2023 19:56:20 +0100
|
||||
Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference
|
||||
|
||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
---
|
||||
test/recipes/25-test_pkcs7.t | 7 +++++--
|
||||
test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++
|
||||
2 files changed, 8 insertions(+), 2 deletions(-)
|
||||
create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7
|
||||
|
||||
diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t
|
||||
index 37cd43dc6b..d61cd6abad 100644
|
||||
--- a/test/recipes/25-test_pkcs7.t
|
||||
+++ b/test/recipes/25-test_pkcs7.t
|
||||
@@ -11,11 +11,11 @@ use strict;
|
||||
use warnings;
|
||||
|
||||
use File::Spec;
|
||||
-use OpenSSL::Test qw/:DEFAULT srctop_file/;
|
||||
+use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;
|
||||
|
||||
setup("test_pkcs7");
|
||||
|
||||
-plan tests => 3;
|
||||
+plan tests => 4;
|
||||
|
||||
require_ok(srctop_file('test','recipes','tconversion.pl'));
|
||||
|
||||
@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub {
|
||||
tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"),
|
||||
-args => ["pkcs7"] );
|
||||
};
|
||||
+
|
||||
+my $malformed = data_file('malformed.pkcs7');
|
||||
+ok(run(app(["openssl", "pkcs7", "-in", $malformed])));
|
||||
diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
|
||||
new file mode 100644
|
||||
index 0000000000..e30d1b582c
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
|
||||
@@ -0,0 +1,3 @@
|
||||
+-----BEGIN PKCS7-----
|
||||
+MAsGCSqGSIb3DQEHAg==
|
||||
+-----END PKCS7-----
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,404 +0,0 @@
|
||||
From 23985bac83fd50c8e29431009302b5442f985096 Mon Sep 17 00:00:00 2001
|
||||
From: slontis <shane.lontis@oracle.com>
|
||||
Date: Wed, 11 Jan 2023 11:05:04 +1000
|
||||
Subject: [PATCH 10/18] Fix NULL deference when validating FFC public key.
|
||||
|
||||
Fixes CVE-2023-0217
|
||||
|
||||
When attempting to do a BN_Copy of params->p there was no NULL check.
|
||||
Since BN_copy does not check for NULL this is a NULL reference.
|
||||
|
||||
As an aside BN_cmp() does do a NULL check, so there are other checks
|
||||
that fail because a NULL is passed. A more general check for NULL params
|
||||
has been added for both FFC public and private key validation instead.
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
crypto/ffc/ffc_key_validate.c | 9 +++++++++
|
||||
include/internal/ffc.h | 1 +
|
||||
test/ffc_internal_test.c | 31 +++++++++++++++++++++++++++++++
|
||||
3 files changed, 41 insertions(+)
|
||||
|
||||
diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c
|
||||
index 9f6525a2c8..442303e4b3 100644
|
||||
--- a/crypto/ffc/ffc_key_validate.c
|
||||
+++ b/crypto/ffc/ffc_key_validate.c
|
||||
@@ -24,6 +24,11 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params,
|
||||
BN_CTX *ctx = NULL;
|
||||
|
||||
*ret = 0;
|
||||
+ if (params == NULL || pub_key == NULL || params->p == NULL) {
|
||||
+ *ret = FFC_ERROR_PASSED_NULL_PARAM;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
ctx = BN_CTX_new_ex(NULL);
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
@@ -107,6 +112,10 @@ int ossl_ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv,
|
||||
|
||||
*ret = 0;
|
||||
|
||||
+ if (priv == NULL || upper == NULL) {
|
||||
+ *ret = FFC_ERROR_PASSED_NULL_PARAM;
|
||||
+ goto err;
|
||||
+ }
|
||||
if (BN_cmp(priv, BN_value_one()) < 0) {
|
||||
*ret |= FFC_ERROR_PRIVKEY_TOO_SMALL;
|
||||
goto err;
|
||||
diff --git a/include/internal/ffc.h b/include/internal/ffc.h
|
||||
index 732514a6c2..b8b7140857 100644
|
||||
--- a/include/internal/ffc.h
|
||||
+++ b/include/internal/ffc.h
|
||||
@@ -76,6 +76,7 @@
|
||||
# define FFC_ERROR_NOT_SUITABLE_GENERATOR 0x08
|
||||
# define FFC_ERROR_PRIVKEY_TOO_SMALL 0x10
|
||||
# define FFC_ERROR_PRIVKEY_TOO_LARGE 0x20
|
||||
+# define FFC_ERROR_PASSED_NULL_PARAM 0x40
|
||||
|
||||
/*
|
||||
* Finite field cryptography (FFC) domain parameters are used by DH and DSA.
|
||||
diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c
|
||||
index 2c97293573..9f67bd29b9 100644
|
||||
--- a/test/ffc_internal_test.c
|
||||
+++ b/test/ffc_internal_test.c
|
||||
@@ -510,6 +510,27 @@ static int ffc_public_validate_test(void)
|
||||
if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
|
||||
goto err;
|
||||
|
||||
+ /* Fail if params is NULL */
|
||||
+ if (!TEST_false(ossl_ffc_validate_public_key(NULL, pub, &res)))
|
||||
+ goto err;
|
||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
||||
+ goto err;
|
||||
+ res = -1;
|
||||
+ /* Fail if pubkey is NULL */
|
||||
+ if (!TEST_false(ossl_ffc_validate_public_key(params, NULL, &res)))
|
||||
+ goto err;
|
||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
||||
+ goto err;
|
||||
+ res = -1;
|
||||
+
|
||||
+ BN_free(params->p);
|
||||
+ params->p = NULL;
|
||||
+ /* Fail if params->p is NULL */
|
||||
+ if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
|
||||
+ goto err;
|
||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
||||
+ goto err;
|
||||
+
|
||||
ret = 1;
|
||||
err:
|
||||
DH_free(dh);
|
||||
@@ -567,6 +588,16 @@ static int ffc_private_validate_test(void)
|
||||
if (!TEST_true(ossl_ffc_validate_private_key(params->q, priv, &res)))
|
||||
goto err;
|
||||
|
||||
+ if (!TEST_false(ossl_ffc_validate_private_key(NULL, priv, &res)))
|
||||
+ goto err;
|
||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
||||
+ goto err;
|
||||
+ res = -1;
|
||||
+ if (!TEST_false(ossl_ffc_validate_private_key(params->q, NULL, &res)))
|
||||
+ goto err;
|
||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
||||
+ goto err;
|
||||
+
|
||||
ret = 1;
|
||||
err:
|
||||
DH_free(dh);
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From c1b4467a7cc129a74fc5205b80a5c47556b99416 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Fri, 13 Jan 2023 17:57:59 +0100
|
||||
Subject: [PATCH 11/18] Prevent creating DSA and DH keys without parameters
|
||||
through import
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
---
|
||||
providers/implementations/keymgmt/dh_kmgmt.c | 4 ++--
|
||||
providers/implementations/keymgmt/dsa_kmgmt.c | 5 +++--
|
||||
2 files changed, 5 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
index 58a5fd009f..c2d87b4a7f 100644
|
||||
--- a/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
@@ -198,8 +198,8 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
|
||||
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
|
||||
return 0;
|
||||
|
||||
- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
|
||||
- ok = ok && ossl_dh_params_fromdata(dh, params);
|
||||
+ /* a key without parameters is meaningless */
|
||||
+ ok = ok && ossl_dh_params_fromdata(dh, params);
|
||||
|
||||
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
|
||||
int include_private =
|
||||
diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c
|
||||
index 100e917167..881680c085 100644
|
||||
--- a/providers/implementations/keymgmt/dsa_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/dsa_kmgmt.c
|
||||
@@ -199,8 +199,9 @@ static int dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
|
||||
if ((selection & DSA_POSSIBLE_SELECTIONS) == 0)
|
||||
return 0;
|
||||
|
||||
- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
|
||||
- ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params);
|
||||
+ /* a key without parameters is meaningless */
|
||||
+ ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params);
|
||||
+
|
||||
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
|
||||
int include_private =
|
||||
selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From fab4973801bdc11c29c4c8ccf65cf39cbc63ce9b Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Fri, 13 Jan 2023 17:59:52 +0100
|
||||
Subject: [PATCH 12/18] Do not create DSA keys without parameters by decoder
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
---
|
||||
crypto/x509/x_pubkey.c | 24 +++++++++++++++++++
|
||||
include/crypto/x509.h | 3 +++
|
||||
.../encode_decode/decode_der2key.c | 2 +-
|
||||
3 files changed, 28 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
|
||||
index bc90ddd89b..77790faa1f 100644
|
||||
--- a/crypto/x509/x_pubkey.c
|
||||
+++ b/crypto/x509/x_pubkey.c
|
||||
@@ -745,6 +745,30 @@ DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length)
|
||||
return key;
|
||||
}
|
||||
|
||||
+/* Called from decoders; disallows provided DSA keys without parameters. */
|
||||
+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length)
|
||||
+{
|
||||
+ DSA *key = NULL;
|
||||
+ const unsigned char *data;
|
||||
+ const BIGNUM *p, *q, *g;
|
||||
+
|
||||
+ data = *pp;
|
||||
+ key = d2i_DSA_PUBKEY(NULL, &data, length);
|
||||
+ if (key == NULL)
|
||||
+ return NULL;
|
||||
+ DSA_get0_pqg(key, &p, &q, &g);
|
||||
+ if (p == NULL || q == NULL || g == NULL) {
|
||||
+ DSA_free(key);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ *pp = data;
|
||||
+ if (a != NULL) {
|
||||
+ DSA_free(*a);
|
||||
+ *a = key;
|
||||
+ }
|
||||
+ return key;
|
||||
+}
|
||||
+
|
||||
int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp)
|
||||
{
|
||||
EVP_PKEY *pktmp;
|
||||
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
|
||||
index 1f00178e89..0c42730ee9 100644
|
||||
--- a/include/crypto/x509.h
|
||||
+++ b/include/crypto/x509.h
|
||||
@@ -339,6 +339,9 @@ void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub);
|
||||
|
||||
RSA *ossl_d2i_RSA_PSS_PUBKEY(RSA **a, const unsigned char **pp, long length);
|
||||
int ossl_i2d_RSA_PSS_PUBKEY(const RSA *a, unsigned char **pp);
|
||||
+# ifndef OPENSSL_NO_DSA
|
||||
+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length);
|
||||
+# endif /* OPENSSL_NO_DSA */
|
||||
# ifndef OPENSSL_NO_DH
|
||||
DH *ossl_d2i_DH_PUBKEY(DH **a, const unsigned char **pp, long length);
|
||||
int ossl_i2d_DH_PUBKEY(const DH *a, unsigned char **pp);
|
||||
diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c
|
||||
index ebc2d24833..d6ad738ef3 100644
|
||||
--- a/providers/implementations/encode_decode/decode_der2key.c
|
||||
+++ b/providers/implementations/encode_decode/decode_der2key.c
|
||||
@@ -374,7 +374,7 @@ static void *dsa_d2i_PKCS8(void **key, const unsigned char **der, long der_len,
|
||||
(key_from_pkcs8_t *)ossl_dsa_key_from_pkcs8);
|
||||
}
|
||||
|
||||
-# define dsa_d2i_PUBKEY (d2i_of_void *)d2i_DSA_PUBKEY
|
||||
+# define dsa_d2i_PUBKEY (d2i_of_void *)ossl_d2i_DSA_PUBKEY
|
||||
# define dsa_free (free_key_fn *)DSA_free
|
||||
# define dsa_check NULL
|
||||
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From 7e37185582995b35f885fec9dcc3670af9ffcbef Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Fri, 13 Jan 2023 18:46:15 +0100
|
||||
Subject: [PATCH 13/18] Add test for DSA pubkey without param import and check
|
||||
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
---
|
||||
test/recipes/91-test_pkey_check.t | 48 ++++++++++++++----
|
||||
.../91-test_pkey_check_data/dsapub.pem | 12 +++++
|
||||
.../dsapub_noparam.der | Bin 0 -> 108 bytes
|
||||
3 files changed, 49 insertions(+), 11 deletions(-)
|
||||
create mode 100644 test/recipes/91-test_pkey_check_data/dsapub.pem
|
||||
create mode 100644 test/recipes/91-test_pkey_check_data/dsapub_noparam.der
|
||||
|
||||
diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
|
||||
index 612a3e3d6c..015d7805db 100644
|
||||
--- a/test/recipes/91-test_pkey_check.t
|
||||
+++ b/test/recipes/91-test_pkey_check.t
|
||||
@@ -11,19 +11,24 @@ use strict;
|
||||
use warnings;
|
||||
|
||||
use File::Spec;
|
||||
-use OpenSSL::Test qw/:DEFAULT data_file/;
|
||||
+use OpenSSL::Test qw/:DEFAULT data_file with/;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
sub pkey_check {
|
||||
my $f = shift;
|
||||
+ my $pubcheck = shift;
|
||||
+ my @checkopt = ('-check');
|
||||
|
||||
- return run(app(['openssl', 'pkey', '-check', '-text',
|
||||
+ @checkopt = ('-pubcheck', '-pubin') if $pubcheck;
|
||||
+
|
||||
+ return run(app(['openssl', 'pkey', @checkopt, '-text',
|
||||
'-in', $f]));
|
||||
}
|
||||
|
||||
sub check_key {
|
||||
my $f = shift;
|
||||
my $should_fail = shift;
|
||||
+ my $pubcheck = shift;
|
||||
my $str;
|
||||
|
||||
|
||||
@@ -33,11 +38,10 @@ sub check_key {
|
||||
$f = data_file($f);
|
||||
|
||||
if ( -s $f ) {
|
||||
- if ($should_fail) {
|
||||
- ok(!pkey_check($f), $str);
|
||||
- } else {
|
||||
- ok(pkey_check($f), $str);
|
||||
- }
|
||||
+ with({ exit_checker => sub { return shift == $should_fail; } },
|
||||
+ sub {
|
||||
+ ok(pkey_check($f, $pubcheck), $str);
|
||||
+ });
|
||||
} else {
|
||||
fail("Missing file $f");
|
||||
}
|
||||
@@ -66,15 +70,37 @@ push(@positive_tests, (
|
||||
"dhpkey.pem"
|
||||
)) unless disabled("dh");
|
||||
|
||||
+my @negative_pubtests = ();
|
||||
+
|
||||
+push(@negative_pubtests, (
|
||||
+ "dsapub_noparam.der"
|
||||
+ )) unless disabled("dsa");
|
||||
+
|
||||
+my @positive_pubtests = ();
|
||||
+
|
||||
+push(@positive_pubtests, (
|
||||
+ "dsapub.pem"
|
||||
+ )) unless disabled("dsa");
|
||||
+
|
||||
plan skip_all => "No tests within the current enabled feature set"
|
||||
- unless @negative_tests && @positive_tests;
|
||||
+ unless @negative_tests && @positive_tests
|
||||
+ && @negative_pubtests && @positive_pubtests;
|
||||
|
||||
-plan tests => scalar(@negative_tests) + scalar(@positive_tests);
|
||||
+plan tests => scalar(@negative_tests) + scalar(@positive_tests)
|
||||
+ + scalar(@negative_pubtests) + scalar(@positive_pubtests);
|
||||
|
||||
foreach my $t (@negative_tests) {
|
||||
- check_key($t, 1);
|
||||
+ check_key($t, 1, 0);
|
||||
}
|
||||
|
||||
foreach my $t (@positive_tests) {
|
||||
- check_key($t, 0);
|
||||
+ check_key($t, 0, 0);
|
||||
+}
|
||||
+
|
||||
+foreach my $t (@negative_pubtests) {
|
||||
+ check_key($t, 1, 1);
|
||||
+}
|
||||
+
|
||||
+foreach my $t (@positive_pubtests) {
|
||||
+ check_key($t, 0, 1);
|
||||
}
|
||||
diff --git a/test/recipes/91-test_pkey_check_data/dsapub.pem b/test/recipes/91-test_pkey_check_data/dsapub.pem
|
||||
new file mode 100644
|
||||
index 0000000000..0ff4bd83ed
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/91-test_pkey_check_data/dsapub.pem
|
||||
@@ -0,0 +1,12 @@
|
||||
+-----BEGIN PUBLIC KEY-----
|
||||
+MIIBvzCCATQGByqGSM44BAEwggEnAoGBAIjbXpOVVciVNuagg26annKkghIIZFI4
|
||||
+4WdMomnV+I/oXyxHbZTBBBpW9xy/E1+yMjbp4GmX+VxyDj3WxUWxXllzL+miEkzD
|
||||
+9Xz638VzIBhjFbMvk1/N4kS4bKVUd9yk7HfvYzAdnRphk0WI+RoDiDrBNPPxSoQD
|
||||
+CEWgvwgsLIDhAh0A6dbz1IQpQwGF4+Ca28x6OO+UfJJv3ggeZ++fNwKBgQCA9XKV
|
||||
+lRrTY8ALBxS0KbZjpaIXuUj5nr3i1lIDyP3ISksDF0ekyLtn6eK9VijX6Pm65Np+
|
||||
+4ic9Nr5WKLKhPaUSpLNRx1gDqo3sd92hYgiEUifzEuhLYfK/CsgFED+l2hDXtJUq
|
||||
+bISNSHVwI5lsyNXLu7HI1Fk8F5UO3LqsboFAngOBhAACgYATxFY89nEYcUhgHGgr
|
||||
+YDHhXBQfMKnTKYdvon4DN7WQ9ip+t4VUsLpTD1ZE9zrM2R/B04+8C6KGoViwyeER
|
||||
+kS4dxWOkX71x4X2DlNpYevcR53tNcTDqmMD7YKfDDmrb0lftMyfW8aESaiymVMys
|
||||
+DRjhKHBjdo0rZeSM8DAk3ctrXA==
|
||||
+-----END PUBLIC KEY-----
|
||||
diff --git a/test/recipes/91-test_pkey_check_data/dsapub_noparam.der b/test/recipes/91-test_pkey_check_data/dsapub_noparam.der
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..b8135f1ca94da914b6829421e0c13f6daa731862
|
||||
GIT binary patch
|
||||
literal 108
|
||||
zcmXpIGT>xm*J|@PXTieE%*wz71<Xv0AT}3_&&0^YB*etj0OvEYF$n`XLd*y;pgagL
|
||||
U3o&W4F|x9<gY>|F5F-Nv0Bz9(=Kufz
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From 2ad9928170768653d19d81881deabc5f9c1665c0 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Fri, 3 Feb 2023 14:57:04 +0100
|
||||
Subject: [PATCH 18/18] Internaly declare the DSA type for no-deprecated builds
|
||||
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
||||
(cherry picked from commit 7a21a1b5fa2dac438892cf3292d1f9c445d870d9)
|
||||
---
|
||||
include/crypto/types.h | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/include/crypto/types.h b/include/crypto/types.h
|
||||
index 0d81404091..0a75f03a3f 100644
|
||||
--- a/include/crypto/types.h
|
||||
+++ b/include/crypto/types.h
|
||||
@@ -20,6 +20,9 @@ typedef struct rsa_meth_st RSA_METHOD;
|
||||
typedef struct ec_key_st EC_KEY;
|
||||
typedef struct ec_key_method_st EC_KEY_METHOD;
|
||||
# endif
|
||||
+# ifndef OPENSSL_NO_DSA
|
||||
+typedef struct dsa_st DSA;
|
||||
+# endif
|
||||
# endif
|
||||
|
||||
# ifndef OPENSSL_NO_EC
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,63 +0,0 @@
|
||||
From 2f7530077e0ef79d98718138716bc51ca0cad658 Mon Sep 17 00:00:00 2001
|
||||
From: Hugo Landau <hlandau@openssl.org>
|
||||
Date: Tue, 17 Jan 2023 17:45:42 +0000
|
||||
Subject: [PATCH 14/18] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
|
||||
(3.0)
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
---
|
||||
CHANGES.md | 19 +++++++++++++++++++
|
||||
crypto/x509/v3_genn.c | 2 +-
|
||||
include/openssl/x509v3.h.in | 2 +-
|
||||
test/v3nametest.c | 8 ++++++++
|
||||
4 files changed, 29 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c
|
||||
index c0a7166cd0..1741c2d2f6 100644
|
||||
--- a/crypto/x509/v3_genn.c
|
||||
+++ b/crypto/x509/v3_genn.c
|
||||
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
|
||||
return -1;
|
||||
switch (a->type) {
|
||||
case GEN_X400:
|
||||
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
|
||||
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
|
||||
break;
|
||||
|
||||
case GEN_EDIPARTY:
|
||||
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
|
||||
index d00a66a343..c087e3cf92 100644
|
||||
--- a/include/openssl/x509v3.h.in
|
||||
+++ b/include/openssl/x509v3.h.in
|
||||
@@ -154,7 +154,7 @@ typedef struct GENERAL_NAME_st {
|
||||
OTHERNAME *otherName; /* otherName */
|
||||
ASN1_IA5STRING *rfc822Name;
|
||||
ASN1_IA5STRING *dNSName;
|
||||
- ASN1_TYPE *x400Address;
|
||||
+ ASN1_STRING *x400Address;
|
||||
X509_NAME *directoryName;
|
||||
EDIPARTYNAME *ediPartyName;
|
||||
ASN1_IA5STRING *uniformResourceIdentifier;
|
||||
diff --git a/test/v3nametest.c b/test/v3nametest.c
|
||||
index 6d2e2f8e27..0341995dde 100644
|
||||
--- a/test/v3nametest.c
|
||||
+++ b/test/v3nametest.c
|
||||
@@ -644,6 +644,14 @@ static struct gennamedata {
|
||||
0xb7, 0x09, 0x02, 0x02
|
||||
},
|
||||
15
|
||||
+ }, {
|
||||
+ /*
|
||||
+ * Regression test for CVE-2023-0286.
|
||||
+ */
|
||||
+ {
|
||||
+ 0xa3, 0x00
|
||||
+ },
|
||||
+ 2
|
||||
}
|
||||
};
|
||||
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,150 +0,0 @@
|
||||
From d3b6dfd70db844c4499bec6ad6601623a565e674 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Wed, 18 Jan 2023 09:27:53 +0100
|
||||
Subject: [PATCH 15/18] pk7_doit.c: Check return of BIO_set_md() calls
|
||||
|
||||
These calls invoke EVP_DigestInit() which can fail for digests
|
||||
with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write()
|
||||
or EVP_DigestFinal() from BIO_read() will segfault on NULL
|
||||
dereference. This can be triggered by an attacker providing
|
||||
PKCS7 data digested with MD4 for example if the legacy provider
|
||||
is not loaded.
|
||||
|
||||
If BIO_set_md() fails the md BIO cannot be used.
|
||||
|
||||
CVE-2023-0401
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
---
|
||||
crypto/pkcs7/pk7_doit.c | 12 ++++++++++--
|
||||
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
|
||||
index bde9ac4787..5e562fbea5 100644
|
||||
--- a/crypto/pkcs7/pk7_doit.c
|
||||
+++ b/crypto/pkcs7/pk7_doit.c
|
||||
@@ -84,7 +84,11 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg,
|
||||
}
|
||||
(void)ERR_pop_to_mark();
|
||||
|
||||
- BIO_set_md(btmp, md);
|
||||
+ if (BIO_set_md(btmp, md) <= 0) {
|
||||
+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
|
||||
+ EVP_MD_free(fetched);
|
||||
+ goto err;
|
||||
+ }
|
||||
EVP_MD_free(fetched);
|
||||
if (*pbio == NULL)
|
||||
*pbio = btmp;
|
||||
@@ -522,7 +526,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
|
||||
}
|
||||
(void)ERR_pop_to_mark();
|
||||
|
||||
- BIO_set_md(btmp, md);
|
||||
+ if (BIO_set_md(btmp, md) <= 0) {
|
||||
+ EVP_MD_free(evp_md);
|
||||
+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
|
||||
+ goto err;
|
||||
+ }
|
||||
EVP_MD_free(evp_md);
|
||||
if (out == NULL)
|
||||
out = btmp;
|
||||
--
|
||||
2.39.1
|
||||
|
||||
From a0f2359613f50b5ca6b74b78bf4b54d7dc925fd2 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Wed, 18 Jan 2023 17:07:24 +0100
|
||||
Subject: [PATCH 16/18] Add testcase for missing return check of BIO_set_md()
|
||||
calls
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
---
|
||||
test/recipes/80-test_cms.t | 15 ++++++++--
|
||||
test/recipes/80-test_cms_data/pkcs7-md4.pem | 32 +++++++++++++++++++++
|
||||
2 files changed, 45 insertions(+), 2 deletions(-)
|
||||
create mode 100644 test/recipes/80-test_cms_data/pkcs7-md4.pem
|
||||
|
||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||
index fd53683e6b..d45789de70 100644
|
||||
--- a/test/recipes/80-test_cms.t
|
||||
+++ b/test/recipes/80-test_cms.t
|
||||
@@ -13,7 +13,7 @@ use warnings;
|
||||
use POSIX;
|
||||
use File::Spec::Functions qw/catfile/;
|
||||
use File::Compare qw/compare_text compare/;
|
||||
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/;
|
||||
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;
|
||||
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
||||
|
||||
$no_rc2 = 1 if disabled("legacy");
|
||||
|
||||
-plan tests => 13;
|
||||
+plan tests => 14;
|
||||
|
||||
ok(run(test(["pkcs7_test"])), "test pkcs7");
|
||||
|
||||
@@ -941,6 +941,17 @@ subtest "CMS binary input tests\n" => sub {
|
||||
"verify binary input with -binary missing -crlfeol");
|
||||
};
|
||||
|
||||
+# Test case for missing MD algorithm (must not segfault)
|
||||
+
|
||||
+with({ exit_checker => sub { return shift == 4; } },
|
||||
+ sub {
|
||||
+ ok(run(app(['openssl', 'smime', '-verify', '-noverify',
|
||||
+ '-inform', 'PEM',
|
||||
+ '-in', data_file("pkcs7-md4.pem"),
|
||||
+ ])),
|
||||
+ "Check failure of EVP_DigestInit is handled correctly");
|
||||
+ });
|
||||
+
|
||||
sub check_availability {
|
||||
my $tnam = shift;
|
||||
|
||||
diff --git a/test/recipes/80-test_cms_data/pkcs7-md4.pem b/test/recipes/80-test_cms_data/pkcs7-md4.pem
|
||||
new file mode 100644
|
||||
index 0000000000..ecff611deb
|
||||
--- /dev/null
|
||||
+++ b/test/recipes/80-test_cms_data/pkcs7-md4.pem
|
||||
@@ -0,0 +1,32 @@
|
||||
+-----BEGIN PKCS7-----
|
||||
+MIIFhAYJKoZIhvcNAQcCoIIFdTCCBXECAQExDjAMBggqhkiG9w0CBAUAMB0GCSqG
|
||||
+SIb3DQEHAaAQBA5UZXN0IGNvbnRlbnQNCqCCAyQwggMgMIICCKADAgECAgECMA0G
|
||||
+CSqGSIb3DQEBCwUAMA0xCzAJBgNVBAMMAkNBMCAXDTE2MDExNTA4MTk0OVoYDzIx
|
||||
+MTYwMTE2MDgxOTQ5WjAZMRcwFQYDVQQDDA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJ
|
||||
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU
|
||||
+fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC
|
||||
+76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz
|
||||
+BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl
|
||||
+V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv
|
||||
+0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaN9
|
||||
+MHswHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOiMB8GA1UdIwQYMBaAFLQR
|
||||
+M/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
|
||||
+AwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEB
|
||||
+AEG0PE9hQuXlvtUULv9TQ2BXy9MmTjOk+dQwxDhAXYBYMUB6TygsqvPXwpDwz8MS
|
||||
+EPGCRqh5cQwtPoElQRU1i4URgcQMZquXScwNFcvE6AATF/PdN/+mOwtqFrlpYfs3
|
||||
+IJIpYL6ViQg4n8pv+b/pCwMmhewQLwCGs9+omHNTOwKjEiVoNaprAfj5Lxt15fS2
|
||||
++zZW0mT9Y4kfEypetrqSAjh8CDK+vaQhkeKdDfJyBfjS4ALfxvCkT3mQnsWFJ9CU
|
||||
+TVG3uw6ylSPT3wN3RE0Ofa4rI5PESogQsd/DgBc7dcDO3yoPKGjycR3/GJDqqCxC
|
||||
+e9dr6FJEnDjaDf9zNWyTFHExggITMIICDwIBATASMA0xCzAJBgNVBAMMAkNBAgEC
|
||||
+MAwGCCqGSIb3DQIEBQCggdQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq
|
||||
+hkiG9w0BCQUxDxcNMjMwMTE4MTU0NzExWjAfBgkqhkiG9w0BCQQxEgQQRXO4TKpp
|
||||
+RgA4XHb8bD1pczB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgB
|
||||
+ZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN
|
||||
+BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0B
|
||||
+AQEFAASCAQAe+xlm/TGg/s/7b0xBc3FFnmmUDEe7ljkehIx61OnBV9ZWA+LcBX/7
|
||||
+kmMSMdaHjRq4w8FmwBMLzn0ttXVqf0QuPbBF/E6X5EqK9lpOdkUQhNiN2v+ZfY6c
|
||||
+lrH4ADsSD9D+UHw0sxo5KEF+PPuneUfYCJZosFUJosBbuSEXK0C9yfJoDKVE8Syp
|
||||
+0vdqh73ogLeNgZLAUGSSB66OmHDxwgAj4qPAv6FHFBy1Xs4uFZER5vniYrH9OrAk
|
||||
+Z6XdvzDoYZC4XcGMDtcOpOM6D4owqy5svHPDw8wIlM4GVhrTw7CQmuBz5uRNnf6a
|
||||
+ZK3jZIxG1hr/INaNWheHoPIhPblYaVc6
|
||||
+-----END PKCS7-----
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 9dbc6069665690bd238caa7622647ea8ac94124f Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 13 Feb 2023 11:01:44 +0100
|
||||
Subject: fips: Zeroize `out` in fips selftest
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
Resolves: rhbz#2169314
|
||||
---
|
||||
providers/fips/self_test.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
|
||||
index 80d048a847..11a989209c 100644
|
||||
--- a/providers/fips/self_test.c
|
||||
+++ b/providers/fips/self_test.c
|
||||
@@ -221,6 +221,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
+ OPENSSL_cleanse(out, sizeof(out));
|
||||
OSSL_SELF_TEST_onend(ev, ret);
|
||||
EVP_MAC_CTX_free(ctx);
|
||||
EVP_MAC_free(mac);
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,101 +0,0 @@
|
||||
From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 17 Feb 2023 15:31:08 +0100
|
||||
Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen
|
||||
|
||||
Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
Verification Program, Section C.H requires guarantees about the
|
||||
uniqueness of key/iv pairs, and proposes a few approaches to ensure
|
||||
this. Provide an indicator for option 2 "The IV may be generated
|
||||
internally at its entirety randomly."
|
||||
|
||||
Resolves: rhbz#2168289
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
include/openssl/core_names.h | 1 +
|
||||
include/openssl/evp.h | 4 +++
|
||||
.../implementations/ciphers/ciphercommon.c | 4 +++
|
||||
.../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++
|
||||
4 files changed, 34 insertions(+)
|
||||
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 680bfbc7cc..832502a034 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -97,6 +97,7 @@ extern "C" {
|
||||
#define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */
|
||||
/* For passing the AlgorithmIdentifier parameter in DER form */
|
||||
#define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */
|
||||
+#define OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
|
||||
|
||||
#define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \
|
||||
"tls1multi_maxsndfrag" /* uint */
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index 49e8e1df78..ec2ba46fbd 100644
|
||||
--- a/include/openssl/evp.h
|
||||
+++ b/include/openssl/evp.h
|
||||
@@ -746,6 +746,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
|
||||
void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
|
||||
int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
|
||||
|
||||
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||
+
|
||||
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
||||
const unsigned char *key, const unsigned char *iv);
|
||||
/*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
|
||||
diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
|
||||
index fa383165d8..716add7339 100644
|
||||
--- a/providers/implementations/ciphers/ciphercommon.c
|
||||
+++ b/providers/implementations/ciphers/ciphercommon.c
|
||||
@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
|
||||
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
|
||||
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
|
||||
+ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
|
||||
+ * not work in ciphercommon.c because it is compiled only once into
|
||||
+ * libcommon.a */
|
||||
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
|
||||
diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
|
||||
index ed95c97ff4..db7910eb0e 100644
|
||||
--- a/providers/implementations/ciphers/ciphercommon_gcm.c
|
||||
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c
|
||||
@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
|| !getivgen(ctx, p->data, p->data_size))
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+ /* We would usually hide this under #ifdef FIPS_MODULE, but
|
||||
+ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
|
||||
+ * not work here. */
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||
+ * Verification Program, Section C.H requires guarantees about the
|
||||
+ * uniqueness of key/iv pairs, and proposes a few approaches to ensure
|
||||
+ * this. This provides an indicator for option 2 "The IV may be
|
||||
+ * generated internally at its entirety randomly." Note that one of the
|
||||
+ * conditions of this option is that "The IV length shall be at least
|
||||
+ * 96 bits (per SP 800-38D)." We do not specically check for this
|
||||
+ * condition here, because gcm_iv_generate will fail in this case. */
|
||||
+ if (ctx->enc && !ctx->iv_gen_rand)
|
||||
+ fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
--
|
||||
2.39.1
|
||||
|
@ -1,82 +0,0 @@
|
||||
From 56090fca0a0c8b6cf1782aced0a02349358aae7d Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 3 Mar 2023 12:22:03 +0100
|
||||
Subject: [PATCH 1/2] fips: Use salt >= 16 bytes in PBKDF2 selftest
|
||||
|
||||
NIST SP 800-132 [1] section 5.1 says "[t]he length of the
|
||||
randomly-generated portion of the salt shall be at least
|
||||
128 bits", which implies that the salt for PBKDF2 must be at least 16
|
||||
bytes long (see also Appendix A.2.1).
|
||||
|
||||
The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the
|
||||
properties of the Password and Salt parameters, as well as the desired
|
||||
length of the Master Key used in a CAST shall be among those supported
|
||||
by the module in the approved mode."
|
||||
|
||||
As a consequence, the salt length in the self test must be at least 16
|
||||
bytes long for FIPS 140-3 compliance. Switch the self test to use the
|
||||
only test vector from RFC 6070 that uses salt that is long enough to
|
||||
fulfil this requirement. Since RFC 6070 does not provide expected
|
||||
results for PBKDF2 with HMAC-SHA256, use the output from [3], which was
|
||||
generated with python cryptography, which was tested against the RFC
|
||||
6070 vectors with HMAC-SHA1.
|
||||
|
||||
[1]: https://doi.org/10.6028/NIST.SP.800-132
|
||||
[2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
|
||||
[3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/20429)
|
||||
|
||||
(cherry picked from commit 451cb23c41c90d5a02902b3a77551aa9ee1c6956)
|
||||
---
|
||||
providers/fips/self_test_data.inc | 22 ++++++++++++++++------
|
||||
1 file changed, 16 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
|
||||
index 8ae8cd6f4a..03adf28f3c 100644
|
||||
--- a/providers/fips/self_test_data.inc
|
||||
+++ b/providers/fips/self_test_data.inc
|
||||
@@ -361,19 +361,29 @@ static const ST_KAT_PARAM x963kdf_params[] = {
|
||||
};
|
||||
|
||||
static const char pbkdf2_digest[] = "SHA256";
|
||||
+/*
|
||||
+ * Input parameters from RFC 6070, vector 5 (because it is the only one with
|
||||
+ * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The
|
||||
+ * expected output is taken from
|
||||
+ * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md,
|
||||
+ * which ran these test vectors with SHA-256.
|
||||
+ */
|
||||
static const unsigned char pbkdf2_password[] = {
|
||||
- 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72,
|
||||
- 0x64
|
||||
+ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53,
|
||||
+ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64
|
||||
};
|
||||
static const unsigned char pbkdf2_salt[] = {
|
||||
- 0x73, 0x61, 0x00, 0x6c, 0x74
|
||||
+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74,
|
||||
+ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54,
|
||||
+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74
|
||||
};
|
||||
static const unsigned char pbkdf2_expected[] = {
|
||||
- 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89,
|
||||
- 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87,
|
||||
+ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8,
|
||||
+ 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
|
||||
+ 0x1c
|
||||
};
|
||||
static int pbkdf2_iterations = 4096;
|
||||
-static int pbkdf2_pkcs5 = 1;
|
||||
+static int pbkdf2_pkcs5 = 0;
|
||||
static const ST_KAT_PARAM pbkdf2_params[] = {
|
||||
ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest),
|
||||
ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password),
|
||||
--
|
||||
2.39.2
|
||||
|
@ -1,80 +0,0 @@
|
||||
From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 6 Mar 2023 12:32:04 +0100
|
||||
Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks
|
||||
|
||||
The pbkdf2 implementation in the FIPS provider supports the checks
|
||||
required by NIST, but allows disabling these checks by setting the
|
||||
OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate
|
||||
that the use of this configuration is not approved in FIPS mode. Add an
|
||||
explicit indicator to provide this indication.
|
||||
|
||||
Resolves: rhbz#2175145
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
|
||||
1 file changed, 37 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
|
||||
index aa0adce5e6..6df8c6d321 100644
|
||||
--- a/providers/implementations/kdfs/pbkdf2.c
|
||||
+++ b/providers/implementations/kdfs/pbkdf2.c
|
||||
@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
|
||||
|
||||
static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||
{
|
||||
+#ifdef FIPS_MODULE
|
||||
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM *p;
|
||||
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||
+
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||
+ any_valid = 1;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
||||
+ != NULL) {
|
||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ /* The lower_bound_checks parameter enables checks required by FIPS. If
|
||||
+ * those checks are disabled, the PBKDF2 implementation will also
|
||||
+ * support non-approved parameters (e.g., salt lengths < 16 bytes, see
|
||||
+ * NIST SP 800-132 section 5.1). */
|
||||
+ if (!ctx->lower_bound_checks)
|
||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
|
||||
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||
- return -2;
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+
|
||||
+ any_valid = 1;
|
||||
+ }
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
+ if (!any_valid)
|
||||
+ return -2;
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
||||
@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
||||
{
|
||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
return known_gettable_ctx_params;
|
||||
--
|
||||
2.39.2
|
||||
|
@ -1,148 +0,0 @@
|
||||
From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Fri, 17 Mar 2023 15:39:15 +0100
|
||||
Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator
|
||||
|
||||
NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||
confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||||
party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
|
||||
agreement schemes, but explicit key confirmation is not implemented and
|
||||
cannot be implemented without protocol changes, and the FIPS provider
|
||||
does not implement trusted third party validation, since it relies on
|
||||
its callers to do that. A request for guidance sent to NIST did clarify
|
||||
that OpenSSL can claim KTS-OAEP and RSASVE as approved, but we did add
|
||||
an indicator to mark them as unapproved previously and should thus keep
|
||||
the indicator available.
|
||||
|
||||
This does not affect RSA-OAEP decryption, because it is approved as
|
||||
a component according to the FIPS 140-3 IG, section 2.4.G.
|
||||
|
||||
Resolves: rhbz#2179331
|
||||
Resolves: RHEL-14083
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
include/openssl/core_names.h | 2 ++
|
||||
include/openssl/evp.h | 4 +++
|
||||
.../implementations/asymciphers/rsa_enc.c | 19 ++++++++++++
|
||||
providers/implementations/kem/rsa_kem.c | 29 ++++++++++++++++++-
|
||||
4 files changed, 53 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 832502a034..e15d208421 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -477,6 +477,7 @@ extern "C" {
|
||||
#ifdef FIPS_MODULE
|
||||
#define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed"
|
||||
#endif
|
||||
+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
|
||||
|
||||
/*
|
||||
* Encoder / decoder parameters
|
||||
@@ -511,6 +512,7 @@ extern "C" {
|
||||
|
||||
/* KEM parameters */
|
||||
#define OSSL_KEM_PARAM_OPERATION "operation"
|
||||
+#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
|
||||
|
||||
/* OSSL_KEM_PARAM_OPERATION values */
|
||||
#define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE"
|
||||
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||
index ec2ba46fbd..3803b03422 100644
|
||||
--- a/include/openssl/evp.h
|
||||
+++ b/include/openssl/evp.h
|
||||
@@ -1764,6 +1764,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
|
||||
OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
|
||||
# endif
|
||||
|
||||
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||
+
|
||||
EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
|
||||
const char *properties);
|
||||
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
|
||||
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
||||
index 568452ec56..2e7ea632d7 100644
|
||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
||||
@@ -452,6 +452,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
|
||||
return 0;
|
||||
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||||
+ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
|
||||
+ * explicit key confirmation is not implemented here and cannot be
|
||||
+ * implemented without protocol changes, and the FIPS provider does not
|
||||
+ * implement trusted third party validation, since it relies on its
|
||||
+ * callers to do that. A request for guidance sent to NIST resulted in
|
||||
+ * further clarification which allows OpenSSL to claim RSA-OAEP. */
|
||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -465,6 +483,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
|
||||
#ifdef FIPS_MODULE
|
||||
OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
|
||||
+ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
#endif /* FIPS_MODULE */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
|
||||
index 882cf16125..b4cc0f9237 100644
|
||||
--- a/providers/implementations/kem/rsa_kem.c
|
||||
+++ b/providers/implementations/kem/rsa_kem.c
|
||||
@@ -151,11 +151,38 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
|
||||
static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
{
|
||||
PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM *p;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+
|
||||
+ if (ctx == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
+#ifdef FIPS_MODULE
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);
|
||||
+ if (p != NULL) {
|
||||
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||||
+ * party (section 6.4.2.3.1) for key agreement or key transport, but
|
||||
+ * explicit key confirmation is not implemented here and cannot be
|
||||
+ * implemented without protocol changes, and the FIPS provider does not
|
||||
+ * implement trusted third party validation, since it relies on its
|
||||
+ * callers to do that. A request for guidance sent to NIST resulted in
|
||||
+ * further clarification which allows OpenSSL to claim RSASVE. */
|
||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
|
||||
- return ctx != NULL;
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
|
||||
+#ifdef FIPS_MODULE
|
||||
+ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
--
|
||||
2.39.2
|
||||
|
@ -1,539 +0,0 @@
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index e90e5dc03339..f391e756475c 100644
|
||||
--- a/crypto/err/openssl.txt
|
||||
+++ b/crypto/err/openssl.txt
|
||||
@@ -1006,6 +1006,7 @@ PROV_R_BN_ERROR:160:bn error
|
||||
PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed
|
||||
PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed
|
||||
PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed
|
||||
+PROV_R_EMS_NOT_ENABLED:233:ems not enabled
|
||||
PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK:186:entropy source strength too weak
|
||||
PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg
|
||||
PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 173a81d28bbe..5e5be567a578 100644
|
||||
--- a/include/openssl/core_names.h
|
||||
+++ b/include/openssl/core_names.h
|
||||
@@ -21,11 +21,12 @@ extern "C" {
|
||||
#define OSSL_PROV_PARAM_CORE_MODULE_FILENAME "module-filename" /* utf8_ptr */
|
||||
|
||||
/* Well known parameter names that Providers can define */
|
||||
-#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */
|
||||
-#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */
|
||||
-#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */
|
||||
-#define OSSL_PROV_PARAM_STATUS "status" /* uint */
|
||||
-#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */
|
||||
+#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */
|
||||
+#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */
|
||||
+#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */
|
||||
+#define OSSL_PROV_PARAM_STATUS "status" /* uint */
|
||||
+#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */
|
||||
+#define OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" /* uint */
|
||||
|
||||
/* Self test callback parameters */
|
||||
#define OSSL_PROV_PARAM_SELF_TEST_PHASE "st-phase" /* utf8_string */
|
||||
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
|
||||
index 0fdf5440c7cb..3f29369b3f92 100644
|
||||
--- a/include/openssl/fips_names.h
|
||||
+++ b/include/openssl/fips_names.h
|
||||
@@ -53,6 +53,14 @@ extern "C" {
|
||||
*/
|
||||
# define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks"
|
||||
|
||||
+/*
|
||||
+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
|
||||
+ * This is disabled by default.
|
||||
+ *
|
||||
+ * Type: OSSL_PARAM_UTF8_STRING
|
||||
+ */
|
||||
+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
|
||||
+
|
||||
# ifdef __cplusplus
|
||||
}
|
||||
# endif
|
||||
diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h
|
||||
index 3685430f5d3e..bf4dc135f592 100644
|
||||
--- a/include/openssl/proverr.h
|
||||
+++ b/include/openssl/proverr.h
|
||||
@@ -32,6 +32,7 @@
|
||||
# define PROV_R_CIPHER_OPERATION_FAILED 102
|
||||
# define PROV_R_DERIVATION_FUNCTION_INIT_FAILED 205
|
||||
# define PROV_R_DIGEST_NOT_ALLOWED 174
|
||||
+# define PROV_R_EMS_NOT_ENABLED 233
|
||||
# define PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK 186
|
||||
# define PROV_R_ERROR_INSTANTIATING_DRBG 188
|
||||
# define PROV_R_ERROR_RETRIEVING_ENTROPY 189
|
||||
diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h
|
||||
index 4a7f85f71186..62e60cc0103f 100644
|
||||
--- a/providers/common/include/prov/securitycheck.h
|
||||
+++ b/providers/common/include/prov/securitycheck.h
|
||||
@@ -28,3 +28,4 @@ int ossl_digest_get_approved_nid(const EVP_MD *md);
|
||||
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
int sha1_allowed);
|
||||
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx);
|
||||
+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx);
|
||||
diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c
|
||||
index f6144072aa04..954aabe80cfc 100644
|
||||
--- a/providers/common/provider_err.c
|
||||
+++ b/providers/common/provider_err.c
|
||||
@@ -33,6 +33,7 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
|
||||
"derivation function init failed"},
|
||||
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DIGEST_NOT_ALLOWED),
|
||||
"digest not allowed"},
|
||||
+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_EMS_NOT_ENABLED), "ems not enabled"},
|
||||
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK),
|
||||
"entropy source strength too weak"},
|
||||
{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_INSTANTIATING_DRBG),
|
||||
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
||||
index de7f0d3a0a57..63c875ecd0b7 100644
|
||||
--- a/providers/common/securitycheck_default.c
|
||||
+++ b/providers/common/securitycheck_default.c
|
||||
@@ -22,6 +22,12 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* Disable the ems check in the default provider */
|
||||
+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
int sha1_allowed)
|
||||
{
|
||||
diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c
|
||||
index b7659bd395c3..2bc8a5992685 100644
|
||||
--- a/providers/common/securitycheck_fips.c
|
||||
+++ b/providers/common/securitycheck_fips.c
|
||||
@@ -20,6 +20,7 @@
|
||||
#include "prov/securitycheck.h"
|
||||
|
||||
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
|
||||
+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx);
|
||||
|
||||
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||
{
|
||||
@@ -30,6 +31,11 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||
#endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||
}
|
||||
|
||||
+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
|
||||
+{
|
||||
+ return FIPS_tls_prf_ems_check(libctx);
|
||||
+}
|
||||
+
|
||||
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||
int sha1_allowed)
|
||||
{
|
||||
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
||||
index b86b27d236f3..b881f46f36ad 100644
|
||||
--- a/providers/fips/fipsprov.c
|
||||
+++ b/providers/fips/fipsprov.c
|
||||
@@ -47,6 +47,7 @@ static OSSL_FUNC_provider_query_operation_fn fips_query;
|
||||
#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
|
||||
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
|
||||
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
|
||||
+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx);
|
||||
|
||||
/*
|
||||
* Should these function pointers be stored in the provider side provctx? Could
|
||||
@@ -82,7 +83,9 @@ typedef struct fips_global_st {
|
||||
const OSSL_CORE_HANDLE *handle;
|
||||
SELF_TEST_POST_PARAMS selftest_params;
|
||||
int fips_security_checks;
|
||||
+ int fips_tls1_prf_ems_check;
|
||||
const char *fips_security_check_option;
|
||||
+ const char *fips_tls1_prf_ems_check_option;
|
||||
} FIPS_GLOBAL;
|
||||
|
||||
static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
|
||||
@@ -94,6 +97,9 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
|
||||
fgbl->fips_security_checks = 1;
|
||||
fgbl->fips_security_check_option = "1";
|
||||
|
||||
+ fgbl->fips_tls1_prf_ems_check = 1; /* Enabled by default */
|
||||
+ fgbl->fips_tls1_prf_ems_check_option = "1";
|
||||
+
|
||||
return fgbl;
|
||||
}
|
||||
|
||||
@@ -109,6 +115,7 @@ static const OSSL_PARAM fips_param_types[] = {
|
||||
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
|
||||
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
|
||||
OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0),
|
||||
+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0),
|
||||
OSSL_PARAM_END
|
||||
};
|
||||
|
||||
@@ -119,9 +126,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
|
||||
* NOTE: inside core_get_params() these will be loaded from config items
|
||||
* stored inside prov->parameters (except for
|
||||
* OSSL_PROV_PARAM_CORE_MODULE_FILENAME).
|
||||
- * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter.
|
||||
+ * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and
|
||||
+ * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters.
|
||||
*/
|
||||
- OSSL_PARAM core_params[8], *p = core_params;
|
||||
+ OSSL_PARAM core_params[9], *p = core_params;
|
||||
|
||||
*p++ = OSSL_PARAM_construct_utf8_ptr(
|
||||
OSSL_PROV_PARAM_CORE_MODULE_FILENAME,
|
||||
@@ -151,6 +159,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
|
||||
OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
|
||||
(char **)&fgbl->fips_security_check_option,
|
||||
sizeof(fgbl->fips_security_check_option));
|
||||
+ *p++ = OSSL_PARAM_construct_utf8_ptr(
|
||||
+ OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK,
|
||||
+ (char **)&fgbl->fips_tls1_prf_ems_check_option,
|
||||
+ sizeof(fgbl->fips_tls1_prf_ems_check_option));
|
||||
*p = OSSL_PARAM_construct_end();
|
||||
|
||||
if (!c_get_params(fgbl->handle, core_params)) {
|
||||
@@ -187,6 +199,9 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
|
||||
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS);
|
||||
if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_security_checks))
|
||||
return 0;
|
||||
+ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK);
|
||||
+ if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_tls1_prf_ems_check))
|
||||
+ return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -703,6 +718,11 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
|
||||
&& strcmp(fgbl->fips_security_check_option, "0") == 0)
|
||||
fgbl->fips_security_checks = 0;
|
||||
|
||||
+ /* Disable the ems check if it's disabled in the fips config file. */
|
||||
+ if (fgbl->fips_tls1_prf_ems_check_option != NULL
|
||||
+ && strcmp(fgbl->fips_tls1_prf_ems_check_option, "0") == 0)
|
||||
+ fgbl->fips_tls1_prf_ems_check = 0;
|
||||
+
|
||||
ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers);
|
||||
|
||||
if (!SELF_TEST_post(&fgbl->selftest_params, 0)) {
|
||||
@@ -898,6 +918,15 @@ int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx)
|
||||
return fgbl->fips_security_checks;
|
||||
}
|
||||
|
||||
+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx)
|
||||
+{
|
||||
+ FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx,
|
||||
+ OSSL_LIB_CTX_FIPS_PROV_INDEX,
|
||||
+ &fips_prov_ossl_ctx_method);
|
||||
+
|
||||
+ return fgbl->fips_tls1_prf_ems_check;
|
||||
+}
|
||||
+
|
||||
void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb,
|
||||
void **cbarg)
|
||||
{
|
||||
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
||||
index 8a3807308408..2c2dbf31cc0b 100644
|
||||
--- a/providers/implementations/kdfs/tls1_prf.c
|
||||
+++ b/providers/implementations/kdfs/tls1_prf.c
|
||||
@@ -45,6 +45,13 @@
|
||||
* A(0) = seed
|
||||
* A(i) = HMAC_<hash>(secret, A(i-1))
|
||||
*/
|
||||
+
|
||||
+/*
|
||||
+ * Low level APIs (such as DH) are deprecated for public use, but still ok for
|
||||
+ * internal use.
|
||||
+ */
|
||||
+#include "internal/deprecated.h"
|
||||
+
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
@@ -60,6 +67,7 @@
|
||||
#include "prov/providercommon.h"
|
||||
#include "prov/implementations.h"
|
||||
#include "prov/provider_util.h"
|
||||
+#include "prov/securitycheck.h"
|
||||
#include "e_os.h"
|
||||
|
||||
static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new;
|
||||
@@ -78,6 +86,8 @@ static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx,
|
||||
unsigned char *out, size_t olen);
|
||||
|
||||
#define TLS1_PRF_MAXBUF 1024
|
||||
+#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"
|
||||
+#define TLS_MD_MASTER_SECRET_CONST_SIZE 13
|
||||
|
||||
/* TLS KDF kdf context structure */
|
||||
typedef struct {
|
||||
@@ -160,6 +170,7 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
const OSSL_PARAM params[])
|
||||
{
|
||||
TLS1_PRF *ctx = (TLS1_PRF *)vctx;
|
||||
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
|
||||
|
||||
if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params))
|
||||
return 0;
|
||||
@@ -181,6 +192,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||
ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
#endif /* defined(FIPS_MODULE) */
|
||||
|
||||
+ /*
|
||||
+ * The seed buffer is prepended with a label.
|
||||
+ * If EMS mode is enforced then the label "master secret" is not allowed,
|
||||
+ * We do the check this way since the PRF is used for other purposes, as well
|
||||
+ * as "extended master secret".
|
||||
+ */
|
||||
+#ifdef FIPS_MODULE
|
||||
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||||
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
|
||||
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
|
||||
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+#endif /* defined(FIPS_MODULE) */
|
||||
+ if (ossl_tls1_prf_ems_check_enabled(libctx)) {
|
||||
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||||
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
|
||||
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
|
||||
ctx->sec, ctx->seclen,
|
||||
ctx->seed, ctx->seedlen,
|
||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||
index 3a8242d2d8c8..b0fbb504689e 100644
|
||||
--- a/test/sslapitest.c
|
||||
+++ b/test/sslapitest.c
|
||||
@@ -99,6 +99,7 @@ static char *tmpfilename = NULL;
|
||||
static char *dhfile = NULL;
|
||||
|
||||
static int is_fips = 0;
|
||||
+static int fips_ems_check = 0;
|
||||
|
||||
#define LOG_BUFFER_SIZE 2048
|
||||
static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
|
||||
@@ -796,7 +797,7 @@ static int test_no_ems(void)
|
||||
{
|
||||
SSL_CTX *cctx = NULL, *sctx = NULL;
|
||||
SSL *clientssl = NULL, *serverssl = NULL;
|
||||
- int testresult = 0;
|
||||
+ int testresult = 0, status;
|
||||
|
||||
if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
|
||||
TLS1_VERSION, TLS1_2_VERSION,
|
||||
@@ -812,19 +813,25 @@ static int test_no_ems(void)
|
||||
goto end;
|
||||
}
|
||||
|
||||
- if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) {
|
||||
- printf("Creating SSL connection failed\n");
|
||||
- goto end;
|
||||
- }
|
||||
-
|
||||
- if (SSL_get_extms_support(serverssl)) {
|
||||
- printf("Server reports Extended Master Secret support\n");
|
||||
- goto end;
|
||||
- }
|
||||
-
|
||||
- if (SSL_get_extms_support(clientssl)) {
|
||||
- printf("Client reports Extended Master Secret support\n");
|
||||
- goto end;
|
||||
+ status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE);
|
||||
+ if (fips_ems_check) {
|
||||
+ if (status == 1) {
|
||||
+ printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!status) {
|
||||
+ printf("Creating SSL connection failed\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ if (SSL_get_extms_support(serverssl)) {
|
||||
+ printf("Server reports Extended Master Secret support\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
+ if (SSL_get_extms_support(clientssl)) {
|
||||
+ printf("Client reports Extended Master Secret support\n");
|
||||
+ goto end;
|
||||
+ }
|
||||
}
|
||||
testresult = 1;
|
||||
|
||||
@@ -10740,9 +10747,24 @@ int setup_tests(void)
|
||||
&& !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
|
||||
return 0;
|
||||
|
||||
- if (strcmp(modulename, "fips") == 0)
|
||||
+ if (strcmp(modulename, "fips") == 0) {
|
||||
+ OSSL_PROVIDER *prov = NULL;
|
||||
+ OSSL_PARAM params[2];
|
||||
+
|
||||
is_fips = 1;
|
||||
|
||||
+ prov = OSSL_PROVIDER_load(libctx, "fips");
|
||||
+ if (prov != NULL) {
|
||||
+ /* Query the fips provider to check if the check ems option is enabled */
|
||||
+ params[0] =
|
||||
+ OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
|
||||
+ &fips_ems_check);
|
||||
+ params[1] = OSSL_PARAM_construct_end();
|
||||
+ OSSL_PROVIDER_get_params(prov, params);
|
||||
+ OSSL_PROVIDER_unload(prov);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* We add, but don't load the test "tls-provider". We'll load it when we
|
||||
* need it.
|
||||
@@ -10816,6 +10838,12 @@ int setup_tests(void)
|
||||
if (privkey8192 == NULL)
|
||||
goto err;
|
||||
|
||||
+ if (fips_ems_check) {
|
||||
+#ifndef OPENSSL_NO_TLS1_2
|
||||
+ ADD_TEST(test_no_ems);
|
||||
+#endif
|
||||
+ return 1;
|
||||
+ }
|
||||
#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
|
||||
# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
|
||||
ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4);
|
||||
diff -up openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||||
--- openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx 2023-04-17 13:04:21.078501747 +0200
|
||||
+++ openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt 2023-04-17 13:11:03.189059638 +0200
|
||||
@@ -13,6 +13,7 @@
|
||||
|
||||
Title = TLS12 PRF tests (from NIST test vectors)
|
||||
|
||||
+Availablein = default
|
||||
KDF = TLS1-PRF
|
||||
Ctrl.digest = digest:SHA256
|
||||
Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
|
||||
@@ -21,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3
|
||||
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||||
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||
|
||||
+Availablein = fips
|
||||
+KDF = TLS1-PRF
|
||||
+Ctrl.digest = digest:SHA256
|
||||
+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
|
||||
+Ctrl.label = seed:master secret
|
||||
+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
|
||||
+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||||
+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||
+Result = KDF_DERIVE_ERROR
|
||||
+
|
||||
KDF = TLS1-PRF
|
||||
Ctrl.digest = digest:SHA256
|
||||
Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||
diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c
|
||||
--- openssl-3.0.7/ssl/t1_enc.c.noems 2023-05-05 11:15:57.934415272 +0200
|
||||
+++ openssl-3.0.7/ssl/t1_enc.c 2023-05-05 11:39:03.578163778 +0200
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/trace.h>
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
/* seed1 through seed5 are concatenated */
|
||||
static int tls1_PRF(SSL *s,
|
||||
@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
|
||||
}
|
||||
|
||||
err:
|
||||
- if (fatal)
|
||||
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
+ if (fatal) {
|
||||
+ /* The calls to this function are local so it's safe to implement the check */
|
||||
+ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||||
+ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
||||
+ else
|
||||
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
+ }
|
||||
else
|
||||
ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
|
||||
EVP_KDF_CTX_free(kctx);
|
||||
diff -up openssl-3.0.7/ssl/statem/extensions_srvr.c.noems openssl-3.0.7/ssl/statem/extensions_srvr.c
|
||||
--- openssl-3.0.7/ssl/statem/extensions_srvr.c.noems 2023-05-05 17:14:04.663800271 +0200
|
||||
+++ openssl-3.0.7/ssl/statem/extensions_srvr.c 2023-05-05 17:20:33.764599507 +0200
|
||||
@@ -11,6 +11,7 @@
|
||||
#include "../ssl_local.h"
|
||||
#include "statem_local.h"
|
||||
#include "internal/cryptlib.h"
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
#define COOKIE_STATE_FORMAT_VERSION 1
|
||||
|
||||
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s
|
||||
EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
|
||||
X509 *x, size_t chainidx)
|
||||
{
|
||||
- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
|
||||
+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
|
||||
+ if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
|
||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
||||
+ return EXT_RETURN_FAIL;
|
||||
+ }
|
||||
return EXT_RETURN_NOT_SENT;
|
||||
+ }
|
||||
|
||||
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|
||||
|| !WPACKET_put_bytes_u16(pkt, 0)) {
|
||||
diff -up openssl-3.0.7/include/openssl/ssl.h.in.fipsems openssl-3.0.7/include/openssl/ssl.h.in
|
||||
--- openssl-3.0.7/include/openssl/ssl.h.in.fipsems 2023-07-11 12:35:27.951610366 +0200
|
||||
+++ openssl-3.0.7/include/openssl/ssl.h.in 2023-07-11 12:36:25.234754680 +0200
|
||||
@@ -412,6 +412,7 @@ typedef int (*SSL_async_callback_fn)(SSL
|
||||
* interoperability with CryptoPro CSP 3.x
|
||||
*/
|
||||
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
|
||||
+# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
|
||||
|
||||
/*
|
||||
* Option "collections."
|
||||
diff -up openssl-3.0.7/ssl/ssl_conf.c.fipsems openssl-3.0.7/ssl/ssl_conf.c
|
||||
--- openssl-3.0.7/ssl/ssl_conf.c.fipsems 2023-07-11 12:36:51.465278672 +0200
|
||||
+++ openssl-3.0.7/ssl/ssl_conf.c 2023-07-11 12:44:53.365675720 +0200
|
||||
@@ -387,6 +387,7 @@ static const ssl_conf_cmd_tbl ssl_conf_c
|
||||
SSL_FLAG_TBL("ClientRenegotiation",
|
||||
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
|
||||
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
|
||||
+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
|
||||
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
|
||||
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
|
||||
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
|
||||
diff -up openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod
|
||||
--- openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems 2023-07-12 13:54:22.508235187 +0200
|
||||
+++ openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod 2023-07-12 13:56:51.089613902 +0200
|
||||
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended ma
|
||||
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
|
||||
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
|
||||
|
||||
+B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
|
||||
+This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.
|
||||
+
|
||||
B<CANames>: use CA names extension, enabled by
|
||||
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
|
||||
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
|
||||
diff -up openssl-3.0.7/doc/man5/fips_config.pod.fipsems openssl-3.0.7/doc/man5/fips_config.pod
|
||||
--- openssl-3.0.7/doc/man5/fips_config.pod.fipsems 2023-07-12 15:39:57.732206731 +0200
|
||||
+++ openssl-3.0.7/doc/man5/fips_config.pod 2023-07-12 15:53:45.722885419 +0200
|
||||
@@ -11,6 +11,19 @@ automatically loaded when the system is
|
||||
environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
||||
for more information.
|
||||
|
||||
+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
|
||||
+OpenSSL configuration directory and managed by crypto policies. If present, it
|
||||
+should have format
|
||||
+
|
||||
+ [fips_sect]
|
||||
+ tls1-prf-ems-check = 0
|
||||
+ activate = 1
|
||||
+
|
||||
+The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
|
||||
+presence of extended master secret or not.
|
||||
+
|
||||
+The B<activate> option enforces FIPS provider activation.
|
||||
+
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
@ -1,195 +0,0 @@
|
||||
diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
|
||||
index 18b53cc09e..cba107ca03 100644
|
||||
--- a/crypto/x509/pcy_local.h
|
||||
+++ b/crypto/x509/pcy_local.h
|
||||
@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
|
||||
};
|
||||
|
||||
struct X509_POLICY_TREE_st {
|
||||
+ /* The number of nodes in the tree */
|
||||
+ size_t node_count;
|
||||
+ /* The maximum number of nodes in the tree */
|
||||
+ size_t node_maximum;
|
||||
+
|
||||
/* This is the tree 'level' data */
|
||||
X509_POLICY_LEVEL *levels;
|
||||
int nlevel;
|
||||
@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
|
||||
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
X509_POLICY_DATA *data,
|
||||
X509_POLICY_NODE *parent,
|
||||
- X509_POLICY_TREE *tree);
|
||||
+ X509_POLICY_TREE *tree,
|
||||
+ int extra_data);
|
||||
void ossl_policy_node_free(X509_POLICY_NODE *node);
|
||||
int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
|
||||
const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
|
||||
diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
|
||||
index 9d9a7ea179..450f95a655 100644
|
||||
--- a/crypto/x509/pcy_node.c
|
||||
+++ b/crypto/x509/pcy_node.c
|
||||
@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
|
||||
X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
X509_POLICY_DATA *data,
|
||||
X509_POLICY_NODE *parent,
|
||||
- X509_POLICY_TREE *tree)
|
||||
+ X509_POLICY_TREE *tree,
|
||||
+ int extra_data)
|
||||
{
|
||||
X509_POLICY_NODE *node;
|
||||
|
||||
+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
|
||||
+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
|
||||
+ return NULL;
|
||||
+
|
||||
node = OPENSSL_zalloc(sizeof(*node));
|
||||
if (node == NULL) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
}
|
||||
node->data = data;
|
||||
node->parent = parent;
|
||||
- if (level) {
|
||||
+ if (level != NULL) {
|
||||
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
|
||||
if (level->anyPolicy)
|
||||
goto node_error;
|
||||
@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
}
|
||||
}
|
||||
|
||||
- if (tree) {
|
||||
+ if (extra_data) {
|
||||
if (tree->extra_data == NULL)
|
||||
tree->extra_data = sk_X509_POLICY_DATA_new_null();
|
||||
if (tree->extra_data == NULL){
|
||||
@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
|
||||
}
|
||||
}
|
||||
|
||||
+ tree->node_count++;
|
||||
if (parent)
|
||||
parent->nchild++;
|
||||
|
||||
diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
|
||||
index fa45da5117..f953a05a41 100644
|
||||
--- a/crypto/x509/pcy_tree.c
|
||||
+++ b/crypto/x509/pcy_tree.c
|
||||
@@ -14,6 +14,17 @@
|
||||
|
||||
#include "pcy_local.h"
|
||||
|
||||
+/*
|
||||
+ * If the maximum number of nodes in the policy tree isn't defined, set it to
|
||||
+ * a generous default of 1000 nodes.
|
||||
+ *
|
||||
+ * Defining this to be zero means unlimited policy tree growth which opens the
|
||||
+ * door on CVE-2023-0464.
|
||||
+ */
|
||||
+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
|
||||
+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
|
||||
+#endif
|
||||
+
|
||||
static void expected_print(BIO *channel,
|
||||
X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
|
||||
int indent)
|
||||
@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
|
||||
return X509_PCY_TREE_INTERNAL;
|
||||
}
|
||||
|
||||
+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */
|
||||
+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
|
||||
+
|
||||
/*
|
||||
* http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
|
||||
*
|
||||
@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
|
||||
if ((data = ossl_policy_data_new(NULL,
|
||||
OBJ_nid2obj(NID_any_policy), 0)) == NULL)
|
||||
goto bad_tree;
|
||||
- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) {
|
||||
+ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
|
||||
ossl_policy_data_free(data);
|
||||
goto bad_tree;
|
||||
}
|
||||
@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
|
||||
* Return value: 1 on success, 0 otherwise
|
||||
*/
|
||||
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
|
||||
- X509_POLICY_DATA *data)
|
||||
+ X509_POLICY_DATA *data,
|
||||
+ X509_POLICY_TREE *tree)
|
||||
{
|
||||
X509_POLICY_LEVEL *last = curr - 1;
|
||||
int i, matched = 0;
|
||||
@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
|
||||
X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
|
||||
|
||||
if (ossl_policy_node_match(last, node, data->valid_policy)) {
|
||||
- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL)
|
||||
+ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
|
||||
return 0;
|
||||
matched = 1;
|
||||
}
|
||||
}
|
||||
if (!matched && last->anyPolicy) {
|
||||
- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
|
||||
+ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
|
||||
* Return value: 1 on success, 0 otherwise.
|
||||
*/
|
||||
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
|
||||
- const X509_POLICY_CACHE *cache)
|
||||
+ const X509_POLICY_CACHE *cache,
|
||||
+ X509_POLICY_TREE *tree)
|
||||
{
|
||||
int i;
|
||||
|
||||
@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
|
||||
X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
|
||||
|
||||
/* Look for matching nodes in previous level */
|
||||
- if (!tree_link_matching_nodes(curr, data))
|
||||
+ if (!tree_link_matching_nodes(curr, data, tree))
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
|
||||
/* Curr may not have anyPolicy */
|
||||
data->qualifier_set = cache->anyPolicy->qualifier_set;
|
||||
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
|
||||
- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) {
|
||||
+ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
|
||||
ossl_policy_data_free(data);
|
||||
return 0;
|
||||
}
|
||||
@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
|
||||
/* Finally add link to anyPolicy */
|
||||
if (last->anyPolicy &&
|
||||
ossl_policy_level_add_node(curr, cache->anyPolicy,
|
||||
- last->anyPolicy, NULL) == NULL)
|
||||
+ last->anyPolicy, tree, 0) == NULL)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
|
||||
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
|
||||
| POLICY_DATA_FLAG_EXTRA_NODE;
|
||||
node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent,
|
||||
- tree);
|
||||
+ tree, 1);
|
||||
}
|
||||
if (!tree->user_policies) {
|
||||
tree->user_policies = sk_X509_POLICY_NODE_new_null();
|
||||
@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
|
||||
|
||||
for (i = 1; i < tree->nlevel; i++, curr++) {
|
||||
cache = ossl_policy_cache_set(curr->cert);
|
||||
- if (!tree_link_nodes(curr, cache))
|
||||
+ if (!tree_link_nodes(curr, cache, tree))
|
||||
return X509_PCY_TREE_INTERNAL;
|
||||
|
||||
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
|
@ -1,179 +0,0 @@
|
||||
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
|
||||
index 9384f1da9b..a0282c3ef1 100644
|
||||
--- a/crypto/x509/x509_vfy.c
|
||||
+++ b/crypto/x509/x509_vfy.c
|
||||
@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
|
||||
goto memerr;
|
||||
/* Invalid or inconsistent extensions */
|
||||
if (ret == X509_PCY_TREE_INVALID) {
|
||||
- int i;
|
||||
+ int i, cbcalled = 0;
|
||||
|
||||
/* Locate certificates with bad extensions and notify callback. */
|
||||
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
|
||||
+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
|
||||
X509 *x = sk_X509_value(ctx->chain, i);
|
||||
|
||||
+ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
|
||||
+ cbcalled = 1;
|
||||
CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
|
||||
ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
|
||||
}
|
||||
+ if (!cbcalled) {
|
||||
+ /* Should not be able to get here */
|
||||
+ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ /* The callback ignored the error so we return success */
|
||||
return 1;
|
||||
}
|
||||
if (ret == X509_PCY_TREE_FAILURE) {
|
||||
diff --git a/test/certs/ca-pol-cert.pem b/test/certs/ca-pol-cert.pem
|
||||
new file mode 100644
|
||||
index 0000000000..244af3292b
|
||||
--- /dev/null
|
||||
+++ b/test/certs/ca-pol-cert.pem
|
||||
@@ -0,0 +1,19 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
|
||||
+IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD
|
||||
+DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
|
||||
+j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
|
||||
+n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
|
||||
+l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
|
||||
+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
|
||||
+ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
|
||||
+CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD
|
||||
+VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE
|
||||
+PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3
|
||||
+DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7
|
||||
+Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H
|
||||
+unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ
|
||||
+7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g
|
||||
+DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C
|
||||
+9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/certs/ee-cert-policies-bad.pem b/test/certs/ee-cert-policies-bad.pem
|
||||
new file mode 100644
|
||||
index 0000000000..0fcd6372b3
|
||||
--- /dev/null
|
||||
+++ b/test/certs/ee-cert-policies-bad.pem
|
||||
@@ -0,0 +1,20 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
|
||||
+Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy
|
||||
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
|
||||
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
|
||||
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
|
||||
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
|
||||
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
|
||||
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
|
||||
+iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H
|
||||
+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC
|
||||
+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w
|
||||
+bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G
|
||||
+CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ
|
||||
+P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs
|
||||
+YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N
|
||||
+XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa
|
||||
+QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx
|
||||
+wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/certs/ee-cert-policies.pem b/test/certs/ee-cert-policies.pem
|
||||
new file mode 100644
|
||||
index 0000000000..2f06d7433f
|
||||
--- /dev/null
|
||||
+++ b/test/certs/ee-cert-policies.pem
|
||||
@@ -0,0 +1,20 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
|
||||
+Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy
|
||||
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
|
||||
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
|
||||
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
|
||||
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
|
||||
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
|
||||
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
|
||||
+iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H
|
||||
+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC
|
||||
+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w
|
||||
+bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB
|
||||
+AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D
|
||||
+QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl
|
||||
+CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa
|
||||
+dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK
|
||||
+NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk
|
||||
+D3brBn24UISaFRZoB7jsjok=
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
|
||||
index c3f7ac14b5..a57d9f38dc 100755
|
||||
--- a/test/certs/mkcert.sh
|
||||
+++ b/test/certs/mkcert.sh
|
||||
@@ -119,11 +119,12 @@ genca() {
|
||||
local OPTIND=1
|
||||
local purpose=
|
||||
|
||||
- while getopts p: o
|
||||
+ while getopts p:c: o
|
||||
do
|
||||
case $o in
|
||||
p) purpose="$OPTARG";;
|
||||
- *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2
|
||||
+ c) certpol="$OPTARG";;
|
||||
+ *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2
|
||||
return 1;;
|
||||
esac
|
||||
done
|
||||
@@ -146,6 +147,10 @@ genca() {
|
||||
if [ -n "$NC" ]; then
|
||||
exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
|
||||
fi
|
||||
+ if [ -n "$certpol" ]; then
|
||||
+ exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol")
|
||||
+ fi
|
||||
+
|
||||
csr=$(req "$key" "CN = $cn") || return 1
|
||||
echo "$csr" |
|
||||
cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
|
||||
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
|
||||
index 2240cd9df0..76ceadc7d8 100755
|
||||
--- a/test/certs/setup.sh
|
||||
+++ b/test/certs/setup.sh
|
||||
@@ -440,3 +440,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \
|
||||
|
||||
# critical id-pkix-ocsp-no-check extension
|
||||
./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00"
|
||||
+
|
||||
+# certificatePolicies extension
|
||||
+./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert
|
||||
+./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1"
|
||||
+# We can create a cert with a duplicate policy oid - but its actually invalid!
|
||||
+./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1"
|
||||
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
|
||||
index 2a4c36e86d..818c9ac50d 100644
|
||||
--- a/test/recipes/25-test_verify.t
|
||||
+++ b/test/recipes/25-test_verify.t
|
||||
@@ -29,7 +29,7 @@ sub verify {
|
||||
run(app([@args]));
|
||||
}
|
||||
|
||||
-plan tests => 163;
|
||||
+plan tests => 165;
|
||||
|
||||
# Canonical success
|
||||
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
||||
@@ -516,3 +516,14 @@ SKIP: {
|
||||
ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])),
|
||||
'Mixed key + cert file test');
|
||||
}
|
||||
+
|
||||
+# Certificate Policies
|
||||
+ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"],
|
||||
+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
|
||||
+ "-explicit_policy"),
|
||||
+ "Certificate policy");
|
||||
+
|
||||
+ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"],
|
||||
+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
|
||||
+ "-explicit_policy"),
|
||||
+ "Bad certificate policy");
|
@ -1,27 +0,0 @@
|
||||
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
|
||||
index 75a1677022..43c1900bca 100644
|
||||
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
|
||||
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
|
||||
@@ -98,8 +98,9 @@ B<trust>.
|
||||
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
|
||||
B<t>. Normally the current time is used.
|
||||
|
||||
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
|
||||
-by default) and adds B<policy> to the acceptable policy set.
|
||||
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
|
||||
+Contrary to preexisting documentation of this function it does not enable
|
||||
+policy checking.
|
||||
|
||||
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
|
||||
by default) and sets the acceptable policy set to B<policies>. Any existing
|
||||
@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
|
||||
The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
|
||||
and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
|
||||
|
||||
+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
|
||||
+enabling policy checking however the implementation has never done this.
|
||||
+The documentation was changed to align with the implementation.
|
||||
+
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
|
@ -1,20 +0,0 @@
|
||||
--- a/crypto/aes/asm/aesv8-armx.pl
|
||||
+++ b/crypto/aes/asm/aesv8-armx.pl
|
||||
@@ -3353,7 +3353,7 @@ $code.=<<___ if ($flavour =~ /64/);
|
||||
.align 4
|
||||
.Lxts_dec_tail4x:
|
||||
add $inp,$inp,#16
|
||||
- vld1.32 {$dat0},[$inp],#16
|
||||
+ tst $tailcnt,#0xf
|
||||
veor $tmp1,$dat1,$tmp0
|
||||
vst1.8 {$tmp1},[$out],#16
|
||||
veor $tmp2,$dat2,$tmp2
|
||||
@@ -3362,6 +3362,8 @@ $code.=<<___ if ($flavour =~ /64/);
|
||||
veor $tmp4,$dat4,$tmp4
|
||||
vst1.8 {$tmp3-$tmp4},[$out],#32
|
||||
|
||||
+ b.eq .Lxts_dec_abort
|
||||
+ vld1.32 {$dat0},[$inp],#16
|
||||
b .Lxts_done
|
||||
.align 4
|
||||
.Lxts_outer_dec_tail:
|
File diff suppressed because it is too large
Load Diff
@ -1,30 +0,0 @@
|
||||
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
|
||||
index 01cde00e98..c0e55197a0 100644
|
||||
--- a/crypto/objects/obj_dat.c
|
||||
+++ b/crypto/objects/obj_dat.c
|
||||
@@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
|
||||
first = 1;
|
||||
bl = NULL;
|
||||
|
||||
+ /*
|
||||
+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
|
||||
+ *
|
||||
+ * > 3.5. OBJECT IDENTIFIER values
|
||||
+ * >
|
||||
+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative
|
||||
+ * > numbers. For the SMIv2, each number in the list is referred to as a
|
||||
+ * > sub-identifier, there are at most 128 sub-identifiers in a value,
|
||||
+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
|
||||
+ * > decimal).
|
||||
+ *
|
||||
+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
|
||||
+ * i.e. 586 bytes long.
|
||||
+ *
|
||||
+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
|
||||
+ */
|
||||
+ if (len > 586)
|
||||
+ goto err;
|
||||
+
|
||||
while (len > 0) {
|
||||
l = 0;
|
||||
use_bn = 0;
|
@ -1,244 +0,0 @@
|
||||
diff --git a/crypto/context.c b/crypto/context.c
|
||||
index bdfc4d02a3f0..548665fba265 100644
|
||||
--- a/crypto/context.c
|
||||
+++ b/crypto/context.c
|
||||
@@ -15,6 +15,7 @@
|
||||
#include "internal/bio.h"
|
||||
#include "internal/provider.h"
|
||||
#include "crypto/ctype.h"
|
||||
+#include "crypto/rand.h"
|
||||
|
||||
# include <sys/types.h>
|
||||
# include <sys/stat.h>
|
||||
@@ -271,6 +272,20 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx)
|
||||
|
||||
return NULL;
|
||||
}
|
||||
+
|
||||
+void ossl_release_default_drbg_ctx(void)
|
||||
+{
|
||||
+ int dynidx = default_context_int.dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX];
|
||||
+
|
||||
+ /* early release of the DRBG in global default libctx, no locking */
|
||||
+ if (dynidx != -1) {
|
||||
+ void *data;
|
||||
+
|
||||
+ data = CRYPTO_get_ex_data(&default_context_int.data, dynidx);
|
||||
+ ossl_rand_ctx_free(data);
|
||||
+ CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL);
|
||||
+ }
|
||||
+}
|
||||
#endif
|
||||
|
||||
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx)
|
||||
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
|
||||
index c453d3226133..f341d915db76 100644
|
||||
--- a/crypto/rand/rand_lib.c
|
||||
+++ b/crypto/rand/rand_lib.c
|
||||
@@ -96,6 +96,7 @@ void ossl_rand_cleanup_int(void)
|
||||
CRYPTO_THREAD_lock_free(rand_meth_lock);
|
||||
rand_meth_lock = NULL;
|
||||
# endif
|
||||
+ ossl_release_default_drbg_ctx();
|
||||
rand_inited = 0;
|
||||
}
|
||||
|
||||
@@ -469,7 +470,7 @@ static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-static void rand_ossl_ctx_free(void *vdgbl)
|
||||
+void ossl_rand_ctx_free(void *vdgbl)
|
||||
{
|
||||
RAND_GLOBAL *dgbl = vdgbl;
|
||||
|
||||
@@ -494,7 +495,7 @@ static void rand_ossl_ctx_free(void *vdgbl)
|
||||
static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = {
|
||||
OSSL_LIB_CTX_METHOD_PRIORITY_2,
|
||||
rand_ossl_ctx_new,
|
||||
- rand_ossl_ctx_free,
|
||||
+ ossl_rand_ctx_free,
|
||||
};
|
||||
|
||||
static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx)
|
||||
diff --git a/engines/e_dasync.c b/engines/e_dasync.c
|
||||
index 5a303a9f8528..7974106ae219 100644
|
||||
--- a/engines/e_dasync.c
|
||||
+++ b/engines/e_dasync.c
|
||||
@@ -139,6 +139,14 @@ static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
const unsigned char *in, size_t inl);
|
||||
static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx);
|
||||
|
||||
+static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
|
||||
+ void *ptr);
|
||||
+static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
+ const unsigned char *iv, int enc);
|
||||
+static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
+ const unsigned char *in, size_t inl);
|
||||
+static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx);
|
||||
+
|
||||
static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
|
||||
int arg, void *ptr);
|
||||
static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
|
||||
@@ -171,6 +179,12 @@ static const EVP_CIPHER *dasync_aes_128_cbc(void)
|
||||
return _hidden_aes_128_cbc;
|
||||
}
|
||||
|
||||
+static EVP_CIPHER *_hidden_aes_256_ctr = NULL;
|
||||
+static const EVP_CIPHER *dasync_aes_256_ctr(void)
|
||||
+{
|
||||
+ return _hidden_aes_256_ctr;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Holds the EVP_CIPHER object for aes_128_cbc_hmac_sha1 in this engine. Set up
|
||||
* once only during engine bind and can then be reused many times.
|
||||
@@ -192,8 +206,10 @@ static const EVP_CIPHER *dasync_aes_128_cbc_hmac_sha1(void)
|
||||
static void destroy_ciphers(void)
|
||||
{
|
||||
EVP_CIPHER_meth_free(_hidden_aes_128_cbc);
|
||||
+ EVP_CIPHER_meth_free(_hidden_aes_256_ctr);
|
||||
EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1);
|
||||
_hidden_aes_128_cbc = NULL;
|
||||
+ _hidden_aes_256_ctr = NULL;
|
||||
_hidden_aes_128_cbc_hmac_sha1 = NULL;
|
||||
}
|
||||
|
||||
@@ -202,6 +218,7 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
|
||||
|
||||
static int dasync_cipher_nids[] = {
|
||||
NID_aes_128_cbc,
|
||||
+ NID_aes_256_ctr,
|
||||
NID_aes_128_cbc_hmac_sha1,
|
||||
0
|
||||
};
|
||||
@@ -284,6 +301,30 @@ static int bind_dasync(ENGINE *e)
|
||||
_hidden_aes_128_cbc = NULL;
|
||||
}
|
||||
|
||||
+ _hidden_aes_256_ctr = EVP_CIPHER_meth_new(NID_aes_256_ctr,
|
||||
+ 1 /* block size */,
|
||||
+ 32 /* key len */);
|
||||
+ if (_hidden_aes_256_ctr == NULL
|
||||
+ || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_256_ctr,16)
|
||||
+ || !EVP_CIPHER_meth_set_flags(_hidden_aes_256_ctr,
|
||||
+ EVP_CIPH_FLAG_DEFAULT_ASN1
|
||||
+ | EVP_CIPH_CTR_MODE
|
||||
+ | EVP_CIPH_FLAG_PIPELINE
|
||||
+ | EVP_CIPH_CUSTOM_COPY)
|
||||
+ || !EVP_CIPHER_meth_set_init(_hidden_aes_256_ctr,
|
||||
+ dasync_aes256_init_key)
|
||||
+ || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_256_ctr,
|
||||
+ dasync_aes256_ctr_cipher)
|
||||
+ || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_256_ctr,
|
||||
+ dasync_aes256_ctr_cleanup)
|
||||
+ || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_256_ctr,
|
||||
+ dasync_aes256_ctr_ctrl)
|
||||
+ || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_256_ctr,
|
||||
+ sizeof(struct dasync_pipeline_ctx))) {
|
||||
+ EVP_CIPHER_meth_free(_hidden_aes_256_ctr);
|
||||
+ _hidden_aes_256_ctr = NULL;
|
||||
+ }
|
||||
+
|
||||
_hidden_aes_128_cbc_hmac_sha1 = EVP_CIPHER_meth_new(
|
||||
NID_aes_128_cbc_hmac_sha1,
|
||||
16 /* block size */,
|
||||
@@ -445,6 +486,9 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
|
||||
case NID_aes_128_cbc:
|
||||
*cipher = dasync_aes_128_cbc();
|
||||
break;
|
||||
+ case NID_aes_256_ctr:
|
||||
+ *cipher = dasync_aes_256_ctr();
|
||||
+ break;
|
||||
case NID_aes_128_cbc_hmac_sha1:
|
||||
*cipher = dasync_aes_128_cbc_hmac_sha1();
|
||||
break;
|
||||
@@ -779,6 +823,29 @@ static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx)
|
||||
return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc());
|
||||
}
|
||||
|
||||
+static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
|
||||
+ void *ptr)
|
||||
+{
|
||||
+ return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0, EVP_aes_256_ctr());
|
||||
+}
|
||||
+
|
||||
+static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
+ const unsigned char *iv, int enc)
|
||||
+{
|
||||
+ return dasync_cipher_init_key_helper(ctx, key, iv, enc, EVP_aes_256_ctr());
|
||||
+}
|
||||
+
|
||||
+static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
+ const unsigned char *in, size_t inl)
|
||||
+{
|
||||
+ return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_256_ctr());
|
||||
+}
|
||||
+
|
||||
+static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx)
|
||||
+{
|
||||
+ return dasync_cipher_cleanup_helper(ctx, EVP_aes_256_ctr());
|
||||
+}
|
||||
+
|
||||
|
||||
/*
|
||||
* AES128 CBC HMAC SHA1 Implementation
|
||||
diff --git a/include/crypto/rand.h b/include/crypto/rand.h
|
||||
index 6a71a339c812..165deaf95c5e 100644
|
||||
--- a/include/crypto/rand.h
|
||||
+++ b/include/crypto/rand.h
|
||||
@@ -125,4 +125,5 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
|
||||
size_t ossl_pool_acquire_entropy(RAND_POOL *pool);
|
||||
int ossl_pool_add_nonce_data(RAND_POOL *pool);
|
||||
|
||||
+void ossl_rand_ctx_free(void *vdgbl);
|
||||
#endif
|
||||
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
|
||||
index 1291299b6e50..934d4b089c20 100644
|
||||
--- a/include/internal/cryptlib.h
|
||||
+++ b/include/internal/cryptlib.h
|
||||
@@ -199,6 +199,8 @@ int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx,
|
||||
int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn);
|
||||
const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx);
|
||||
|
||||
+void ossl_release_default_drbg_ctx(void);
|
||||
+
|
||||
OSSL_LIB_CTX *ossl_crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad);
|
||||
int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj,
|
||||
CRYPTO_EX_DATA *ad);
|
||||
diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t
|
||||
index 4da1e64cb6da..3f352db9df3a 100644
|
||||
--- a/test/recipes/05-test_rand.t
|
||||
+++ b/test/recipes/05-test_rand.t
|
||||
@@ -11,9 +11,30 @@ use warnings;
|
||||
use OpenSSL::Test;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
-plan tests => 3;
|
||||
+plan tests => 5;
|
||||
setup("test_rand");
|
||||
|
||||
ok(run(test(["rand_test"])));
|
||||
ok(run(test(["drbgtest"])));
|
||||
ok(run(test(["rand_status_test"])));
|
||||
+
|
||||
+SKIP: {
|
||||
+ skip "engine is not supported by this OpenSSL build", 2
|
||||
+ if disabled("engine") || disabled("dynamic-engine");
|
||||
+
|
||||
+ my $success;
|
||||
+ my @randdata;
|
||||
+ my $expected = '0102030405060708090a0b0c0d0e0f10';
|
||||
+
|
||||
+ @randdata = run(app(['openssl', 'rand', '-engine', 'ossltest', '-hex', '16' ]),
|
||||
+ capture => 1, statusvar => \$success);
|
||||
+ chomp(@randdata);
|
||||
+ ok($success and $randdata[0] eq $expected,
|
||||
+ "rand with ossltest: Check rand output is as expected");
|
||||
+
|
||||
+ @randdata = run(app(['openssl', 'rand', '-engine', 'dasync', '-hex', '16' ]),
|
||||
+ capture => 1, statusvar => \$success);
|
||||
+ chomp(@randdata);
|
||||
+ ok($success and length($randdata[0]) == 32,
|
||||
+ "rand with dasync: Check rand output is of expected length");
|
||||
+}
|
@ -1,318 +0,0 @@
|
||||
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
|
||||
index d2ed3fd378..6a819590e6 100644
|
||||
--- a/crypto/evp/evp_enc.c
|
||||
+++ b/crypto/evp/evp_enc.c
|
||||
@@ -223,6 +223,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifndef FIPS_MODULE
|
||||
+ /*
|
||||
+ * Fix for CVE-2023-5363
|
||||
+ * Passing in a size as part of the init call takes effect late
|
||||
+ * so, force such to occur before the initialisation.
|
||||
+ *
|
||||
+ * The FIPS provider's internal library context is used in a manner
|
||||
+ * such that this is not an issue.
|
||||
+ */
|
||||
+ if (params != NULL) {
|
||||
+ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
|
||||
+ OSSL_PARAM_END };
|
||||
+ OSSL_PARAM *q = param_lens;
|
||||
+ const OSSL_PARAM *p;
|
||||
+
|
||||
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
|
||||
+ if (p != NULL)
|
||||
+ memcpy(q++, p, sizeof(*q));
|
||||
+
|
||||
+ /*
|
||||
+ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for
|
||||
+ * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
|
||||
+ */
|
||||
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
|
||||
+ if (p != NULL)
|
||||
+ memcpy(q++, p, sizeof(*q));
|
||||
+
|
||||
+ if (q != param_lens) {
|
||||
+ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
|
||||
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (enc) {
|
||||
if (ctx->cipher->einit == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
|
||||
index cfffa21350..2318bf6a68 100644
|
||||
--- a/test/evp_extra_test.c
|
||||
+++ b/test/evp_extra_test.c
|
||||
@@ -4851,6 +4851,253 @@ static int test_ecx_not_private_key(int tst)
|
||||
return options;
|
||||
}
|
||||
|
||||
+static int aes_gcm_encrypt(const unsigned char *gcm_key, size_t gcm_key_s,
|
||||
+ const unsigned char *gcm_iv, size_t gcm_ivlen,
|
||||
+ const unsigned char *gcm_pt, size_t gcm_pt_s,
|
||||
+ const unsigned char *gcm_aad, size_t gcm_aad_s,
|
||||
+ const unsigned char *gcm_ct, size_t gcm_ct_s,
|
||||
+ const unsigned char *gcm_tag, size_t gcm_tag_s)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_CIPHER_CTX *ctx;
|
||||
+ EVP_CIPHER *cipher = NULL;
|
||||
+ int outlen, tmplen;
|
||||
+ unsigned char outbuf[1024];
|
||||
+ unsigned char outtag[16];
|
||||
+ OSSL_PARAM params[2] = {
|
||||
+ OSSL_PARAM_END, OSSL_PARAM_END
|
||||
+ };
|
||||
+
|
||||
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
|
||||
+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")))
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
|
||||
+ &gcm_ivlen);
|
||||
+
|
||||
+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
|
||||
+ || (gcm_aad != NULL
|
||||
+ && !TEST_true(EVP_EncryptUpdate(ctx, NULL, &outlen,
|
||||
+ gcm_aad, gcm_aad_s)))
|
||||
+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
|
||||
+ gcm_pt, gcm_pt_s))
|
||||
+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
|
||||
+ outtag, sizeof(outtag));
|
||||
+
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_get_params(ctx, params))
|
||||
+ || !TEST_mem_eq(outbuf, outlen, gcm_ct, gcm_ct_s)
|
||||
+ || !TEST_mem_eq(outtag, gcm_tag_s, gcm_tag, gcm_tag_s))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+err:
|
||||
+ EVP_CIPHER_free(cipher);
|
||||
+ EVP_CIPHER_CTX_free(ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int aes_gcm_decrypt(const unsigned char *gcm_key, size_t gcm_key_s,
|
||||
+ const unsigned char *gcm_iv, size_t gcm_ivlen,
|
||||
+ const unsigned char *gcm_pt, size_t gcm_pt_s,
|
||||
+ const unsigned char *gcm_aad, size_t gcm_aad_s,
|
||||
+ const unsigned char *gcm_ct, size_t gcm_ct_s,
|
||||
+ const unsigned char *gcm_tag, size_t gcm_tag_s)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_CIPHER_CTX *ctx;
|
||||
+ EVP_CIPHER *cipher = NULL;
|
||||
+ int outlen;
|
||||
+ unsigned char outbuf[1024];
|
||||
+ OSSL_PARAM params[2] = {
|
||||
+ OSSL_PARAM_END, OSSL_PARAM_END
|
||||
+ };
|
||||
+
|
||||
+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ if ((cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")) == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
|
||||
+ &gcm_ivlen);
|
||||
+
|
||||
+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
|
||||
+ || (gcm_aad != NULL
|
||||
+ && !TEST_true(EVP_DecryptUpdate(ctx, NULL, &outlen,
|
||||
+ gcm_aad, gcm_aad_s)))
|
||||
+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
|
||||
+ gcm_ct, gcm_ct_s))
|
||||
+ || !TEST_mem_eq(outbuf, outlen, gcm_pt, gcm_pt_s))
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
|
||||
+ (void*)gcm_tag, gcm_tag_s);
|
||||
+
|
||||
+ if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params))
|
||||
+ ||!TEST_true(EVP_DecryptFinal_ex(ctx, outbuf, &outlen)))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+err:
|
||||
+ EVP_CIPHER_free(cipher);
|
||||
+ EVP_CIPHER_CTX_free(ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int test_aes_gcm_ivlen_change_cve_2023_5363(void)
|
||||
+{
|
||||
+ /* AES-GCM test data obtained from NIST public test vectors */
|
||||
+ static const unsigned char gcm_key[] = {
|
||||
+ 0xd0, 0xc2, 0x67, 0xc1, 0x9f, 0x30, 0xd8, 0x0b, 0x89, 0x14, 0xbb, 0xbf,
|
||||
+ 0xb7, 0x2f, 0x73, 0xb8, 0xd3, 0xcd, 0x5f, 0x6a, 0x78, 0x70, 0x15, 0x84,
|
||||
+ 0x8a, 0x7b, 0x30, 0xe3, 0x8f, 0x16, 0xf1, 0x8b,
|
||||
+ };
|
||||
+ static const unsigned char gcm_iv[] = {
|
||||
+ 0xb6, 0xdc, 0xda, 0x95, 0xac, 0x99, 0x77, 0x76, 0x25, 0xae, 0x87, 0xf8,
|
||||
+ 0xa3, 0xa9, 0xdd, 0x64, 0xd7, 0x9b, 0xbd, 0x5f, 0x4a, 0x0e, 0x54, 0xca,
|
||||
+ 0x1a, 0x9f, 0xa2, 0xe3, 0xf4, 0x5f, 0x5f, 0xc2, 0xce, 0xa7, 0xb6, 0x14,
|
||||
+ 0x12, 0x6f, 0xf0, 0xaf, 0xfd, 0x3e, 0x17, 0x35, 0x6e, 0xa0, 0x16, 0x09,
|
||||
+ 0xdd, 0xa1, 0x3f, 0xd8, 0xdd, 0xf3, 0xdf, 0x4f, 0xcb, 0x18, 0x49, 0xb8,
|
||||
+ 0xb3, 0x69, 0x2c, 0x5d, 0x4f, 0xad, 0x30, 0x91, 0x08, 0xbc, 0xbe, 0x24,
|
||||
+ 0x01, 0x0f, 0xbe, 0x9c, 0xfb, 0x4f, 0x5d, 0x19, 0x7f, 0x4c, 0x53, 0xb0,
|
||||
+ 0x95, 0x90, 0xac, 0x7b, 0x1f, 0x7b, 0xa0, 0x99, 0xe1, 0xf3, 0x48, 0x54,
|
||||
+ 0xd0, 0xfc, 0xa9, 0xcc, 0x91, 0xf8, 0x1f, 0x9b, 0x6c, 0x9a, 0xe0, 0xdc,
|
||||
+ 0x63, 0xea, 0x7d, 0x2a, 0x4a, 0x7d, 0xa5, 0xed, 0x68, 0x57, 0x27, 0x6b,
|
||||
+ 0x68, 0xe0, 0xf2, 0xb8, 0x51, 0x50, 0x8d, 0x3d,
|
||||
+ };
|
||||
+ static const unsigned char gcm_pt[] = {
|
||||
+ 0xb8, 0xb6, 0x88, 0x36, 0x44, 0xe2, 0x34, 0xdf, 0x24, 0x32, 0x91, 0x07,
|
||||
+ 0x4f, 0xe3, 0x6f, 0x81,
|
||||
+ };
|
||||
+ static const unsigned char gcm_ct[] = {
|
||||
+ 0xff, 0x4f, 0xb3, 0xf3, 0xf9, 0xa2, 0x51, 0xd4, 0x82, 0xc2, 0xbe, 0xf3,
|
||||
+ 0xe2, 0xd0, 0xec, 0xed,
|
||||
+ };
|
||||
+ static const unsigned char gcm_tag[] = {
|
||||
+ 0xbd, 0x06, 0x38, 0x09, 0xf7, 0xe1, 0xc4, 0x72, 0x0e, 0xf2, 0xea, 0x63,
|
||||
+ 0xdb, 0x99, 0x6c, 0x21,
|
||||
+ };
|
||||
+
|
||||
+ return aes_gcm_encrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
|
||||
+ gcm_pt, sizeof(gcm_pt), NULL, 0,
|
||||
+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag))
|
||||
+ && aes_gcm_decrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
|
||||
+ gcm_pt, sizeof(gcm_pt), NULL, 0,
|
||||
+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag));
|
||||
+}
|
||||
+
|
||||
+#ifndef OPENSSL_NO_RC4
|
||||
+static int rc4_encrypt(const unsigned char *rc4_key, size_t rc4_key_s,
|
||||
+ const unsigned char *rc4_pt, size_t rc4_pt_s,
|
||||
+ const unsigned char *rc4_ct, size_t rc4_ct_s)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_CIPHER_CTX *ctx;
|
||||
+ EVP_CIPHER *cipher = NULL;
|
||||
+ int outlen, tmplen;
|
||||
+ unsigned char outbuf[1024];
|
||||
+ OSSL_PARAM params[2] = {
|
||||
+ OSSL_PARAM_END, OSSL_PARAM_END
|
||||
+ };
|
||||
+
|
||||
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
|
||||
+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "RC4", "")))
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
|
||||
+ &rc4_key_s);
|
||||
+
|
||||
+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
|
||||
+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
|
||||
+ rc4_pt, rc4_pt_s))
|
||||
+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
|
||||
+ goto err;
|
||||
+
|
||||
+ if (!TEST_mem_eq(outbuf, outlen, rc4_ct, rc4_ct_s))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+err:
|
||||
+ EVP_CIPHER_free(cipher);
|
||||
+ EVP_CIPHER_CTX_free(ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int rc4_decrypt(const unsigned char *rc4_key, size_t rc4_key_s,
|
||||
+ const unsigned char *rc4_pt, size_t rc4_pt_s,
|
||||
+ const unsigned char *rc4_ct, size_t rc4_ct_s)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_CIPHER_CTX *ctx;
|
||||
+ EVP_CIPHER *cipher = NULL;
|
||||
+ int outlen;
|
||||
+ unsigned char outbuf[1024];
|
||||
+ OSSL_PARAM params[2] = {
|
||||
+ OSSL_PARAM_END, OSSL_PARAM_END
|
||||
+ };
|
||||
+
|
||||
+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ if ((cipher = EVP_CIPHER_fetch(testctx, "RC4", "")) == NULL)
|
||||
+ goto err;
|
||||
+
|
||||
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
|
||||
+ &rc4_key_s);
|
||||
+
|
||||
+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
|
||||
+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
|
||||
+ rc4_ct, rc4_ct_s))
|
||||
+ || !TEST_mem_eq(outbuf, outlen, rc4_pt, rc4_pt_s))
|
||||
+ goto err;
|
||||
+
|
||||
+ ret = 1;
|
||||
+err:
|
||||
+ EVP_CIPHER_free(cipher);
|
||||
+ EVP_CIPHER_CTX_free(ctx);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static int test_aes_rc4_keylen_change_cve_2023_5363(void)
|
||||
+{
|
||||
+ /* RC4 test data obtained from RFC 6229 */
|
||||
+ static const struct {
|
||||
+ unsigned char key[5];
|
||||
+ unsigned char padding[11];
|
||||
+ } rc4_key = {
|
||||
+ { /* Five bytes of key material */
|
||||
+ 0x83, 0x32, 0x22, 0x77, 0x2a,
|
||||
+ },
|
||||
+ { /* Random padding to 16 bytes */
|
||||
+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, 0xaa, 0x32, 0x91
|
||||
+ }
|
||||
+ };
|
||||
+ static const unsigned char rc4_pt[] = {
|
||||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|
||||
+ };
|
||||
+ static const unsigned char rc4_ct[] = {
|
||||
+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a,
|
||||
+ 0x2e, 0x87, 0x9e, 0x92, 0xa4, 0x97, 0xef, 0xda
|
||||
+ };
|
||||
+
|
||||
+ if (lgcyprov == NULL)
|
||||
+ return TEST_skip("Test requires legacy provider to be loaded");
|
||||
+
|
||||
+ return rc4_encrypt(rc4_key.key, sizeof(rc4_key.key),
|
||||
+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct))
|
||||
+ && rc4_decrypt(rc4_key.key, sizeof(rc4_key.key),
|
||||
+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct));
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
int setup_tests(void)
|
||||
{
|
||||
OPTION_CHOICE o;
|
||||
@@ -4994,6 +5241,12 @@ int setup_tests(void)
|
||||
|
||||
ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids));
|
||||
|
||||
+ /* Test cases for CVE-2023-5363 */
|
||||
+ ADD_TEST(test_aes_gcm_ivlen_change_cve_2023_5363);
|
||||
+#ifndef OPENSSL_NO_RC4
|
||||
+ ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363);
|
||||
+#endif
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
|
@ -1,49 +0,0 @@
|
||||
From 0d873f9f647764df147d818a6e998b1c318bac31 Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 16 Oct 2023 15:30:26 +0200
|
||||
Subject: [PATCH] rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check
|
||||
|
||||
The code did not yet check that the length of the RSA key is positive
|
||||
and even.
|
||||
|
||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
Upstream-Status: Backport [8b268541d9aabee51699aef22963407362830ef9]
|
||||
---
|
||||
crypto/rsa/rsa_sp800_56b_check.c | 5 +++++
|
||||
test/rsa_sp800_56b_test.c | 4 ++++
|
||||
2 files changed, 9 insertions(+)
|
||||
|
||||
diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
|
||||
index fc8f19b487..e6b79e953d 100644
|
||||
--- a/crypto/rsa/rsa_sp800_56b_check.c
|
||||
+++ b/crypto/rsa/rsa_sp800_56b_check.c
|
||||
@@ -403,6 +403,11 @@ int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
|
||||
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
|
||||
return 0;
|
||||
}
|
||||
+ /* (Step 3.c): check that the modulus length is a positive even integer */
|
||||
+ if (nbits <= 0 || (nbits & 0x1)) {
|
||||
+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
ctx = BN_CTX_new_ex(rsa->libctx);
|
||||
if (ctx == NULL)
|
||||
diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
|
||||
index 7660019f47..aa58bbbe6c 100644
|
||||
--- a/test/rsa_sp800_56b_test.c
|
||||
+++ b/test/rsa_sp800_56b_test.c
|
||||
@@ -458,6 +458,10 @@ static int test_invalid_keypair(void)
|
||||
&& TEST_true(BN_add_word(n, 1))
|
||||
&& TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
|
||||
&& TEST_true(BN_sub_word(n, 1))
|
||||
+ /* check that validation fails if len(n) is not even */
|
||||
+ && TEST_true(BN_lshift1(n, n))
|
||||
+ && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049))
|
||||
+ && TEST_true(BN_rshift1(n, n))
|
||||
/* check p */
|
||||
&& TEST_true(BN_sub_word(p, 2))
|
||||
&& TEST_true(BN_mul(n, p, q, ctx))
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,82 +0,0 @@
|
||||
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
|
||||
DAYS=365
|
||||
KEYLEN=2048
|
||||
TYPE=rsa:$(KEYLEN)
|
||||
EXTRA_FLAGS=
|
||||
ifdef SERIAL
|
||||
EXTRA_FLAGS+=-set_serial $(SERIAL)
|
||||
endif
|
||||
|
||||
.PHONY: usage
|
||||
.SUFFIXES: .key .csr .crt .pem
|
||||
.PRECIOUS: %.key %.csr %.crt %.pem
|
||||
|
||||
usage:
|
||||
@echo "This makefile allows you to create:"
|
||||
@echo " o public/private key pairs"
|
||||
@echo " o SSL certificate signing requests (CSRs)"
|
||||
@echo " o self-signed SSL test certificates"
|
||||
@echo
|
||||
@echo "To create a key pair, run \"make SOMETHING.key\"."
|
||||
@echo "To create a CSR, run \"make SOMETHING.csr\"."
|
||||
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
|
||||
@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
|
||||
@echo
|
||||
@echo "To create a key for use with Apache, run \"make genkey\"."
|
||||
@echo "To create a CSR for use with Apache, run \"make certreq\"."
|
||||
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
|
||||
@echo
|
||||
@echo "To create a test certificate with serial number other than random, add SERIAL=num"
|
||||
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
|
||||
@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
|
||||
@echo
|
||||
@echo Examples:
|
||||
@echo " make server.key"
|
||||
@echo " make server.csr"
|
||||
@echo " make server.crt"
|
||||
@echo " make stunnel.pem"
|
||||
@echo " make genkey"
|
||||
@echo " make certreq"
|
||||
@echo " make testcert"
|
||||
@echo " make server.crt SERIAL=1"
|
||||
@echo " make stunnel.pem EXTRA_FLAGS=-sha384"
|
||||
@echo " make testcert DAYS=600"
|
||||
|
||||
%.pem:
|
||||
umask 77 ; \
|
||||
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
|
||||
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
|
||||
cat $$PEM1 > $@ ; \
|
||||
echo "" >> $@ ; \
|
||||
cat $$PEM2 >> $@ ; \
|
||||
$(RM) $$PEM1 $$PEM2
|
||||
|
||||
%.key:
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
|
||||
|
||||
%.csr: %.key
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
|
||||
|
||||
%.crt: %.key
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
|
||||
|
||||
TLSROOT=/etc/pki/tls
|
||||
KEY=$(TLSROOT)/private/localhost.key
|
||||
CSR=$(TLSROOT)/certs/localhost.csr
|
||||
CRT=$(TLSROOT)/certs/localhost.crt
|
||||
|
||||
genkey: $(KEY)
|
||||
certreq: $(CSR)
|
||||
testcert: $(CRT)
|
||||
|
||||
$(CSR): $(KEY)
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
|
||||
|
||||
$(CRT): $(KEY)
|
||||
umask 77 ; \
|
||||
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)
|
@ -0,0 +1,5 @@
|
||||
This package provides a custom build of the OpenSSL FIPS module that has
|
||||
been submitted to NIST for certification.
|
||||
|
||||
The actual shared object is in the subpackage openssl-fips-provider-so
|
||||
due to overcome a build issue around custom debuginfo packages.
|
@ -1,7 +0,0 @@
|
||||
/* Prepended at openssl package build-time. Don't include this file directly,
|
||||
* use <openssl/opensslconf.h> instead. */
|
||||
|
||||
#ifndef openssl_conf_multilib_redirection_h
|
||||
#error "Don't include this file directly, use <openssl/opensslconf.h> instead!"
|
||||
#endif
|
||||
|
@ -1,47 +0,0 @@
|
||||
/* This file is here to prevent a file conflict on multiarch systems. A
|
||||
* conflict will frequently occur because arch-specific build-time
|
||||
* configuration options are stored (and used, so they can't just be stripped
|
||||
* out) in configuration.h. The original configuration.h has been renamed.
|
||||
* DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
|
||||
|
||||
#ifdef openssl_conf_multilib_redirection_h
|
||||
#error "Do not define openssl_conf_multilib_redirection_h!"
|
||||
#endif
|
||||
#define openssl_conf_multilib_redirection_h
|
||||
|
||||
#if defined(__i386__)
|
||||
#include "configuration-i386.h"
|
||||
#elif defined(__ia64__)
|
||||
#include "configuration-ia64.h"
|
||||
#elif defined(__mips64) && defined(__MIPSEL__)
|
||||
#include "configuration-mips64el.h"
|
||||
#elif defined(__mips64)
|
||||
#include "configuration-mips64.h"
|
||||
#elif defined(__mips) && defined(__MIPSEL__)
|
||||
#include "configuration-mipsel.h"
|
||||
#elif defined(__mips)
|
||||
#include "configuration-mips.h"
|
||||
#elif defined(__powerpc64__)
|
||||
#include <endian.h>
|
||||
#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
|
||||
#include "configuration-ppc64.h"
|
||||
#else
|
||||
#include "configuration-ppc64le.h"
|
||||
#endif
|
||||
#elif defined(__powerpc__)
|
||||
#include "configuration-ppc.h"
|
||||
#elif defined(__s390x__)
|
||||
#include "configuration-s390x.h"
|
||||
#elif defined(__s390__)
|
||||
#include "configuration-s390.h"
|
||||
#elif defined(__sparc__) && defined(__arch64__)
|
||||
#include "configuration-sparc64.h"
|
||||
#elif defined(__sparc__)
|
||||
#include "configuration-sparc.h"
|
||||
#elif defined(__x86_64__)
|
||||
#include "configuration-x86_64.h"
|
||||
#else
|
||||
#error "The openssl-devel package does not work your architecture?"
|
||||
#endif
|
||||
|
||||
#undef openssl_conf_multilib_redirection_h
|
@ -1,628 +0,0 @@
|
||||
/*
|
||||
* Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* ECDSA low level APIs are deprecated for public use, but still ok for
|
||||
* internal use.
|
||||
*/
|
||||
#include "internal/deprecated.h"
|
||||
|
||||
#include <string.h>
|
||||
#include "ec_local.h"
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
#include "internal/nelem.h"
|
||||
|
||||
typedef struct {
|
||||
int field_type, /* either NID_X9_62_prime_field or
|
||||
* NID_X9_62_characteristic_two_field */
|
||||
seed_len, param_len;
|
||||
unsigned int cofactor; /* promoted to BN_ULONG */
|
||||
} EC_CURVE_DATA;
|
||||
|
||||
/* the nist prime curves */
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 28 * 6];
|
||||
} _EC_NIST_PRIME_224 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 28, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F,
|
||||
0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5,
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x01,
|
||||
/* a */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE,
|
||||
/* b */
|
||||
0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
|
||||
0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
|
||||
0x23, 0x55, 0xFF, 0xB4,
|
||||
/* x */
|
||||
0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
|
||||
0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
|
||||
0x11, 0x5C, 0x1D, 0x21,
|
||||
/* y */
|
||||
0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
|
||||
0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
|
||||
0x85, 0x00, 0x7e, 0x34,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
|
||||
0x5C, 0x5C, 0x2A, 0x3D
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 48 * 6];
|
||||
} _EC_NIST_PRIME_384 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 48, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
|
||||
0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
/* a */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||
/* b */
|
||||
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
|
||||
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
|
||||
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
|
||||
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
|
||||
/* x */
|
||||
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
|
||||
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
|
||||
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
|
||||
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
|
||||
/* y */
|
||||
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
|
||||
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
|
||||
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
|
||||
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
|
||||
0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 66 * 6];
|
||||
} _EC_NIST_PRIME_521 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 66, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
|
||||
0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
|
||||
/* p */
|
||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
/* a */
|
||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||
/* b */
|
||||
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
|
||||
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
|
||||
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
|
||||
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
|
||||
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
|
||||
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
|
||||
/* x */
|
||||
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
|
||||
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
|
||||
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
|
||||
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
|
||||
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
|
||||
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
|
||||
/* y */
|
||||
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
|
||||
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
|
||||
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
|
||||
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
|
||||
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
|
||||
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
|
||||
/* order */
|
||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
|
||||
0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
|
||||
0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
|
||||
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[20 + 32 * 6];
|
||||
} _EC_X9_62_PRIME_256V1 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 20, 32, 1
|
||||
},
|
||||
{
|
||||
/* seed */
|
||||
0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
|
||||
0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
/* a */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
||||
/* b */
|
||||
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
|
||||
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
|
||||
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
|
||||
/* x */
|
||||
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
|
||||
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
|
||||
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
|
||||
/* y */
|
||||
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
|
||||
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
|
||||
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
|
||||
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
|
||||
}
|
||||
};
|
||||
|
||||
static const struct {
|
||||
EC_CURVE_DATA h;
|
||||
unsigned char data[0 + 32 * 6];
|
||||
} _EC_SECG_PRIME_256K1 = {
|
||||
{
|
||||
NID_X9_62_prime_field, 0, 32, 1
|
||||
},
|
||||
{
|
||||
/* no seed */
|
||||
/* p */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
|
||||
/* a */
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
/* b */
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
|
||||
/* x */
|
||||
0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
|
||||
0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
|
||||
0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
|
||||
/* y */
|
||||
0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
|
||||
0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
|
||||
0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
|
||||
/* order */
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
|
||||
0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
|
||||
}
|
||||
};
|
||||
|
||||
typedef struct _ec_list_element_st {
|
||||
int nid;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_METHOD *(*meth) (void);
|
||||
const char *comment;
|
||||
} ec_list_element;
|
||||
|
||||
#ifdef FIPS_MODULE
|
||||
static const ec_list_element curve_list[] = {
|
||||
/* prime field curves */
|
||||
/* secg curves */
|
||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h,
|
||||
# if !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
EC_GFp_nistp224_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||
{NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp384_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 384 bit prime field"},
|
||||
|
||||
{NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp521_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
EC_GFp_nistp521_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
|
||||
/* X9.62 curves */
|
||||
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||
# if defined(ECP_NISTZ256_ASM)
|
||||
EC_GFp_nistz256_method,
|
||||
# elif defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp256_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
EC_GFp_nistp256_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"X9.62/SECG curve over a 256 bit prime field"},
|
||||
};
|
||||
|
||||
#else
|
||||
|
||||
static const ec_list_element curve_list[] = {
|
||||
/* prime field curves */
|
||||
/* secg curves */
|
||||
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
# else
|
||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
||||
"NIST/SECG curve over a 224 bit prime field"},
|
||||
# endif
|
||||
{NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
||||
"SECG curve over a 256 bit prime field"},
|
||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||
{NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp384_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 384 bit prime field"},
|
||||
{NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
||||
# if defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp521_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
EC_GFp_nistp521_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"NIST/SECG curve over a 521 bit prime field"},
|
||||
/* X9.62 curves */
|
||||
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
||||
# if defined(ECP_NISTZ256_ASM)
|
||||
EC_GFp_nistz256_method,
|
||||
# elif defined(S390X_EC_ASM)
|
||||
EC_GFp_s390x_nistp256_method,
|
||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
||||
EC_GFp_nistp256_method,
|
||||
# else
|
||||
0,
|
||||
# endif
|
||||
"X9.62/SECG curve over a 256 bit prime field"},
|
||||
};
|
||||
#endif /* FIPS_MODULE */
|
||||
|
||||
#define curve_list_length OSSL_NELEM(curve_list)
|
||||
|
||||
static const ec_list_element *ec_curve_nid2curve(int nid)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
if (nid <= 0)
|
||||
return NULL;
|
||||
|
||||
for (i = 0; i < curve_list_length; i++) {
|
||||
if (curve_list[i].nid == nid)
|
||||
return &curve_list[i];
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static EC_GROUP *ec_group_new_from_data(OSSL_LIB_CTX *libctx,
|
||||
const char *propq,
|
||||
const ec_list_element curve)
|
||||
{
|
||||
EC_GROUP *group = NULL;
|
||||
EC_POINT *P = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
|
||||
NULL;
|
||||
int ok = 0;
|
||||
int seed_len, param_len;
|
||||
const EC_METHOD *meth;
|
||||
const EC_CURVE_DATA *data;
|
||||
const unsigned char *params;
|
||||
|
||||
/* If no curve data curve method must handle everything */
|
||||
if (curve.data == NULL)
|
||||
return ossl_ec_group_new_ex(libctx, propq,
|
||||
curve.meth != NULL ? curve.meth() : NULL);
|
||||
|
||||
if ((ctx = BN_CTX_new_ex(libctx)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
data = curve.data;
|
||||
seed_len = data->seed_len;
|
||||
param_len = data->param_len;
|
||||
params = (const unsigned char *)(data + 1); /* skip header */
|
||||
params += seed_len; /* skip seed */
|
||||
|
||||
if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL
|
||||
|| (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL
|
||||
|| (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (curve.meth != 0) {
|
||||
meth = curve.meth();
|
||||
if (((group = ossl_ec_group_new_ex(libctx, propq, meth)) == NULL) ||
|
||||
(!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
} else if (data->field_type == NID_X9_62_prime_field) {
|
||||
if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
#ifndef OPENSSL_NO_EC2M
|
||||
else { /* field_type ==
|
||||
* NID_X9_62_characteristic_two_field */
|
||||
|
||||
if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
EC_GROUP_set_curve_name(group, curve.nid);
|
||||
|
||||
if ((P = EC_POINT_new(group)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL
|
||||
|| (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL
|
||||
|| !BN_set_word(x, (BN_ULONG)data->cofactor)) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (!EC_GROUP_set_generator(group, P, order, x)) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (seed_len) {
|
||||
if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
|
||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
ok = 1;
|
||||
err:
|
||||
if (!ok) {
|
||||
EC_GROUP_free(group);
|
||||
group = NULL;
|
||||
}
|
||||
EC_POINT_free(P);
|
||||
BN_CTX_free(ctx);
|
||||
BN_free(p);
|
||||
BN_free(a);
|
||||
BN_free(b);
|
||||
BN_free(order);
|
||||
BN_free(x);
|
||||
BN_free(y);
|
||||
return group;
|
||||
}
|
||||
|
||||
EC_GROUP *EC_GROUP_new_by_curve_name_ex(OSSL_LIB_CTX *libctx, const char *propq,
|
||||
int nid)
|
||||
{
|
||||
EC_GROUP *ret = NULL;
|
||||
const ec_list_element *curve;
|
||||
|
||||
if ((curve = ec_curve_nid2curve(nid)) == NULL
|
||||
|| (ret = ec_group_new_from_data(libctx, propq, *curve)) == NULL) {
|
||||
#ifndef FIPS_MODULE
|
||||
ERR_raise_data(ERR_LIB_EC, EC_R_UNKNOWN_GROUP,
|
||||
"name=%s", OBJ_nid2sn(nid));
|
||||
#else
|
||||
ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
|
||||
#endif
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
|
||||
{
|
||||
return EC_GROUP_new_by_curve_name_ex(NULL, NULL, nid);
|
||||
}
|
||||
#endif
|
||||
|
||||
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
||||
{
|
||||
size_t i, min;
|
||||
|
||||
if (r == NULL || nitems == 0)
|
||||
return curve_list_length;
|
||||
|
||||
min = nitems < curve_list_length ? nitems : curve_list_length;
|
||||
|
||||
for (i = 0; i < min; i++) {
|
||||
r[i].nid = curve_list[i].nid;
|
||||
r[i].comment = curve_list[i].comment;
|
||||
}
|
||||
|
||||
return curve_list_length;
|
||||
}
|
||||
|
||||
const char *EC_curve_nid2nist(int nid)
|
||||
{
|
||||
return ossl_ec_curve_nid2nist_int(nid);
|
||||
}
|
||||
|
||||
int EC_curve_nist2nid(const char *name)
|
||||
{
|
||||
return ossl_ec_curve_nist2nid_int(name);
|
||||
}
|
||||
|
||||
#define NUM_BN_FIELDS 6
|
||||
/*
|
||||
* Validates EC domain parameter data for known named curves.
|
||||
* This can be used when a curve is loaded explicitly (without a curve
|
||||
* name) or to validate that domain parameters have not been modified.
|
||||
*
|
||||
* Returns: The nid associated with the found named curve, or NID_undef
|
||||
* if not found. If there was an error it returns -1.
|
||||
*/
|
||||
int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
|
||||
{
|
||||
int ret = -1, nid, len, field_type, param_len;
|
||||
size_t i, seed_len;
|
||||
const unsigned char *seed, *params_seed, *params;
|
||||
unsigned char *param_bytes = NULL;
|
||||
const EC_CURVE_DATA *data;
|
||||
const EC_POINT *generator = NULL;
|
||||
const BIGNUM *cofactor = NULL;
|
||||
/* An array of BIGNUMs for (p, a, b, x, y, order) */
|
||||
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
|
||||
|
||||
/* Use the optional named curve nid as a search field */
|
||||
nid = EC_GROUP_get_curve_name(group);
|
||||
field_type = EC_GROUP_get_field_type(group);
|
||||
seed_len = EC_GROUP_get_seed_len(group);
|
||||
seed = EC_GROUP_get0_seed(group);
|
||||
cofactor = EC_GROUP_get0_cofactor(group);
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
|
||||
/*
|
||||
* The built-in curves contains data fields (p, a, b, x, y, order) that are
|
||||
* all zero-padded to be the same size. The size of the padding is
|
||||
* determined by either the number of bytes in the field modulus (p) or the
|
||||
* EC group order, whichever is larger.
|
||||
*/
|
||||
param_len = BN_num_bytes(group->order);
|
||||
len = BN_num_bytes(group->field);
|
||||
if (len > param_len)
|
||||
param_len = len;
|
||||
|
||||
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
|
||||
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
|
||||
if (param_bytes == NULL)
|
||||
goto end;
|
||||
|
||||
/* Create the bignums */
|
||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
|
||||
goto end;
|
||||
}
|
||||
/*
|
||||
* Fill in the bn array with the same values as the internal curves
|
||||
* i.e. the values are p, a, b, x, y, order.
|
||||
*/
|
||||
/* Get p, a & b */
|
||||
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
|
||||
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
|
||||
/* Get x & y */
|
||||
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
|
||||
/* Get order */
|
||||
&& EC_GROUP_get_order(group, bn[5], ctx)))
|
||||
goto end;
|
||||
|
||||
/*
|
||||
* Convert the bignum array to bytes that are joined together to form
|
||||
* a single buffer that contains data for all fields.
|
||||
* (p, a, b, x, y, order) are all zero padded to be the same size.
|
||||
*/
|
||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
||||
if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
|
||||
goto end;
|
||||
}
|
||||
|
||||
for (i = 0; i < curve_list_length; i++) {
|
||||
const ec_list_element curve = curve_list[i];
|
||||
|
||||
data = curve.data;
|
||||
/* Get the raw order byte data */
|
||||
params_seed = (const unsigned char *)(data + 1); /* skip header */
|
||||
params = params_seed + data->seed_len;
|
||||
|
||||
/* Look for unique fields in the fixed curve data */
|
||||
if (data->field_type == field_type
|
||||
&& param_len == data->param_len
|
||||
&& (nid <= 0 || nid == curve.nid)
|
||||
/* check the optional cofactor (ignore if its zero) */
|
||||
&& (BN_is_zero(cofactor)
|
||||
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
|
||||
/* Check the optional seed (ignore if its not set) */
|
||||
&& (data->seed_len == 0 || seed_len == 0
|
||||
|| ((size_t)data->seed_len == seed_len
|
||||
&& memcmp(params_seed, seed, seed_len) == 0))
|
||||
/* Check that the groups params match the built-in curve params */
|
||||
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
|
||||
== 0) {
|
||||
ret = curve.nid;
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
/* Gets here if the group was not found */
|
||||
ret = NID_undef;
|
||||
end:
|
||||
OPENSSL_free(param_bytes);
|
||||
BN_CTX_end(ctx);
|
||||
return ret;
|
||||
}
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,71 @@
|
||||
#!/usr/bin/bash -e
|
||||
|
||||
# args: build-V-R arch
|
||||
|
||||
if [ -z "${RPM_BUILD_ROOT}" ]; then
|
||||
echo >&2 "RPM_BUILD_ROOT is not set"
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "${ORIGINAL_PACKAGE_VERSION}" ]; then
|
||||
echo >&2 "ORIGINAL_PACKAGE_VERSION is not set"
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "${ORIGINAL_PACKAGE_RELEASE}" ]; then
|
||||
echo >&2 "ORIGINAL_PACKAGE_RELEASE is not set"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
PKG_ARCH=${RPM_ARCH}
|
||||
if [ "${PKG_ARCH}" = "i386" ]; then
|
||||
PKG_ARCH=i686
|
||||
fi
|
||||
|
||||
OVR=${ORIGINAL_PACKAGE_VERSION}-${ORIGINAL_PACKAGE_RELEASE}
|
||||
DBGDIR=usr/lib/debug
|
||||
DBGSRCDIR=usr/src/debug/openssl-${OVR}.${RPM_ARCH}
|
||||
DEBUGINFO=${RPM_BUILD_DIR}/debuginfo.list
|
||||
DEBUGSOURCE=${RPM_BUILD_DIR}/debugsourcefiles.list
|
||||
|
||||
# Remove existing files if any
|
||||
rm -fr ${RPM_BUILD_ROOT}/${DBGDIR}
|
||||
rm -fr ${RPM_BUILD_ROOT}/usr/src/debug/*
|
||||
> ${DEBUGINFO}
|
||||
> ${DEBUGSOURCE}
|
||||
|
||||
# fips.so
|
||||
mkdir extract
|
||||
pushd extract
|
||||
|
||||
rpm2cpio ${RPM_BUILD_DIR}/openssl-libs-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
|
||||
rpm2cpio ${RPM_BUILD_DIR}/openssl-libs-debuginfo-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
|
||||
rpm2cpio ${RPM_BUILD_DIR}/openssl-debuginfo-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
|
||||
rpm2cpio ${RPM_BUILD_DIR}/openssl-debugsource-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
|
||||
FIPS_SO=$(find usr -name fips.so)
|
||||
cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_SO}
|
||||
FIPS_SO_DBG=$(find usr -name fips.so-${OVR}.${RPM_ARCH}.debug)
|
||||
cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_SO_DBG}
|
||||
|
||||
FIPS_DBG_ID=$(find -L usr -samefile ${FIPS_SO_DBG} -xtype l)
|
||||
FIPS_DBG_ID_DIR=$(dirname ${FIPS_DBG_ID})
|
||||
cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_DBG_ID_DIR}
|
||||
cp -adt ${RPM_BUILD_ROOT} --parents ${DBGDIR}/.dwz
|
||||
|
||||
#remove unnecessary parts
|
||||
rm -fr ${DBGSRCDIR}/apps
|
||||
rm -fr ${DBGSRCDIR}/engines
|
||||
rm -fr ${DBGSRCDIR}/ssl
|
||||
cp -adt ${RPM_BUILD_ROOT} --parents usr/src/debug
|
||||
|
||||
popd
|
||||
|
||||
pushd ${RPM_BUILD_ROOT}
|
||||
|
||||
find ${DBGDIR} -type d | sed -e "s#^#%dir /#" >> ${DEBUGINFO}
|
||||
find ${DBGDIR} -type f | sed -e "s#^#/#">> ${DEBUGINFO}
|
||||
find ${DBGDIR} -type l | sed -e "s#^#/#">> ${DEBUGINFO}
|
||||
|
||||
find ${DBGSRCDIR} -type d | sed -e "s#^#%dir /#" >> ${DEBUGSOURCE}
|
||||
find ${DBGSRCDIR} -type f | sed -e "s#^#/#">> ${DEBUGSOURCE}
|
||||
find ${DBGSRCDIR} -type l | sed -e "s#^#/#">> ${DEBUGSOURCE}
|
||||
|
||||
popd
|
@ -0,0 +1,22 @@
|
||||
#!/usr/bin/bash -e
|
||||
|
||||
# args: version release
|
||||
VERSION=$1
|
||||
RELEASE=$2
|
||||
OVR="${VERSION}-${RELEASE}"
|
||||
rpm2cpio openssl-${OVR}.src.rpm |cpio -id
|
||||
|
||||
rm -fr openssl-${VERSION}
|
||||
tar xf openssl-${VERSION}-hobbled.tar.gz
|
||||
rm openssl.spec
|
||||
|
||||
pushd openssl-${VERSION}
|
||||
git init
|
||||
git config user.email "openssl-fips-provider-build@redhat.com"
|
||||
git config user.name "openssl-fips-provider build"
|
||||
git add .
|
||||
git commit -m "init commit" --quiet
|
||||
git apply -p1 ../*.patch
|
||||
|
||||
cp ../ec_curve.c crypto/ec/
|
||||
cp ../ectest.c test/
|
@ -1,26 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ $# -ne 2 ] ; then
|
||||
echo "Usage:"
|
||||
echo " $0 <git-dir> <base-tag>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
git_dir="$1"
|
||||
base_tag="$2"
|
||||
|
||||
target_dir="$(pwd)"
|
||||
|
||||
pushd "$git_dir" >/dev/null
|
||||
git format-patch -k -o "$target_dir" "$base_tag" >/dev/null
|
||||
popd >/dev/null
|
||||
|
||||
echo "# Patches exported from source git"
|
||||
|
||||
i=1
|
||||
for p in *.patch ; do
|
||||
printf "# "
|
||||
sed '/^Subject:/{s/^Subject: //;p};d' "$p"
|
||||
printf "Patch%s: %s\n" $i "$p"
|
||||
i=$(($i + 1))
|
||||
done
|
@ -1,40 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Quit out if anything fails.
|
||||
set -e
|
||||
|
||||
# Clean out patent-or-otherwise-encumbered code.
|
||||
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
|
||||
# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
|
||||
# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
|
||||
# EC: ????????? ??/??/2020
|
||||
# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore
|
||||
|
||||
# Remove assembler portions of IDEA, MDC2, and RC5.
|
||||
# (find crypto/rc5/asm -type f | xargs -r rm -fv)
|
||||
|
||||
for c in `find crypto/bn -name "*gf2m.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for c in `find test -name "ectest.c"`; do
|
||||
echo Destroying $c
|
||||
> $c
|
||||
done
|
||||
|
||||
for h in `find crypto ssl apps test -name "*.h"` ; do
|
||||
echo Removing EC2M references from $h
|
||||
cat $h | \
|
||||
awk 'BEGIN {ech=1;} \
|
||||
/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
|
||||
/^#[ \t]*if/ {if(ech < 1) ech--;} \
|
||||
{if(ech>0) {;print $0};} \
|
||||
/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
|
||||
mv $h.hobbled $h
|
||||
done
|
@ -1,28 +0,0 @@
|
||||
#!/bin/sh
|
||||
umask 077
|
||||
|
||||
answers() {
|
||||
echo --
|
||||
echo SomeState
|
||||
echo SomeCity
|
||||
echo SomeOrganization
|
||||
echo SomeOrganizationalUnit
|
||||
echo localhost.localdomain
|
||||
echo root@localhost.localdomain
|
||||
}
|
||||
|
||||
if [ $# -eq 0 ] ; then
|
||||
echo $"Usage: `basename $0` filename [...]"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
for target in $@ ; do
|
||||
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
trap "rm -f $PEM1 $PEM2" SIGINT
|
||||
answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
|
||||
cat $PEM1 > ${target}
|
||||
echo "" >> ${target}
|
||||
cat $PEM2 >> ${target}
|
||||
rm -f $PEM1 $PEM2
|
||||
done
|
@ -1,39 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ $# -eq 0 ]; then
|
||||
echo $"Usage: `basename $0` filename" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
PEM=$1
|
||||
REQ=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
KEY=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
CRT=`/bin/mktemp /tmp/openssl.XXXXXX`
|
||||
NEW=${PEM}_
|
||||
|
||||
trap "rm -f $REQ $KEY $CRT $NEW" SIGINT
|
||||
|
||||
if [ ! -f $PEM ]; then
|
||||
echo "$PEM: file not found" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
umask 077
|
||||
|
||||
OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
|
||||
|
||||
openssl rsa -inform pem -in $PEM -out $KEY
|
||||
openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
|
||||
openssl x509 -req -in $REQ -signkey $KEY -days 365 \
|
||||
-extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
|
||||
|
||||
(cat $KEY ; echo "" ; cat $CRT) > $NEW
|
||||
|
||||
chown $OWNER $NEW
|
||||
|
||||
mv -f $NEW $PEM
|
||||
|
||||
rm -f $REQ $KEY $CRT
|
||||
|
||||
exit 0
|
||||
|
Loading…
Reference in new issue