Signed-off-by: Michel Lind <salimma@fedoraproject.org>epel8
Michel Lind
7 months ago
commit
39094b83a8
@ -0,0 +1 @@
|
|||||||
|
1
|
||||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,37 @@
|
|||||||
|
diff -up ./test/recipes/15-test_ec.t.skip-tests ./test/recipes/15-test_ec.t
|
||||||
|
--- ./test/recipes/15-test_ec.t.skip-tests 2023-03-14 13:42:38.865508269 +0100
|
||||||
|
+++ ./test/recipes/15-test_ec.t 2023-03-14 13:43:36.237021635 +0100
|
||||||
|
@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key
|
||||||
|
|
||||||
|
subtest 'Check loading of fips and non-fips keys' => sub {
|
||||||
|
plan skip_all => "FIPS is disabled"
|
||||||
|
- if $no_fips;
|
||||||
|
+ if 1; #Red Hat specific, original value is $no_fips;
|
||||||
|
|
||||||
|
plan tests => 2;
|
||||||
|
|
||||||
|
diff -up ./test/recipes/65-test_cmp_protect.t.skip-tests ./test/recipes/65-test_cmp_protect.t
|
||||||
|
--- ./test/recipes/65-test_cmp_protect.t.skip-tests 2023-03-14 10:13:11.342056559 +0100
|
||||||
|
+++ ./test/recipes/65-test_cmp_protect.t 2023-03-14 10:14:42.643873496 +0100
|
||||||
|
@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo
|
||||||
|
plan skip_all => "This test is not supported in a shared library build on Windows"
|
||||||
|
if $^O eq 'MSWin32' && !disabled("shared");
|
||||||
|
|
||||||
|
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
|
||||||
|
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
|
||||||
|
|
||||||
|
my @basic_cmd = ("cmp_protect_test",
|
||||||
|
data_file("prot_RSA.pem"),
|
||||||
|
diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t
|
||||||
|
index f722800e27..26a01786bb 100644
|
||||||
|
--- a/test/recipes/65-test_cmp_vfy.t
|
||||||
|
+++ b/test/recipes/65-test_cmp_vfy.t
|
||||||
|
@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
|
||||||
|
plan skip_all => "This test is not supported in a no-ec build"
|
||||||
|
if disabled("ec");
|
||||||
|
|
||||||
|
-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
|
||||||
|
+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
|
||||||
|
|
||||||
|
my @basic_cmd = ("cmp_vfy_test",
|
||||||
|
data_file("server.crt"), data_file("client.crt"),
|
||||||
@ -1,40 +0,0 @@
|
|||||||
diff -up openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit openssl-3.0.0/test/recipes/90-test_sslapi.t
|
|
||||||
--- openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit 2021-09-22 11:56:49.452507975 +0200
|
|
||||||
+++ openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-09-22 11:57:19.371764742 +0200
|
|
||||||
@@ -40,7 +40,7 @@ unless ($no_fips) {
|
|
||||||
"recipes",
|
|
||||||
"90-test_sslapi_data",
|
|
||||||
"dhparams.pem")])),
|
|
||||||
- "running sslapitest");
|
|
||||||
+ "running sslapitest - FIPS");
|
|
||||||
}
|
|
||||||
|
|
||||||
unlink $tmpfilename;
|
|
||||||
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
|
||||||
index e95d2657f46c..7af0eab3fce0 100644
|
|
||||||
--- a/test/sslapitest.c
|
|
||||||
+++ b/test/sslapitest.c
|
|
||||||
@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
|
|
||||||
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Create a session based on SHA-256 */
|
|
||||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
|
||||||
TLS_client_method(),
|
|
||||||
@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
|
|
||||||
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
|
|
||||||
+ goto end;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Create a session based on SHA-256 */
|
|
||||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
|
||||||
TLS_client_method(),
|
|
||||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,420 +0,0 @@
|
|||||||
diff -up openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_backend.c
|
|
||||||
--- openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature 2022-04-04 15:49:24.786455707 +0200
|
|
||||||
+++ openssl-3.0.1/crypto/ec/ec_backend.c 2022-04-04 16:06:13.250271963 +0200
|
|
||||||
@@ -393,6 +393,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con
|
|
||||||
const OSSL_PARAM *param_priv_key = NULL, *param_pub_key = NULL;
|
|
||||||
BN_CTX *ctx = NULL;
|
|
||||||
BIGNUM *priv_key = NULL;
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ const OSSL_PARAM *param_sign_kat_k = NULL;
|
|
||||||
+ BIGNUM *sign_kat_k = NULL;
|
|
||||||
+#endif
|
|
||||||
unsigned char *pub_key = NULL;
|
|
||||||
size_t pub_key_len;
|
|
||||||
const EC_GROUP *ecg = NULL;
|
|
||||||
@@ -408,7 +412,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con
|
|
||||||
if (include_private)
|
|
||||||
param_priv_key =
|
|
||||||
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);
|
|
||||||
-
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ param_sign_kat_k =
|
|
||||||
+ OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K);
|
|
||||||
+#endif
|
|
||||||
ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
|
|
||||||
if (ctx == NULL)
|
|
||||||
goto err;
|
|
||||||
@@ -481,6 +489,17 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con
|
|
||||||
&& !EC_KEY_set_public_key(ec, pub_point))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (param_sign_kat_k) {
|
|
||||||
+ if ((sign_kat_k = BN_secure_new()) == NULL)
|
|
||||||
+ goto err;
|
|
||||||
+ BN_set_flags(sign_kat_k, BN_FLG_CONSTTIME);
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_get_BN(param_sign_kat_k, &sign_kat_k))
|
|
||||||
+ goto err;
|
|
||||||
+ ec->sign_kat_k = sign_kat_k;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
ok = 1;
|
|
||||||
|
|
||||||
err:
|
|
||||||
diff -up openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature openssl-3.0.1/crypto/ec/ecdsa_ossl.c
|
|
||||||
--- openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature 2022-04-04 17:01:35.725323127 +0200
|
|
||||||
+++ openssl-3.0.1/crypto/ec/ecdsa_ossl.c 2022-04-04 17:03:42.000427050 +0200
|
|
||||||
@@ -20,6 +20,10 @@
|
|
||||||
#include "crypto/bn.h"
|
|
||||||
#include "ec_local.h"
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+extern int REDHAT_FIPS_signature_st;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
|
|
||||||
BIGNUM **rp)
|
|
||||||
{
|
|
||||||
@@ -126,6 +130,11 @@ static int ecdsa_sign_setup(EC_KEY *ecke
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
do {
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) {
|
|
||||||
+ BN_copy(k, eckey->sign_kat_k);
|
|
||||||
+ } else {
|
|
||||||
+#endif
|
|
||||||
/* get random k */
|
|
||||||
do {
|
|
||||||
if (dgst != NULL) {
|
|
||||||
@@ -141,7 +150,9 @@ static int ecdsa_sign_setup(EC_KEY *ecke
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} while (BN_is_zero(k));
|
|
||||||
-
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
/* compute r the x-coordinate of generator * k */
|
|
||||||
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_key.c
|
|
||||||
--- openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature 2022-04-04 13:48:52.231172299 +0200
|
|
||||||
+++ openssl-3.0.1/crypto/ec/ec_key.c 2022-04-04 14:00:35.077368605 +0200
|
|
||||||
@@ -97,6 +97,9 @@ void EC_KEY_free(EC_KEY *r)
|
|
||||||
EC_GROUP_free(r->group);
|
|
||||||
EC_POINT_free(r->pub_key);
|
|
||||||
BN_clear_free(r->priv_key);
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ BN_clear_free(r->sign_kat_k);
|
|
||||||
+#endif
|
|
||||||
OPENSSL_free(r->propq);
|
|
||||||
|
|
||||||
OPENSSL_clear_free((void *)r, sizeof(EC_KEY));
|
|
||||||
diff -up openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature openssl-3.0.1/crypto/ec/ec_local.h
|
|
||||||
--- openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature 2022-04-04 13:46:57.576161867 +0200
|
|
||||||
+++ openssl-3.0.1/crypto/ec/ec_local.h 2022-04-04 13:48:07.827780835 +0200
|
|
||||||
@@ -298,6 +298,9 @@ struct ec_key_st {
|
|
||||||
#ifndef FIPS_MODULE
|
|
||||||
CRYPTO_EX_DATA ex_data;
|
|
||||||
#endif
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ BIGNUM *sign_kat_k;
|
|
||||||
+#endif
|
|
||||||
CRYPTO_RWLOCK *lock;
|
|
||||||
OSSL_LIB_CTX *libctx;
|
|
||||||
char *propq;
|
|
||||||
diff -up openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature openssl-3.0.1/include/openssl/core_names.h
|
|
||||||
--- openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature 2022-04-04 14:06:15.717370014 +0200
|
|
||||||
+++ openssl-3.0.1/include/openssl/core_names.h 2022-04-04 14:07:35.376071229 +0200
|
|
||||||
@@ -293,6 +293,7 @@ extern "C" {
|
|
||||||
#define OSSL_PKEY_PARAM_DIST_ID "distid"
|
|
||||||
#define OSSL_PKEY_PARAM_PUB_KEY "pub"
|
|
||||||
#define OSSL_PKEY_PARAM_PRIV_KEY "priv"
|
|
||||||
+#define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k"
|
|
||||||
|
|
||||||
/* Diffie-Hellman/DSA Parameters */
|
|
||||||
#define OSSL_PKEY_PARAM_FFC_P "p"
|
|
||||||
diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c
|
|
||||||
--- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature 2022-04-04 14:21:03.043180906 +0200
|
|
||||||
+++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-04-04 14:38:33.949406645 +0200
|
|
||||||
@@ -530,7 +530,8 @@ end:
|
|
||||||
# define EC_IMEXPORTABLE_PUBLIC_KEY \
|
|
||||||
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0)
|
|
||||||
# define EC_IMEXPORTABLE_PRIVATE_KEY \
|
|
||||||
- OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0), \
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, NULL, 0)
|
|
||||||
# define EC_IMEXPORTABLE_OTHER_PARAMETERS \
|
|
||||||
OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL), \
|
|
||||||
OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, NULL)
|
|
||||||
diff -up openssl-3.0.1/providers/fips/self_test_kats.c.kat openssl-3.0.1/providers/fips/self_test_kats.c
|
|
||||||
--- openssl-3.0.1/providers/fips/self_test_kats.c.kat 2022-05-10 15:10:32.502185265 +0200
|
|
||||||
+++ openssl-3.0.1/providers/fips/self_test_kats.c 2022-05-10 15:13:21.465653720 +0200
|
|
||||||
@@ -17,6 +17,8 @@
|
|
||||||
#include "self_test.h"
|
|
||||||
#include "self_test_data.inc"
|
|
||||||
|
|
||||||
+int REDHAT_FIPS_signature_st = 0;
|
|
||||||
+
|
|
||||||
static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st,
|
|
||||||
OSSL_LIB_CTX *libctx)
|
|
||||||
{
|
|
||||||
@@ -446,6 +448,7 @@ static int self_test_sign(const ST_KAT_S
|
|
||||||
EVP_PKEY *pkey = NULL;
|
|
||||||
unsigned char sig[256];
|
|
||||||
BN_CTX *bnctx = NULL;
|
|
||||||
+ BIGNUM *K = NULL;
|
|
||||||
size_t siglen = sizeof(sig);
|
|
||||||
static const unsigned char dgst[] = {
|
|
||||||
0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
|
|
||||||
@@ -462,6 +465,9 @@ static int self_test_sign(const ST_KAT_S
|
|
||||||
bnctx = BN_CTX_new_ex(libctx);
|
|
||||||
if (bnctx == NULL)
|
|
||||||
goto err;
|
|
||||||
+ K = BN_CTX_get(bnctx);
|
|
||||||
+ if (K == NULL || BN_bin2bn(dgst, sizeof(dgst), K) == NULL)
|
|
||||||
+ goto err;
|
|
||||||
|
|
||||||
bld = OSSL_PARAM_BLD_new();
|
|
||||||
if (bld == NULL)
|
|
||||||
@@ -469,6 +475,9 @@ static int self_test_sign(const ST_KAT_S
|
|
||||||
|
|
||||||
if (!add_params(bld, t->key, bnctx))
|
|
||||||
goto err;
|
|
||||||
+ /* set K for ECDSA KAT tests */
|
|
||||||
+ if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, K))
|
|
||||||
+ goto err;
|
|
||||||
params = OSSL_PARAM_BLD_to_param(bld);
|
|
||||||
|
|
||||||
/* Create a EVP_PKEY_CTX to load the DSA key into */
|
|
||||||
@@ -689,11 +698,13 @@ static int self_test_kas(OSSL_SELF_TEST
|
|
||||||
static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
|
|
||||||
{
|
|
||||||
int i, ret = 1;
|
|
||||||
+ REDHAT_FIPS_signature_st = 1;
|
|
||||||
|
|
||||||
for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {
|
|
||||||
if (!self_test_sign(&st_kat_sign_tests[i], st, libctx))
|
|
||||||
ret = 0;
|
|
||||||
}
|
|
||||||
+ REDHAT_FIPS_signature_st = 0;
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssl-3.0.1/providers/fips/self_test_data.inc.kat openssl-3.0.1/providers/fips/self_test_data.inc
|
|
||||||
--- openssl-3.0.1/providers/fips/self_test_data.inc.kat 2022-05-16 17:37:34.962807400 +0200
|
|
||||||
+++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-16 17:48:10.709376779 +0200
|
|
||||||
@@ -1399,7 +1399,151 @@ static const ST_KAT_PARAM ecdsa_prime_ke
|
|
||||||
ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv),
|
|
||||||
ST_KAT_PARAM_END()
|
|
||||||
};
|
|
||||||
+static const unsigned char ec224r1_kat_sig[] = {
|
|
||||||
+0x30, 0x3c, 0x02, 0x1c, 0x2f, 0x24, 0x30, 0x96, 0x3b, 0x39, 0xe0, 0xab, 0xe2, 0x5a, 0x6f, 0xe0,
|
|
||||||
+0x40, 0x7e, 0x19, 0x30, 0x6e, 0x6a, 0xfd, 0x7a, 0x2b, 0x5d, 0xaa, 0xc2, 0x34, 0x6c, 0xc8, 0xce,
|
|
||||||
+0x02, 0x1c, 0x47, 0xe1, 0xac, 0xfd, 0xb4, 0xb8, 0x2b, 0x8c, 0x49, 0xb6, 0x36, 0xcd, 0xdd, 0x22,
|
|
||||||
+0x2a, 0x2d, 0x29, 0x64, 0x70, 0x61, 0xc3, 0x3e, 0x18, 0x51, 0xec, 0xf2, 0xad, 0x3c
|
|
||||||
+};
|
|
||||||
|
|
||||||
+static const char ecd_prime_curve_name384[] = "secp384r1";
|
|
||||||
+/*
|
|
||||||
+priv:
|
|
||||||
+ 58:12:2b:94:be:29:23:13:83:f5:c4:20:e8:22:34:
|
|
||||||
+ 54:73:49:91:10:05:e9:10:e9:d7:2d:72:9c:5e:6a:
|
|
||||||
+ ba:8f:6d:d6:e4:a7:eb:e0:ae:e3:d4:c9:aa:33:87:
|
|
||||||
+ 4c:91:87
|
|
||||||
+pub:
|
|
||||||
+ 04:d1:86:8b:f5:c4:a2:f7:a5:92:e6:85:2a:d2:92:
|
|
||||||
+ 81:97:0a:8d:fa:09:3f:84:6c:17:43:03:43:49:23:
|
|
||||||
+ 77:c4:31:f4:0a:a4:de:87:ac:5c:c0:d1:bc:e4:43:
|
|
||||||
+ 7f:8d:44:e1:3b:5f:bc:27:c8:79:0f:d0:31:9f:a7:
|
|
||||||
+ 6d:de:fb:f7:da:19:40:fd:aa:83:dc:69:ce:a6:f3:
|
|
||||||
+ 4d:65:20:1c:66:82:80:03:f7:7b:2e:f3:b3:7c:1f:
|
|
||||||
+ 11:f2:a3:bf:e8:0e:88
|
|
||||||
+*/
|
|
||||||
+static const unsigned char ecd_prime_priv384[] = {
|
|
||||||
+ 0x58, 0x12, 0x2b, 0x94, 0xbe, 0x29, 0x23, 0x13, 0x83, 0xf5, 0xc4, 0x20, 0xe8, 0x22, 0x34,
|
|
||||||
+ 0x54, 0x73, 0x49, 0x91, 0x10, 0x05, 0xe9, 0x10, 0xe9, 0xd7, 0x2d, 0x72, 0x9c, 0x5e, 0x6a,
|
|
||||||
+ 0xba, 0x8f, 0x6d, 0xd6, 0xe4, 0xa7, 0xeb, 0xe0, 0xae, 0xe3, 0xd4, 0xc9, 0xaa, 0x33, 0x87,
|
|
||||||
+ 0x4c, 0x91, 0x87
|
|
||||||
+};
|
|
||||||
+static const unsigned char ecd_prime_pub384[] = {
|
|
||||||
+ 0x04, 0xd1, 0x86, 0x8b, 0xf5, 0xc4, 0xa2, 0xf7, 0xa5, 0x92, 0xe6, 0x85, 0x2a, 0xd2, 0x92,
|
|
||||||
+ 0x81, 0x97, 0x0a, 0x8d, 0xfa, 0x09, 0x3f, 0x84, 0x6c, 0x17, 0x43, 0x03, 0x43, 0x49, 0x23,
|
|
||||||
+ 0x77, 0xc4, 0x31, 0xf4, 0x0a, 0xa4, 0xde, 0x87, 0xac, 0x5c, 0xc0, 0xd1, 0xbc, 0xe4, 0x43,
|
|
||||||
+ 0x7f, 0x8d, 0x44, 0xe1, 0x3b, 0x5f, 0xbc, 0x27, 0xc8, 0x79, 0x0f, 0xd0, 0x31, 0x9f, 0xa7,
|
|
||||||
+ 0x6d, 0xde, 0xfb, 0xf7, 0xda, 0x19, 0x40, 0xfd, 0xaa, 0x83, 0xdc, 0x69, 0xce, 0xa6, 0xf3,
|
|
||||||
+ 0x4d, 0x65, 0x20, 0x1c, 0x66, 0x82, 0x80, 0x03, 0xf7, 0x7b, 0x2e, 0xf3, 0xb3, 0x7c, 0x1f,
|
|
||||||
+ 0x11, 0xf2, 0xa3, 0xbf, 0xe8, 0x0e, 0x88
|
|
||||||
+};
|
|
||||||
+static const ST_KAT_PARAM ecdsa_prime_key384[] = {
|
|
||||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name384),
|
|
||||||
+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub384),
|
|
||||||
+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv384),
|
|
||||||
+ ST_KAT_PARAM_END()
|
|
||||||
+};
|
|
||||||
+static const unsigned char ec384r1_kat_sig[] = {
|
|
||||||
+0x30, 0x65, 0x02, 0x30, 0x1a, 0xd5, 0x57, 0x1b, 0x28, 0x0f, 0xf1, 0x68, 0x66, 0x68, 0x8a, 0x98,
|
|
||||||
+0xe3, 0x9c, 0xce, 0x7f, 0xa7, 0x68, 0xdc, 0x84, 0x5a, 0x65, 0xdc, 0x2b, 0x5d, 0x7e, 0xf3, 0x9b,
|
|
||||||
+0xa0, 0x40, 0xe8, 0x7a, 0x02, 0xc7, 0x82, 0xe0, 0x0c, 0x81, 0xa5, 0xda, 0x55, 0x27, 0xbf, 0x79,
|
|
||||||
+0xee, 0x72, 0xc2, 0x14, 0x02, 0x31, 0x00, 0xd1, 0x9d, 0x67, 0xda, 0x5a, 0xd2, 0x58, 0x68, 0xe7,
|
|
||||||
+0x71, 0x08, 0xb2, 0xa4, 0xe4, 0xe8, 0x74, 0xb4, 0x0a, 0x3d, 0x76, 0x49, 0x31, 0x17, 0x6e, 0x33,
|
|
||||||
+0x16, 0xf0, 0x00, 0x1f, 0x3c, 0x1f, 0xf9, 0x7c, 0xdb, 0x93, 0x49, 0x9c, 0x7d, 0xb3, 0xd3, 0x30,
|
|
||||||
+0x98, 0x81, 0x6f, 0xb0, 0xc9, 0x30, 0x2f
|
|
||||||
+};
|
|
||||||
+static const char ecd_prime_curve_name521[] = "secp521r1";
|
|
||||||
+/*
|
|
||||||
+priv:
|
|
||||||
+ 00:44:0f:96:31:a9:87:f2:5f:be:a0:bc:ef:0c:ae:
|
|
||||||
+ 58:cc:5f:f8:44:9e:89:86:7e:bf:db:ce:cb:0e:20:
|
|
||||||
+ 10:4a:11:ec:0b:51:1d:e4:91:ca:c6:40:fb:c6:69:
|
|
||||||
+ ad:68:33:9e:c8:f5:c4:c6:a5:93:a8:4d:a9:a9:a2:
|
|
||||||
+ af:fe:6d:cb:c2:3b
|
|
||||||
+pub:
|
|
||||||
+ 04:01:5f:58:a9:40:0c:ee:9b:ed:4a:f4:7a:3c:a3:
|
|
||||||
+ 89:c2:f3:7e:2c:f4:b5:53:80:ae:33:7d:36:d1:b5:
|
|
||||||
+ 18:bd:ef:a9:48:00:ea:88:ee:00:5c:ca:07:08:b5:
|
|
||||||
+ 67:4a:c3:2b:10:c6:07:b0:c2:45:37:b7:1d:e3:6c:
|
|
||||||
+ e1:bf:2c:44:18:4a:aa:01:af:75:40:6a:e3:f5:b2:
|
|
||||||
+ 7f:d1:9d:1b:8b:29:1f:91:4d:db:93:bf:bd:8c:b7:
|
|
||||||
+ 6a:8d:4b:2c:36:2a:6b:ab:54:9d:7b:31:99:a4:de:
|
|
||||||
+ c9:10:c4:f4:a3:f4:6d:94:97:62:16:a5:34:65:1f:
|
|
||||||
+ 42:cd:8b:9e:e6:db:14:5d:a9:8d:19:95:8d
|
|
||||||
+*/
|
|
||||||
+static const unsigned char ecd_prime_priv521[] = {
|
|
||||||
+ 0x00, 0x44, 0x0f, 0x96, 0x31, 0xa9, 0x87, 0xf2, 0x5f, 0xbe, 0xa0, 0xbc, 0xef, 0x0c, 0xae,
|
|
||||||
+ 0x58, 0xcc, 0x5f, 0xf8, 0x44, 0x9e, 0x89, 0x86, 0x7e, 0xbf, 0xdb, 0xce, 0xcb, 0x0e, 0x20,
|
|
||||||
+ 0x10, 0x4a, 0x11, 0xec, 0x0b, 0x51, 0x1d, 0xe4, 0x91, 0xca, 0xc6, 0x40, 0xfb, 0xc6, 0x69,
|
|
||||||
+ 0xad, 0x68, 0x33, 0x9e, 0xc8, 0xf5, 0xc4, 0xc6, 0xa5, 0x93, 0xa8, 0x4d, 0xa9, 0xa9, 0xa2,
|
|
||||||
+ 0xaf, 0xfe, 0x6d, 0xcb, 0xc2, 0x3b
|
|
||||||
+};
|
|
||||||
+static const unsigned char ecd_prime_pub521[] = {
|
|
||||||
+ 0x04, 0x01, 0x5f, 0x58, 0xa9, 0x40, 0x0c, 0xee, 0x9b, 0xed, 0x4a, 0xf4, 0x7a, 0x3c, 0xa3,
|
|
||||||
+ 0x89, 0xc2, 0xf3, 0x7e, 0x2c, 0xf4, 0xb5, 0x53, 0x80, 0xae, 0x33, 0x7d, 0x36, 0xd1, 0xb5,
|
|
||||||
+ 0x18, 0xbd, 0xef, 0xa9, 0x48, 0x00, 0xea, 0x88, 0xee, 0x00, 0x5c, 0xca, 0x07, 0x08, 0xb5,
|
|
||||||
+ 0x67, 0x4a, 0xc3, 0x2b, 0x10, 0xc6, 0x07, 0xb0, 0xc2, 0x45, 0x37, 0xb7, 0x1d, 0xe3, 0x6c,
|
|
||||||
+ 0xe1, 0xbf, 0x2c, 0x44, 0x18, 0x4a, 0xaa, 0x01, 0xaf, 0x75, 0x40, 0x6a, 0xe3, 0xf5, 0xb2,
|
|
||||||
+ 0x7f, 0xd1, 0x9d, 0x1b, 0x8b, 0x29, 0x1f, 0x91, 0x4d, 0xdb, 0x93, 0xbf, 0xbd, 0x8c, 0xb7,
|
|
||||||
+ 0x6a, 0x8d, 0x4b, 0x2c, 0x36, 0x2a, 0x6b, 0xab, 0x54, 0x9d, 0x7b, 0x31, 0x99, 0xa4, 0xde,
|
|
||||||
+ 0xc9, 0x10, 0xc4, 0xf4, 0xa3, 0xf4, 0x6d, 0x94, 0x97, 0x62, 0x16, 0xa5, 0x34, 0x65, 0x1f,
|
|
||||||
+ 0x42, 0xcd, 0x8b, 0x9e, 0xe6, 0xdb, 0x14, 0x5d, 0xa9, 0x8d, 0x19, 0x95, 0x8d
|
|
||||||
+};
|
|
||||||
+static const ST_KAT_PARAM ecdsa_prime_key521[] = {
|
|
||||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name521),
|
|
||||||
+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub521),
|
|
||||||
+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv521),
|
|
||||||
+ ST_KAT_PARAM_END()
|
|
||||||
+};
|
|
||||||
+static const unsigned char ec521r1_kat_sig[] = {
|
|
||||||
+0x30, 0x81, 0x88, 0x02, 0x42, 0x00, 0xdf, 0x64, 0x9c, 0xc8, 0x5b, 0xdd, 0x0b, 0x7f, 0x69, 0x7e,
|
|
||||||
+0xdb, 0x83, 0x58, 0x67, 0x63, 0x43, 0xb7, 0xfa, 0x40, 0x29, 0xde, 0xb9, 0xde, 0xe9, 0x96, 0x65,
|
|
||||||
+0xe6, 0x8e, 0xf4, 0xeb, 0xd0, 0xe9, 0x6a, 0xd3, 0x27, 0x6c, 0x4d, 0x60, 0x47, 0x9c, 0x62, 0xb8,
|
|
||||||
+0x6c, 0xc1, 0x36, 0x19, 0x65, 0xff, 0xab, 0xcf, 0x24, 0xa3, 0xde, 0xd1, 0x4b, 0x1b, 0xdd, 0x89,
|
|
||||||
+0xcf, 0xf8, 0x72, 0x7b, 0x92, 0xbc, 0x02, 0x02, 0x42, 0x01, 0xf8, 0x07, 0x77, 0xb8, 0xcb, 0xa2,
|
|
||||||
+0xe2, 0x1f, 0x53, 0x9a, 0x7c, 0x16, 0xb5, 0x8e, 0xad, 0xe3, 0xc3, 0xac, 0xb7, 0xb2, 0x51, 0x8f,
|
|
||||||
+0xf9, 0x09, 0x65, 0x43, 0xf8, 0xd8, 0x3c, 0xe3, 0x5c, 0x4a, 0x5e, 0x3d, 0x6f, 0xb7, 0xbb, 0x5a,
|
|
||||||
+0x92, 0x69, 0xec, 0x71, 0xa2, 0x35, 0xe5, 0x29, 0x17, 0xaf, 0xc9, 0x69, 0xa7, 0xaa, 0x94, 0xf9,
|
|
||||||
+0xf9, 0x50, 0x87, 0x7b, 0x5d, 0x87, 0xe3, 0xd6, 0x3f, 0xb6, 0x6e
|
|
||||||
+};
|
|
||||||
+static const char ecd_prime_curve_name256[] = "prime256v1";
|
|
||||||
+/*
|
|
||||||
+priv:
|
|
||||||
+ 84:88:11:3f:a9:c9:9e:23:72:8b:40:cb:a2:b1:88:
|
|
||||||
+ 01:1e:92:48:af:13:2d:9b:33:8e:6d:43:40:30:c7:
|
|
||||||
+ 30:fa
|
|
||||||
+pub:
|
|
||||||
+ 04:22:58:b6:f9:01:3b:8c:a6:9b:9f:ae:75:fc:73:
|
|
||||||
+ cf:1b:f0:81:dc:55:a3:cc:5d:81:46:85:06:32:34:
|
|
||||||
+ 99:0d:c5:7e:a1:95:bb:21:73:33:40:4b:35:17:f6:
|
|
||||||
+ 8e:26:61:46:94:2c:4c:ac:9b:20:f8:08:72:25:74:
|
|
||||||
+ 98:66:c4:63:a6
|
|
||||||
+*/
|
|
||||||
+static const unsigned char ecd_prime_priv256[] = {
|
|
||||||
+ 0x84, 0x88, 0x11, 0x3f, 0xa9, 0xc9, 0x9e, 0x23, 0x72, 0x8b, 0x40, 0xcb, 0xa2, 0xb1, 0x88,
|
|
||||||
+ 0x01, 0x1e, 0x92, 0x48, 0xaf, 0x13, 0x2d, 0x9b, 0x33, 0x8e, 0x6d, 0x43, 0x40, 0x30, 0xc7,
|
|
||||||
+ 0x30, 0xfa
|
|
||||||
+};
|
|
||||||
+static const unsigned char ecd_prime_pub256[] = {
|
|
||||||
+ 0x04, 0x22, 0x58, 0xb6, 0xf9, 0x01, 0x3b, 0x8c, 0xa6, 0x9b, 0x9f, 0xae, 0x75, 0xfc, 0x73,
|
|
||||||
+ 0xcf, 0x1b, 0xf0, 0x81, 0xdc, 0x55, 0xa3, 0xcc, 0x5d, 0x81, 0x46, 0x85, 0x06, 0x32, 0x34,
|
|
||||||
+ 0x99, 0x0d, 0xc5, 0x7e, 0xa1, 0x95, 0xbb, 0x21, 0x73, 0x33, 0x40, 0x4b, 0x35, 0x17, 0xf6,
|
|
||||||
+ 0x8e, 0x26, 0x61, 0x46, 0x94, 0x2c, 0x4c, 0xac, 0x9b, 0x20, 0xf8, 0x08, 0x72, 0x25, 0x74,
|
|
||||||
+ 0x98, 0x66, 0xc4, 0x63, 0xa6
|
|
||||||
+};
|
|
||||||
+static const ST_KAT_PARAM ecdsa_prime_key256[] = {
|
|
||||||
+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name256),
|
|
||||||
+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub256),
|
|
||||||
+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv256),
|
|
||||||
+ ST_KAT_PARAM_END()
|
|
||||||
+};
|
|
||||||
+static const unsigned char ec256v1_kat_sig[] = {
|
|
||||||
+0x30, 0x46, 0x02, 0x21, 0x00, 0xc9, 0x11, 0x27, 0x06, 0x51, 0x2b, 0x50, 0x8c, 0x6b, 0xc0, 0xa6,
|
|
||||||
+0x85, 0xaa, 0xf4, 0x66, 0x0d, 0xe4, 0x54, 0x0a, 0x10, 0xb6, 0x9f, 0x87, 0xfc, 0xa2, 0xbc, 0x8f,
|
|
||||||
+0x3c, 0x58, 0xb4, 0xe9, 0x41, 0x02, 0x21, 0x00, 0xc9, 0x72, 0x94, 0xa9, 0xdd, 0x52, 0xca, 0x21,
|
|
||||||
+0x82, 0x66, 0x7a, 0x68, 0xcb, 0x1e, 0x3b, 0x12, 0x71, 0x4d, 0x56, 0xb5, 0xb7, 0xdd, 0xca, 0x2b,
|
|
||||||
+0x18, 0xa3, 0xa7, 0x08, 0x0d, 0xfa, 0x9c, 0x66
|
|
||||||
+};
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
static const char ecd_bin_curve_name[] = "sect233r1";
|
|
||||||
static const unsigned char ecd_bin_priv[] = {
|
|
||||||
@@ -1571,8 +1715,42 @@ static const ST_KAT_SIGN st_kat_sign_tes
|
|
||||||
ecdsa_prime_key,
|
|
||||||
/*
|
|
||||||
* The ECDSA signature changes each time due to it using a random k.
|
|
||||||
- * So there is no expected KAT for this case.
|
|
||||||
+ * We provide this value in our build
|
|
||||||
+ */
|
|
||||||
+ ITM(ec224r1_kat_sig)
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ OSSL_SELF_TEST_DESC_SIGN_ECDSA,
|
|
||||||
+ "EC",
|
|
||||||
+ "SHA-256",
|
|
||||||
+ ecdsa_prime_key384,
|
|
||||||
+ /*
|
|
||||||
+ * The ECDSA signature changes each time due to it using a random k.
|
|
||||||
+ * We provide this value in our build
|
|
||||||
+ */
|
|
||||||
+ ITM(ec384r1_kat_sig)
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ OSSL_SELF_TEST_DESC_SIGN_ECDSA,
|
|
||||||
+ "EC",
|
|
||||||
+ "SHA-256",
|
|
||||||
+ ecdsa_prime_key521,
|
|
||||||
+ /*
|
|
||||||
+ * The ECDSA signature changes each time due to it using a random k.
|
|
||||||
+ * We provide this value in our build
|
|
||||||
+ */
|
|
||||||
+ ITM(ec521r1_kat_sig)
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ OSSL_SELF_TEST_DESC_SIGN_ECDSA,
|
|
||||||
+ "EC",
|
|
||||||
+ "SHA-256",
|
|
||||||
+ ecdsa_prime_key256,
|
|
||||||
+ /*
|
|
||||||
+ * The ECDSA signature changes each time due to it using a random k.
|
|
||||||
+ * We provide this value in our build
|
|
||||||
*/
|
|
||||||
+ ITM(ec256v1_kat_sig)
|
|
||||||
},
|
|
||||||
# ifndef OPENSSL_NO_EC2M
|
|
||||||
{
|
|
||||||
diff -up openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c
|
|
||||||
--- openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat 2022-05-30 14:48:53.180999124 +0200
|
|
||||||
+++ openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c 2022-05-30 14:58:52.841286228 +0200
|
|
||||||
@@ -44,6 +44,10 @@
|
|
||||||
#define S390X_OFF_RN(n) (4 * n)
|
|
||||||
#define S390X_OFF_Y(n) (4 * n)
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+extern int REDHAT_FIPS_signature_st;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
|
|
||||||
const BIGNUM *scalar,
|
|
||||||
size_t num, const EC_POINT *points[],
|
|
||||||
@@ -183,11 +187,21 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign
|
|
||||||
* because kdsa instruction constructs an in-range, invertible nonce
|
|
||||||
* internally implementing counter-measures for RNG weakness.
|
|
||||||
*/
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) {
|
|
||||||
+ BN_bn2binpad(eckey->sign_kat_k, param + S390X_OFF_RN(len), len);
|
|
||||||
+ /* Turns KDSA internal nonce-generation off. */
|
|
||||||
+ fc |= S390X_KDSA_D;
|
|
||||||
+ } else {
|
|
||||||
+#endif
|
|
||||||
if (RAND_priv_bytes_ex(eckey->libctx, param + S390X_OFF_RN(len),
|
|
||||||
(size_t)len, 0) != 1) {
|
|
||||||
ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
|
|
||||||
goto ret;
|
|
||||||
}
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
} else {
|
|
||||||
/* Reconstruct k = (k^-1)^-1. */
|
|
||||||
if (ossl_ec_group_do_inverse_ord(group, k, kinv, NULL) == 0
|
|
||||||
@ -1,703 +0,0 @@
|
|||||||
From 33ffd36afa7594aeb958a925f521cb287ca850c8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
|
||||||
Date: Mon, 27 Jun 2022 12:14:55 +1000
|
|
||||||
Subject: [PATCH 1/2] Revert "Revert "bn: Add fixed length (n=6), unrolled PPC
|
|
||||||
Montgomery Multiplication""
|
|
||||||
|
|
||||||
This reverts commit 712d9cc90e355b2c98a959d4e9398610d2269c9e.
|
|
||||||
---
|
|
||||||
crypto/bn/asm/ppc64-mont-fixed.pl | 581 ++++++++++++++++++++++++++++++
|
|
||||||
crypto/bn/bn_ppc.c | 15 +
|
|
||||||
crypto/bn/build.info | 3 +-
|
|
||||||
3 files changed, 598 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl
|
|
||||||
index e69de29bb2d1..0fb397bc5f12 100755
|
|
||||||
--- a/crypto/bn/asm/ppc64-mont-fixed.pl
|
|
||||||
+++ b/crypto/bn/asm/ppc64-mont-fixed.pl
|
|
||||||
@@ -0,0 +1,581 @@
|
|
||||||
+#! /usr/bin/env perl
|
|
||||||
+# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+#
|
|
||||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+# this file except in compliance with the License. You can obtain a copy
|
|
||||||
+# in the file LICENSE in the source distribution or at
|
|
||||||
+# https://www.openssl.org/source/license.html
|
|
||||||
+
|
|
||||||
+# ====================================================================
|
|
||||||
+# Written by Amitay Isaacs <amitay@ozlabs.org>, Martin Schwenke
|
|
||||||
+# <martin@meltin.net> & Alastair D'Silva <alastair@d-silva.org> for
|
|
||||||
+# the OpenSSL project.
|
|
||||||
+# ====================================================================
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Fixed length (n=6), unrolled PPC Montgomery Multiplication
|
|
||||||
+#
|
|
||||||
+
|
|
||||||
+# 2021
|
|
||||||
+#
|
|
||||||
+# Although this is a generic implementation for unrolling Montgomery
|
|
||||||
+# Multiplication for arbitrary values of n, this is currently only
|
|
||||||
+# used for n = 6 to improve the performance of ECC p384.
|
|
||||||
+#
|
|
||||||
+# Unrolling allows intermediate results to be stored in registers,
|
|
||||||
+# rather than on the stack, improving performance by ~7% compared to
|
|
||||||
+# the existing PPC assembly code.
|
|
||||||
+#
|
|
||||||
+# The ISA 3.0 implementation uses combination multiply/add
|
|
||||||
+# instructions (maddld, maddhdu) to improve performance by an
|
|
||||||
+# additional ~10% on Power 9.
|
|
||||||
+#
|
|
||||||
+# Finally, saving non-volatile registers into volatile vector
|
|
||||||
+# registers instead of onto the stack saves a little more.
|
|
||||||
+#
|
|
||||||
+# On a Power 9 machine we see an overall improvement of ~18%.
|
|
||||||
+#
|
|
||||||
+
|
|
||||||
+use strict;
|
|
||||||
+use warnings;
|
|
||||||
+
|
|
||||||
+my ($flavour, $output, $dir, $xlate);
|
|
||||||
+
|
|
||||||
+# $output is the last argument if it looks like a file (it has an extension)
|
|
||||||
+# $flavour is the first argument if it doesn't look like a file
|
|
||||||
+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
|
|
||||||
+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
|
|
||||||
+
|
|
||||||
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
|
|
||||||
+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
|
|
||||||
+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
|
|
||||||
+die "can't locate ppc-xlate.pl";
|
|
||||||
+
|
|
||||||
+open STDOUT,"| $^X $xlate $flavour \"$output\""
|
|
||||||
+ or die "can't call $xlate: $!";
|
|
||||||
+
|
|
||||||
+if ($flavour !~ /64/) {
|
|
||||||
+ die "bad flavour ($flavour) - only ppc64 permitted";
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+my $SIZE_T= 8;
|
|
||||||
+
|
|
||||||
+# Registers are global so the code is remotely readable
|
|
||||||
+
|
|
||||||
+# Parameters for Montgomery multiplication
|
|
||||||
+my $sp = "r1";
|
|
||||||
+my $toc = "r2";
|
|
||||||
+my $rp = "r3";
|
|
||||||
+my $ap = "r4";
|
|
||||||
+my $bp = "r5";
|
|
||||||
+my $np = "r6";
|
|
||||||
+my $n0 = "r7";
|
|
||||||
+my $num = "r8";
|
|
||||||
+
|
|
||||||
+my $i = "r9";
|
|
||||||
+my $c0 = "r10";
|
|
||||||
+my $bp0 = "r11";
|
|
||||||
+my $bpi = "r11";
|
|
||||||
+my $bpj = "r11";
|
|
||||||
+my $tj = "r12";
|
|
||||||
+my $apj = "r12";
|
|
||||||
+my $npj = "r12";
|
|
||||||
+my $lo = "r14";
|
|
||||||
+my $c1 = "r14";
|
|
||||||
+
|
|
||||||
+# Non-volatile registers used for tp[i]
|
|
||||||
+#
|
|
||||||
+# 12 registers are available but the limit on unrolling is 10,
|
|
||||||
+# since registers from $tp[0] to $tp[$n+1] are used.
|
|
||||||
+my @tp = ("r20" .. "r31");
|
|
||||||
+
|
|
||||||
+# volatile VSRs for saving non-volatile GPRs - faster than stack
|
|
||||||
+my @vsrs = ("v32" .. "v46");
|
|
||||||
+
|
|
||||||
+package Mont;
|
|
||||||
+
|
|
||||||
+sub new($$)
|
|
||||||
+{
|
|
||||||
+ my ($class, $n) = @_;
|
|
||||||
+
|
|
||||||
+ if ($n > 10) {
|
|
||||||
+ die "Can't unroll for BN length ${n} (maximum 10)"
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ my $self = {
|
|
||||||
+ code => "",
|
|
||||||
+ n => $n,
|
|
||||||
+ };
|
|
||||||
+ bless $self, $class;
|
|
||||||
+
|
|
||||||
+ return $self;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub add_code($$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $c) = @_;
|
|
||||||
+
|
|
||||||
+ $self->{code} .= $c;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub get_code($)
|
|
||||||
+{
|
|
||||||
+ my ($self) = @_;
|
|
||||||
+
|
|
||||||
+ return $self->{code};
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub get_function_name($)
|
|
||||||
+{
|
|
||||||
+ my ($self) = @_;
|
|
||||||
+
|
|
||||||
+ return "bn_mul_mont_fixed_n" . $self->{n};
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub get_label($$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $l) = @_;
|
|
||||||
+
|
|
||||||
+ return "L" . $l . "_" . $self->{n};
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub get_labels($@)
|
|
||||||
+{
|
|
||||||
+ my ($self, @labels) = @_;
|
|
||||||
+
|
|
||||||
+ my %out = ();
|
|
||||||
+
|
|
||||||
+ foreach my $l (@labels) {
|
|
||||||
+ $out{"$l"} = $self->get_label("$l");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return \%out;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub nl($)
|
|
||||||
+{
|
|
||||||
+ my ($self) = @_;
|
|
||||||
+
|
|
||||||
+ $self->add_code("\n");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub copy_result($)
|
|
||||||
+{
|
|
||||||
+ my ($self) = @_;
|
|
||||||
+
|
|
||||||
+ my ($n) = $self->{n};
|
|
||||||
+
|
|
||||||
+ for (my $j = 0; $j < $n; $j++) {
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ std $tp[$j],`$j*$SIZE_T`($rp)
|
|
||||||
+___
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub mul_mont_fixed($)
|
|
||||||
+{
|
|
||||||
+ my ($self) = @_;
|
|
||||||
+
|
|
||||||
+ my ($n) = $self->{n};
|
|
||||||
+ my $fname = $self->get_function_name();
|
|
||||||
+ my $label = $self->get_labels("outer", "enter", "sub", "copy", "end");
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+
|
|
||||||
+.globl .${fname}
|
|
||||||
+.align 5
|
|
||||||
+.${fname}:
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ $self->save_registers();
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ ld $n0,0($n0)
|
|
||||||
+
|
|
||||||
+ ld $bp0,0($bp)
|
|
||||||
+
|
|
||||||
+ ld $apj,0($ap)
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ $self->mul_c_0($tp[0], $apj, $bp0, $c0);
|
|
||||||
+
|
|
||||||
+ for (my $j = 1; $j < $n - 1; $j++) {
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ ld $apj,`$j*$SIZE_T`($ap)
|
|
||||||
+___
|
|
||||||
+ $self->mul($tp[$j], $apj, $bp0, $c0);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ ld $apj,`($n-1)*$SIZE_T`($ap)
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ $self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0);
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ li $tp[$n+1],0
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ li $i,0
|
|
||||||
+ mtctr $num
|
|
||||||
+ b $label->{"enter"}
|
|
||||||
+
|
|
||||||
+.align 4
|
|
||||||
+$label->{"outer"}:
|
|
||||||
+ ldx $bpi,$bp,$i
|
|
||||||
+
|
|
||||||
+ ld $apj,0($ap)
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ $self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0);
|
|
||||||
+
|
|
||||||
+ for (my $j = 1; $j < $n; $j++) {
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ ld $apj,`$j*$SIZE_T`($ap)
|
|
||||||
+___
|
|
||||||
+ $self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ addc $tp[$n],$tp[$n],$c0
|
|
||||||
+ addze $tp[$n+1],$tp[$n+1]
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+.align 4
|
|
||||||
+$label->{"enter"}:
|
|
||||||
+ mulld $bpi,$tp[0],$n0
|
|
||||||
+
|
|
||||||
+ ld $npj,0($np)
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ $self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0);
|
|
||||||
+
|
|
||||||
+ for (my $j = 1; $j < $n; $j++) {
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ ld $npj,`$j*$SIZE_T`($np)
|
|
||||||
+___
|
|
||||||
+ $self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ addc $tp[$n-1],$tp[$n],$c0
|
|
||||||
+ addze $tp[$n],$tp[$n+1]
|
|
||||||
+
|
|
||||||
+ addi $i,$i,$SIZE_T
|
|
||||||
+ bdnz $label->{"outer"}
|
|
||||||
+
|
|
||||||
+ and. $tp[$n],$tp[$n],$tp[$n]
|
|
||||||
+ bne $label->{"sub"}
|
|
||||||
+
|
|
||||||
+ cmpld $tp[$n-1],$npj
|
|
||||||
+ blt $label->{"copy"}
|
|
||||||
+
|
|
||||||
+$label->{"sub"}:
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ #
|
|
||||||
+ # Reduction
|
|
||||||
+ #
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ ld $bpj,`0*$SIZE_T`($np)
|
|
||||||
+ subfc $c1,$bpj,$tp[0]
|
|
||||||
+ std $c1,`0*$SIZE_T`($rp)
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+ for (my $j = 1; $j < $n - 1; $j++) {
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ ld $bpj,`$j*$SIZE_T`($np)
|
|
||||||
+ subfe $c1,$bpj,$tp[$j]
|
|
||||||
+ std $c1,`$j*$SIZE_T`($rp)
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ subfe $c1,$npj,$tp[$n-1]
|
|
||||||
+ std $c1,`($n-1)*$SIZE_T`($rp)
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ addme. $tp[$n],$tp[$n]
|
|
||||||
+ beq $label->{"end"}
|
|
||||||
+
|
|
||||||
+$label->{"copy"}:
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ $self->copy_result();
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+
|
|
||||||
+$label->{"end"}:
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ $self->restore_registers();
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ li r3,1
|
|
||||||
+ blr
|
|
||||||
+.size .${fname},.-.${fname}
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+package Mont::GPR;
|
|
||||||
+
|
|
||||||
+our @ISA = ('Mont');
|
|
||||||
+
|
|
||||||
+sub new($$)
|
|
||||||
+{
|
|
||||||
+ my ($class, $n) = @_;
|
|
||||||
+
|
|
||||||
+ return $class->SUPER::new($n);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub save_registers($)
|
|
||||||
+{
|
|
||||||
+ my ($self) = @_;
|
|
||||||
+
|
|
||||||
+ my $n = $self->{n};
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ std $lo,-8($sp)
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ for (my $j = 0; $j <= $n+1; $j++) {
|
|
||||||
+ $self->{code}.=<<___;
|
|
||||||
+ std $tp[$j],-`($j+2)*8`($sp)
|
|
||||||
+___
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub restore_registers($)
|
|
||||||
+{
|
|
||||||
+ my ($self) = @_;
|
|
||||||
+
|
|
||||||
+ my $n = $self->{n};
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ ld $lo,-8($sp)
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ for (my $j = 0; $j <= $n+1; $j++) {
|
|
||||||
+ $self->{code}.=<<___;
|
|
||||||
+ ld $tp[$j],-`($j+2)*8`($sp)
|
|
||||||
+___
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $self->{code} .=<<___;
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Direct translation of C mul()
|
|
||||||
+sub mul($$$$$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $r, $a, $w, $c) = @_;
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ mulld $lo,$a,$w
|
|
||||||
+ addc $r,$lo,$c
|
|
||||||
+ mulhdu $c,$a,$w
|
|
||||||
+ addze $c,$c
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Like mul() but $c is ignored as an input - an optimisation to save a
|
|
||||||
+# preliminary instruction that would set input $c to 0
|
|
||||||
+sub mul_c_0($$$$$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $r, $a, $w, $c) = @_;
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ mulld $r,$a,$w
|
|
||||||
+ mulhdu $c,$a,$w
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Like mul() but does not to the final addition of CA into $c - an
|
|
||||||
+# optimisation to save an instruction
|
|
||||||
+sub mul_last($$$$$$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $r1, $r2, $a, $w, $c) = @_;
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ mulld $lo,$a,$w
|
|
||||||
+ addc $r1,$lo,$c
|
|
||||||
+ mulhdu $c,$a,$w
|
|
||||||
+
|
|
||||||
+ addze $r2,$c
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Like C mul_add() but allow $r_out and $r_in to be different
|
|
||||||
+sub mul_add($$$$$$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ mulld $lo,$a,$w
|
|
||||||
+ addc $lo,$lo,$c
|
|
||||||
+ mulhdu $c,$a,$w
|
|
||||||
+ addze $c,$c
|
|
||||||
+ addc $r_out,$r_in,$lo
|
|
||||||
+ addze $c,$c
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Like mul_add() but $c is ignored as an input - an optimisation to save a
|
|
||||||
+# preliminary instruction that would set input $c to 0
|
|
||||||
+sub mul_add_c_0($$$$$$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ mulld $lo,$a,$w
|
|
||||||
+ addc $r_out,$r_in,$lo
|
|
||||||
+ mulhdu $c,$a,$w
|
|
||||||
+ addze $c,$c
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+package Mont::GPR_300;
|
|
||||||
+
|
|
||||||
+our @ISA = ('Mont::GPR');
|
|
||||||
+
|
|
||||||
+sub new($$)
|
|
||||||
+{
|
|
||||||
+ my ($class, $n) = @_;
|
|
||||||
+
|
|
||||||
+ my $mont = $class->SUPER::new($n);
|
|
||||||
+
|
|
||||||
+ return $mont;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub get_function_name($)
|
|
||||||
+{
|
|
||||||
+ my ($self) = @_;
|
|
||||||
+
|
|
||||||
+ return "bn_mul_mont_300_fixed_n" . $self->{n};
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub get_label($$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $l) = @_;
|
|
||||||
+
|
|
||||||
+ return "L" . $l . "_300_" . $self->{n};
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Direct translation of C mul()
|
|
||||||
+sub mul($$$$$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $r, $a, $w, $c, $last) = @_;
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ maddld $r,$a,$w,$c
|
|
||||||
+ maddhdu $c,$a,$w,$c
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Save the last carry as the final entry
|
|
||||||
+sub mul_last($$$$$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $r1, $r2, $a, $w, $c) = @_;
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ maddld $r1,$a,$w,$c
|
|
||||||
+ maddhdu $r2,$a,$w,$c
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Like mul() but $c is ignored as an input - an optimisation to save a
|
|
||||||
+# preliminary instruction that would set input $c to 0
|
|
||||||
+sub mul_c_0($$$$$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $r, $a, $w, $c) = @_;
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ mulld $r,$a,$w
|
|
||||||
+ mulhdu $c,$a,$w
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Like C mul_add() but allow $r_out and $r_in to be different
|
|
||||||
+sub mul_add($$$$$$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ maddld $lo,$a,$w,$c
|
|
||||||
+ maddhdu $c,$a,$w,$c
|
|
||||||
+ addc $r_out,$r_in,$lo
|
|
||||||
+ addze $c,$c
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Like mul_add() but $c is ignored as an input - an optimisation to save a
|
|
||||||
+# preliminary instruction that would set input $c to 0
|
|
||||||
+sub mul_add_c_0($$$$$$)
|
|
||||||
+{
|
|
||||||
+ my ($self, $r_out, $r_in, $a, $w, $c) = @_;
|
|
||||||
+
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ maddld $lo,$a,$w,$r_in
|
|
||||||
+ maddhdu $c,$a,$w,$r_in
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ if ($r_out ne $lo) {
|
|
||||||
+ $self->add_code(<<___);
|
|
||||||
+ mr $r_out,$lo
|
|
||||||
+___
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $self->nl();
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+package main;
|
|
||||||
+
|
|
||||||
+my $code;
|
|
||||||
+
|
|
||||||
+$code.=<<___;
|
|
||||||
+.machine "any"
|
|
||||||
+.text
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+my $mont;
|
|
||||||
+
|
|
||||||
+$mont = new Mont::GPR(6);
|
|
||||||
+$mont->mul_mont_fixed();
|
|
||||||
+$code .= $mont->get_code();
|
|
||||||
+
|
|
||||||
+$mont = new Mont::GPR_300(6);
|
|
||||||
+$mont->mul_mont_fixed();
|
|
||||||
+$code .= $mont->get_code();
|
|
||||||
+
|
|
||||||
+$code =~ s/\`([^\`]*)\`/eval $1/gem;
|
|
||||||
+
|
|
||||||
+$code.=<<___;
|
|
||||||
+.asciz "Montgomery Multiplication for PPC by <amitay\@ozlabs.org>, <alastair\@d-silva.org>"
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+print $code;
|
|
||||||
+close STDOUT or die "error closing STDOUT: $!";
|
|
||||||
diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c
|
|
||||||
index 3ee76ea96574..1e9421bee213 100644
|
|
||||||
--- a/crypto/bn/bn_ppc.c
|
|
||||||
+++ b/crypto/bn/bn_ppc.c
|
|
||||||
@@ -19,6 +19,12 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
|
|
||||||
const BN_ULONG *np, const BN_ULONG *n0, int num);
|
|
||||||
int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
|
|
||||||
const BN_ULONG *np, const BN_ULONG *n0, int num);
|
|
||||||
+ int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
|
|
||||||
+ const BN_ULONG *bp, const BN_ULONG *np,
|
|
||||||
+ const BN_ULONG *n0, int num);
|
|
||||||
+ int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
|
|
||||||
+ const BN_ULONG *bp, const BN_ULONG *np,
|
|
||||||
+ const BN_ULONG *n0, int num);
|
|
||||||
|
|
||||||
if (num < 4)
|
|
||||||
return 0;
|
|
||||||
@@ -34,5 +40,14 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
|
|
||||||
* no opportunity to figure it out...
|
|
||||||
*/
|
|
||||||
|
|
||||||
+#if defined(_ARCH_PPC64) && !defined(__ILP32__)
|
|
||||||
+ if (num == 6) {
|
|
||||||
+ if (OPENSSL_ppccap_P & PPC_MADD300)
|
|
||||||
+ return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num);
|
|
||||||
+ else
|
|
||||||
+ return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num);
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
return bn_mul_mont_int(rp, ap, bp, np, n0, num);
|
|
||||||
}
|
|
||||||
diff --git a/crypto/bn/build.info b/crypto/bn/build.info
|
|
||||||
index 4f8d0689b5ea..987a70ae263b 100644
|
|
||||||
--- a/crypto/bn/build.info
|
|
||||||
+++ b/crypto/bn/build.info
|
|
||||||
@@ -79,7 +79,7 @@ IF[{- !$disabled{asm} -}]
|
|
||||||
|
|
||||||
$BNASM_ppc32=bn_ppc.c bn-ppc.s ppc-mont.s
|
|
||||||
$BNDEF_ppc32=OPENSSL_BN_ASM_MONT
|
|
||||||
- $BNASM_ppc64=$BNASM_ppc32
|
|
||||||
+ $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s
|
|
||||||
$BNDEF_ppc64=$BNDEF_ppc32
|
|
||||||
|
|
||||||
$BNASM_c64xplus=asm/bn-c64xplus.asm
|
|
||||||
@@ -173,6 +173,7 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.pl
|
|
||||||
GENERATE[bn-ppc.s]=asm/ppc.pl
|
|
||||||
GENERATE[ppc-mont.s]=asm/ppc-mont.pl
|
|
||||||
GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl
|
|
||||||
+GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl
|
|
||||||
|
|
||||||
GENERATE[alpha-mont.S]=asm/alpha-mont.pl
|
|
||||||
|
|
||||||
|
|
||||||
From 01ebad0d6e3a09bc9e32350b402901471610a3dc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
|
||||||
Date: Thu, 30 Jun 2022 16:21:06 +1000
|
|
||||||
Subject: [PATCH 2/2] Fix unrolled montgomery multiplication for POWER9
|
|
||||||
|
|
||||||
In the reference C implementation in bn_asm.c, tp[num + 1] contains the
|
|
||||||
carry bit for accumulations into tp[num]. tp[num + 1] is only ever
|
|
||||||
assigned, never itself incremented.
|
|
||||||
---
|
|
||||||
crypto/bn/asm/ppc64-mont-fixed.pl | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl
|
|
||||||
index 0fb397bc5f12..e27d0ad93d85 100755
|
|
||||||
--- a/crypto/bn/asm/ppc64-mont-fixed.pl
|
|
||||||
+++ b/crypto/bn/asm/ppc64-mont-fixed.pl
|
|
||||||
@@ -63,6 +63,7 @@
|
|
||||||
# Registers are global so the code is remotely readable
|
|
||||||
|
|
||||||
# Parameters for Montgomery multiplication
|
|
||||||
+my $ze = "r0";
|
|
||||||
my $sp = "r1";
|
|
||||||
my $toc = "r2";
|
|
||||||
my $rp = "r3";
|
|
||||||
@@ -192,6 +193,7 @@ ($)
|
|
||||||
$self->save_registers();
|
|
||||||
|
|
||||||
$self->add_code(<<___);
|
|
||||||
+ li $ze,0
|
|
||||||
ld $n0,0($n0)
|
|
||||||
|
|
||||||
ld $bp0,0($bp)
|
|
||||||
@@ -242,7 +244,7 @@ ($)
|
|
||||||
|
|
||||||
$self->add_code(<<___);
|
|
||||||
addc $tp[$n],$tp[$n],$c0
|
|
||||||
- addze $tp[$n+1],$tp[$n+1]
|
|
||||||
+ addze $tp[$n+1],$ze
|
|
||||||
___
|
|
||||||
|
|
||||||
$self->add_code(<<___);
|
|
||||||
@@ -272,7 +274,7 @@ ($)
|
|
||||||
and. $tp[$n],$tp[$n],$tp[$n]
|
|
||||||
bne $label->{"sub"}
|
|
||||||
|
|
||||||
- cmpld $tp[$n-1],$npj
|
|
||||||
+ cmpld $tp[$n-1],$npj
|
|
||||||
blt $label->{"copy"}
|
|
||||||
|
|
||||||
$label->{"sub"}:
|
|
||||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,138 +0,0 @@
|
|||||||
From 0c4aaedf29a1ed1559762515bfeaa5923925e18f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Thu, 11 Aug 2022 09:27:12 +0200
|
|
||||||
Subject: [PATCH 1/2] Add FIPS indicator parameter to HKDF
|
|
||||||
|
|
||||||
NIST considers HKDF only acceptable when used as in TLS 1.3, and
|
|
||||||
otherwise unapproved. Add an explicit indicator attached to the
|
|
||||||
EVP_KDF_CTX that can be queried using EVP_KDF_CTX_get_params() to
|
|
||||||
determine whether the KDF operation was approved after performing it.
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
Related: rhbz#2114772
|
|
||||||
---
|
|
||||||
include/crypto/evp.h | 7 ++++
|
|
||||||
include/openssl/core_names.h | 1 +
|
|
||||||
include/openssl/kdf.h | 4 ++
|
|
||||||
providers/implementations/kdfs/hkdf.c | 53 +++++++++++++++++++++++++++
|
|
||||||
4 files changed, 65 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
|
||||||
index e70d8e9e84..76fb990de4 100644
|
|
||||||
--- a/include/crypto/evp.h
|
|
||||||
+++ b/include/crypto/evp.h
|
|
||||||
@@ -219,6 +219,13 @@ struct evp_mac_st {
|
|
||||||
OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
|
|
||||||
};
|
|
||||||
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
|
|
||||||
+ * Additional Keys from a Cryptographic Key, "[t]he length of the
|
|
||||||
+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
|
|
||||||
+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
struct evp_kdf_st {
|
|
||||||
OSSL_PROVIDER *prov;
|
|
||||||
int name_id;
|
|
||||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
|
||||||
index 21c94d0488..c019afbbb0 100644
|
|
||||||
--- a/include/openssl/core_names.h
|
|
||||||
+++ b/include/openssl/core_names.h
|
|
||||||
@@ -223,6 +223,7 @@ extern "C" {
|
|
||||||
#define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo"
|
|
||||||
#define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo"
|
|
||||||
#define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits"
|
|
||||||
+#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
|
|
||||||
|
|
||||||
/* Known KDF names */
|
|
||||||
#define OSSL_KDF_NAME_HKDF "HKDF"
|
|
||||||
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
|
|
||||||
index 0983230a48..86171635ea 100644
|
|
||||||
--- a/include/openssl/kdf.h
|
|
||||||
+++ b/include/openssl/kdf.h
|
|
||||||
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
|
|
||||||
# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
|
|
||||||
# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
|
|
||||||
|
|
||||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
|
||||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
|
|
||||||
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
|
||||||
+
|
|
||||||
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
|
|
||||||
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
|
|
||||||
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
|
|
||||||
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
|
|
||||||
index afdb7138e1..6f06fa58fe 100644
|
|
||||||
--- a/providers/implementations/kdfs/hkdf.c
|
|
||||||
+++ b/providers/implementations/kdfs/hkdf.c
|
|
||||||
@@ -298,6 +298,56 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
||||||
return 0;
|
|
||||||
return OSSL_PARAM_set_size_t(p, sz);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
|
||||||
+ != NULL) {
|
|
||||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED;
|
|
||||||
+ switch (ctx->mode) {
|
|
||||||
+ case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
|
|
||||||
+ /* TLS 1.3 never uses extract-and-expand */
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ break;
|
|
||||||
+ case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
|
|
||||||
+ {
|
|
||||||
+ /* When TLS 1.3 uses extract, the following holds:
|
|
||||||
+ * 1. The salt length matches the hash length, and either
|
|
||||||
+ * 2.1. the key is all zeroes and matches the hash length, or
|
|
||||||
+ * 2.2. the key originates from a PSK (resumption_master_secret
|
|
||||||
+ * or some externally esablished key), or an ECDH or DH key
|
|
||||||
+ * derivation. See
|
|
||||||
+ * https://www.rfc-editor.org/rfc/rfc8446#section-7.1.
|
|
||||||
+ * Unfortunately at this point, we cannot verify where the key
|
|
||||||
+ * comes from, so all we can do is check the salt length.
|
|
||||||
+ */
|
|
||||||
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
|
|
||||||
+ if (md != NULL && ctx->salt_len == (size_t) EVP_MD_get_size(md))
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+ else
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
+ case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
|
|
||||||
+ /* When TLS 1.3 uses expand, it always provides a label that
|
|
||||||
+ * contains an uint16 for the length, followed by between 7 and 255
|
|
||||||
+ * bytes for a label string that starts with "tls13 " or "dtls13".
|
|
||||||
+ * For compatibility with future versions, we only check for "tls"
|
|
||||||
+ * or "dtls". See
|
|
||||||
+ * https://www.rfc-editor.org/rfc/rfc8446#section-7.1 and
|
|
||||||
+ * https://www.rfc-editor.org/rfc/rfc9147#section-5.9. */
|
|
||||||
+ if (ctx->label != NULL
|
|
||||||
+ && ctx->label_len >= 2 /* length */ + 4 /* "dtls" */
|
|
||||||
+ && (strncmp("tls", (const char *)ctx->label + 2, 3) == 0 ||
|
|
||||||
+ strncmp("dtls", (const char *)ctx->label + 2, 4) == 0))
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+ else
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ return OSSL_PARAM_set_int(p, fips_indicator);
|
|
||||||
+ }
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+
|
|
||||||
return -2;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -306,6 +356,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
{
|
|
||||||
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
OSSL_PARAM_END
|
|
||||||
};
|
|
||||||
return known_gettable_ctx_params;
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
@ -0,0 +1,906 @@
|
|||||||
|
From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
|
Date: Thu, 11 Aug 2022 09:27:12 +0200
|
||||||
|
Subject: KDF: Add FIPS indicators
|
||||||
|
|
||||||
|
FIPS requires a number of restrictions on the parameters of the various
|
||||||
|
key derivation functions implemented in OpenSSL. The KDFs that use
|
||||||
|
digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
|
||||||
|
C.C). Additionally, some application-specific KDFs have further
|
||||||
|
restrictions defined in SP 800-135r1.
|
||||||
|
|
||||||
|
Generally, all KDFs shall use a key-derivation key length of at least
|
||||||
|
112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
|
||||||
|
to generate and output length of less than 112 bits will also set the
|
||||||
|
indicator to unapproved.
|
||||||
|
|
||||||
|
Add explicit indicators to all KDFs usable in FIPS mode except for
|
||||||
|
PBKDF2 (which has its specific FIPS limits already implemented). The
|
||||||
|
indicator can be queried using EVP_KDF_CTX_get_params() after setting
|
||||||
|
the required parameters and keys for the KDF.
|
||||||
|
|
||||||
|
Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
|
||||||
|
truncated variants -224 and -384) and SHA3 (-256 and -512, and the
|
||||||
|
truncated versions -224 and -384), as well as SHAKE-128 and -256.
|
||||||
|
|
||||||
|
The SHAKE functions are generally not allowed in KDFs. For the rest, the
|
||||||
|
support matrix is:
|
||||||
|
|
||||||
|
KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated
|
||||||
|
==========================================================================
|
||||||
|
KBKDF | x | x | x | x | x
|
||||||
|
HKDF | x | x | x | x | x
|
||||||
|
TLS1PRF | | SHA-{256,384,512} only | |
|
||||||
|
SSHKDF | x | x | x | |
|
||||||
|
SSKDF | x | x | x | x | x
|
||||||
|
X9.63KDF | | x | x | x | x
|
||||||
|
X9.42-ASN1 | x | x | x | x | x
|
||||||
|
TLS1.3PRF | | SHA-{256,384} only | |
|
||||||
|
|
||||||
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||||
|
Resolves: rhbz#2160733 rhbz#2164763
|
||||||
|
Related: rhbz#2114772 rhbz#2141695
|
||||||
|
---
|
||||||
|
include/crypto/evp.h | 7 ++
|
||||||
|
include/openssl/kdf.h | 4 +
|
||||||
|
providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++-
|
||||||
|
providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++--
|
||||||
|
providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++-
|
||||||
|
providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++-
|
||||||
|
providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++-
|
||||||
|
providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++-
|
||||||
|
util/perl/OpenSSL/paramnames.pm | 1 +
|
||||||
|
9 files changed, 487 insertions(+), 22 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
||||||
|
index e70d8e9e84..76fb990de4 100644
|
||||||
|
--- a/include/crypto/evp.h
|
||||||
|
+++ b/include/crypto/evp.h
|
||||||
|
@@ -219,6 +219,13 @@ struct evp_mac_st {
|
||||||
|
OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
|
||||||
|
};
|
||||||
|
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
|
||||||
|
+ * Additional Keys from a Cryptographic Key, "[t]he length of the
|
||||||
|
+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
|
||||||
|
+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
struct evp_kdf_st {
|
||||||
|
OSSL_PROVIDER *prov;
|
||||||
|
int name_id;
|
||||||
|
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
|
||||||
|
index 0983230a48..86171635ea 100644
|
||||||
|
--- a/include/openssl/kdf.h
|
||||||
|
+++ b/include/openssl/kdf.h
|
||||||
|
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
|
||||||
|
# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
|
||||||
|
# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
|
||||||
|
|
||||||
|
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||||
|
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||||
|
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||||
|
+
|
||||||
|
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
|
||||||
|
#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
|
||||||
|
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
|
||||||
|
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
|
||||||
|
index dfa7786bde..f01e40ff5a 100644
|
||||||
|
--- a/providers/implementations/kdfs/hkdf.c
|
||||||
|
+++ b/providers/implementations/kdfs/hkdf.c
|
||||||
|
@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
|
||||||
|
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
|
||||||
|
static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
|
||||||
|
static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
|
||||||
|
+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
|
||||||
|
static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
|
||||||
|
static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
|
||||||
|
static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
|
||||||
|
@@ -85,6 +86,10 @@ typedef struct {
|
||||||
|
size_t data_len;
|
||||||
|
unsigned char *info;
|
||||||
|
size_t info_len;
|
||||||
|
+ int is_tls13;
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ int fips_indicator;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
} KDF_HKDF;
|
||||||
|
|
||||||
|
static void *kdf_hkdf_new(void *provctx)
|
||||||
|
@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+
|
||||||
|
switch (ctx->mode) {
|
||||||
|
case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
|
||||||
|
default:
|
||||||
|
@@ -332,15 +342,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
|
{
|
||||||
|
KDF_HKDF *ctx = (KDF_HKDF *)vctx;
|
||||||
|
OSSL_PARAM *p;
|
||||||
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||||
|
|
||||||
|
if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||||
|
size_t sz = kdf_hkdf_size(ctx);
|
||||||
|
|
||||||
|
- if (sz == 0)
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
||||||
|
+ != NULL) {
|
||||||
|
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||||
|
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
|
||||||
|
+
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||||
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||||
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||||
|
+ * bits". */
|
||||||
|
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
+ * Verification Program, Section D.B and NIST Special Publication
|
||||||
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||||
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||||
|
+ * be longer than that. If a derived key has ever been shorter than
|
||||||
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||||
|
+ * should also set the returned FIPS indicator to unapproved. */
|
||||||
|
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ if (ctx->is_tls13) {
|
||||||
|
+ if (md != NULL
|
||||||
|
+ && !EVP_MD_is_a(md, "SHA2-256")
|
||||||
|
+ && !EVP_MD_is_a(md, "SHA2-384")) {
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic
|
||||||
|
+ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
|
||||||
|
+ * key derivation function documented in Section 7.1 of RFC
|
||||||
|
+ * 8446. This is considered an approved CVL because the
|
||||||
|
+ * underlying functions performed within the TLS 1.3 KDF map to
|
||||||
|
+ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
|
||||||
|
+ * Option #3), SP 800-56Crev2, and SP 800-108."
|
||||||
|
+ *
|
||||||
|
+ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (md != NULL
|
||||||
|
+ && (EVP_MD_is_a(md, "SHAKE-128") ||
|
||||||
|
+ EVP_MD_is_a(md, "SHAKE-256"))) {
|
||||||
|
+ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
|
||||||
|
+ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
|
||||||
|
+ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
|
||||||
|
+ * extendable-output functions may only be used as the
|
||||||
|
+ * standalone algorithms." */
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||||
|
return 0;
|
||||||
|
- return OSSL_PARAM_set_size_t(p, sz);
|
||||||
|
}
|
||||||
|
- return -2;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+
|
||||||
|
+ if (!any_valid)
|
||||||
|
+ return -2;
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
{
|
||||||
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
OSSL_PARAM_END
|
||||||
|
};
|
||||||
|
return known_gettable_ctx_params;
|
||||||
|
@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void *kdf_tls1_3_new(void *provctx)
|
||||||
|
+{
|
||||||
|
+ KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
|
||||||
|
+
|
||||||
|
+ if (hkdf != NULL)
|
||||||
|
+ hkdf->is_tls13 = 1;
|
||||||
|
+
|
||||||
|
+ return hkdf;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
|
const OSSL_PARAM params[])
|
||||||
|
{
|
||||||
|
@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+
|
||||||
|
switch (ctx->mode) {
|
||||||
|
default:
|
||||||
|
return 0;
|
||||||
|
@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
|
||||||
|
}
|
||||||
|
|
||||||
|
const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
|
||||||
|
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
|
||||||
|
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
|
||||||
|
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
|
||||||
|
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
|
||||||
|
{ OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
|
||||||
|
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
|
||||||
|
index a542f84dfa..6b6dfb94ac 100644
|
||||||
|
--- a/providers/implementations/kdfs/kbkdf.c
|
||||||
|
+++ b/providers/implementations/kdfs/kbkdf.c
|
||||||
|
@@ -59,6 +59,9 @@ typedef struct {
|
||||||
|
kbkdf_mode mode;
|
||||||
|
EVP_MAC_CTX *ctx_init;
|
||||||
|
|
||||||
|
+ /* HMAC digest algorithm, if any; used to compute FIPS indicator */
|
||||||
|
+ PROV_DIGEST digest;
|
||||||
|
+
|
||||||
|
/* Names are lowercased versions of those found in SP800-108. */
|
||||||
|
int r;
|
||||||
|
unsigned char *ki;
|
||||||
|
@@ -73,6 +76,9 @@ typedef struct {
|
||||||
|
int use_l;
|
||||||
|
int is_kmac;
|
||||||
|
int use_separator;
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ int fips_indicator;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
} KBKDF;
|
||||||
|
|
||||||
|
/* Definitions needed for typechecking. */
|
||||||
|
@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
|
||||||
|
void *provctx = ctx->provctx;
|
||||||
|
|
||||||
|
EVP_MAC_CTX_free(ctx->ctx_init);
|
||||||
|
+ ossl_prov_digest_reset(&ctx->digest);
|
||||||
|
OPENSSL_clear_free(ctx->context, ctx->context_len);
|
||||||
|
OPENSSL_clear_free(ctx->label, ctx->label_len);
|
||||||
|
OPENSSL_clear_free(ctx->ki, ctx->ki_len);
|
||||||
|
@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+
|
||||||
|
h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
|
||||||
|
if (h == 0)
|
||||||
|
goto done;
|
||||||
|
@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
|
||||||
|
if (p != NULL
|
||||||
|
&& OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
|
||||||
|
@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
|
||||||
|
static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
|
{
|
||||||
|
OSSL_PARAM *p;
|
||||||
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||||
|
|
||||||
|
p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
|
||||||
|
- if (p == NULL)
|
||||||
|
+ if (p != NULL) {
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ /* KBKDF can produce results as large as you like. */
|
||||||
|
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||||
|
+ if (p != NULL) {
|
||||||
|
+ KBKDF *ctx = (KBKDF *)vctx;
|
||||||
|
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||||
|
+
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||||
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||||
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||||
|
+ * bits". */
|
||||||
|
+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
+ * Verification Program, Section D.B and NIST Special Publication
|
||||||
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||||
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||||
|
+ * be longer than that. If a derived key has ever been shorter than
|
||||||
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||||
|
+ * should also set the returned FIPS indicator to unapproved. */
|
||||||
|
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||||
|
+ * extendable-output functions may only be used as the standalone
|
||||||
|
+ * algorithms." Note that the digest is only used when the MAC
|
||||||
|
+ * algorithm is HMAC. */
|
||||||
|
+ if (ctx->ctx_init != NULL
|
||||||
|
+ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
|
||||||
|
+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
|
||||||
|
+ if (md != NULL
|
||||||
|
+ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ if (!any_valid)
|
||||||
|
return -2;
|
||||||
|
|
||||||
|
- /* KBKDF can produce results as large as you like. */
|
||||||
|
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
ossl_unused void *provctx)
|
||||||
|
{
|
||||||
|
- static const OSSL_PARAM known_gettable_ctx_params[] =
|
||||||
|
- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
|
||||||
|
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
|
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+ OSSL_PARAM_END
|
||||||
|
+ };
|
||||||
|
return known_gettable_ctx_params;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
|
||||||
|
index c592ba72f1..4a52b38266 100644
|
||||||
|
--- a/providers/implementations/kdfs/sshkdf.c
|
||||||
|
+++ b/providers/implementations/kdfs/sshkdf.c
|
||||||
|
@@ -48,6 +48,9 @@ typedef struct {
|
||||||
|
char type; /* X */
|
||||||
|
unsigned char *session_id;
|
||||||
|
size_t session_id_len;
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ int fips_indicator;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
} KDF_SSHKDF;
|
||||||
|
|
||||||
|
static void *kdf_sshkdf_new(void *provctx)
|
||||||
|
@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
|
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+
|
||||||
|
return SSHKDF(md, ctx->key, ctx->key_len,
|
||||||
|
ctx->xcghash, ctx->xcghash_len,
|
||||||
|
ctx->session_id, ctx->session_id_len,
|
||||||
|
@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
|
||||||
|
static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
|
{
|
||||||
|
OSSL_PARAM *p;
|
||||||
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||||
|
|
||||||
|
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||||
|
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||||
|
- return -2;
|
||||||
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||||
|
+ if (p != NULL) {
|
||||||
|
+ KDF_SSHKDF *ctx = vctx;
|
||||||
|
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||||
|
+
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||||
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||||
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||||
|
+ * bits". */
|
||||||
|
+ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
+ * Verification Program, Section D.B and NIST Special Publication
|
||||||
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||||
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||||
|
+ * be longer than that. If a derived key has ever been shorter than
|
||||||
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||||
|
+ * should also set the returned FIPS indicator to unapproved. */
|
||||||
|
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||||
|
+ * extendable-output functions may only be used as the standalone
|
||||||
|
+ * algorithms."
|
||||||
|
+ *
|
||||||
|
+ * Additionally, SP 800-135r1 section 5.2 specifies that the hash
|
||||||
|
+ * function used in SSHKDF "is one of the hash functions specified in
|
||||||
|
+ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
|
||||||
|
+ * */
|
||||||
|
+ if (ctx->digest.md != NULL
|
||||||
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
|
||||||
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
|
||||||
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
|
||||||
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
|
||||||
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ if (!any_valid)
|
||||||
|
+ return -2;
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
{
|
||||||
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
OSSL_PARAM_END
|
||||||
|
};
|
||||||
|
return known_gettable_ctx_params;
|
||||||
|
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
|
||||||
|
index eb54972e1c..23865cd70f 100644
|
||||||
|
--- a/providers/implementations/kdfs/sskdf.c
|
||||||
|
+++ b/providers/implementations/kdfs/sskdf.c
|
||||||
|
@@ -64,6 +64,10 @@ typedef struct {
|
||||||
|
size_t salt_len;
|
||||||
|
size_t out_len; /* optional KMAC parameter */
|
||||||
|
int is_kmac;
|
||||||
|
+ int is_x963kdf;
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ int fips_indicator;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
} KDF_SSKDF;
|
||||||
|
|
||||||
|
#define SSKDF_MAX_INLEN (1<<30)
|
||||||
|
@@ -73,6 +77,7 @@ typedef struct {
|
||||||
|
static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
|
||||||
|
|
||||||
|
static OSSL_FUNC_kdf_newctx_fn sskdf_new;
|
||||||
|
+static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
|
||||||
|
static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
|
||||||
|
static OSSL_FUNC_kdf_freectx_fn sskdf_free;
|
||||||
|
static OSSL_FUNC_kdf_reset_fn sskdf_reset;
|
||||||
|
@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
|
||||||
|
return ctx;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void *x963kdf_new(void *provctx)
|
||||||
|
+{
|
||||||
|
+ KDF_SSKDF *ctx = sskdf_new(provctx);
|
||||||
|
+
|
||||||
|
+ if (ctx)
|
||||||
|
+ ctx->is_x963kdf = 1;
|
||||||
|
+
|
||||||
|
+ return ctx;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void sskdf_reset(void *vctx)
|
||||||
|
{
|
||||||
|
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
||||||
|
@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
|
}
|
||||||
|
md = ossl_prov_digest_md(&ctx->digest);
|
||||||
|
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+
|
||||||
|
if (ctx->macctx != NULL) {
|
||||||
|
/* H(x) = KMAC or H(x) = HMAC */
|
||||||
|
int ret;
|
||||||
|
@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+
|
||||||
|
return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
|
||||||
|
ctx->info, ctx->info_len, 1, key, keylen);
|
||||||
|
}
|
||||||
|
@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
|
{
|
||||||
|
KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
|
||||||
|
OSSL_PARAM *p;
|
||||||
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||||
|
+
|
||||||
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||||
|
- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
|
||||||
|
- return -2;
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||||
|
+ if (p != NULL) {
|
||||||
|
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||||
|
+
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||||
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||||
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||||
|
+ * bits". */
|
||||||
|
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
+ * Verification Program, Section D.B and NIST Special Publication
|
||||||
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||||
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||||
|
+ * be longer than that. If a derived key has ever been shorter than
|
||||||
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||||
|
+ * should also set the returned FIPS indicator to unapproved. */
|
||||||
|
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||||
|
+ * extendable-output functions may only be used as the standalone
|
||||||
|
+ * algorithms." */
|
||||||
|
+ if (ctx->macctx == NULL
|
||||||
|
+ || (ctx->macctx != NULL &&
|
||||||
|
+ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
|
||||||
|
+ if (ctx->digest.md != NULL
|
||||||
|
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
|
||||||
|
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
|
||||||
|
+ * should only be used for 80-bit key agreement, but FIPS 140-3
|
||||||
|
+ * requires a security strength of 112 bits, so SHA-1 cannot be
|
||||||
|
+ * used with X9.63. See the discussion in
|
||||||
|
+ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
|
||||||
|
+ */
|
||||||
|
+ if (ctx->is_x963kdf
|
||||||
|
+ && ctx->digest.md != NULL
|
||||||
|
+ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ if (!any_valid)
|
||||||
|
+ return -2;
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
{
|
||||||
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
OSSL_PARAM_END
|
||||||
|
};
|
||||||
|
return known_gettable_ctx_params;
|
||||||
|
@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
|
||||||
|
};
|
||||||
|
|
||||||
|
const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
|
||||||
|
- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
|
||||||
|
+ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
|
||||||
|
{ OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
|
||||||
|
{ OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
|
||||||
|
{ OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
|
||||||
|
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
||||||
|
index a4d64b9352..f6782a6ca2 100644
|
||||||
|
--- a/providers/implementations/kdfs/tls1_prf.c
|
||||||
|
+++ b/providers/implementations/kdfs/tls1_prf.c
|
||||||
|
@@ -93,6 +93,13 @@ typedef struct {
|
||||||
|
/* Buffer of concatenated seed data */
|
||||||
|
unsigned char seed[TLS1_PRF_MAXBUF];
|
||||||
|
size_t seedlen;
|
||||||
|
+
|
||||||
|
+ /* MAC digest algorithm; used to compute FIPS indicator */
|
||||||
|
+ PROV_DIGEST digest;
|
||||||
|
+
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ int fips_indicator;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
} TLS1_PRF;
|
||||||
|
|
||||||
|
static void *kdf_tls1_prf_new(void *provctx)
|
||||||
|
@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
|
||||||
|
EVP_MAC_CTX_free(ctx->P_sha1);
|
||||||
|
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
||||||
|
OPENSSL_cleanse(ctx->seed, ctx->seedlen);
|
||||||
|
+ ossl_prov_digest_reset(&ctx->digest);
|
||||||
|
memset(ctx, 0, sizeof(*ctx));
|
||||||
|
ctx->provctx = provctx;
|
||||||
|
}
|
||||||
|
@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
|
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* The seed buffer is prepended with a label.
|
||||||
|
@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
|
||||||
|
OPENSSL_clear_free(ctx->sec, ctx->seclen);
|
||||||
|
ctx->sec = NULL;
|
||||||
|
@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
|
||||||
|
static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
|
{
|
||||||
|
OSSL_PARAM *p;
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ TLS1_PRF *ctx = vctx;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||||
|
+
|
||||||
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||||
|
+ if (p != NULL) {
|
||||||
|
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||||
|
+
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||||
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||||
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||||
|
+ * bits". */
|
||||||
|
+ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
+ * Verification Program, Section D.B and NIST Special Publication
|
||||||
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||||
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||||
|
+ * be longer than that. If a derived key has ever been shorter than
|
||||||
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||||
|
+ * should also set the returned FIPS indicator to unapproved. */
|
||||||
|
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
|
||||||
|
+ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
|
||||||
|
+ if (ctx->digest.md != NULL
|
||||||
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
|
||||||
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
|
||||||
|
+ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||||
|
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||||
|
- return -2;
|
||||||
|
+ if (!any_valid)
|
||||||
|
+ return -2;
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
||||||
|
@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
|
||||||
|
{
|
||||||
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
OSSL_PARAM_END
|
||||||
|
};
|
||||||
|
return known_gettable_ctx_params;
|
||||||
|
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
|
||||||
|
index b1bc6f7e1b..8173fc2cc7 100644
|
||||||
|
--- a/providers/implementations/kdfs/x942kdf.c
|
||||||
|
+++ b/providers/implementations/kdfs/x942kdf.c
|
||||||
|
@@ -13,11 +13,13 @@
|
||||||
|
#include <openssl/core_dispatch.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
+#include <openssl/kdf.h>
|
||||||
|
#include <openssl/params.h>
|
||||||
|
#include <openssl/proverr.h>
|
||||||
|
#include "internal/packet.h"
|
||||||
|
#include "internal/der.h"
|
||||||
|
#include "internal/nelem.h"
|
||||||
|
+#include "crypto/evp.h"
|
||||||
|
#include "prov/provider_ctx.h"
|
||||||
|
#include "prov/providercommon.h"
|
||||||
|
#include "prov/implementations.h"
|
||||||
|
@@ -47,6 +50,9 @@ typedef struct {
|
||||||
|
const unsigned char *cek_oid;
|
||||||
|
size_t cek_oid_len;
|
||||||
|
int use_keybits;
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ int fips_indicator;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
} KDF_X942;
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
|
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
|
||||||
|
der, der_len, ctr, key, keylen);
|
||||||
|
OPENSSL_free(der);
|
||||||
|
@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
|
{
|
||||||
|
KDF_X942 *ctx = (KDF_X942 *)vctx;
|
||||||
|
OSSL_PARAM *p;
|
||||||
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||||
|
|
||||||
|
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||||
|
- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
|
||||||
|
- return -2;
|
||||||
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
||||||
|
+ if (p != NULL) {
|
||||||
|
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||||
|
+
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
||||||
|
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
||||||
|
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
||||||
|
+ * bits". */
|
||||||
|
+ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
+ * Verification Program, Section D.B and NIST Special Publication
|
||||||
|
+ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
|
||||||
|
+ * strength < 112 bits is legacy use only, so all derived keys should
|
||||||
|
+ * be longer than that. If a derived key has ever been shorter than
|
||||||
|
+ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
|
||||||
|
+ * should also set the returned FIPS indicator to unapproved. */
|
||||||
|
+ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
+ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
|
||||||
|
+ * extendable-output functions may only be used as the standalone
|
||||||
|
+ * algorithms." */
|
||||||
|
+ if (ctx->digest.md != NULL
|
||||||
|
+ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
|
||||||
|
+ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ if (!any_valid)
|
||||||
|
+ return -2;
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
{
|
||||||
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
OSSL_PARAM_END
|
||||||
|
};
|
||||||
|
return known_gettable_ctx_params;
|
||||||
|
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||||
|
index 70f7c50fe4..6618122417 100644
|
||||||
|
--- a/util/perl/OpenSSL/paramnames.pm
|
||||||
|
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||||
|
@@ -183,6 +183,7 @@ my %params = (
|
||||||
|
'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
|
||||||
|
'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
|
||||||
|
'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
|
||||||
|
+ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
||||||
|
'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
|
||||||
|
'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
|
||||||
|
'KDF_PARAM_THREADS' => "threads", # uint32_t
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
||||||
File diff suppressed because it is too large
Load Diff
@ -1,74 +0,0 @@
|
|||||||
From 185fbbfea732588187c81d1b2cafb3e1fae9eb77 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Thu, 17 Nov 2022 16:38:45 +0100
|
|
||||||
Subject: [PATCH 2/2] kbkdf: Add explicit FIPS indicator for key length
|
|
||||||
|
|
||||||
NIST SP 800-131Ar2, section 8 "Deriving Additional Keys from
|
|
||||||
a Cryptographic Key" says that for KDFs defined in SP 800-108, "[t]he
|
|
||||||
length of the key-derivation key shall be at least 112 bits". It further
|
|
||||||
specifies that HMAC-based KDFs "with a key whose length is at least 112
|
|
||||||
bits" are acceptable.
|
|
||||||
|
|
||||||
Add an explicit indicator for SP 800-108 KDFs that will mark shorter key
|
|
||||||
lengths as unapproved. The indicator can be queried from the EVP_KDF_CTX
|
|
||||||
object using EVP_KDF_CTX_get_params() with the
|
|
||||||
OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR
|
|
||||||
parameter.
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
providers/implementations/kdfs/kbkdf.c | 32 +++++++++++++++++++++-----
|
|
||||||
1 file changed, 26 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
|
|
||||||
index a542f84dfa..93a8a10537 100644
|
|
||||||
--- a/providers/implementations/kdfs/kbkdf.c
|
|
||||||
+++ b/providers/implementations/kdfs/kbkdf.c
|
|
||||||
@@ -365,18 +365,38 @@ static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
||||||
OSSL_PARAM *p;
|
|
||||||
|
|
||||||
p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
|
|
||||||
- if (p == NULL)
|
|
||||||
- return -2;
|
|
||||||
+ if (p != NULL)
|
|
||||||
+ /* KBKDF can produce results as large as you like. */
|
|
||||||
+ return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
|
||||||
+
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ KBKDF *ctx = (KBKDF *)vctx;
|
|
||||||
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
|
||||||
+ /* According to NIST Special Publication 800-131Ar2, Section 8:
|
|
||||||
+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
|
|
||||||
+ * the key-derivation key [i.e., the input key] shall be at least 112
|
|
||||||
+ * bits". */
|
|
||||||
+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
|
|
||||||
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
|
||||||
+ return OSSL_PARAM_set_int(p, fips_indicator);
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
- /* KBKDF can produce results as large as you like. */
|
|
||||||
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
|
||||||
+ return -2;
|
|
||||||
}
|
|
||||||
|
|
||||||
static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
|
|
||||||
ossl_unused void *provctx)
|
|
||||||
{
|
|
||||||
- static const OSSL_PARAM known_gettable_ctx_params[] =
|
|
||||||
- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
|
|
||||||
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
||||||
+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
||||||
+#ifdef FIPS_MODULE
|
|
||||||
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
|
||||||
+#endif /* defined(FIPS_MODULE) */
|
|
||||||
+ OSSL_PARAM_END
|
|
||||||
+ };
|
|
||||||
return known_gettable_ctx_params;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
@ -1,114 +0,0 @@
|
|||||||
From 0879fac692cb1bff0ec4c196cb364d970ad3ecec Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Mon, 21 Nov 2022 14:33:57 +0100
|
|
||||||
Subject: [PATCH 2/3] Obtain PSS salt length from provider
|
|
||||||
|
|
||||||
Rather than computing the PSS salt length again in core using
|
|
||||||
ossl_rsa_ctx_to_pss_string, which calls rsa_ctx_to_pss and computes the
|
|
||||||
salt length, obtain it from the provider using the
|
|
||||||
OSSL_SIGNATURE_PARAM_ALGORITHM_ID param to handle the case where the
|
|
||||||
interpretation of the magic constants in the provider differs from that
|
|
||||||
of OpenSSL core.
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
crypto/cms/cms_rsa.c | 19 +++++++++++++++----
|
|
||||||
crypto/rsa/rsa_ameth.c | 34 +++++++++++++++++++++-------------
|
|
||||||
2 files changed, 36 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c
|
|
||||||
index 20ed816918..997567fdbf 100644
|
|
||||||
--- a/crypto/cms/cms_rsa.c
|
|
||||||
+++ b/crypto/cms/cms_rsa.c
|
|
||||||
@@ -10,6 +10,7 @@
|
|
||||||
#include <assert.h>
|
|
||||||
#include <openssl/cms.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
+#include <openssl/core_names.h>
|
|
||||||
#include "crypto/asn1.h"
|
|
||||||
#include "crypto/rsa.h"
|
|
||||||
#include "cms_local.h"
|
|
||||||
@@ -191,7 +192,10 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
|
|
||||||
int pad_mode = RSA_PKCS1_PADDING;
|
|
||||||
X509_ALGOR *alg;
|
|
||||||
EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
|
|
||||||
- ASN1_STRING *os = NULL;
|
|
||||||
+ unsigned char aid[128];
|
|
||||||
+ const unsigned char *pp = aid;
|
|
||||||
+ size_t aid_len = 0;
|
|
||||||
+ OSSL_PARAM params[2];
|
|
||||||
|
|
||||||
CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
|
|
||||||
if (pkctx != NULL) {
|
|
||||||
@@ -205,10 +209,17 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
|
|
||||||
/* We don't support it */
|
|
||||||
if (pad_mode != RSA_PKCS1_PSS_PADDING)
|
|
||||||
return 0;
|
|
||||||
- os = ossl_rsa_ctx_to_pss_string(pkctx);
|
|
||||||
- if (os == NULL)
|
|
||||||
+
|
|
||||||
+ params[0] = OSSL_PARAM_construct_octet_string(
|
|
||||||
+ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
|
|
||||||
+ params[1] = OSSL_PARAM_construct_end();
|
|
||||||
+
|
|
||||||
+ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+ if ((aid_len = params[0].return_size) == 0)
|
|
||||||
+ return 0;
|
|
||||||
+ if (d2i_X509_ALGOR(&alg, &pp, aid_len) == NULL)
|
|
||||||
return 0;
|
|
||||||
- X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
|
|
||||||
index c15554505b..61ec53d424 100644
|
|
||||||
--- a/crypto/rsa/rsa_ameth.c
|
|
||||||
+++ b/crypto/rsa/rsa_ameth.c
|
|
||||||
@@ -637,22 +637,30 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn,
|
|
||||||
if (pad_mode == RSA_PKCS1_PADDING)
|
|
||||||
return 2;
|
|
||||||
if (pad_mode == RSA_PKCS1_PSS_PADDING) {
|
|
||||||
- ASN1_STRING *os1 = NULL;
|
|
||||||
- os1 = ossl_rsa_ctx_to_pss_string(pkctx);
|
|
||||||
- if (!os1)
|
|
||||||
+ unsigned char aid[128];
|
|
||||||
+ size_t aid_len = 0;
|
|
||||||
+ OSSL_PARAM params[2];
|
|
||||||
+
|
|
||||||
+ params[0] = OSSL_PARAM_construct_octet_string(
|
|
||||||
+ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
|
|
||||||
+ params[1] = OSSL_PARAM_construct_end();
|
|
||||||
+
|
|
||||||
+ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0)
|
|
||||||
return 0;
|
|
||||||
- /* Duplicate parameters if we have to */
|
|
||||||
- if (alg2) {
|
|
||||||
- ASN1_STRING *os2 = ASN1_STRING_dup(os1);
|
|
||||||
- if (!os2) {
|
|
||||||
- ASN1_STRING_free(os1);
|
|
||||||
+ if ((aid_len = params[0].return_size) == 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (alg1 != NULL) {
|
|
||||||
+ const unsigned char *pp = aid;
|
|
||||||
+ if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ if (alg2 != NULL) {
|
|
||||||
+ const unsigned char *pp = aid;
|
|
||||||
+ if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL)
|
|
||||||
return 0;
|
|
||||||
- }
|
|
||||||
- X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
|
|
||||||
- V_ASN1_SEQUENCE, os2);
|
|
||||||
}
|
|
||||||
- X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
|
|
||||||
- V_ASN1_SEQUENCE, os1);
|
|
||||||
+
|
|
||||||
return 3;
|
|
||||||
}
|
|
||||||
return 2;
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
@ -1,338 +0,0 @@
|
|||||||
From 9cc914ff3e1fda124bdc76d72ebc9349ec19f8ae Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Fri, 18 Nov 2022 12:35:33 +0100
|
|
||||||
Subject: [PATCH 3/3] signature: Clamp PSS salt len to MD len
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
|
||||||
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
|
|
||||||
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
|
|
||||||
the hash function output block (in bytes)."
|
|
||||||
|
|
||||||
Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
|
|
||||||
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
|
|
||||||
not use more than the digest legth when signing, so that FIPS 186-4 is
|
|
||||||
not violated. This value has two advantages when compared with
|
|
||||||
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
|
|
||||||
verifying signatures for maximum compatibility, where
|
|
||||||
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
|
|
||||||
work for combinations where the maximum salt length is smaller than the
|
|
||||||
digest size, which typically happens with large digest sizes (e.g.,
|
|
||||||
SHA-512) and small RSA keys.
|
|
||||||
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
crypto/rsa/rsa_ameth.c | 18 ++++++++-
|
|
||||||
crypto/rsa/rsa_pss.c | 26 ++++++++++--
|
|
||||||
doc/man3/EVP_PKEY_CTX_ctrl.pod | 11 ++++-
|
|
||||||
doc/man7/EVP_SIGNATURE-RSA.pod | 5 +++
|
|
||||||
include/openssl/core_names.h | 1 +
|
|
||||||
include/openssl/rsa.h | 3 ++
|
|
||||||
providers/implementations/signature/rsa_sig.c | 40 ++++++++++++++-----
|
|
||||||
test/recipes/25-test_req.t | 2 +-
|
|
||||||
8 files changed, 87 insertions(+), 19 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
|
|
||||||
index 61ec53d424..e69a98d116 100644
|
|
||||||
--- a/crypto/rsa/rsa_ameth.c
|
|
||||||
+++ b/crypto/rsa/rsa_ameth.c
|
|
||||||
@@ -450,6 +450,7 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
|
|
||||||
const EVP_MD *sigmd, *mgf1md;
|
|
||||||
EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
|
|
||||||
int saltlen;
|
|
||||||
+ int saltlenMax = -1;
|
|
||||||
|
|
||||||
if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
|
|
||||||
return NULL;
|
|
||||||
@@ -457,14 +458,27 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
|
|
||||||
return NULL;
|
|
||||||
if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0)
|
|
||||||
return NULL;
|
|
||||||
- if (saltlen == -1) {
|
|
||||||
+ if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
|
|
||||||
saltlen = EVP_MD_get_size(sigmd);
|
|
||||||
- } else if (saltlen == -2 || saltlen == -3) {
|
|
||||||
+ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
|
||||||
+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm",
|
|
||||||
+ * subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in
|
|
||||||
+ * bytes) of the salt (sLen) shall satisfy 0 <= sLen <= hLen, where
|
|
||||||
+ * hLen is the length of the hash function output block (in bytes)."
|
|
||||||
+ *
|
|
||||||
+ * Provide a way to use at most the digest length, so that the default
|
|
||||||
+ * does not violate FIPS 186-4. */
|
|
||||||
+ saltlen = RSA_PSS_SALTLEN_MAX;
|
|
||||||
+ saltlenMax = EVP_MD_get_size(sigmd);
|
|
||||||
+ }
|
|
||||||
+ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
|
|
||||||
saltlen = EVP_PKEY_get_size(pk) - EVP_MD_get_size(sigmd) - 2;
|
|
||||||
if ((EVP_PKEY_get_bits(pk) & 0x7) == 1)
|
|
||||||
saltlen--;
|
|
||||||
if (saltlen < 0)
|
|
||||||
return NULL;
|
|
||||||
+ if (saltlenMax >= 0 && saltlen > saltlenMax)
|
|
||||||
+ saltlen = saltlenMax;
|
|
||||||
}
|
|
||||||
|
|
||||||
return ossl_rsa_pss_params_create(sigmd, mgf1md, saltlen);
|
|
||||||
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
|
|
||||||
index 33874bfef8..430c36eb2a 100644
|
|
||||||
--- a/crypto/rsa/rsa_pss.c
|
|
||||||
+++ b/crypto/rsa/rsa_pss.c
|
|
||||||
@@ -61,11 +61,12 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
|
|
||||||
* -1 sLen == hLen
|
|
||||||
* -2 salt length is autorecovered from signature
|
|
||||||
* -3 salt length is maximized
|
|
||||||
+ * -4 salt length is autorecovered from signature
|
|
||||||
* -N reserved
|
|
||||||
*/
|
|
||||||
if (sLen == RSA_PSS_SALTLEN_DIGEST) {
|
|
||||||
sLen = hLen;
|
|
||||||
- } else if (sLen < RSA_PSS_SALTLEN_MAX) {
|
|
||||||
+ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
|
||||||
ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
@@ -112,7 +113,9 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
|
|
||||||
ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
- if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
|
|
||||||
+ if (sLen != RSA_PSS_SALTLEN_AUTO
|
|
||||||
+ && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
|
|
||||||
+ && (maskedDBLen - i) != sLen) {
|
|
||||||
ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
|
|
||||||
"expected: %d retrieved: %d", sLen,
|
|
||||||
maskedDBLen - i);
|
|
||||||
@@ -160,6 +163,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
|
||||||
int hLen, maskedDBLen, MSBits, emLen;
|
|
||||||
unsigned char *H, *salt = NULL, *p;
|
|
||||||
EVP_MD_CTX *ctx = NULL;
|
|
||||||
+ int sLenMax = -1;
|
|
||||||
|
|
||||||
if (mgf1Hash == NULL)
|
|
||||||
mgf1Hash = Hash;
|
|
||||||
@@ -172,13 +176,25 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
|
||||||
* -1 sLen == hLen
|
|
||||||
* -2 salt length is maximized
|
|
||||||
* -3 same as above (on signing)
|
|
||||||
+ * -4 salt length is min(hLen, maximum salt length)
|
|
||||||
* -N reserved
|
|
||||||
*/
|
|
||||||
+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
|
||||||
+ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
|
|
||||||
+ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
|
|
||||||
+ * the hash function output block (in bytes)."
|
|
||||||
+ *
|
|
||||||
+ * Provide a way to use at most the digest length, so that the default does
|
|
||||||
+ * not violate FIPS 186-4. */
|
|
||||||
if (sLen == RSA_PSS_SALTLEN_DIGEST) {
|
|
||||||
sLen = hLen;
|
|
||||||
- } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
|
|
||||||
+ } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
|
|
||||||
+ || sLen == RSA_PSS_SALTLEN_AUTO) {
|
|
||||||
sLen = RSA_PSS_SALTLEN_MAX;
|
|
||||||
- } else if (sLen < RSA_PSS_SALTLEN_MAX) {
|
|
||||||
+ } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
|
||||||
+ sLen = RSA_PSS_SALTLEN_MAX;
|
|
||||||
+ sLenMax = hLen;
|
|
||||||
+ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
|
||||||
ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
@@ -195,6 +211,8 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
|
||||||
}
|
|
||||||
if (sLen == RSA_PSS_SALTLEN_MAX) {
|
|
||||||
sLen = emLen - hLen - 2;
|
|
||||||
+ if (sLenMax >= 0 && sLen > sLenMax)
|
|
||||||
+ sLen = sLenMax;
|
|
||||||
} else if (sLen > emLen - hLen - 2) {
|
|
||||||
ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
|
|
||||||
goto err;
|
|
||||||
diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
|
|
||||||
index 3075eaafd6..9b96f42dbc 100644
|
|
||||||
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
|
|
||||||
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
|
|
||||||
@@ -270,8 +270,8 @@ EVP_PKEY_CTX_get_rsa_padding() gets the RSA padding mode for I<ctx>.
|
|
||||||
|
|
||||||
EVP_PKEY_CTX_set_rsa_pss_saltlen() sets the RSA PSS salt length to I<saltlen>.
|
|
||||||
As its name implies it is only supported for PSS padding. If this function is
|
|
||||||
-not called then the maximum salt length is used when signing and auto detection
|
|
||||||
-when verifying. Three special values are supported:
|
|
||||||
+not called then the salt length is maximized up to the digest length when
|
|
||||||
+signing and auto detection when verifying. Four special values are supported:
|
|
||||||
|
|
||||||
=over 4
|
|
||||||
|
|
||||||
@@ -289,6 +289,13 @@ causes the salt length to be automatically determined based on the
|
|
||||||
B<PSS> block structure when verifying. When signing, it has the same
|
|
||||||
meaning as B<RSA_PSS_SALTLEN_MAX>.
|
|
||||||
|
|
||||||
+=item B<RSA_PSS_SALTLEN_AUTO_DIGEST_MAX>
|
|
||||||
+
|
|
||||||
+causes the salt length to be automatically determined based on the B<PSS> block
|
|
||||||
+structure when verifying, like B<RSA_PSS_SALTLEN_AUTO>. When signing, the salt
|
|
||||||
+length is maximized up to a maximum of the digest length to comply with FIPS
|
|
||||||
+186-4 section 5.5.
|
|
||||||
+
|
|
||||||
=back
|
|
||||||
|
|
||||||
EVP_PKEY_CTX_get_rsa_pss_saltlen() gets the RSA PSS salt length for I<ctx>.
|
|
||||||
diff --git a/doc/man7/EVP_SIGNATURE-RSA.pod b/doc/man7/EVP_SIGNATURE-RSA.pod
|
|
||||||
index 1ce32cc443..13d053e262 100644
|
|
||||||
--- a/doc/man7/EVP_SIGNATURE-RSA.pod
|
|
||||||
+++ b/doc/man7/EVP_SIGNATURE-RSA.pod
|
|
||||||
@@ -68,6 +68,11 @@ Use the maximum salt length.
|
|
||||||
|
|
||||||
Auto detect the salt length.
|
|
||||||
|
|
||||||
+=item "auto-digestmax" (B<OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX>)
|
|
||||||
+
|
|
||||||
+Auto detect the salt length when verifying. Maximize the salt length up to the
|
|
||||||
+digest size when signing to comply with FIPS 186-4 section 5.5.
|
|
||||||
+
|
|
||||||
=back
|
|
||||||
|
|
||||||
=back
|
|
||||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
|
||||||
index 69c59f0b46..5779f41427 100644
|
|
||||||
--- a/include/openssl/core_names.h
|
|
||||||
+++ b/include/openssl/core_names.h
|
|
||||||
@@ -399,6 +399,7 @@ extern "C" {
|
|
||||||
#define OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST "digest"
|
|
||||||
#define OSSL_PKEY_RSA_PSS_SALT_LEN_MAX "max"
|
|
||||||
#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO "auto"
|
|
||||||
+#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax"
|
|
||||||
|
|
||||||
/* Key generation parameters */
|
|
||||||
#define OSSL_PKEY_PARAM_RSA_BITS OSSL_PKEY_PARAM_BITS
|
|
||||||
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
|
|
||||||
index a55c9727c6..daf55bc6d4 100644
|
|
||||||
--- a/include/openssl/rsa.h
|
|
||||||
+++ b/include/openssl/rsa.h
|
|
||||||
@@ -137,6 +137,9 @@ int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
|
|
||||||
# define RSA_PSS_SALTLEN_AUTO -2
|
|
||||||
/* Set salt length to maximum possible */
|
|
||||||
# define RSA_PSS_SALTLEN_MAX -3
|
|
||||||
+/* Auto-detect on verify, set salt length to min(maximum possible, digest
|
|
||||||
+ * length) on sign */
|
|
||||||
+# define RSA_PSS_SALTLEN_AUTO_DIGEST_MAX -4
|
|
||||||
/* Old compatible max salt length for sign only */
|
|
||||||
# define RSA_PSS_SALTLEN_MAX_SIGN -2
|
|
||||||
|
|
||||||
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
|
||||||
index 0c45008a00..1a787d77db 100644
|
|
||||||
--- a/providers/implementations/signature/rsa_sig.c
|
|
||||||
+++ b/providers/implementations/signature/rsa_sig.c
|
|
||||||
@@ -191,8 +191,8 @@ static void *rsa_newctx(void *provctx, const char *propq)
|
|
||||||
prsactx->libctx = PROV_LIBCTX_OF(provctx);
|
|
||||||
prsactx->flag_allow_md = 1;
|
|
||||||
prsactx->propq = propq_copy;
|
|
||||||
- /* Maximum for sign, auto for verify */
|
|
||||||
- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO;
|
|
||||||
+ /* Maximum up to digest length for sign, auto for verify */
|
|
||||||
+ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
|
|
||||||
prsactx->min_saltlen = -1;
|
|
||||||
return prsactx;
|
|
||||||
}
|
|
||||||
@@ -200,13 +200,27 @@ static void *rsa_newctx(void *provctx, const char *propq)
|
|
||||||
static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
|
|
||||||
{
|
|
||||||
int saltlen = ctx->saltlen;
|
|
||||||
-
|
|
||||||
+ int saltlenMax = -1;
|
|
||||||
+
|
|
||||||
+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
|
|
||||||
+ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
|
|
||||||
+ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
|
|
||||||
+ * the hash function output block (in bytes)."
|
|
||||||
+ *
|
|
||||||
+ * Provide a way to use at most the digest length, so that the default does
|
|
||||||
+ * not violate FIPS 186-4. */
|
|
||||||
if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
|
|
||||||
saltlen = EVP_MD_get_size(ctx->md);
|
|
||||||
- } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) {
|
|
||||||
+ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
|
||||||
+ saltlen = RSA_PSS_SALTLEN_MAX;
|
|
||||||
+ saltlenMax = EVP_MD_get_size(ctx->md);
|
|
||||||
+ }
|
|
||||||
+ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
|
|
||||||
saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2;
|
|
||||||
if ((RSA_bits(ctx->rsa) & 0x7) == 1)
|
|
||||||
saltlen--;
|
|
||||||
+ if (saltlenMax >= 0 && saltlen > saltlenMax)
|
|
||||||
+ saltlen = saltlenMax;
|
|
||||||
}
|
|
||||||
if (saltlen < 0) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
|
|
||||||
@@ -411,8 +425,8 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
|
|
||||||
|
|
||||||
prsactx->operation = operation;
|
|
||||||
|
|
||||||
- /* Maximum for sign, auto for verify */
|
|
||||||
- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO;
|
|
||||||
+ /* Maximize up to digest length for sign, auto for verify */
|
|
||||||
+ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
|
|
||||||
prsactx->min_saltlen = -1;
|
|
||||||
|
|
||||||
switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
|
|
||||||
@@ -1110,6 +1124,9 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
|
||||||
case RSA_PSS_SALTLEN_AUTO:
|
|
||||||
value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
|
|
||||||
break;
|
|
||||||
+ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
|
|
||||||
+ value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX;
|
|
||||||
+ break;
|
|
||||||
default:
|
|
||||||
{
|
|
||||||
int len = BIO_snprintf(p->data, p->data_size, "%d",
|
|
||||||
@@ -1297,6 +1314,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
|
||||||
saltlen = RSA_PSS_SALTLEN_MAX;
|
|
||||||
else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
|
|
||||||
saltlen = RSA_PSS_SALTLEN_AUTO;
|
|
||||||
+ else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)
|
|
||||||
+ saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
|
|
||||||
else
|
|
||||||
saltlen = atoi(p->data);
|
|
||||||
break;
|
|
||||||
@@ -1305,11 +1324,11 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
- * RSA_PSS_SALTLEN_MAX seems curiously named in this check.
|
|
||||||
- * Contrary to what it's name suggests, it's the currently
|
|
||||||
- * lowest saltlen number possible.
|
|
||||||
+ * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check.
|
|
||||||
+ * Contrary to what it's name suggests, it's the currently lowest
|
|
||||||
+ * saltlen number possible.
|
|
||||||
*/
|
|
||||||
- if (saltlen < RSA_PSS_SALTLEN_MAX) {
|
|
||||||
+ if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
|
|
||||||
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -1317,6 +1336,7 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
|
||||||
if (rsa_pss_restricted(prsactx)) {
|
|
||||||
switch (saltlen) {
|
|
||||||
case RSA_PSS_SALTLEN_AUTO:
|
|
||||||
+ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
|
|
||||||
if (prsactx->operation == EVP_PKEY_OP_VERIFY) {
|
|
||||||
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
|
|
||||||
"Cannot use autodetected salt length");
|
|
||||||
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
|
|
||||||
index e615f1b338..35541aed12 100644
|
|
||||||
--- a/test/recipes/25-test_req.t
|
|
||||||
+++ b/test/recipes/25-test_req.t
|
|
||||||
@@ -199,7 +199,7 @@ subtest "generating certificate requests with RSA-PSS" => sub {
|
|
||||||
ok(!run(app(["openssl", "req",
|
|
||||||
"-config", srctop_file("test", "test.cnf"),
|
|
||||||
"-new", "-out", "testreq-rsapss3.pem", "-utf8",
|
|
||||||
- "-sigopt", "rsa_pss_saltlen:-4",
|
|
||||||
+ "-sigopt", "rsa_pss_saltlen:-5",
|
|
||||||
"-key", srctop_file("test", "testrsapss.pem")])),
|
|
||||||
"Generating request with expected failure");
|
|
||||||
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
@ -1,705 +0,0 @@
|
|||||||
From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Thu, 10 Nov 2022 10:46:32 -0500
|
|
||||||
Subject: [PATCH 1/3] Propagate selection all the way on key export
|
|
||||||
|
|
||||||
EVP_PKEY_eq() is used to check, among other things, if a certificate
|
|
||||||
public key corresponds to a private key. When the private key belongs to
|
|
||||||
a provider that does not allow to export private keys this currently
|
|
||||||
fails as the internal functions used to import/export keys ignored the
|
|
||||||
selection given (which specifies that only the public key needs to be
|
|
||||||
considered) and instead tries to export everything.
|
|
||||||
|
|
||||||
This patch allows to propagate the selection all the way down including
|
|
||||||
adding it in the cache so that a following operation actually looking
|
|
||||||
for other selection parameters does not mistakenly pick up an export
|
|
||||||
containing only partial information.
|
|
||||||
|
|
||||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
|
||||||
|
|
||||||
diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c
|
|
||||||
index b06730dc7a..2d0238ee27 100644
|
|
||||||
--- a/crypto/evp/keymgmt_lib.c
|
|
||||||
+++ b/crypto/evp/keymgmt_lib.c
|
|
||||||
@@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
|
||||||
export_cb, export_cbarg);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
|
||||||
+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection)
|
|
||||||
{
|
|
||||||
struct evp_keymgmt_util_try_import_data_st import_data;
|
|
||||||
OP_CACHE_ELEM *op;
|
|
||||||
@@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
|
||||||
*/
|
|
||||||
if (pk->dirty_cnt == pk->dirty_cnt_copy) {
|
|
||||||
/* If this key is already exported to |keymgmt|, no more to do */
|
|
||||||
- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
|
|
||||||
+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
|
|
||||||
if (op != NULL && op->keymgmt != NULL) {
|
|
||||||
void *ret = op->keydata;
|
|
||||||
|
|
||||||
@@ -157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
|
||||||
/* Setup for the export callback */
|
|
||||||
import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */
|
|
||||||
import_data.keymgmt = keymgmt;
|
|
||||||
- import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
|
|
||||||
+ import_data.selection = selection;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The export function calls the callback (evp_keymgmt_util_try_import),
|
|
||||||
* which does the import for us. If successful, we're done.
|
|
||||||
*/
|
|
||||||
- if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL,
|
|
||||||
+ if (!evp_keymgmt_util_export(pk, selection,
|
|
||||||
&evp_keymgmt_util_try_import, &import_data))
|
|
||||||
/* If there was an error, bail out */
|
|
||||||
return NULL;
|
|
||||||
@@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
/* Check to make sure some other thread didn't get there first */
|
|
||||||
- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
|
|
||||||
+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
|
|
||||||
if (op != NULL && op->keydata != NULL) {
|
|
||||||
void *ret = op->keydata;
|
|
||||||
|
|
||||||
@@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
|
|
||||||
evp_keymgmt_util_clear_operation_cache(pk, 0);
|
|
||||||
|
|
||||||
/* Add the new export to the operation cache */
|
|
||||||
- if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) {
|
|
||||||
+ if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata,
|
|
||||||
+ selection)) {
|
|
||||||
CRYPTO_THREAD_unlock(pk->lock);
|
|
||||||
evp_keymgmt_freedata(keymgmt, import_data.keydata);
|
|
||||||
return NULL;
|
|
||||||
@@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking)
|
|
||||||
}
|
|
||||||
|
|
||||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt)
|
|
||||||
+ EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection)
|
|
||||||
{
|
|
||||||
int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache);
|
|
||||||
OP_CACHE_ELEM *p;
|
|
||||||
@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
|
||||||
*/
|
|
||||||
for (i = 0; i < end; i++) {
|
|
||||||
p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i);
|
|
||||||
- if (keymgmt == p->keymgmt)
|
|
||||||
+ if (keymgmt == p->keymgmt && (p->selection & selection) == selection)
|
|
||||||
return p;
|
|
||||||
}
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt, void *keydata)
|
|
||||||
+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ void *keydata, int selection)
|
|
||||||
{
|
|
||||||
OP_CACHE_ELEM *p = NULL;
|
|
||||||
|
|
||||||
@@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
|
||||||
return 0;
|
|
||||||
p->keydata = keydata;
|
|
||||||
p->keymgmt = keymgmt;
|
|
||||||
+ p->selection = selection;
|
|
||||||
|
|
||||||
if (!EVP_KEYMGMT_up_ref(keymgmt)) {
|
|
||||||
OPENSSL_free(p);
|
|
||||||
@@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
|
|
||||||
ok = 1;
|
|
||||||
if (keydata1 != NULL) {
|
|
||||||
tmp_keydata =
|
|
||||||
- evp_keymgmt_util_export_to_provider(pk1, keymgmt2);
|
|
||||||
+ evp_keymgmt_util_export_to_provider(pk1, keymgmt2,
|
|
||||||
+ selection);
|
|
||||||
ok = (tmp_keydata != NULL);
|
|
||||||
}
|
|
||||||
if (ok) {
|
|
||||||
@@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
|
|
||||||
ok = 1;
|
|
||||||
if (keydata2 != NULL) {
|
|
||||||
tmp_keydata =
|
|
||||||
- evp_keymgmt_util_export_to_provider(pk2, keymgmt1);
|
|
||||||
+ evp_keymgmt_util_export_to_provider(pk2, keymgmt1,
|
|
||||||
+ selection);
|
|
||||||
ok = (tmp_keydata != NULL);
|
|
||||||
}
|
|
||||||
if (ok) {
|
|
||||||
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
|
|
||||||
index 70d17ec37e..905e9c9ce4 100644
|
|
||||||
--- a/crypto/evp/p_lib.c
|
|
||||||
+++ b/crypto/evp/p_lib.c
|
|
||||||
@@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
|
||||||
{
|
|
||||||
EVP_KEYMGMT *allocated_keymgmt = NULL;
|
|
||||||
EVP_KEYMGMT *tmp_keymgmt = NULL;
|
|
||||||
+ int selection = OSSL_KEYMGMT_SELECT_ALL;
|
|
||||||
void *keydata = NULL;
|
|
||||||
int check;
|
|
||||||
|
|
||||||
@@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
|
||||||
if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) {
|
|
||||||
if (!CRYPTO_THREAD_read_lock(pk->lock))
|
|
||||||
goto end;
|
|
||||||
- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
|
|
||||||
+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt,
|
|
||||||
+ selection);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* If |tmp_keymgmt| is present in the operation cache, it means
|
|
||||||
@@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
|
||||||
EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */
|
|
||||||
|
|
||||||
/* Check to make sure some other thread didn't get there first */
|
|
||||||
- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
|
|
||||||
+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection);
|
|
||||||
if (op != NULL && op->keymgmt != NULL) {
|
|
||||||
void *tmp_keydata = op->keydata;
|
|
||||||
|
|
||||||
@@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Add the new export to the operation cache */
|
|
||||||
- if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) {
|
|
||||||
+ if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata,
|
|
||||||
+ selection)) {
|
|
||||||
CRYPTO_THREAD_unlock(pk->lock);
|
|
||||||
evp_keymgmt_freedata(tmp_keymgmt, keydata);
|
|
||||||
keydata = NULL;
|
|
||||||
@@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
|
|
||||||
}
|
|
||||||
#endif /* FIPS_MODULE */
|
|
||||||
|
|
||||||
- keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt);
|
|
||||||
+ keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection);
|
|
||||||
|
|
||||||
end:
|
|
||||||
/*
|
|
||||||
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
|
|
||||||
index f601b72807..dbbdcccbda 100644
|
|
||||||
--- a/include/crypto/evp.h
|
|
||||||
+++ b/include/crypto/evp.h
|
|
||||||
@@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
|
|
||||||
typedef struct {
|
|
||||||
EVP_KEYMGMT *keymgmt;
|
|
||||||
void *keydata;
|
|
||||||
+ int selection;
|
|
||||||
} OP_CACHE_ELEM;
|
|
||||||
|
|
||||||
DEFINE_STACK_OF(OP_CACHE_ELEM)
|
|
||||||
@@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata);
|
|
||||||
|
|
||||||
int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
|
||||||
OSSL_CALLBACK *export_cb, void *export_cbarg);
|
|
||||||
-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
|
|
||||||
+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection);
|
|
||||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt);
|
|
||||||
+ EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection);
|
|
||||||
int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
|
|
||||||
-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt, void *keydata);
|
|
||||||
+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ void *keydata, int selection);
|
|
||||||
void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
|
|
||||||
void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
|
|
||||||
int selection, const OSSL_PARAM params[]);
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Thu, 10 Nov 2022 16:58:28 -0500
|
|
||||||
Subject: [PATCH 2/3] Update documentation for keymgmt export utils
|
|
||||||
|
|
||||||
Change function prototypes and explain how to use the selection
|
|
||||||
argument.
|
|
||||||
|
|
||||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
|
||||||
|
|
||||||
diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
|
||||||
index 1fee9f6ff9..7099e44964 100644
|
|
||||||
--- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
|
||||||
+++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
|
|
||||||
@@ -20,12 +20,14 @@ OP_CACHE_ELEM
|
|
||||||
|
|
||||||
int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
|
|
||||||
OSSL_CALLBACK *export_cb, void *export_cbarg);
|
|
||||||
- void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
|
|
||||||
+ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection);
|
|
||||||
OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt);
|
|
||||||
+ EVP_KEYMGMT *keymgmt,
|
|
||||||
+ int selection);
|
|
||||||
int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
|
|
||||||
- int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
|
|
||||||
- EVP_KEYMGMT *keymgmt, void *keydata);
|
|
||||||
+ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
|
|
||||||
+ void *keydata, int selection);
|
|
||||||
void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
|
|
||||||
void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
|
|
||||||
int selection, const OSSL_PARAM params[]);
|
|
||||||
@@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a
|
|
||||||
given key I<target> via a B<EVP_KEYMGMT> interface. This is used as a
|
|
||||||
helper for L<EVP_PKEY_fromdata(3)>.
|
|
||||||
|
|
||||||
+In all functions that take a I<selection> argument, the selection is used to
|
|
||||||
+constraint the information requested on export. It is also used in the cache
|
|
||||||
+so that key data is guaranteed to contain all the information requested in
|
|
||||||
+the selection.
|
|
||||||
+
|
|
||||||
=head1 RETURN VALUES
|
|
||||||
|
|
||||||
evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata()
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Fri, 11 Nov 2022 12:18:26 -0500
|
|
||||||
Subject: [PATCH 3/3] Add test for EVP_PKEY_eq
|
|
||||||
|
|
||||||
This tests that the comparison work even if a provider can only return
|
|
||||||
a public key.
|
|
||||||
|
|
||||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/19648)
|
|
||||||
|
|
||||||
diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c
|
|
||||||
index d556551bb6..5e92e72d4b 100644
|
|
||||||
--- a/test/fake_rsaprov.c
|
|
||||||
+++ b/test/fake_rsaprov.c
|
|
||||||
@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has;
|
|
||||||
static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query;
|
|
||||||
static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import;
|
|
||||||
static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes;
|
|
||||||
+static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export;
|
|
||||||
+static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes;
|
|
||||||
static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load;
|
|
||||||
|
|
||||||
static int has_selection;
|
|
||||||
static int imptypes_selection;
|
|
||||||
+static int exptypes_selection;
|
|
||||||
static int query_id;
|
|
||||||
|
|
||||||
+struct fake_rsa_keydata {
|
|
||||||
+ int selection;
|
|
||||||
+ int status;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
static void *fake_rsa_keymgmt_new(void *provctx)
|
|
||||||
{
|
|
||||||
- unsigned char *keydata = OPENSSL_zalloc(1);
|
|
||||||
+ struct fake_rsa_keydata *key;
|
|
||||||
|
|
||||||
- TEST_ptr(keydata);
|
|
||||||
+ if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata))))
|
|
||||||
+ return NULL;
|
|
||||||
|
|
||||||
/* clear test globals */
|
|
||||||
has_selection = 0;
|
|
||||||
imptypes_selection = 0;
|
|
||||||
+ exptypes_selection = 0;
|
|
||||||
query_id = 0;
|
|
||||||
|
|
||||||
- return keydata;
|
|
||||||
+ return key;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void fake_rsa_keymgmt_free(void *keydata)
|
|
||||||
@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id)
|
|
||||||
static int fake_rsa_keymgmt_import(void *keydata, int selection,
|
|
||||||
const OSSL_PARAM *p)
|
|
||||||
{
|
|
||||||
- unsigned char *fake_rsa_key = keydata;
|
|
||||||
+ struct fake_rsa_keydata *fake_rsa_key = keydata;
|
|
||||||
|
|
||||||
/* key was imported */
|
|
||||||
- *fake_rsa_key = 1;
|
|
||||||
+ fake_rsa_key->status = 1;
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static unsigned char fake_rsa_n[] =
|
|
||||||
+ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
|
|
||||||
+ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
|
|
||||||
+ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
|
|
||||||
+ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
|
|
||||||
+ "\xF5";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_e[] = "\x11";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_d[] =
|
|
||||||
+ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
|
|
||||||
+ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
|
|
||||||
+ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
|
|
||||||
+ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_p[] =
|
|
||||||
+ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
|
|
||||||
+ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
|
|
||||||
+ "\x0D";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_q[] =
|
|
||||||
+ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
|
|
||||||
+ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
|
|
||||||
+ "\x89";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_dmp1[] =
|
|
||||||
+ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
|
|
||||||
+ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_dmq1[] =
|
|
||||||
+ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
|
|
||||||
+ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
|
|
||||||
+ "\x51";
|
|
||||||
+
|
|
||||||
+static unsigned char fake_rsa_iqmp[] =
|
|
||||||
+ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
|
|
||||||
+ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
|
|
||||||
+
|
|
||||||
+OSSL_PARAM *fake_rsa_key_params(int priv)
|
|
||||||
+{
|
|
||||||
+ if (priv) {
|
|
||||||
+ OSSL_PARAM params[] = {
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
|
|
||||||
+ sizeof(fake_rsa_n) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
|
|
||||||
+ sizeof(fake_rsa_e) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d,
|
|
||||||
+ sizeof(fake_rsa_d) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p,
|
|
||||||
+ sizeof(fake_rsa_p) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q,
|
|
||||||
+ sizeof(fake_rsa_q) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1,
|
|
||||||
+ sizeof(fake_rsa_dmp1) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1,
|
|
||||||
+ sizeof(fake_rsa_dmq1) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp,
|
|
||||||
+ sizeof(fake_rsa_iqmp) -1),
|
|
||||||
+ OSSL_PARAM_END
|
|
||||||
+ };
|
|
||||||
+ return OSSL_PARAM_dup(params);
|
|
||||||
+ } else {
|
|
||||||
+ OSSL_PARAM params[] = {
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
|
|
||||||
+ sizeof(fake_rsa_n) -1),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
|
|
||||||
+ sizeof(fake_rsa_e) -1),
|
|
||||||
+ OSSL_PARAM_END
|
|
||||||
+ };
|
|
||||||
+ return OSSL_PARAM_dup(params);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int fake_rsa_keymgmt_export(void *keydata, int selection,
|
|
||||||
+ OSSL_CALLBACK *param_callback, void *cbarg)
|
|
||||||
+{
|
|
||||||
+ OSSL_PARAM *params = NULL;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0)))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ ret = param_callback(params, cbarg);
|
|
||||||
+ OSSL_PARAM_free(params);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static const OSSL_PARAM fake_rsa_import_key_types[] = {
|
|
||||||
OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
|
|
||||||
OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
|
|
||||||
@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection)
|
|
||||||
return fake_rsa_import_key_types;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static const OSSL_PARAM fake_rsa_export_key_types[] = {
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
|
|
||||||
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
|
|
||||||
+ OSSL_PARAM_END
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection)
|
|
||||||
+{
|
|
||||||
+ /* record global for checking */
|
|
||||||
+ exptypes_selection = selection;
|
|
||||||
+
|
|
||||||
+ return fake_rsa_export_key_types;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz)
|
|
||||||
{
|
|
||||||
- unsigned char *key = NULL;
|
|
||||||
+ struct fake_rsa_keydata *key = NULL;
|
|
||||||
|
|
||||||
- if (reference_sz != sizeof(key))
|
|
||||||
+ if (reference_sz != sizeof(*key))
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- key = *(unsigned char **)reference;
|
|
||||||
- if (*key != 1)
|
|
||||||
+ key = *(struct fake_rsa_keydata **)reference;
|
|
||||||
+ if (key->status != 1)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
/* detach the reference */
|
|
||||||
- *(unsigned char **)reference = NULL;
|
|
||||||
+ *(struct fake_rsa_keydata **)reference = NULL;
|
|
||||||
|
|
||||||
return key;
|
|
||||||
}
|
|
||||||
@@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
|
||||||
{
|
|
||||||
unsigned char *gctx = genctx;
|
|
||||||
static const unsigned char inited[] = { 1 };
|
|
||||||
- unsigned char *keydata;
|
|
||||||
+ struct fake_rsa_keydata *keydata;
|
|
||||||
|
|
||||||
if (!TEST_ptr(gctx)
|
|
||||||
|| !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited)))
|
|
||||||
@@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
|
|
||||||
if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL)))
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- *keydata = 2;
|
|
||||||
+ keydata->status = 2;
|
|
||||||
return keydata;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = {
|
|
||||||
{ OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import },
|
|
||||||
{ OSSL_FUNC_KEYMGMT_IMPORT_TYPES,
|
|
||||||
(void (*)(void))fake_rsa_keymgmt_imptypes },
|
|
||||||
+ { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export },
|
|
||||||
+ { OSSL_FUNC_KEYMGMT_EXPORT_TYPES,
|
|
||||||
+ (void (*)(void))fake_rsa_keymgmt_exptypes },
|
|
||||||
{ OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load },
|
|
||||||
{ OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init },
|
|
||||||
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen },
|
|
||||||
@@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey,
|
|
||||||
const OSSL_PARAM params[])
|
|
||||||
{
|
|
||||||
unsigned char *sigctx = ctx;
|
|
||||||
- unsigned char *keydata = provkey;
|
|
||||||
+ struct fake_rsa_keydata *keydata = provkey;
|
|
||||||
|
|
||||||
/* we must have a ctx */
|
|
||||||
if (!TEST_ptr(sigctx))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* we must have some initialized key */
|
|
||||||
- if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0))
|
|
||||||
+ if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
/* record that sign init was called */
|
|
||||||
@@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx,
|
|
||||||
unsigned char *storectx = loaderctx;
|
|
||||||
OSSL_PARAM params[4];
|
|
||||||
int object_type = OSSL_OBJECT_PKEY;
|
|
||||||
- void *key = NULL;
|
|
||||||
+ struct fake_rsa_keydata *key = NULL;
|
|
||||||
int rv = 0;
|
|
||||||
|
|
||||||
switch (*storectx) {
|
|
||||||
@@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx,
|
|
||||||
/* The address of the key becomes the octet string */
|
|
||||||
params[2] =
|
|
||||||
OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE,
|
|
||||||
- &key, sizeof(key));
|
|
||||||
+ &key, sizeof(*key));
|
|
||||||
params[3] = OSSL_PARAM_construct_end();
|
|
||||||
rv = object_cb(params, object_cbarg);
|
|
||||||
*storectx = 1;
|
|
||||||
diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h
|
|
||||||
index 57de1ecf8d..190c46a285 100644
|
|
||||||
--- a/test/fake_rsaprov.h
|
|
||||||
+++ b/test/fake_rsaprov.h
|
|
||||||
@@ -12,3 +12,4 @@
|
|
||||||
/* Fake RSA provider implementation */
|
|
||||||
OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx);
|
|
||||||
void fake_rsa_finish(OSSL_PROVIDER *p);
|
|
||||||
+OSSL_PARAM *fake_rsa_key_params(int priv);
|
|
||||||
diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c
|
|
||||||
index 5c398398f4..3b190baa5e 100644
|
|
||||||
--- a/test/provider_pkey_test.c
|
|
||||||
+++ b/test/provider_pkey_test.c
|
|
||||||
@@ -176,6 +176,67 @@ end:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int test_pkey_eq(void)
|
|
||||||
+{
|
|
||||||
+ OSSL_PROVIDER *deflt = NULL;
|
|
||||||
+ OSSL_PROVIDER *fake_rsa = NULL;
|
|
||||||
+ EVP_PKEY *pkey_fake = NULL;
|
|
||||||
+ EVP_PKEY *pkey_dflt = NULL;
|
|
||||||
+ EVP_PKEY_CTX *ctx = NULL;
|
|
||||||
+ OSSL_PARAM *params = NULL;
|
|
||||||
+ int ret = 0;
|
|
||||||
+
|
|
||||||
+ if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ /* Construct a public key for fake-rsa */
|
|
||||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0))
|
|
||||||
+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
|
|
||||||
+ "provider=fake-rsa"))
|
|
||||||
+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
|
|
||||||
+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY,
|
|
||||||
+ params))
|
|
||||||
+ || !TEST_ptr(pkey_fake))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ EVP_PKEY_CTX_free(ctx);
|
|
||||||
+ ctx = NULL;
|
|
||||||
+ OSSL_PARAM_free(params);
|
|
||||||
+ params = NULL;
|
|
||||||
+
|
|
||||||
+ /* Construct a public key for default */
|
|
||||||
+ if (!TEST_ptr(params = fake_rsa_key_params(0))
|
|
||||||
+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
|
|
||||||
+ "provider=default"))
|
|
||||||
+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
|
|
||||||
+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY,
|
|
||||||
+ params))
|
|
||||||
+ || !TEST_ptr(pkey_dflt))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ EVP_PKEY_CTX_free(ctx);
|
|
||||||
+ ctx = NULL;
|
|
||||||
+ OSSL_PARAM_free(params);
|
|
||||||
+ params = NULL;
|
|
||||||
+
|
|
||||||
+ /* now test for equality */
|
|
||||||
+ if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1))
|
|
||||||
+ goto end;
|
|
||||||
+
|
|
||||||
+ ret = 1;
|
|
||||||
+end:
|
|
||||||
+ fake_rsa_finish(fake_rsa);
|
|
||||||
+ OSSL_PROVIDER_unload(deflt);
|
|
||||||
+ EVP_PKEY_CTX_free(ctx);
|
|
||||||
+ EVP_PKEY_free(pkey_fake);
|
|
||||||
+ EVP_PKEY_free(pkey_dflt);
|
|
||||||
+ OSSL_PARAM_free(params);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int test_pkey_store(int idx)
|
|
||||||
{
|
|
||||||
OSSL_PROVIDER *deflt = NULL;
|
|
||||||
@@ -235,6 +296,7 @@ int setup_tests(void)
|
|
||||||
|
|
||||||
ADD_TEST(test_pkey_sig);
|
|
||||||
ADD_TEST(test_alternative_keygen_init);
|
|
||||||
+ ADD_TEST(test_pkey_eq);
|
|
||||||
ADD_ALL_TESTS(test_pkey_store, 2);
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Mon, 14 Nov 2022 10:25:15 -0500
|
|
||||||
Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay
|
|
||||||
|
|
||||||
The providers indication should always indicate that this is not a
|
|
||||||
legacy request.
|
|
||||||
This makes a check for engines redundant as the default return is that
|
|
||||||
legacy is ok if there are no explicit providers.
|
|
||||||
|
|
||||||
Fixes #19662
|
|
||||||
|
|
||||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/19671)
|
|
||||||
---
|
|
||||||
apps/lib/apps.c | 8 --------
|
|
||||||
test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++
|
|
||||||
2 files changed, 23 insertions(+), 8 deletions(-)
|
|
||||||
create mode 100755 test/recipes/20-test_legacy_okay.t
|
|
||||||
|
|
||||||
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
|
|
||||||
index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644
|
|
||||||
--- a/apps/lib/apps.c
|
|
||||||
+++ b/apps/lib/apps.c
|
|
||||||
@@ -3405,14 +3405,6 @@ int opt_legacy_okay(void)
|
|
||||||
{
|
|
||||||
int provider_options = opt_provider_option_given();
|
|
||||||
int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
|
|
||||||
-#ifndef OPENSSL_NO_ENGINE
|
|
||||||
- ENGINE *e = ENGINE_get_first();
|
|
||||||
-
|
|
||||||
- if (e != NULL) {
|
|
||||||
- ENGINE_free(e);
|
|
||||||
- return 1;
|
|
||||||
- }
|
|
||||||
-#endif
|
|
||||||
/*
|
|
||||||
* Having a provider option specified or a custom library context or
|
|
||||||
* property query, is a sure sign we're not using legacy.
|
|
||||||
diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/20-test_legacy_okay.t
|
|
||||||
@@ -0,0 +1,23 @@
|
|
||||||
+#! /usr/bin/env perl
|
|
||||||
+# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+#
|
|
||||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+# this file except in compliance with the License. You can obtain a copy
|
|
||||||
+# in the file LICENSE in the source distribution or at
|
|
||||||
+# https://www.openssl.org/source/license.html
|
|
||||||
+
|
|
||||||
+use strict;
|
|
||||||
+use warnings;
|
|
||||||
+
|
|
||||||
+use OpenSSL::Test;
|
|
||||||
+
|
|
||||||
+setup("test_legacy");
|
|
||||||
+
|
|
||||||
+plan tests => 3;
|
|
||||||
+
|
|
||||||
+ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file");
|
|
||||||
+
|
|
||||||
+ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest");
|
|
||||||
+
|
|
||||||
+ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1',
|
|
||||||
+ 'rand.txt'])), "Fail to generate a digest");
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
||||||
@ -0,0 +1,344 @@
|
|||||||
|
From 8a2d1b22ede5eeca4d104bb027b84f3ecfc69549 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
|
Date: Thu, 11 May 2023 12:51:59 +0200
|
||||||
|
Subject: [PATCH] DH: Disable FIPS 186-4 type parameters in FIPS mode
|
||||||
|
|
||||||
|
For DH parameter and key pair generation/verification, the DSA
|
||||||
|
procedures specified in FIPS 186-4 are used. With the release of FIPS
|
||||||
|
186-5 and the removal of DSA, the approved status of these groups is in
|
||||||
|
peril. Once the transition for DSA ends (this transition will be 1 year
|
||||||
|
long and start once CMVP has published the guidance), no more
|
||||||
|
submissions claiming DSA will be allowed. Hence, FIPS 186-type
|
||||||
|
parameters will also be automatically non-approved.
|
||||||
|
|
||||||
|
In the FIPS provider, disable validation of any DH parameters that are
|
||||||
|
not well-known groups, and remove DH parameter generation completely.
|
||||||
|
|
||||||
|
Adjust tests to use well-known groups or larger DH groups where this
|
||||||
|
change would now cause failures, and skip tests that are expected to
|
||||||
|
fail due to this change.
|
||||||
|
|
||||||
|
Related: rhbz#2169757, rhbz#2169757
|
||||||
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||||
|
---
|
||||||
|
crypto/dh/dh_backend.c | 10 ++++
|
||||||
|
crypto/dh/dh_check.c | 12 ++--
|
||||||
|
crypto/dh/dh_gen.c | 12 +++-
|
||||||
|
crypto/dh/dh_key.c | 13 ++--
|
||||||
|
crypto/dh/dh_pmeth.c | 10 +++-
|
||||||
|
providers/implementations/keymgmt/dh_kmgmt.c | 5 ++
|
||||||
|
test/endecode_test.c | 4 +-
|
||||||
|
test/evp_libctx_test.c | 2 +-
|
||||||
|
test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++
|
||||||
|
test/helpers/predefined_dhparams.h | 1 +
|
||||||
|
test/recipes/80-test_cms.t | 4 +-
|
||||||
|
test/recipes/80-test_ssl_old.t | 3 +
|
||||||
|
12 files changed, 118 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
|
||||||
|
index 726843fd30..24c65ca84f 100644
|
||||||
|
--- a/crypto/dh/dh_backend.c
|
||||||
|
+++ b/crypto/dh/dh_backend.c
|
||||||
|
@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
|
||||||
|
if (!dh_ffc_params_fromdata(dh, params))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (!ossl_dh_is_named_safe_prime_group(dh)) {
|
||||||
|
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||||
|
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||||
|
+ " FIPS mode, since the required validation routines"
|
||||||
|
+ " were removed from FIPS 186-5");
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
param_priv_len =
|
||||||
|
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
|
||||||
|
if (param_priv_len != NULL
|
||||||
|
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||||
|
index 0b391910d6..75581ca347 100644
|
||||||
|
--- a/crypto/dh/dh_check.c
|
||||||
|
+++ b/crypto/dh/dh_check.c
|
||||||
|
@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
|
||||||
|
nid = DH_get_nid((DH *)dh);
|
||||||
|
if (nid != NID_undef)
|
||||||
|
return 1;
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
- * OR
|
||||||
|
- * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
|
||||||
|
- * validity tests.
|
||||||
|
+ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode.
|
||||||
|
*/
|
||||||
|
- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
|
||||||
|
- FFC_PARAM_TYPE_DH, ret, NULL);
|
||||||
|
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||||
|
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||||
|
+ " FIPS mode, since the required validation routines were"
|
||||||
|
+ " removed from FIPS 186-5");
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
int DH_check_params(const DH *dh, int *ret)
|
||||||
|
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
|
||||||
|
index aec6b85316..9c55121067 100644
|
||||||
|
--- a/crypto/dh/dh_gen.c
|
||||||
|
+++ b/crypto/dh/dh_gen.c
|
||||||
|
@@ -38,18 +38,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
|
||||||
|
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
|
||||||
|
BN_GENCB *cb)
|
||||||
|
{
|
||||||
|
- int ret, res;
|
||||||
|
+ int ret = 0;
|
||||||
|
|
||||||
|
#ifndef FIPS_MODULE
|
||||||
|
+ int res;
|
||||||
|
+
|
||||||
|
if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
|
||||||
|
ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
|
||||||
|
FFC_PARAM_TYPE_DH,
|
||||||
|
pbits, qbits, &res, cb);
|
||||||
|
else
|
||||||
|
-#endif
|
||||||
|
ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
|
||||||
|
FFC_PARAM_TYPE_DH,
|
||||||
|
pbits, qbits, &res, cb);
|
||||||
|
+#else
|
||||||
|
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
|
||||||
|
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||||
|
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||||
|
+ " FIPS mode, since the required generation routines were"
|
||||||
|
+ " removed from FIPS 186-5");
|
||||||
|
+#endif
|
||||||
|
if (ret > 0)
|
||||||
|
dh->dirty_cnt++;
|
||||||
|
return ret;
|
||||||
|
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
||||||
|
index 4e9705beef..14c0b0b6b3 100644
|
||||||
|
--- a/crypto/dh/dh_key.c
|
||||||
|
+++ b/crypto/dh/dh_key.c
|
||||||
|
@@ -308,8 +308,12 @@ static int generate_key(DH *dh)
|
||||||
|
goto err;
|
||||||
|
} else {
|
||||||
|
#ifdef FIPS_MODULE
|
||||||
|
- if (dh->params.q == NULL)
|
||||||
|
- goto err;
|
||||||
|
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||||
|
+ "FIPS 186-4 type domain parameters no longer"
|
||||||
|
+ " allowed in FIPS mode, since the required"
|
||||||
|
+ " generation routines were removed from FIPS"
|
||||||
|
+ " 186-5");
|
||||||
|
+ goto err;
|
||||||
|
#else
|
||||||
|
if (dh->params.q == NULL) {
|
||||||
|
/* secret exponent length, must satisfy 2^(l-1) <= p */
|
||||||
|
@@ -330,9 +334,7 @@ static int generate_key(DH *dh)
|
||||||
|
if (!BN_clear_bit(priv_key, 0))
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
- } else
|
||||||
|
-#endif
|
||||||
|
- {
|
||||||
|
+ } else {
|
||||||
|
/* Do a partial check for invalid p, q, g */
|
||||||
|
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
|
||||||
|
FFC_PARAM_TYPE_DH, NULL))
|
||||||
|
@@ -348,6 +350,7 @@ static int generate_key(DH *dh)
|
||||||
|
priv_key))
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
|
||||||
|
index f201eede0d..30f90d15be 100644
|
||||||
|
--- a/crypto/dh/dh_pmeth.c
|
||||||
|
+++ b/crypto/dh/dh_pmeth.c
|
||||||
|
@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
|
||||||
|
prime_len, subprime_len, &res,
|
||||||
|
pcb);
|
||||||
|
else
|
||||||
|
-# endif
|
||||||
|
- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
|
||||||
|
- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
|
||||||
|
rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
|
||||||
|
FFC_PARAM_TYPE_DH,
|
||||||
|
prime_len, subprime_len, &res,
|
||||||
|
pcb);
|
||||||
|
+# else
|
||||||
|
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
|
||||||
|
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
|
||||||
|
+ "FIPS 186-4 type domain parameters no longer allowed in"
|
||||||
|
+ " FIPS mode, since the required generation routines were"
|
||||||
|
+ " removed from FIPS 186-5");
|
||||||
|
+# endif
|
||||||
|
if (rv <= 0) {
|
||||||
|
DH_free(ret);
|
||||||
|
return NULL;
|
||||||
|
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||||
|
index 9a7dde7c66..b3e7bca5ac 100644
|
||||||
|
--- a/providers/implementations/keymgmt/dh_kmgmt.c
|
||||||
|
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||||
|
@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
|
||||||
|
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
|
||||||
|
return 1; /* nothing to validate */
|
||||||
|
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ /* In FIPS provider, always check the domain parameters to disallow
|
||||||
|
+ * operations on keys with FIPS 186-4 params. */
|
||||||
|
+ selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
|
||||||
|
+#endif
|
||||||
|
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
|
||||||
|
/*
|
||||||
|
* Both of these functions check parameters. DH_check_params_ex()
|
||||||
|
diff --git a/test/endecode_test.c b/test/endecode_test.c
|
||||||
|
index e3f7b81f69..1b63daaed5 100644
|
||||||
|
--- a/test/endecode_test.c
|
||||||
|
+++ b/test/endecode_test.c
|
||||||
|
@@ -80,10 +80,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
|
||||||
|
* for testing only. Use a minimum key size of 2048 for security purposes.
|
||||||
|
*/
|
||||||
|
if (strcmp(type, "DH") == 0)
|
||||||
|
- return get_dh512(keyctx);
|
||||||
|
+ return get_dh2048(keyctx);
|
||||||
|
|
||||||
|
if (strcmp(type, "X9.42 DH") == 0)
|
||||||
|
- return get_dhx512(keyctx);
|
||||||
|
+ return get_dhx_ffdhe2048(keyctx);
|
||||||
|
# endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
|
||||||
|
index 2448c35a14..92d484fb12 100644
|
||||||
|
--- a/test/evp_libctx_test.c
|
||||||
|
+++ b/test/evp_libctx_test.c
|
||||||
|
@@ -188,7 +188,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
|
||||||
|
|
||||||
|
if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
|
||||||
|
|| !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
|
||||||
|
- || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
|
||||||
|
+ || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
if (expected) {
|
||||||
|
diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c
|
||||||
|
index 4bdadc4143..e5186e4b4a 100644
|
||||||
|
--- a/test/helpers/predefined_dhparams.c
|
||||||
|
+++ b/test/helpers/predefined_dhparams.c
|
||||||
|
@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
|
||||||
|
dhx512_q, sizeof(dhx512_q));
|
||||||
|
}
|
||||||
|
|
||||||
|
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx)
|
||||||
|
+{
|
||||||
|
+ /* This is RFC 7919 ffdhe2048, since Red Hat removes support for
|
||||||
|
+ * non-well-known groups in FIPS mode. */
|
||||||
|
+ static unsigned char dhx_p[] = {
|
||||||
|
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58,
|
||||||
|
+ 0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
|
||||||
|
+ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41,
|
||||||
|
+ 0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
|
||||||
|
+ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02,
|
||||||
|
+ 0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
|
||||||
|
+ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55,
|
||||||
|
+ 0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
|
||||||
|
+ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda,
|
||||||
|
+ 0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
|
||||||
|
+ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82,
|
||||||
|
+ 0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
|
||||||
|
+ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3,
|
||||||
|
+ 0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
|
||||||
|
+ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1,
|
||||||
|
+ 0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
|
||||||
|
+ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32,
|
||||||
|
+ 0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
|
||||||
|
+ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83,
|
||||||
|
+ 0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
|
||||||
|
+ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff,
|
||||||
|
+ 0xff, 0xff, 0xff, 0xff
|
||||||
|
+ };
|
||||||
|
+ static unsigned char dhx_g[] = {
|
||||||
|
+ 0x02
|
||||||
|
+ };
|
||||||
|
+ static unsigned char dhx_q[] = {
|
||||||
|
+ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c,
|
||||||
|
+ 0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
|
||||||
|
+ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20,
|
||||||
|
+ 0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
|
||||||
|
+ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01,
|
||||||
|
+ 0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
|
||||||
|
+ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa,
|
||||||
|
+ 0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
|
||||||
|
+ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed,
|
||||||
|
+ 0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
|
||||||
|
+ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1,
|
||||||
|
+ 0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
|
||||||
|
+ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51,
|
||||||
|
+ 0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
|
||||||
|
+ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70,
|
||||||
|
+ 0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
|
||||||
|
+ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19,
|
||||||
|
+ 0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
|
||||||
|
+ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1,
|
||||||
|
+ 0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
|
||||||
|
+ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff,
|
||||||
|
+ 0xff, 0xff, 0xff, 0xff
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ return get_dh_from_pg(libctx, "X9.42 DH",
|
||||||
|
+ dhx_p, sizeof(dhx_p),
|
||||||
|
+ dhx_g, sizeof(dhx_g),
|
||||||
|
+ dhx_q, sizeof(dhx_q));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
|
||||||
|
{
|
||||||
|
static unsigned char dh1024_p[] = {
|
||||||
|
diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h
|
||||||
|
index f0e8709062..2ff6d6e721 100644
|
||||||
|
--- a/test/helpers/predefined_dhparams.h
|
||||||
|
+++ b/test/helpers/predefined_dhparams.h
|
||||||
|
@@ -12,6 +12,7 @@
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
|
||||||
|
EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx);
|
||||||
|
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx);
|
||||||
|
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
|
||||||
|
EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
|
||||||
|
EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
|
||||||
|
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
||||||
|
index cabbe3ecdf..efe56c5665 100644
|
||||||
|
--- a/test/recipes/80-test_cms.t
|
||||||
|
+++ b/test/recipes/80-test_cms.t
|
||||||
|
@@ -627,10 +627,10 @@ my @smime_cms_param_tests = (
|
||||||
|
],
|
||||||
|
|
||||||
|
[ "enveloped content test streaming S/MIME format, X9.42 DH",
|
||||||
|
- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
|
||||||
|
+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
|
||||||
|
"-stream", "-out", "{output}.cms",
|
||||||
|
"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
|
||||||
|
- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
|
||||||
|
+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
|
||||||
|
"-in", "{output}.cms", "-out", "{output}.txt" ],
|
||||||
|
\&final_compare
|
||||||
|
]
|
||||||
|
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
|
||||||
|
index 8c52b637fc..31ed54621b 100644
|
||||||
|
--- a/test/recipes/80-test_ssl_old.t
|
||||||
|
+++ b/test/recipes/80-test_ssl_old.t
|
||||||
|
@@ -390,6 +390,9 @@ sub testssl {
|
||||||
|
skip "skipping dhe1024dsa test", 1
|
||||||
|
if ($no_dh);
|
||||||
|
|
||||||
|
+ skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1
|
||||||
|
+ if $provider eq "fips";
|
||||||
|
+
|
||||||
|
ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
|
||||||
|
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.40.1
|
||||||
|
|
||||||
@ -1,281 +0,0 @@
|
|||||||
From c927a3492698c254637da836762f9b1f86cffabc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Viktor Dukhovni <openssl-users@dukhovni.org>
|
|
||||||
Date: Tue, 13 Dec 2022 08:49:13 +0100
|
|
||||||
Subject: [PATCH 01/18] Fix type confusion in nc_match_single()
|
|
||||||
|
|
||||||
This function assumes that if the "gen" is an OtherName, then the "base"
|
|
||||||
is a rfc822Name constraint. This assumption is not true in all cases.
|
|
||||||
If the end-entity certificate contains an OtherName SAN of any type besides
|
|
||||||
SmtpUtf8Mailbox and the CA certificate contains a name constraint of
|
|
||||||
OtherName (of any type), then "nc_email_eai" will be invoked, with the
|
|
||||||
OTHERNAME "base" being incorrectly interpreted as a ASN1_IA5STRING.
|
|
||||||
|
|
||||||
Reported by Corey Bonnell from Digicert.
|
|
||||||
|
|
||||||
CVE-2022-4203
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
---
|
|
||||||
crypto/x509/v3_ncons.c | 45 +++++++++++++++++++++++++++++-------------
|
|
||||||
1 file changed, 31 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
|
|
||||||
index 70a7e8304e..5101598512 100644
|
|
||||||
--- a/crypto/x509/v3_ncons.c
|
|
||||||
+++ b/crypto/x509/v3_ncons.c
|
|
||||||
@@ -31,7 +31,8 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
|
|
||||||
static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
|
|
||||||
|
|
||||||
static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
|
|
||||||
-static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
|
|
||||||
+static int nc_match_single(int effective_type, GENERAL_NAME *sub,
|
|
||||||
+ GENERAL_NAME *gen);
|
|
||||||
static int nc_dn(const X509_NAME *sub, const X509_NAME *nm);
|
|
||||||
static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
|
|
||||||
static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
|
|
||||||
@@ -472,14 +473,17 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
|
||||||
{
|
|
||||||
GENERAL_SUBTREE *sub;
|
|
||||||
int i, r, match = 0;
|
|
||||||
+ int effective_type = gen->type;
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* We need to compare not gen->type field but an "effective" type because
|
|
||||||
* the otherName field may contain EAI email address treated specially
|
|
||||||
* according to RFC 8398, section 6
|
|
||||||
*/
|
|
||||||
- int effective_type = ((gen->type == GEN_OTHERNAME) &&
|
|
||||||
- (OBJ_obj2nid(gen->d.otherName->type_id) ==
|
|
||||||
- NID_id_on_SmtpUTF8Mailbox)) ? GEN_EMAIL : gen->type;
|
|
||||||
+ if (effective_type == GEN_OTHERNAME &&
|
|
||||||
+ (OBJ_obj2nid(gen->d.otherName->type_id) == NID_id_on_SmtpUTF8Mailbox)) {
|
|
||||||
+ effective_type = GEN_EMAIL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Permitted subtrees: if any subtrees exist of matching the type at
|
|
||||||
@@ -488,7 +492,10 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
|
||||||
|
|
||||||
for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
|
|
||||||
sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
|
|
||||||
- if (effective_type != sub->base->type)
|
|
||||||
+ if (effective_type != sub->base->type
|
|
||||||
+ || (effective_type == GEN_OTHERNAME &&
|
|
||||||
+ OBJ_cmp(gen->d.otherName->type_id,
|
|
||||||
+ sub->base->d.otherName->type_id) != 0))
|
|
||||||
continue;
|
|
||||||
if (!nc_minmax_valid(sub))
|
|
||||||
return X509_V_ERR_SUBTREE_MINMAX;
|
|
||||||
@@ -497,7 +504,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
|
||||||
continue;
|
|
||||||
if (match == 0)
|
|
||||||
match = 1;
|
|
||||||
- r = nc_match_single(gen, sub->base);
|
|
||||||
+ r = nc_match_single(effective_type, gen, sub->base);
|
|
||||||
if (r == X509_V_OK)
|
|
||||||
match = 2;
|
|
||||||
else if (r != X509_V_ERR_PERMITTED_VIOLATION)
|
|
||||||
@@ -511,12 +518,15 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
|
||||||
|
|
||||||
for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
|
|
||||||
sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
|
|
||||||
- if (effective_type != sub->base->type)
|
|
||||||
+ if (effective_type != sub->base->type
|
|
||||||
+ || (effective_type == GEN_OTHERNAME &&
|
|
||||||
+ OBJ_cmp(gen->d.otherName->type_id,
|
|
||||||
+ sub->base->d.otherName->type_id) != 0))
|
|
||||||
continue;
|
|
||||||
if (!nc_minmax_valid(sub))
|
|
||||||
return X509_V_ERR_SUBTREE_MINMAX;
|
|
||||||
|
|
||||||
- r = nc_match_single(gen, sub->base);
|
|
||||||
+ r = nc_match_single(effective_type, gen, sub->base);
|
|
||||||
if (r == X509_V_OK)
|
|
||||||
return X509_V_ERR_EXCLUDED_VIOLATION;
|
|
||||||
else if (r != X509_V_ERR_PERMITTED_VIOLATION)
|
|
||||||
@@ -528,15 +538,22 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
|
|
||||||
+static int nc_match_single(int effective_type, GENERAL_NAME *gen,
|
|
||||||
+ GENERAL_NAME *base)
|
|
||||||
{
|
|
||||||
switch (gen->type) {
|
|
||||||
case GEN_OTHERNAME:
|
|
||||||
- /*
|
|
||||||
- * We are here only when we have SmtpUTF8 name,
|
|
||||||
- * so we match the value of othername with base->d.rfc822Name
|
|
||||||
- */
|
|
||||||
- return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name);
|
|
||||||
+ switch (effective_type) {
|
|
||||||
+ case GEN_EMAIL:
|
|
||||||
+ /*
|
|
||||||
+ * We are here only when we have SmtpUTF8 name,
|
|
||||||
+ * so we match the value of othername with base->d.rfc822Name
|
|
||||||
+ */
|
|
||||||
+ return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name);
|
|
||||||
+
|
|
||||||
+ default:
|
|
||||||
+ return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
case GEN_DIRNAME:
|
|
||||||
return nc_dn(gen->d.directoryName, base->d.directoryName);
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
From fe6842f5a5dc2fb66da7fb24bf4343a3aeedd50a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Tue, 13 Dec 2022 19:45:09 +0100
|
|
||||||
Subject: [PATCH 02/18] Add testcase for nc_match_single type confusion
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
||||||
---
|
|
||||||
test/certs/bad-othername-cert.pem | 20 ++++++++++++++++++++
|
|
||||||
test/certs/nccaothername-cert.pem | 20 ++++++++++++++++++++
|
|
||||||
test/certs/nccaothername-key.pem | 28 ++++++++++++++++++++++++++++
|
|
||||||
test/certs/setup.sh | 11 +++++++++++
|
|
||||||
test/recipes/25-test_verify.t | 5 ++++-
|
|
||||||
5 files changed, 83 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100644 test/certs/bad-othername-cert.pem
|
|
||||||
create mode 100644 test/certs/nccaothername-cert.pem
|
|
||||||
create mode 100644 test/certs/nccaothername-key.pem
|
|
||||||
|
|
||||||
diff --git a/test/certs/bad-othername-cert.pem b/test/certs/bad-othername-cert.pem
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..cf279de5ea
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/certs/bad-othername-cert.pem
|
|
||||||
@@ -0,0 +1,20 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIDRDCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
|
|
||||||
+IE5DIENBIG90aGVybmFtZTAgFw0yMjEyMTMxODMzMTZaGA8yMTIyMTIxNDE4MzMx
|
|
||||||
+NlowMTEvMC0GA1UECgwmTkMgZW1haWwgaW4gb3RoZXJuYW1lIFRlc3QgQ2VydGlm
|
|
||||||
+aWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPgeoakqHk1zYt
|
|
||||||
+JZpEC0qkJPU/X0lfI+6GY2LHFY9KOSFqqmTXxrUtjQc3SdpQvBZhPuMZ8p82Jid2
|
|
||||||
+kkRHnWs0uqX9NtLO923yQalYvP6Mt3fokcYgw/C9b+I/q1PKUyN0kPB6McROguD5
|
|
||||||
+Jz2DcEufJBhbpyay1bFjEI2DAQJKDP/U7uH0EA7kH/27UMk0vfvL5uVjDvlo8i6S
|
|
||||||
+Ul8+u0cDV5ZFJW2VAJKLU3wp6IY4fZl9UqkHZuRQpMJGqAjAleWOIEpyyvfGGh0b
|
|
||||||
+75n3GJ+4YZ7CIBEgY7K0nIbKxtcDZPvmtbYg3g1tkPMTHcodFT7yEdqkBTJ5AGL7
|
|
||||||
+6U850OhjAgMBAAGjdzB1MB0GA1UdDgQWBBTBz0k+q6d4c3aM+s2IyOF/QP6zCTAf
|
|
||||||
+BgNVHSMEGDAWgBTwhghX7uNdMejZ3f4XorqOQoMqwTAJBgNVHRMEAjAAMCgGA1Ud
|
|
||||||
+EQQhMB+gHQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEB
|
|
||||||
+CwUAA4IBAQAhxbCEVH8pq0aUMaLWaodyXdCqA0AKTFG6Mz9Rpwn89OwC8FylTEru
|
|
||||||
+t+Bqx/ZuTo8YzON8h9m7DIrQIjZKDLW/g5YbvIsxIVV9gWhAGohdsIyMKRBepSmr
|
|
||||||
+NxJQkO74RLBTamfl0WUCVM4HqroflFjBBG67CTJaQ9cH9ug3TKxaXCK1L6iQAXtq
|
|
||||||
+enILGai98Byo0LCFH4MQOhmhV1BDT2boIG/iYb5VKCTSX25vhaF+PNBhUoysjW0O
|
|
||||||
+vhQX8vrw42QRr4Qi7VfUBXzrbRTzxjOc4yqki7h2DcEdpginqe+aGyaFY+H9m/ka
|
|
||||||
+1AR5KN8h5SYKltSXknjs0pp1w4k49aHl
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
diff --git a/test/certs/nccaothername-cert.pem b/test/certs/nccaothername-cert.pem
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..f9b9b07b80
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/certs/nccaothername-cert.pem
|
|
||||||
@@ -0,0 +1,20 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIDPjCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
|
|
||||||
+IENBMCAXDTIyMTIxMzE4MTgwM1oYDzIxMjIxMjE0MTgxODAzWjAfMR0wGwYDVQQD
|
|
||||||
+DBRUZXN0IE5DIENBIG90aGVybmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
|
|
||||||
+AQoCggEBAN0Dx+ei8CgtRKnDcYiLwX4vrA48at/o/zfX24X/WZZM1o9HUKo1FQBN
|
|
||||||
+vhESJu+gqPxuIePrk+/L25XdRqwCKk8wkWX0XIz18q5orOHUUFAWNK3g0FDj6N8H
|
|
||||||
+d8urNIbDJ44FCx+/0n8Ppiht/EYN3aVOW5enqbgZ+EEt+3AUG6ibieRdGri9g4oh
|
|
||||||
+IIx60MmVHLbuT/TcVZxaeWyTl6iWmsYosUyqlhTtu1uGtbVtkCAhBYloVvz4J5eA
|
|
||||||
+mVu/JuJbsNxbxVeO9Q8Kj6nb4jPPdGvZ3JPcabbWrz5LwaereBf5IPrXEVdQTlYB
|
|
||||||
+gI0pTz2CEDHSIrd7jzRUX/9EC2gMk6UCAwEAAaOBjzCBjDAPBgNVHRMBAf8EBTAD
|
|
||||||
+AQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU8IYIV+7jXTHo2d3+F6K6jkKDKsEw
|
|
||||||
+HwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwLAYDVR0eBCUwI6EhMB+g
|
|
||||||
+HQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IB
|
|
||||||
+AQDPI5uZd8DhSNKMvYF5bxOshd6h6UJ7YzZS7K6fhiygltdqzkHQ/5+4yiuUkDe4
|
|
||||||
+hOZlH8MCfXQy5jVZDTk24yNchpdfie5Bswn4SmQVQh3QyzOLxizoh0rLCf2PHueu
|
|
||||||
+dNVNhfiiJNJ5kd8MIuVG7CPK68dP0QrVR+DihROuJgvGB3ClKttLrgle19t4PFRR
|
|
||||||
+2wW6hJT9aXEjzLNyN1QFZKoShuiGX4xwjZh7VyKkV64p8hjojhcLk6dQkel+Jw4y
|
|
||||||
+OP26XbVfM8/6KG8f6WAZ8P0qJwHlhmi0EvRTnEpAM8WuenOeZH6ERZ9uZbRGh6xx
|
|
||||||
+LKQu2Aw2+bOEZ2vUtz0dBhX8
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
diff --git a/test/certs/nccaothername-key.pem b/test/certs/nccaothername-key.pem
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..d3e300ac2f
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/certs/nccaothername-key.pem
|
|
||||||
@@ -0,0 +1,28 @@
|
|
||||||
+-----BEGIN PRIVATE KEY-----
|
|
||||||
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDdA8fnovAoLUSp
|
|
||||||
+w3GIi8F+L6wOPGrf6P8319uF/1mWTNaPR1CqNRUATb4REibvoKj8biHj65Pvy9uV
|
|
||||||
+3UasAipPMJFl9FyM9fKuaKzh1FBQFjSt4NBQ4+jfB3fLqzSGwyeOBQsfv9J/D6Yo
|
|
||||||
+bfxGDd2lTluXp6m4GfhBLftwFBuom4nkXRq4vYOKISCMetDJlRy27k/03FWcWnls
|
|
||||||
+k5eolprGKLFMqpYU7btbhrW1bZAgIQWJaFb8+CeXgJlbvybiW7DcW8VXjvUPCo+p
|
|
||||||
+2+Izz3Rr2dyT3Gm21q8+S8Gnq3gX+SD61xFXUE5WAYCNKU89ghAx0iK3e480VF//
|
|
||||||
+RAtoDJOlAgMBAAECggEAMFSJlCyEFlER3Qq9asXe9eRgXEuXdmfZ2aEVIuf8M/sR
|
|
||||||
+B0tpxxKtCUA24j5FL+0CzxKZTCFBnDRIzCyTbf1aOa9t+CzXyUZmP3/p4EdgmabF
|
|
||||||
+dcl93FZ+X7kfF/VUGu0Vmv+c12BH3Fu0cs5cVohlMecg7diu6zCYok43F+L5ymRy
|
|
||||||
+2mTcKkGc0ShWizj8Z9R3WJGssZOlxbxa/Zr4rZwRC24UVhfN8AfGWYx/StyQPQIw
|
|
||||||
+gtbbtOmwbyredQmY4jwNqgrnfZS9bkWwJbRuCmD5l7lxubBgcHQpoM+DQVeOLZIq
|
|
||||||
+uksFXeNfal9G5Bo747MMzpD7dJMCGmX+gbMY5oZF+QKBgQDs2MbY4nbxi+fV+KuV
|
|
||||||
+zUvis8m8Lpzf3T6NLkgSkUPRN9tGr95iLIrB/bRPJg5Ne02q/cT7d86B9rpE42w7
|
|
||||||
+eeIF9fANezX2AF8LUqNZhIR23J3tfB/eqGlJRZeMNia+lD09a7SWGwrS7sufY1I+
|
|
||||||
+JQGcHx77ntt+eQT1MUJ1skF06QKBgQDu4z+TW4QIA5ItxIReVdcfh5e3xLkzDEVP
|
|
||||||
+3KNo9tpXxvPwqapdeBh6c9z4Lqe3MKr5UPlDvVW+o40t6OjKxDCXczB8+JAM0OyX
|
|
||||||
+8V+K3zXXUxRgieSd3oMncTylSWIvouPP3aW37B67TKdRlRHgaBrpJT2wdk3kYR4t
|
|
||||||
+62J1eDdjXQKBgQDMsY0pZI/nskJrar7geM1c4IU5Xg+2aj/lRFqFsYYrC1s3fEd2
|
|
||||||
+EYjan6l1vi4eSLKXVTspGiIfsFzLrMGdpXjyLduJyzKXqTp7TrBebWkOUR0sYloo
|
|
||||||
+1OQprzuKskJJ81P6AVvRXw27vyW8Wtp5WwJJK5xbWq/YXj8qqagGkEiCAQKBgQCc
|
|
||||||
+RK3XAFurPmLGa7JHX5Hc/z8BKMAZo6JHrsZ6qFiGaRA0U1it0hz5JYfcFfECheSi
|
|
||||||
+ORUF+fn4PlbhPGXkFljPCbwjVBovOBA9CNl+J6u50pAW4r1ZhDB5gbqxSQLgtIaf
|
|
||||||
++JcqbFxiG6+sT36lNJS+BO2I3KrxhZJPaZY7z8szxQKBgQDRy70XzwOk8jXayiF2
|
|
||||||
+ej2IN7Ow9cgSE4tLEwR/vCjxvOlWhA3jC3wxoggshGJkpbP3DqLkQtwQm0h1lM8J
|
|
||||||
+QNtFwKzjtpf//bTlfFq08/YxWimTPMqzcV2PgRacB8P3yf1r8T7M4fA5TORCDWpW
|
|
||||||
+5FtOCFEmwQHTR8lu4c63qfxkEQ==
|
|
||||||
+-----END PRIVATE KEY-----
|
|
||||||
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
|
|
||||||
index b9766aab20..2240cd9df0 100755
|
|
||||||
--- a/test/certs/setup.sh
|
|
||||||
+++ b/test/certs/setup.sh
|
|
||||||
@@ -388,6 +388,17 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \
|
|
||||||
"email.1 = good@good.org" "email.2 = any@good.com" \
|
|
||||||
"IP = 127.0.0.1" "IP = 192.168.0.1"
|
|
||||||
|
|
||||||
+# Certs for CVE-2022-4203 testcase
|
|
||||||
+
|
|
||||||
+NC="excluded;otherName:SRVName;UTF8STRING:foo@example.org" ./mkcert.sh genca \
|
|
||||||
+ "Test NC CA othername" nccaothername-key nccaothername-cert \
|
|
||||||
+ root-key root-cert
|
|
||||||
+
|
|
||||||
+./mkcert.sh req alt-email-key "O = NC email in othername Test Certificate" | \
|
|
||||||
+ ./mkcert.sh geneealt bad-othername-key bad-othername-cert \
|
|
||||||
+ nccaothername-key nccaothername-cert \
|
|
||||||
+ "otherName.1 = SRVName;UTF8STRING:foo@example.org"
|
|
||||||
+
|
|
||||||
# RSA-PSS signatures
|
|
||||||
# SHA1
|
|
||||||
./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \
|
|
||||||
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
|
|
||||||
index 4613489f57..e6a2bca731 100644
|
|
||||||
--- a/test/recipes/25-test_verify.t
|
|
||||||
+++ b/test/recipes/25-test_verify.t
|
|
||||||
@@ -29,7 +29,7 @@ sub verify {
|
|
||||||
run(app([@args]));
|
|
||||||
}
|
|
||||||
|
|
||||||
-plan tests => 162;
|
|
||||||
+plan tests => 163;
|
|
||||||
|
|
||||||
# Canonical success
|
|
||||||
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
|
|
||||||
@@ -402,6 +402,9 @@ ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
|
|
||||||
ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
|
|
||||||
"Name constraints nested DNS name excluded");
|
|
||||||
|
|
||||||
+ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ),
|
|
||||||
+ "CVE-2022-4203 type confusion test");
|
|
||||||
+
|
|
||||||
#Check that we get the expected failure return code
|
|
||||||
with({ exit_checker => sub { return shift == 2; } },
|
|
||||||
sub {
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
@ -1,750 +0,0 @@
|
|||||||
From 8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Date: Fri, 20 Jan 2023 15:03:40 +0000
|
|
||||||
Subject: [PATCH 03/18] Fix Timing Oracle in RSA decryption
|
|
||||||
|
|
||||||
A timing based side channel exists in the OpenSSL RSA Decryption
|
|
||||||
implementation which could be sufficient to recover a plaintext across
|
|
||||||
a network in a Bleichenbacher style attack. To achieve a successful
|
|
||||||
decryption an attacker would have to be able to send a very large number
|
|
||||||
of trial messages for decryption. The vulnerability affects all RSA
|
|
||||||
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
|
|
||||||
|
|
||||||
Patch written by Dmitry Belyavsky and Hubert Kario
|
|
||||||
|
|
||||||
CVE-2022-4304
|
|
||||||
|
|
||||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
---
|
|
||||||
crypto/bn/bn_blind.c | 14 -
|
|
||||||
crypto/bn/bn_local.h | 14 +
|
|
||||||
crypto/bn/build.info | 2 +-
|
|
||||||
crypto/bn/rsa_sup_mul.c | 604 ++++++++++++++++++++++++++++++++++++++++
|
|
||||||
crypto/rsa/rsa_ossl.c | 19 +-
|
|
||||||
include/crypto/bn.h | 6 +
|
|
||||||
6 files changed, 638 insertions(+), 21 deletions(-)
|
|
||||||
create mode 100644 crypto/bn/rsa_sup_mul.c
|
|
||||||
|
|
||||||
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
|
|
||||||
index 72457b34cf..6061ebb4c0 100644
|
|
||||||
--- a/crypto/bn/bn_blind.c
|
|
||||||
+++ b/crypto/bn/bn_blind.c
|
|
||||||
@@ -13,20 +13,6 @@
|
|
||||||
|
|
||||||
#define BN_BLINDING_COUNTER 32
|
|
||||||
|
|
||||||
-struct bn_blinding_st {
|
|
||||||
- BIGNUM *A;
|
|
||||||
- BIGNUM *Ai;
|
|
||||||
- BIGNUM *e;
|
|
||||||
- BIGNUM *mod; /* just a reference */
|
|
||||||
- CRYPTO_THREAD_ID tid;
|
|
||||||
- int counter;
|
|
||||||
- unsigned long flags;
|
|
||||||
- BN_MONT_CTX *m_ctx;
|
|
||||||
- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
|
||||||
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
|
||||||
- CRYPTO_RWLOCK *lock;
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
|
|
||||||
{
|
|
||||||
BN_BLINDING *ret = NULL;
|
|
||||||
diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
|
|
||||||
index c9a7ecf298..8c428f919d 100644
|
|
||||||
--- a/crypto/bn/bn_local.h
|
|
||||||
+++ b/crypto/bn/bn_local.h
|
|
||||||
@@ -290,6 +290,20 @@ struct bn_gencb_st {
|
|
||||||
} cb;
|
|
||||||
};
|
|
||||||
|
|
||||||
+struct bn_blinding_st {
|
|
||||||
+ BIGNUM *A;
|
|
||||||
+ BIGNUM *Ai;
|
|
||||||
+ BIGNUM *e;
|
|
||||||
+ BIGNUM *mod; /* just a reference */
|
|
||||||
+ CRYPTO_THREAD_ID tid;
|
|
||||||
+ int counter;
|
|
||||||
+ unsigned long flags;
|
|
||||||
+ BN_MONT_CTX *m_ctx;
|
|
||||||
+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
|
||||||
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
|
|
||||||
+ CRYPTO_RWLOCK *lock;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
/*-
|
|
||||||
* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
|
|
||||||
*
|
|
||||||
diff --git a/crypto/bn/build.info b/crypto/bn/build.info
|
|
||||||
index c4ba51b265..f4ff619239 100644
|
|
||||||
--- a/crypto/bn/build.info
|
|
||||||
+++ b/crypto/bn/build.info
|
|
||||||
@@ -105,7 +105,7 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
|
|
||||||
bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
|
|
||||||
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \
|
|
||||||
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
|
|
||||||
- bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c
|
|
||||||
+ bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c rsa_sup_mul.c
|
|
||||||
SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c
|
|
||||||
DEFINE[../../libcrypto]=$BNDEF
|
|
||||||
IF[{- !$disabled{'deprecated-0.9.8'} -}]
|
|
||||||
diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..0e0d02e194
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/crypto/bn/rsa_sup_mul.c
|
|
||||||
@@ -0,0 +1,604 @@
|
|
||||||
+#include <openssl/e_os2.h>
|
|
||||||
+#include <stddef.h>
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <openssl/bn.h>
|
|
||||||
+#include <openssl/err.h>
|
|
||||||
+#include <openssl/rsaerr.h>
|
|
||||||
+#include "internal/endian.h"
|
|
||||||
+#include "internal/numbers.h"
|
|
||||||
+#include "internal/constant_time.h"
|
|
||||||
+#include "bn_local.h"
|
|
||||||
+
|
|
||||||
+# if BN_BYTES == 8
|
|
||||||
+typedef uint64_t limb_t;
|
|
||||||
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
|
|
||||||
+typedef uint128_t limb2_t;
|
|
||||||
+# define HAVE_LIMB2_T
|
|
||||||
+# endif
|
|
||||||
+# define LIMB_BIT_SIZE 64
|
|
||||||
+# define LIMB_BYTE_SIZE 8
|
|
||||||
+# elif BN_BYTES == 4
|
|
||||||
+typedef uint32_t limb_t;
|
|
||||||
+typedef uint64_t limb2_t;
|
|
||||||
+# define LIMB_BIT_SIZE 32
|
|
||||||
+# define LIMB_BYTE_SIZE 4
|
|
||||||
+# define HAVE_LIMB2_T
|
|
||||||
+# else
|
|
||||||
+# error "Not supported"
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * For multiplication we're using schoolbook multiplication,
|
|
||||||
+ * so if we have two numbers, each with 6 "digits" (words)
|
|
||||||
+ * the multiplication is calculated as follows:
|
|
||||||
+ * A B C D E F
|
|
||||||
+ * x I J K L M N
|
|
||||||
+ * --------------
|
|
||||||
+ * N*F
|
|
||||||
+ * N*E
|
|
||||||
+ * N*D
|
|
||||||
+ * N*C
|
|
||||||
+ * N*B
|
|
||||||
+ * N*A
|
|
||||||
+ * M*F
|
|
||||||
+ * M*E
|
|
||||||
+ * M*D
|
|
||||||
+ * M*C
|
|
||||||
+ * M*B
|
|
||||||
+ * M*A
|
|
||||||
+ * L*F
|
|
||||||
+ * L*E
|
|
||||||
+ * L*D
|
|
||||||
+ * L*C
|
|
||||||
+ * L*B
|
|
||||||
+ * L*A
|
|
||||||
+ * K*F
|
|
||||||
+ * K*E
|
|
||||||
+ * K*D
|
|
||||||
+ * K*C
|
|
||||||
+ * K*B
|
|
||||||
+ * K*A
|
|
||||||
+ * J*F
|
|
||||||
+ * J*E
|
|
||||||
+ * J*D
|
|
||||||
+ * J*C
|
|
||||||
+ * J*B
|
|
||||||
+ * J*A
|
|
||||||
+ * I*F
|
|
||||||
+ * I*E
|
|
||||||
+ * I*D
|
|
||||||
+ * I*C
|
|
||||||
+ * I*B
|
|
||||||
+ * + I*A
|
|
||||||
+ * ==========================
|
|
||||||
+ * N*B N*D N*F
|
|
||||||
+ * + N*A N*C N*E
|
|
||||||
+ * + M*B M*D M*F
|
|
||||||
+ * + M*A M*C M*E
|
|
||||||
+ * + L*B L*D L*F
|
|
||||||
+ * + L*A L*C L*E
|
|
||||||
+ * + K*B K*D K*F
|
|
||||||
+ * + K*A K*C K*E
|
|
||||||
+ * + J*B J*D J*F
|
|
||||||
+ * + J*A J*C J*E
|
|
||||||
+ * + I*B I*D I*F
|
|
||||||
+ * + I*A I*C I*E
|
|
||||||
+ *
|
|
||||||
+ * 1+1 1+3 1+5
|
|
||||||
+ * 1+0 1+2 1+4
|
|
||||||
+ * 0+1 0+3 0+5
|
|
||||||
+ * 0+0 0+2 0+4
|
|
||||||
+ *
|
|
||||||
+ * 0 1 2 3 4 5 6
|
|
||||||
+ * which requires n^2 multiplications and 2n full length additions
|
|
||||||
+ * as we can keep every other result of limb multiplication in two separate
|
|
||||||
+ * limbs
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#if defined HAVE_LIMB2_T
|
|
||||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
|
||||||
+{
|
|
||||||
+ limb2_t t;
|
|
||||||
+ /*
|
|
||||||
+ * this is idiomatic code to tell compiler to use the native mul
|
|
||||||
+ * those three lines will actually compile to single instruction
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+ t = (limb2_t)a * b;
|
|
||||||
+ *hi = t >> LIMB_BIT_SIZE;
|
|
||||||
+ *lo = (limb_t)t;
|
|
||||||
+}
|
|
||||||
+#elif (BN_BYTES == 8) && (defined _MSC_VER)
|
|
||||||
+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
|
|
||||||
+#pragma intrinsic(_umul128)
|
|
||||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
|
||||||
+{
|
|
||||||
+ *lo = _umul128(a, b, hi);
|
|
||||||
+}
|
|
||||||
+#else
|
|
||||||
+/*
|
|
||||||
+ * if the compiler doesn't have either a 128bit data type nor a "return
|
|
||||||
+ * high 64 bits of multiplication"
|
|
||||||
+ */
|
|
||||||
+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
|
|
||||||
+{
|
|
||||||
+ limb_t a_low = (limb_t)(uint32_t)a;
|
|
||||||
+ limb_t a_hi = a >> 32;
|
|
||||||
+ limb_t b_low = (limb_t)(uint32_t)b;
|
|
||||||
+ limb_t b_hi = b >> 32;
|
|
||||||
+
|
|
||||||
+ limb_t p0 = a_low * b_low;
|
|
||||||
+ limb_t p1 = a_low * b_hi;
|
|
||||||
+ limb_t p2 = a_hi * b_low;
|
|
||||||
+ limb_t p3 = a_hi * b_hi;
|
|
||||||
+
|
|
||||||
+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
|
|
||||||
+
|
|
||||||
+ *lo = p0 + (p1 << 32) + (p2 << 32);
|
|
||||||
+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+/* add two limbs with carry in, return carry out */
|
|
||||||
+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
|
|
||||||
+{
|
|
||||||
+ limb_t carry1, carry2, t;
|
|
||||||
+ /*
|
|
||||||
+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers
|
|
||||||
+ * use add with carry on assembly level
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+ *ret = a + carry;
|
|
||||||
+ if (*ret < a)
|
|
||||||
+ carry1 = 1;
|
|
||||||
+ else
|
|
||||||
+ carry1 = 0;
|
|
||||||
+
|
|
||||||
+ t = *ret;
|
|
||||||
+ *ret = t + b;
|
|
||||||
+ if (*ret < t)
|
|
||||||
+ carry2 = 1;
|
|
||||||
+ else
|
|
||||||
+ carry2 = 0;
|
|
||||||
+
|
|
||||||
+ return carry1 + carry2;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * add two numbers of the same size, return overflow
|
|
||||||
+ *
|
|
||||||
+ * add a to b, place result in ret; all arrays need to be n limbs long
|
|
||||||
+ * return overflow from addition (0 or 1)
|
|
||||||
+ */
|
|
||||||
+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
|
||||||
+{
|
|
||||||
+ limb_t c = 0;
|
|
||||||
+ ossl_ssize_t i;
|
|
||||||
+
|
|
||||||
+ for(i = n - 1; i > -1; i--)
|
|
||||||
+ c = _add_limb(&ret[i], a[i], b[i], c);
|
|
||||||
+
|
|
||||||
+ return c;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * return number of limbs necessary for temporary values
|
|
||||||
+ * when multiplying numbers n limbs large
|
|
||||||
+ */
|
|
||||||
+static ossl_inline size_t mul_limb_numb(size_t n)
|
|
||||||
+{
|
|
||||||
+ return 2 * n * 2;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * multiply two numbers of the same size
|
|
||||||
+ *
|
|
||||||
+ * multiply a by b, place result in ret; a and b need to be n limbs long
|
|
||||||
+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
|
|
||||||
+ * long
|
|
||||||
+ */
|
|
||||||
+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
|
|
||||||
+{
|
|
||||||
+ limb_t *r_odd, *r_even;
|
|
||||||
+ size_t i, j, k;
|
|
||||||
+
|
|
||||||
+ r_odd = tmp;
|
|
||||||
+ r_even = &tmp[2 * n];
|
|
||||||
+
|
|
||||||
+ memset(ret, 0, 2 * n * sizeof(limb_t));
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < n; i++) {
|
|
||||||
+ for (k = 0; k < i + n + 1; k++) {
|
|
||||||
+ r_even[k] = 0;
|
|
||||||
+ r_odd[k] = 0;
|
|
||||||
+ }
|
|
||||||
+ for (j = 0; j < n; j++) {
|
|
||||||
+ /*
|
|
||||||
+ * place results from even and odd limbs in separate arrays so that
|
|
||||||
+ * we don't have to calculate overflow every time we get individual
|
|
||||||
+ * limb multiplication result
|
|
||||||
+ */
|
|
||||||
+ if (j % 2 == 0)
|
|
||||||
+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
|
|
||||||
+ else
|
|
||||||
+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
|
|
||||||
+ }
|
|
||||||
+ /*
|
|
||||||
+ * skip the least significant limbs when adding multiples of
|
|
||||||
+ * more significant limbs (they're zero anyway)
|
|
||||||
+ */
|
|
||||||
+ add(ret, ret, r_even, n + i + 1);
|
|
||||||
+ add(ret, ret, r_odd, n + i + 1);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* modifies the value in place by performing a right shift by one bit */
|
|
||||||
+static ossl_inline void rshift1(limb_t *val, size_t n)
|
|
||||||
+{
|
|
||||||
+ limb_t shift_in = 0, shift_out = 0;
|
|
||||||
+ size_t i;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < n; i++) {
|
|
||||||
+ shift_out = val[i] & 1;
|
|
||||||
+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
|
|
||||||
+ shift_in = shift_out;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* extend the LSB of flag to all bits of limb */
|
|
||||||
+static ossl_inline limb_t mk_mask(limb_t flag)
|
|
||||||
+{
|
|
||||||
+ flag |= flag << 1;
|
|
||||||
+ flag |= flag << 2;
|
|
||||||
+ flag |= flag << 4;
|
|
||||||
+ flag |= flag << 8;
|
|
||||||
+ flag |= flag << 16;
|
|
||||||
+#if (LIMB_BYTE_SIZE == 8)
|
|
||||||
+ flag |= flag << 32;
|
|
||||||
+#endif
|
|
||||||
+ return flag;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * copy from either a or b to ret based on flag
|
|
||||||
+ * when flag == 0, then copies from b
|
|
||||||
+ * when flag == 1, then copies from a
|
|
||||||
+ */
|
|
||||||
+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
|
||||||
+{
|
|
||||||
+ /*
|
|
||||||
+ * would be more efficient with non volatile mask, but then gcc
|
|
||||||
+ * generates code with jumps
|
|
||||||
+ */
|
|
||||||
+ volatile limb_t mask;
|
|
||||||
+ size_t i;
|
|
||||||
+
|
|
||||||
+ mask = mk_mask(flag);
|
|
||||||
+ for (i = 0; i < n; i++) {
|
|
||||||
+#if (LIMB_BYTE_SIZE == 8)
|
|
||||||
+ ret[i] = constant_time_select_64(mask, a[i], b[i]);
|
|
||||||
+#else
|
|
||||||
+ ret[i] = constant_time_select_32(mask, a[i], b[i]);
|
|
||||||
+#endif
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
|
|
||||||
+{
|
|
||||||
+ limb_t borrow1, borrow2, t;
|
|
||||||
+ /*
|
|
||||||
+ * while it doesn't look constant-time, this is idiomatic code
|
|
||||||
+ * to tell compilers to use the carry bit from subtraction
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+ *ret = a - borrow;
|
|
||||||
+ if (*ret > a)
|
|
||||||
+ borrow1 = 1;
|
|
||||||
+ else
|
|
||||||
+ borrow1 = 0;
|
|
||||||
+
|
|
||||||
+ t = *ret;
|
|
||||||
+ *ret = t - b;
|
|
||||||
+ if (*ret > t)
|
|
||||||
+ borrow2 = 1;
|
|
||||||
+ else
|
|
||||||
+ borrow2 = 0;
|
|
||||||
+
|
|
||||||
+ return borrow1 + borrow2;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * place the result of a - b into ret, return the borrow bit.
|
|
||||||
+ * All arrays need to be n limbs long
|
|
||||||
+ */
|
|
||||||
+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
|
|
||||||
+{
|
|
||||||
+ limb_t borrow = 0;
|
|
||||||
+ ossl_ssize_t i;
|
|
||||||
+
|
|
||||||
+ for (i = n - 1; i > -1; i--)
|
|
||||||
+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
|
|
||||||
+
|
|
||||||
+ return borrow;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* return the number of limbs necessary to allocate for the mod() tmp operand */
|
|
||||||
+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
|
|
||||||
+{
|
|
||||||
+ return (anum + modnum) * 3;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * calculate a % mod, place the result in ret
|
|
||||||
+ * size of a is defined by anum, size of ret and mod is modnum,
|
|
||||||
+ * size of tmp is returned by mod_limb_numb()
|
|
||||||
+ */
|
|
||||||
+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
|
||||||
+ size_t modnum, limb_t *tmp)
|
|
||||||
+{
|
|
||||||
+ limb_t *atmp, *modtmp, *rettmp;
|
|
||||||
+ limb_t res;
|
|
||||||
+ size_t i;
|
|
||||||
+
|
|
||||||
+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
|
|
||||||
+
|
|
||||||
+ atmp = tmp;
|
|
||||||
+ modtmp = &tmp[anum + modnum];
|
|
||||||
+ rettmp = &tmp[(anum + modnum) * 2];
|
|
||||||
+
|
|
||||||
+ for (i = modnum; i <modnum + anum; i++)
|
|
||||||
+ atmp[i] = a[i-modnum];
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < modnum; i++)
|
|
||||||
+ modtmp[i] = mod[i];
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
|
|
||||||
+ rshift1(modtmp, anum + modnum);
|
|
||||||
+ res = sub(rettmp, atmp, modtmp, anum+modnum);
|
|
||||||
+ cselect(res, atmp, atmp, rettmp, anum+modnum);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* necessary size of tmp for a _mul_add_limb() call with provided anum */
|
|
||||||
+static ossl_inline size_t _mul_add_limb_numb(size_t anum)
|
|
||||||
+{
|
|
||||||
+ return 2 * (anum + 1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* multiply a by m, add to ret, return carry */
|
|
||||||
+static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
|
|
||||||
+ limb_t m, limb_t *tmp)
|
|
||||||
+{
|
|
||||||
+ limb_t carry = 0;
|
|
||||||
+ limb_t *r_odd, *r_even;
|
|
||||||
+ size_t i;
|
|
||||||
+
|
|
||||||
+ memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
|
|
||||||
+
|
|
||||||
+ r_odd = tmp;
|
|
||||||
+ r_even = &tmp[anum + 1];
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < anum; i++) {
|
|
||||||
+ /*
|
|
||||||
+ * place the results from even and odd limbs in separate arrays
|
|
||||||
+ * so that we have to worry about carry just once
|
|
||||||
+ */
|
|
||||||
+ if (i % 2 == 0)
|
|
||||||
+ _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
|
|
||||||
+ else
|
|
||||||
+ _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
|
|
||||||
+ }
|
|
||||||
+ /* assert: add() carry here will be equal zero */
|
|
||||||
+ add(r_even, r_even, r_odd, anum + 1);
|
|
||||||
+ /*
|
|
||||||
+ * while here it will not overflow as the max value from multiplication
|
|
||||||
+ * is -2 while max overflow from addition is 1, so the max value of
|
|
||||||
+ * carry is -1 (i.e. max int)
|
|
||||||
+ */
|
|
||||||
+ carry = add(ret, ret, &r_even[1], anum) + r_even[0];
|
|
||||||
+
|
|
||||||
+ return carry;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
|
|
||||||
+{
|
|
||||||
+ return modnum * 2 + _mul_add_limb_numb(modnum);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * calculate a % mod, place result in ret
|
|
||||||
+ * assumes that a is in Montgomery form with the R (Montgomery modulus) being
|
|
||||||
+ * smallest power of two big enough to fit mod and that's also a power
|
|
||||||
+ * of the count of number of bits in limb_t (B).
|
|
||||||
+ * For calculation, we also need n', such that mod * n' == -1 mod B.
|
|
||||||
+ * anum must be <= 2 * modnum
|
|
||||||
+ * ret needs to be modnum words long
|
|
||||||
+ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
|
|
||||||
+ */
|
|
||||||
+static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
|
|
||||||
+ size_t modnum, limb_t ni0, limb_t *tmp)
|
|
||||||
+{
|
|
||||||
+ limb_t carry, v;
|
|
||||||
+ limb_t *res, *rp, *tmp2;
|
|
||||||
+ ossl_ssize_t i;
|
|
||||||
+
|
|
||||||
+ res = tmp;
|
|
||||||
+ /*
|
|
||||||
+ * for intermediate result we need an integer twice as long as modulus
|
|
||||||
+ * but keep the input in the least significant limbs
|
|
||||||
+ */
|
|
||||||
+ memset(res, 0, sizeof(limb_t) * (modnum * 2));
|
|
||||||
+ memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
|
|
||||||
+ rp = &res[modnum];
|
|
||||||
+ tmp2 = &res[modnum * 2];
|
|
||||||
+
|
|
||||||
+ carry = 0;
|
|
||||||
+
|
|
||||||
+ /* add multiples of the modulus to the value until R divides it cleanly */
|
|
||||||
+ for (i = modnum; i > 0; i--, rp--) {
|
|
||||||
+ v = _mul_add_limb(rp, mod, modnum, rp[modnum-1] * ni0, tmp2);
|
|
||||||
+ v = v + carry + rp[-1];
|
|
||||||
+ carry |= (v != rp[-1]);
|
|
||||||
+ carry &= (v <= rp[-1]);
|
|
||||||
+ rp[-1] = v;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* perform the final reduction by mod... */
|
|
||||||
+ carry -= sub(ret, rp, mod, modnum);
|
|
||||||
+
|
|
||||||
+ /* ...conditionally */
|
|
||||||
+ cselect(carry, ret, rp, ret, modnum);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* allocated buffer should be freed afterwards */
|
|
||||||
+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
|
|
||||||
+{
|
|
||||||
+ int i;
|
|
||||||
+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
|
||||||
+ limb_t *ptr = buf + (limbs - real_limbs);
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < real_limbs; i++)
|
|
||||||
+ ptr[i] = bn->d[real_limbs - i - 1];
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#if LIMB_BYTE_SIZE == 8
|
|
||||||
+static ossl_inline uint64_t be64(uint64_t host)
|
|
||||||
+{
|
|
||||||
+ uint64_t big = 0;
|
|
||||||
+ DECLARE_IS_ENDIAN;
|
|
||||||
+
|
|
||||||
+ if (!IS_LITTLE_ENDIAN)
|
|
||||||
+ return host;
|
|
||||||
+
|
|
||||||
+ big |= (host & 0xff00000000000000) >> 56;
|
|
||||||
+ big |= (host & 0x00ff000000000000) >> 40;
|
|
||||||
+ big |= (host & 0x0000ff0000000000) >> 24;
|
|
||||||
+ big |= (host & 0x000000ff00000000) >> 8;
|
|
||||||
+ big |= (host & 0x00000000ff000000) << 8;
|
|
||||||
+ big |= (host & 0x0000000000ff0000) << 24;
|
|
||||||
+ big |= (host & 0x000000000000ff00) << 40;
|
|
||||||
+ big |= (host & 0x00000000000000ff) << 56;
|
|
||||||
+ return big;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#else
|
|
||||||
+/* Not all platforms have htobe32(). */
|
|
||||||
+static ossl_inline uint32_t be32(uint32_t host)
|
|
||||||
+{
|
|
||||||
+ uint32_t big = 0;
|
|
||||||
+ DECLARE_IS_ENDIAN;
|
|
||||||
+
|
|
||||||
+ if (!IS_LITTLE_ENDIAN)
|
|
||||||
+ return host;
|
|
||||||
+
|
|
||||||
+ big |= (host & 0xff000000) >> 24;
|
|
||||||
+ big |= (host & 0x00ff0000) >> 8;
|
|
||||||
+ big |= (host & 0x0000ff00) << 8;
|
|
||||||
+ big |= (host & 0x000000ff) << 24;
|
|
||||||
+ return big;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * We assume that intermediate, possible_arg2, blinding, and ctx are used
|
|
||||||
+ * similar to BN_BLINDING_invert_ex() arguments.
|
|
||||||
+ * to_mod is RSA modulus.
|
|
||||||
+ * buf and num is the serialization buffer and its length.
|
|
||||||
+ *
|
|
||||||
+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished
|
|
||||||
+ * we serialize the new structure instead of BIGNUMs taking endianness into account.
|
|
||||||
+ */
|
|
||||||
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
|
||||||
+ const BN_BLINDING *blinding,
|
|
||||||
+ const BIGNUM *possible_arg2,
|
|
||||||
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
|
||||||
+ unsigned char *buf, int num)
|
|
||||||
+{
|
|
||||||
+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
|
|
||||||
+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
|
|
||||||
+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
|
|
||||||
+ size_t l_tmp_count = 0;
|
|
||||||
+ int ret = 0;
|
|
||||||
+ size_t i;
|
|
||||||
+ unsigned char *tmp;
|
|
||||||
+ const BIGNUM *arg1 = intermediate;
|
|
||||||
+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
|
|
||||||
+
|
|
||||||
+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
|
||||||
+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
|
||||||
+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
|
|
||||||
+
|
|
||||||
+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
|
|
||||||
+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
|
||||||
+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
|
|
||||||
+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
|
|
||||||
+
|
|
||||||
+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ BN_to_limb(arg1, l_im, l_size);
|
|
||||||
+ BN_to_limb(arg2, l_mul, l_size);
|
|
||||||
+ BN_to_limb(to_mod, l_mod, l_mod_count);
|
|
||||||
+
|
|
||||||
+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
|
|
||||||
+
|
|
||||||
+ if (blinding->m_ctx != NULL) {
|
|
||||||
+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
|
|
||||||
+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
|
|
||||||
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
|
||||||
+ } else {
|
|
||||||
+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
|
|
||||||
+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
|
|
||||||
+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((l_ret == NULL) || (l_tmp == NULL))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ if (blinding->m_ctx != NULL) {
|
|
||||||
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
|
||||||
+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
|
|
||||||
+ blinding->m_ctx->n0[0], l_tmp);
|
|
||||||
+ } else {
|
|
||||||
+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
|
|
||||||
+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
|
|
||||||
+ if (num < BN_num_bytes(to_mod)) {
|
|
||||||
+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memset(buf, 0, num);
|
|
||||||
+ tmp = buf + num - BN_num_bytes(to_mod);
|
|
||||||
+ for (i = 0; i < l_mod_count; i++) {
|
|
||||||
+#if LIMB_BYTE_SIZE == 8
|
|
||||||
+ l_buf = be64(l_ret[i]);
|
|
||||||
+#else
|
|
||||||
+ l_buf = be32(l_ret[i]);
|
|
||||||
+#endif
|
|
||||||
+ if (i == 0) {
|
|
||||||
+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
|
|
||||||
+
|
|
||||||
+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
|
|
||||||
+ tmp += delta;
|
|
||||||
+ } else {
|
|
||||||
+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
|
|
||||||
+ tmp += LIMB_BYTE_SIZE;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ ret = num;
|
|
||||||
+
|
|
||||||
+ err:
|
|
||||||
+ OPENSSL_free(l_im);
|
|
||||||
+ OPENSSL_free(l_mul);
|
|
||||||
+ OPENSSL_free(l_mod);
|
|
||||||
+ OPENSSL_free(l_tmp);
|
|
||||||
+ OPENSSL_free(l_ret);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
|
|
||||||
index 381c659352..7e8b791fba 100644
|
|
||||||
--- a/crypto/rsa/rsa_ossl.c
|
|
||||||
+++ b/crypto/rsa/rsa_ossl.c
|
|
||||||
@@ -469,13 +469,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
|
|
||||||
BN_free(d);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (blinding)
|
|
||||||
- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
|
||||||
+ if (blinding) {
|
|
||||||
+ /*
|
|
||||||
+ * ossl_bn_rsa_do_unblind() combines blinding inversion and
|
|
||||||
+ * 0-padded BN BE serialization
|
|
||||||
+ */
|
|
||||||
+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
|
|
||||||
+ buf, num);
|
|
||||||
+ if (j == 0)
|
|
||||||
goto err;
|
|
||||||
-
|
|
||||||
- j = BN_bn2binpad(ret, buf, num);
|
|
||||||
- if (j < 0)
|
|
||||||
- goto err;
|
|
||||||
+ } else {
|
|
||||||
+ j = BN_bn2binpad(ret, buf, num);
|
|
||||||
+ if (j < 0)
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
switch (padding) {
|
|
||||||
case RSA_PKCS1_PADDING:
|
|
||||||
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
|
|
||||||
index cf69bea848..cd45654210 100644
|
|
||||||
--- a/include/crypto/bn.h
|
|
||||||
+++ b/include/crypto/bn.h
|
|
||||||
@@ -114,4 +114,10 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx);
|
|
||||||
|
|
||||||
extern const BIGNUM ossl_bn_inv_sqrt_2;
|
|
||||||
|
|
||||||
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
|
|
||||||
+ const BN_BLINDING *blinding,
|
|
||||||
+ const BIGNUM *possible_arg2,
|
|
||||||
+ const BIGNUM *to_mod, BN_CTX *ctx,
|
|
||||||
+ unsigned char *buf, int num);
|
|
||||||
+
|
|
||||||
#endif
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
@ -1,106 +0,0 @@
|
|||||||
From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Tue, 13 Dec 2022 14:54:55 +0000
|
|
||||||
Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for
|
|
||||||
PEM_read_bio_ex
|
|
||||||
|
|
||||||
In the event of a failure in PEM_read_bio_ex() we free the buffers we
|
|
||||||
allocated for the header and data buffers. However we were not clearing
|
|
||||||
the ptrs stored in *header and *data. Since, on success, the caller is
|
|
||||||
responsible for freeing these ptrs this can potentially lead to a double
|
|
||||||
free if the caller frees them even on failure.
|
|
||||||
|
|
||||||
Thanks to Dawei Wang for reporting this issue.
|
|
||||||
|
|
||||||
Based on a proposed patch by Kurt Roeckx.
|
|
||||||
|
|
||||||
CVE-2022-4450
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
||||||
---
|
|
||||||
crypto/pem/pem_lib.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
|
|
||||||
index f9ff80162a..85c47fb627 100644
|
|
||||||
--- a/crypto/pem/pem_lib.c
|
|
||||||
+++ b/crypto/pem/pem_lib.c
|
|
||||||
@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
|
|
||||||
|
|
||||||
out_free:
|
|
||||||
pem_free(*header, flags, 0);
|
|
||||||
+ *header = NULL;
|
|
||||||
pem_free(*data, flags, 0);
|
|
||||||
+ *data = NULL;
|
|
||||||
end:
|
|
||||||
EVP_ENCODE_CTX_free(ctx);
|
|
||||||
pem_free(name, flags, 0);
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Tue, 13 Dec 2022 15:02:26 +0000
|
|
||||||
Subject: [PATCH 05/18] Add a test for CVE-2022-4450
|
|
||||||
|
|
||||||
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
|
|
||||||
ptrs and therefore there should be no double free if we free the ptrs on
|
|
||||||
error.
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
||||||
---
|
|
||||||
test/pemtest.c | 30 ++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 30 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/test/pemtest.c b/test/pemtest.c
|
|
||||||
index a8d2d49bb5..a5d28cb256 100644
|
|
||||||
--- a/test/pemtest.c
|
|
||||||
+++ b/test/pemtest.c
|
|
||||||
@@ -96,6 +96,35 @@ static int test_cert_key_cert(void)
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int test_empty_payload(void)
|
|
||||||
+{
|
|
||||||
+ BIO *b;
|
|
||||||
+ static char *emptypay =
|
|
||||||
+ "-----BEGIN CERTIFICATE-----\n"
|
|
||||||
+ "-\n" /* Base64 EOF character */
|
|
||||||
+ "-----END CERTIFICATE-----";
|
|
||||||
+ char *name = NULL, *header = NULL;
|
|
||||||
+ unsigned char *data = NULL;
|
|
||||||
+ long len;
|
|
||||||
+ int ret = 0;
|
|
||||||
+
|
|
||||||
+ b = BIO_new_mem_buf(emptypay, strlen(emptypay));
|
|
||||||
+ if (!TEST_ptr(b))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ /* Expected to fail because the payload is empty */
|
|
||||||
+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ ret = 1;
|
|
||||||
+ err:
|
|
||||||
+ OPENSSL_free(name);
|
|
||||||
+ OPENSSL_free(header);
|
|
||||||
+ OPENSSL_free(data);
|
|
||||||
+ BIO_free(b);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int setup_tests(void)
|
|
||||||
{
|
|
||||||
if (!TEST_ptr(pemfile = test_get_argument(0)))
|
|
||||||
@@ -103,5 +132,6 @@ int setup_tests(void)
|
|
||||||
ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
|
|
||||||
ADD_TEST(test_invalid);
|
|
||||||
ADD_TEST(test_cert_key_cert);
|
|
||||||
+ ADD_TEST(test_empty_payload);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
@ -1,187 +0,0 @@
|
|||||||
From 8818064ce3c3c0f1b740a5aaba2a987e75bfbafd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Wed, 14 Dec 2022 16:18:14 +0000
|
|
||||||
Subject: [PATCH 06/18] Fix a UAF resulting from a bug in BIO_new_NDEF
|
|
||||||
|
|
||||||
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
|
|
||||||
be part of an invalid BIO chain. This causes a "use after free" when the
|
|
||||||
BIO is eventually freed.
|
|
||||||
|
|
||||||
Based on an original patch by Viktor Dukhovni and an idea from Theo
|
|
||||||
Buehler.
|
|
||||||
|
|
||||||
Thanks to Octavio Galland for reporting this issue.
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
---
|
|
||||||
crypto/asn1/bio_ndef.c | 40 ++++++++++++++++++++++++++++++++--------
|
|
||||||
1 file changed, 32 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
|
|
||||||
index d94e3a3644..b9df3a7a47 100644
|
|
||||||
--- a/crypto/asn1/bio_ndef.c
|
|
||||||
+++ b/crypto/asn1/bio_ndef.c
|
|
||||||
@@ -49,13 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
|
|
||||||
static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
|
|
||||||
void *parg);
|
|
||||||
|
|
||||||
-/* unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() */
|
|
||||||
+/*
|
|
||||||
+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
|
|
||||||
+ * On failure, NULL is returned and the input BIO is owned by the caller.
|
|
||||||
+ *
|
|
||||||
+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
|
|
||||||
+ */
|
|
||||||
BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
|
||||||
{
|
|
||||||
NDEF_SUPPORT *ndef_aux = NULL;
|
|
||||||
BIO *asn_bio = NULL;
|
|
||||||
const ASN1_AUX *aux = it->funcs;
|
|
||||||
ASN1_STREAM_ARG sarg;
|
|
||||||
+ BIO *pop_bio = NULL;
|
|
||||||
|
|
||||||
if (!aux || !aux->asn1_cb) {
|
|
||||||
ERR_raise(ERR_LIB_ASN1, ASN1_R_STREAMING_NOT_SUPPORTED);
|
|
||||||
@@ -70,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
|
||||||
out = BIO_push(asn_bio, out);
|
|
||||||
if (out == NULL)
|
|
||||||
goto err;
|
|
||||||
+ pop_bio = asn_bio;
|
|
||||||
|
|
||||||
- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
|
|
||||||
- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
|
|
||||||
+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
|
|
||||||
+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
|
|
||||||
+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
|
|
||||||
+ goto err;
|
|
||||||
|
|
||||||
/*
|
|
||||||
- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
|
|
||||||
- * needs.
|
|
||||||
+ * Now let the callback prepend any digest, cipher, etc., that the BIO's
|
|
||||||
+ * ASN1 structure needs.
|
|
||||||
*/
|
|
||||||
|
|
||||||
sarg.out = out;
|
|
||||||
sarg.ndef_bio = NULL;
|
|
||||||
sarg.boundary = NULL;
|
|
||||||
|
|
||||||
- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
|
|
||||||
+ /*
|
|
||||||
+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
|
|
||||||
+ * middle of some partially built, but not returned BIO chain.
|
|
||||||
+ */
|
|
||||||
+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
|
|
||||||
+ /*
|
|
||||||
+ * ndef_aux is now owned by asn_bio so we must not free it in the err
|
|
||||||
+ * clean up block
|
|
||||||
+ */
|
|
||||||
+ ndef_aux = NULL;
|
|
||||||
goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * We must not fail now because the callback has prepended additional
|
|
||||||
+ * BIOs to the chain
|
|
||||||
+ */
|
|
||||||
|
|
||||||
ndef_aux->val = val;
|
|
||||||
ndef_aux->it = it;
|
|
||||||
@@ -92,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
|
||||||
ndef_aux->boundary = sarg.boundary;
|
|
||||||
ndef_aux->out = out;
|
|
||||||
|
|
||||||
- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
|
|
||||||
-
|
|
||||||
return sarg.ndef_bio;
|
|
||||||
|
|
||||||
err:
|
|
||||||
+ /* BIO_pop() is NULL safe */
|
|
||||||
+ (void)BIO_pop(pop_bio);
|
|
||||||
BIO_free(asn_bio);
|
|
||||||
OPENSSL_free(ndef_aux);
|
|
||||||
return NULL;
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
From f596ec8a6f9f5fcfa8e46a73b60f78a609725294 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Matt Caswell <matt@openssl.org>
|
|
||||||
Date: Wed, 14 Dec 2022 17:15:18 +0000
|
|
||||||
Subject: [PATCH 07/18] Check CMS failure during BIO setup with -stream is
|
|
||||||
handled correctly
|
|
||||||
|
|
||||||
Test for the issue fixed in the previous commit
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
---
|
|
||||||
test/recipes/80-test_cms.t | 15 +++++++++++++--
|
|
||||||
test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
|
|
||||||
2 files changed, 31 insertions(+), 2 deletions(-)
|
|
||||||
create mode 100644 test/smime-certs/badrsa.pem
|
|
||||||
|
|
||||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
|
||||||
index 610f1cbc51..fd53683e6b 100644
|
|
||||||
--- a/test/recipes/80-test_cms.t
|
|
||||||
+++ b/test/recipes/80-test_cms.t
|
|
||||||
@@ -13,7 +13,7 @@ use warnings;
|
|
||||||
use POSIX;
|
|
||||||
use File::Spec::Functions qw/catfile/;
|
|
||||||
use File::Compare qw/compare_text compare/;
|
|
||||||
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
|
|
||||||
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/;
|
|
||||||
|
|
||||||
use OpenSSL::Test::Utils;
|
|
||||||
|
|
||||||
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
|
||||||
|
|
||||||
$no_rc2 = 1 if disabled("legacy");
|
|
||||||
|
|
||||||
-plan tests => 12;
|
|
||||||
+plan tests => 13;
|
|
||||||
|
|
||||||
ok(run(test(["pkcs7_test"])), "test pkcs7");
|
|
||||||
|
|
||||||
@@ -972,3 +972,14 @@ ok(!run(app(['openssl', 'cms', '-verify',
|
|
||||||
|
|
||||||
return "";
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+# Check that we get the expected failure return code
|
|
||||||
+with({ exit_checker => sub { return shift == 6; } },
|
|
||||||
+ sub {
|
|
||||||
+ ok(run(app(['openssl', 'cms', '-encrypt',
|
|
||||||
+ '-in', srctop_file("test", "smcont.txt"),
|
|
||||||
+ '-stream', '-recip',
|
|
||||||
+ srctop_file("test/smime-certs", "badrsa.pem"),
|
|
||||||
+ ])),
|
|
||||||
+ "Check failure during BIO setup with -stream is handled correctly");
|
|
||||||
+ });
|
|
||||||
diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..f824fc2267
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/smime-certs/badrsa.pem
|
|
||||||
@@ -0,0 +1,18 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
|
|
||||||
+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
|
|
||||||
+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
|
|
||||||
+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
|
|
||||||
+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
|
|
||||||
+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
|
|
||||||
+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
|
|
||||||
+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
|
|
||||||
+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
|
|
||||||
+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
|
|
||||||
+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
|
|
||||||
+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
|
|
||||||
+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
|
|
||||||
+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
|
|
||||||
+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
|
|
||||||
+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
@ -1,110 +0,0 @@
|
|||||||
From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Mon, 16 Jan 2023 19:45:23 +0100
|
|
||||||
Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set
|
|
||||||
|
|
||||||
Fixes CVE-2023-0216
|
|
||||||
|
|
||||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
---
|
|
||||||
crypto/pkcs7/pk7_lib.c | 16 ++++++++++++----
|
|
||||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
|
|
||||||
index 753f1276e6..936e50da54 100644
|
|
||||||
--- a/crypto/pkcs7/pk7_lib.c
|
|
||||||
+++ b/crypto/pkcs7/pk7_lib.c
|
|
||||||
@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
|
|
||||||
|
|
||||||
static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
|
|
||||||
{
|
|
||||||
+ if (p7->d.ptr == NULL)
|
|
||||||
+ return NULL;
|
|
||||||
if (PKCS7_type_is_signed(p7))
|
|
||||||
return p7->d.sign->cert;
|
|
||||||
if (PKCS7_type_is_signedAndEnveloped(p7))
|
|
||||||
@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
|
|
||||||
|
|
||||||
static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
|
|
||||||
{
|
|
||||||
+ if (p7->d.ptr == NULL)
|
|
||||||
+ return NULL;
|
|
||||||
if (PKCS7_type_is_signedAndEnveloped(p7))
|
|
||||||
return p7->d.signed_and_enveloped->recipientinfo;
|
|
||||||
if (PKCS7_type_is_enveloped(p7))
|
|
||||||
@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
|
|
||||||
const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
|
|
||||||
OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
|
|
||||||
const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
|
|
||||||
- STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7);
|
|
||||||
- STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7);
|
|
||||||
- STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7);
|
|
||||||
+ STACK_OF(PKCS7_RECIP_INFO) *rinfos;
|
|
||||||
+ STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
|
|
||||||
+ STACK_OF(X509) *certs;
|
|
||||||
|
|
||||||
- if (ctx == NULL)
|
|
||||||
+ if (ctx == NULL || p7->d.ptr == NULL)
|
|
||||||
return;
|
|
||||||
|
|
||||||
+ rinfos = pkcs7_get_recipient_info(p7);
|
|
||||||
+ sinfos = PKCS7_get_signer_info(p7);
|
|
||||||
+ certs = pkcs7_get_signer_certs(p7);
|
|
||||||
+
|
|
||||||
for (i = 0; i < sk_X509_num(certs); i++)
|
|
||||||
ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Mon, 16 Jan 2023 19:56:20 +0100
|
|
||||||
Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference
|
|
||||||
|
|
||||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
---
|
|
||||||
test/recipes/25-test_pkcs7.t | 7 +++++--
|
|
||||||
test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++
|
|
||||||
2 files changed, 8 insertions(+), 2 deletions(-)
|
|
||||||
create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7
|
|
||||||
|
|
||||||
diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t
|
|
||||||
index 37cd43dc6b..d61cd6abad 100644
|
|
||||||
--- a/test/recipes/25-test_pkcs7.t
|
|
||||||
+++ b/test/recipes/25-test_pkcs7.t
|
|
||||||
@@ -11,11 +11,11 @@ use strict;
|
|
||||||
use warnings;
|
|
||||||
|
|
||||||
use File::Spec;
|
|
||||||
-use OpenSSL::Test qw/:DEFAULT srctop_file/;
|
|
||||||
+use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;
|
|
||||||
|
|
||||||
setup("test_pkcs7");
|
|
||||||
|
|
||||||
-plan tests => 3;
|
|
||||||
+plan tests => 4;
|
|
||||||
|
|
||||||
require_ok(srctop_file('test','recipes','tconversion.pl'));
|
|
||||||
|
|
||||||
@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub {
|
|
||||||
tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"),
|
|
||||||
-args => ["pkcs7"] );
|
|
||||||
};
|
|
||||||
+
|
|
||||||
+my $malformed = data_file('malformed.pkcs7');
|
|
||||||
+ok(run(app(["openssl", "pkcs7", "-in", $malformed])));
|
|
||||||
diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..e30d1b582c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
|
|
||||||
@@ -0,0 +1,3 @@
|
|
||||||
+-----BEGIN PKCS7-----
|
|
||||||
+MAsGCSqGSIb3DQEHAg==
|
|
||||||
+-----END PKCS7-----
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
@ -1,404 +0,0 @@
|
|||||||
From 23985bac83fd50c8e29431009302b5442f985096 Mon Sep 17 00:00:00 2001
|
|
||||||
From: slontis <shane.lontis@oracle.com>
|
|
||||||
Date: Wed, 11 Jan 2023 11:05:04 +1000
|
|
||||||
Subject: [PATCH 10/18] Fix NULL deference when validating FFC public key.
|
|
||||||
|
|
||||||
Fixes CVE-2023-0217
|
|
||||||
|
|
||||||
When attempting to do a BN_Copy of params->p there was no NULL check.
|
|
||||||
Since BN_copy does not check for NULL this is a NULL reference.
|
|
||||||
|
|
||||||
As an aside BN_cmp() does do a NULL check, so there are other checks
|
|
||||||
that fail because a NULL is passed. A more general check for NULL params
|
|
||||||
has been added for both FFC public and private key validation instead.
|
|
||||||
|
|
||||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
---
|
|
||||||
crypto/ffc/ffc_key_validate.c | 9 +++++++++
|
|
||||||
include/internal/ffc.h | 1 +
|
|
||||||
test/ffc_internal_test.c | 31 +++++++++++++++++++++++++++++++
|
|
||||||
3 files changed, 41 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c
|
|
||||||
index 9f6525a2c8..442303e4b3 100644
|
|
||||||
--- a/crypto/ffc/ffc_key_validate.c
|
|
||||||
+++ b/crypto/ffc/ffc_key_validate.c
|
|
||||||
@@ -24,6 +24,11 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params,
|
|
||||||
BN_CTX *ctx = NULL;
|
|
||||||
|
|
||||||
*ret = 0;
|
|
||||||
+ if (params == NULL || pub_key == NULL || params->p == NULL) {
|
|
||||||
+ *ret = FFC_ERROR_PASSED_NULL_PARAM;
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ctx = BN_CTX_new_ex(NULL);
|
|
||||||
if (ctx == NULL)
|
|
||||||
goto err;
|
|
||||||
@@ -107,6 +112,10 @@ int ossl_ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv,
|
|
||||||
|
|
||||||
*ret = 0;
|
|
||||||
|
|
||||||
+ if (priv == NULL || upper == NULL) {
|
|
||||||
+ *ret = FFC_ERROR_PASSED_NULL_PARAM;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
if (BN_cmp(priv, BN_value_one()) < 0) {
|
|
||||||
*ret |= FFC_ERROR_PRIVKEY_TOO_SMALL;
|
|
||||||
goto err;
|
|
||||||
diff --git a/include/internal/ffc.h b/include/internal/ffc.h
|
|
||||||
index 732514a6c2..b8b7140857 100644
|
|
||||||
--- a/include/internal/ffc.h
|
|
||||||
+++ b/include/internal/ffc.h
|
|
||||||
@@ -76,6 +76,7 @@
|
|
||||||
# define FFC_ERROR_NOT_SUITABLE_GENERATOR 0x08
|
|
||||||
# define FFC_ERROR_PRIVKEY_TOO_SMALL 0x10
|
|
||||||
# define FFC_ERROR_PRIVKEY_TOO_LARGE 0x20
|
|
||||||
+# define FFC_ERROR_PASSED_NULL_PARAM 0x40
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Finite field cryptography (FFC) domain parameters are used by DH and DSA.
|
|
||||||
diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c
|
|
||||||
index 2c97293573..9f67bd29b9 100644
|
|
||||||
--- a/test/ffc_internal_test.c
|
|
||||||
+++ b/test/ffc_internal_test.c
|
|
||||||
@@ -510,6 +510,27 @@ static int ffc_public_validate_test(void)
|
|
||||||
if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
+ /* Fail if params is NULL */
|
|
||||||
+ if (!TEST_false(ossl_ffc_validate_public_key(NULL, pub, &res)))
|
|
||||||
+ goto err;
|
|
||||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
|
||||||
+ goto err;
|
|
||||||
+ res = -1;
|
|
||||||
+ /* Fail if pubkey is NULL */
|
|
||||||
+ if (!TEST_false(ossl_ffc_validate_public_key(params, NULL, &res)))
|
|
||||||
+ goto err;
|
|
||||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
|
||||||
+ goto err;
|
|
||||||
+ res = -1;
|
|
||||||
+
|
|
||||||
+ BN_free(params->p);
|
|
||||||
+ params->p = NULL;
|
|
||||||
+ /* Fail if params->p is NULL */
|
|
||||||
+ if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
|
|
||||||
+ goto err;
|
|
||||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
ret = 1;
|
|
||||||
err:
|
|
||||||
DH_free(dh);
|
|
||||||
@@ -567,6 +588,16 @@ static int ffc_private_validate_test(void)
|
|
||||||
if (!TEST_true(ossl_ffc_validate_private_key(params->q, priv, &res)))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
+ if (!TEST_false(ossl_ffc_validate_private_key(NULL, priv, &res)))
|
|
||||||
+ goto err;
|
|
||||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
|
||||||
+ goto err;
|
|
||||||
+ res = -1;
|
|
||||||
+ if (!TEST_false(ossl_ffc_validate_private_key(params->q, NULL, &res)))
|
|
||||||
+ goto err;
|
|
||||||
+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
ret = 1;
|
|
||||||
err:
|
|
||||||
DH_free(dh);
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
From c1b4467a7cc129a74fc5205b80a5c47556b99416 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Fri, 13 Jan 2023 17:57:59 +0100
|
|
||||||
Subject: [PATCH 11/18] Prevent creating DSA and DH keys without parameters
|
|
||||||
through import
|
|
||||||
|
|
||||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
---
|
|
||||||
providers/implementations/keymgmt/dh_kmgmt.c | 4 ++--
|
|
||||||
providers/implementations/keymgmt/dsa_kmgmt.c | 5 +++--
|
|
||||||
2 files changed, 5 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
|
|
||||||
index 58a5fd009f..c2d87b4a7f 100644
|
|
||||||
--- a/providers/implementations/keymgmt/dh_kmgmt.c
|
|
||||||
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
|
|
||||||
@@ -198,8 +198,8 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
|
|
||||||
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
|
|
||||||
- ok = ok && ossl_dh_params_fromdata(dh, params);
|
|
||||||
+ /* a key without parameters is meaningless */
|
|
||||||
+ ok = ok && ossl_dh_params_fromdata(dh, params);
|
|
||||||
|
|
||||||
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
|
|
||||||
int include_private =
|
|
||||||
diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c
|
|
||||||
index 100e917167..881680c085 100644
|
|
||||||
--- a/providers/implementations/keymgmt/dsa_kmgmt.c
|
|
||||||
+++ b/providers/implementations/keymgmt/dsa_kmgmt.c
|
|
||||||
@@ -199,8 +199,9 @@ static int dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
|
|
||||||
if ((selection & DSA_POSSIBLE_SELECTIONS) == 0)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
|
|
||||||
- ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params);
|
|
||||||
+ /* a key without parameters is meaningless */
|
|
||||||
+ ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params);
|
|
||||||
+
|
|
||||||
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
|
|
||||||
int include_private =
|
|
||||||
selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
From fab4973801bdc11c29c4c8ccf65cf39cbc63ce9b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Fri, 13 Jan 2023 17:59:52 +0100
|
|
||||||
Subject: [PATCH 12/18] Do not create DSA keys without parameters by decoder
|
|
||||||
|
|
||||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
---
|
|
||||||
crypto/x509/x_pubkey.c | 24 +++++++++++++++++++
|
|
||||||
include/crypto/x509.h | 3 +++
|
|
||||||
.../encode_decode/decode_der2key.c | 2 +-
|
|
||||||
3 files changed, 28 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
|
|
||||||
index bc90ddd89b..77790faa1f 100644
|
|
||||||
--- a/crypto/x509/x_pubkey.c
|
|
||||||
+++ b/crypto/x509/x_pubkey.c
|
|
||||||
@@ -745,6 +745,30 @@ DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length)
|
|
||||||
return key;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* Called from decoders; disallows provided DSA keys without parameters. */
|
|
||||||
+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length)
|
|
||||||
+{
|
|
||||||
+ DSA *key = NULL;
|
|
||||||
+ const unsigned char *data;
|
|
||||||
+ const BIGNUM *p, *q, *g;
|
|
||||||
+
|
|
||||||
+ data = *pp;
|
|
||||||
+ key = d2i_DSA_PUBKEY(NULL, &data, length);
|
|
||||||
+ if (key == NULL)
|
|
||||||
+ return NULL;
|
|
||||||
+ DSA_get0_pqg(key, &p, &q, &g);
|
|
||||||
+ if (p == NULL || q == NULL || g == NULL) {
|
|
||||||
+ DSA_free(key);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+ *pp = data;
|
|
||||||
+ if (a != NULL) {
|
|
||||||
+ DSA_free(*a);
|
|
||||||
+ *a = key;
|
|
||||||
+ }
|
|
||||||
+ return key;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp)
|
|
||||||
{
|
|
||||||
EVP_PKEY *pktmp;
|
|
||||||
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
|
|
||||||
index 1f00178e89..0c42730ee9 100644
|
|
||||||
--- a/include/crypto/x509.h
|
|
||||||
+++ b/include/crypto/x509.h
|
|
||||||
@@ -339,6 +339,9 @@ void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub);
|
|
||||||
|
|
||||||
RSA *ossl_d2i_RSA_PSS_PUBKEY(RSA **a, const unsigned char **pp, long length);
|
|
||||||
int ossl_i2d_RSA_PSS_PUBKEY(const RSA *a, unsigned char **pp);
|
|
||||||
+# ifndef OPENSSL_NO_DSA
|
|
||||||
+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length);
|
|
||||||
+# endif /* OPENSSL_NO_DSA */
|
|
||||||
# ifndef OPENSSL_NO_DH
|
|
||||||
DH *ossl_d2i_DH_PUBKEY(DH **a, const unsigned char **pp, long length);
|
|
||||||
int ossl_i2d_DH_PUBKEY(const DH *a, unsigned char **pp);
|
|
||||||
diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c
|
|
||||||
index ebc2d24833..d6ad738ef3 100644
|
|
||||||
--- a/providers/implementations/encode_decode/decode_der2key.c
|
|
||||||
+++ b/providers/implementations/encode_decode/decode_der2key.c
|
|
||||||
@@ -374,7 +374,7 @@ static void *dsa_d2i_PKCS8(void **key, const unsigned char **der, long der_len,
|
|
||||||
(key_from_pkcs8_t *)ossl_dsa_key_from_pkcs8);
|
|
||||||
}
|
|
||||||
|
|
||||||
-# define dsa_d2i_PUBKEY (d2i_of_void *)d2i_DSA_PUBKEY
|
|
||||||
+# define dsa_d2i_PUBKEY (d2i_of_void *)ossl_d2i_DSA_PUBKEY
|
|
||||||
# define dsa_free (free_key_fn *)DSA_free
|
|
||||||
# define dsa_check NULL
|
|
||||||
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
From 7e37185582995b35f885fec9dcc3670af9ffcbef Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Fri, 13 Jan 2023 18:46:15 +0100
|
|
||||||
Subject: [PATCH 13/18] Add test for DSA pubkey without param import and check
|
|
||||||
|
|
||||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
---
|
|
||||||
test/recipes/91-test_pkey_check.t | 48 ++++++++++++++----
|
|
||||||
.../91-test_pkey_check_data/dsapub.pem | 12 +++++
|
|
||||||
.../dsapub_noparam.der | Bin 0 -> 108 bytes
|
|
||||||
3 files changed, 49 insertions(+), 11 deletions(-)
|
|
||||||
create mode 100644 test/recipes/91-test_pkey_check_data/dsapub.pem
|
|
||||||
create mode 100644 test/recipes/91-test_pkey_check_data/dsapub_noparam.der
|
|
||||||
|
|
||||||
diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
|
|
||||||
index 612a3e3d6c..015d7805db 100644
|
|
||||||
--- a/test/recipes/91-test_pkey_check.t
|
|
||||||
+++ b/test/recipes/91-test_pkey_check.t
|
|
||||||
@@ -11,19 +11,24 @@ use strict;
|
|
||||||
use warnings;
|
|
||||||
|
|
||||||
use File::Spec;
|
|
||||||
-use OpenSSL::Test qw/:DEFAULT data_file/;
|
|
||||||
+use OpenSSL::Test qw/:DEFAULT data_file with/;
|
|
||||||
use OpenSSL::Test::Utils;
|
|
||||||
|
|
||||||
sub pkey_check {
|
|
||||||
my $f = shift;
|
|
||||||
+ my $pubcheck = shift;
|
|
||||||
+ my @checkopt = ('-check');
|
|
||||||
|
|
||||||
- return run(app(['openssl', 'pkey', '-check', '-text',
|
|
||||||
+ @checkopt = ('-pubcheck', '-pubin') if $pubcheck;
|
|
||||||
+
|
|
||||||
+ return run(app(['openssl', 'pkey', @checkopt, '-text',
|
|
||||||
'-in', $f]));
|
|
||||||
}
|
|
||||||
|
|
||||||
sub check_key {
|
|
||||||
my $f = shift;
|
|
||||||
my $should_fail = shift;
|
|
||||||
+ my $pubcheck = shift;
|
|
||||||
my $str;
|
|
||||||
|
|
||||||
|
|
||||||
@@ -33,11 +38,10 @@ sub check_key {
|
|
||||||
$f = data_file($f);
|
|
||||||
|
|
||||||
if ( -s $f ) {
|
|
||||||
- if ($should_fail) {
|
|
||||||
- ok(!pkey_check($f), $str);
|
|
||||||
- } else {
|
|
||||||
- ok(pkey_check($f), $str);
|
|
||||||
- }
|
|
||||||
+ with({ exit_checker => sub { return shift == $should_fail; } },
|
|
||||||
+ sub {
|
|
||||||
+ ok(pkey_check($f, $pubcheck), $str);
|
|
||||||
+ });
|
|
||||||
} else {
|
|
||||||
fail("Missing file $f");
|
|
||||||
}
|
|
||||||
@@ -66,15 +70,37 @@ push(@positive_tests, (
|
|
||||||
"dhpkey.pem"
|
|
||||||
)) unless disabled("dh");
|
|
||||||
|
|
||||||
+my @negative_pubtests = ();
|
|
||||||
+
|
|
||||||
+push(@negative_pubtests, (
|
|
||||||
+ "dsapub_noparam.der"
|
|
||||||
+ )) unless disabled("dsa");
|
|
||||||
+
|
|
||||||
+my @positive_pubtests = ();
|
|
||||||
+
|
|
||||||
+push(@positive_pubtests, (
|
|
||||||
+ "dsapub.pem"
|
|
||||||
+ )) unless disabled("dsa");
|
|
||||||
+
|
|
||||||
plan skip_all => "No tests within the current enabled feature set"
|
|
||||||
- unless @negative_tests && @positive_tests;
|
|
||||||
+ unless @negative_tests && @positive_tests
|
|
||||||
+ && @negative_pubtests && @positive_pubtests;
|
|
||||||
|
|
||||||
-plan tests => scalar(@negative_tests) + scalar(@positive_tests);
|
|
||||||
+plan tests => scalar(@negative_tests) + scalar(@positive_tests)
|
|
||||||
+ + scalar(@negative_pubtests) + scalar(@positive_pubtests);
|
|
||||||
|
|
||||||
foreach my $t (@negative_tests) {
|
|
||||||
- check_key($t, 1);
|
|
||||||
+ check_key($t, 1, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
foreach my $t (@positive_tests) {
|
|
||||||
- check_key($t, 0);
|
|
||||||
+ check_key($t, 0, 0);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+foreach my $t (@negative_pubtests) {
|
|
||||||
+ check_key($t, 1, 1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+foreach my $t (@positive_pubtests) {
|
|
||||||
+ check_key($t, 0, 1);
|
|
||||||
}
|
|
||||||
diff --git a/test/recipes/91-test_pkey_check_data/dsapub.pem b/test/recipes/91-test_pkey_check_data/dsapub.pem
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..0ff4bd83ed
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/91-test_pkey_check_data/dsapub.pem
|
|
||||||
@@ -0,0 +1,12 @@
|
|
||||||
+-----BEGIN PUBLIC KEY-----
|
|
||||||
+MIIBvzCCATQGByqGSM44BAEwggEnAoGBAIjbXpOVVciVNuagg26annKkghIIZFI4
|
|
||||||
+4WdMomnV+I/oXyxHbZTBBBpW9xy/E1+yMjbp4GmX+VxyDj3WxUWxXllzL+miEkzD
|
|
||||||
+9Xz638VzIBhjFbMvk1/N4kS4bKVUd9yk7HfvYzAdnRphk0WI+RoDiDrBNPPxSoQD
|
|
||||||
+CEWgvwgsLIDhAh0A6dbz1IQpQwGF4+Ca28x6OO+UfJJv3ggeZ++fNwKBgQCA9XKV
|
|
||||||
+lRrTY8ALBxS0KbZjpaIXuUj5nr3i1lIDyP3ISksDF0ekyLtn6eK9VijX6Pm65Np+
|
|
||||||
+4ic9Nr5WKLKhPaUSpLNRx1gDqo3sd92hYgiEUifzEuhLYfK/CsgFED+l2hDXtJUq
|
|
||||||
+bISNSHVwI5lsyNXLu7HI1Fk8F5UO3LqsboFAngOBhAACgYATxFY89nEYcUhgHGgr
|
|
||||||
+YDHhXBQfMKnTKYdvon4DN7WQ9ip+t4VUsLpTD1ZE9zrM2R/B04+8C6KGoViwyeER
|
|
||||||
+kS4dxWOkX71x4X2DlNpYevcR53tNcTDqmMD7YKfDDmrb0lftMyfW8aESaiymVMys
|
|
||||||
+DRjhKHBjdo0rZeSM8DAk3ctrXA==
|
|
||||||
+-----END PUBLIC KEY-----
|
|
||||||
diff --git a/test/recipes/91-test_pkey_check_data/dsapub_noparam.der b/test/recipes/91-test_pkey_check_data/dsapub_noparam.der
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000000000000000000000000000000000..b8135f1ca94da914b6829421e0c13f6daa731862
|
|
||||||
GIT binary patch
|
|
||||||
literal 108
|
|
||||||
zcmXpIGT>xm*J|@PXTieE%*wz71<Xv0AT}3_&&0^YB*etj0OvEYF$n`XLd*y;pgagL
|
|
||||||
U3o&W4F|x9<gY>|F5F-Nv0Bz9(=Kufz
|
|
||||||
|
|
||||||
literal 0
|
|
||||||
HcmV?d00001
|
|
||||||
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
From 2ad9928170768653d19d81881deabc5f9c1665c0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Fri, 3 Feb 2023 14:57:04 +0100
|
|
||||||
Subject: [PATCH 18/18] Internaly declare the DSA type for no-deprecated builds
|
|
||||||
|
|
||||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
||||||
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
||||||
(cherry picked from commit 7a21a1b5fa2dac438892cf3292d1f9c445d870d9)
|
|
||||||
---
|
|
||||||
include/crypto/types.h | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/include/crypto/types.h b/include/crypto/types.h
|
|
||||||
index 0d81404091..0a75f03a3f 100644
|
|
||||||
--- a/include/crypto/types.h
|
|
||||||
+++ b/include/crypto/types.h
|
|
||||||
@@ -20,6 +20,9 @@ typedef struct rsa_meth_st RSA_METHOD;
|
|
||||||
typedef struct ec_key_st EC_KEY;
|
|
||||||
typedef struct ec_key_method_st EC_KEY_METHOD;
|
|
||||||
# endif
|
|
||||||
+# ifndef OPENSSL_NO_DSA
|
|
||||||
+typedef struct dsa_st DSA;
|
|
||||||
+# endif
|
|
||||||
# endif
|
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_EC
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
@ -1,63 +0,0 @@
|
|||||||
From 2f7530077e0ef79d98718138716bc51ca0cad658 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Hugo Landau <hlandau@openssl.org>
|
|
||||||
Date: Tue, 17 Jan 2023 17:45:42 +0000
|
|
||||||
Subject: [PATCH 14/18] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
|
|
||||||
(3.0)
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
---
|
|
||||||
CHANGES.md | 19 +++++++++++++++++++
|
|
||||||
crypto/x509/v3_genn.c | 2 +-
|
|
||||||
include/openssl/x509v3.h.in | 2 +-
|
|
||||||
test/v3nametest.c | 8 ++++++++
|
|
||||||
4 files changed, 29 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c
|
|
||||||
index c0a7166cd0..1741c2d2f6 100644
|
|
||||||
--- a/crypto/x509/v3_genn.c
|
|
||||||
+++ b/crypto/x509/v3_genn.c
|
|
||||||
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
|
|
||||||
return -1;
|
|
||||||
switch (a->type) {
|
|
||||||
case GEN_X400:
|
|
||||||
- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
|
|
||||||
+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
|
|
||||||
break;
|
|
||||||
|
|
||||||
case GEN_EDIPARTY:
|
|
||||||
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
|
|
||||||
index d00a66a343..c087e3cf92 100644
|
|
||||||
--- a/include/openssl/x509v3.h.in
|
|
||||||
+++ b/include/openssl/x509v3.h.in
|
|
||||||
@@ -154,7 +154,7 @@ typedef struct GENERAL_NAME_st {
|
|
||||||
OTHERNAME *otherName; /* otherName */
|
|
||||||
ASN1_IA5STRING *rfc822Name;
|
|
||||||
ASN1_IA5STRING *dNSName;
|
|
||||||
- ASN1_TYPE *x400Address;
|
|
||||||
+ ASN1_STRING *x400Address;
|
|
||||||
X509_NAME *directoryName;
|
|
||||||
EDIPARTYNAME *ediPartyName;
|
|
||||||
ASN1_IA5STRING *uniformResourceIdentifier;
|
|
||||||
diff --git a/test/v3nametest.c b/test/v3nametest.c
|
|
||||||
index 6d2e2f8e27..0341995dde 100644
|
|
||||||
--- a/test/v3nametest.c
|
|
||||||
+++ b/test/v3nametest.c
|
|
||||||
@@ -644,6 +644,14 @@ static struct gennamedata {
|
|
||||||
0xb7, 0x09, 0x02, 0x02
|
|
||||||
},
|
|
||||||
15
|
|
||||||
+ }, {
|
|
||||||
+ /*
|
|
||||||
+ * Regression test for CVE-2023-0286.
|
|
||||||
+ */
|
|
||||||
+ {
|
|
||||||
+ 0xa3, 0x00
|
|
||||||
+ },
|
|
||||||
+ 2
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
@ -1,150 +0,0 @@
|
|||||||
From d3b6dfd70db844c4499bec6ad6601623a565e674 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Wed, 18 Jan 2023 09:27:53 +0100
|
|
||||||
Subject: [PATCH 15/18] pk7_doit.c: Check return of BIO_set_md() calls
|
|
||||||
|
|
||||||
These calls invoke EVP_DigestInit() which can fail for digests
|
|
||||||
with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write()
|
|
||||||
or EVP_DigestFinal() from BIO_read() will segfault on NULL
|
|
||||||
dereference. This can be triggered by an attacker providing
|
|
||||||
PKCS7 data digested with MD4 for example if the legacy provider
|
|
||||||
is not loaded.
|
|
||||||
|
|
||||||
If BIO_set_md() fails the md BIO cannot be used.
|
|
||||||
|
|
||||||
CVE-2023-0401
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
---
|
|
||||||
crypto/pkcs7/pk7_doit.c | 12 ++++++++++--
|
|
||||||
1 file changed, 10 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
|
|
||||||
index bde9ac4787..5e562fbea5 100644
|
|
||||||
--- a/crypto/pkcs7/pk7_doit.c
|
|
||||||
+++ b/crypto/pkcs7/pk7_doit.c
|
|
||||||
@@ -84,7 +84,11 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg,
|
|
||||||
}
|
|
||||||
(void)ERR_pop_to_mark();
|
|
||||||
|
|
||||||
- BIO_set_md(btmp, md);
|
|
||||||
+ if (BIO_set_md(btmp, md) <= 0) {
|
|
||||||
+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
|
|
||||||
+ EVP_MD_free(fetched);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
EVP_MD_free(fetched);
|
|
||||||
if (*pbio == NULL)
|
|
||||||
*pbio = btmp;
|
|
||||||
@@ -522,7 +526,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
|
|
||||||
}
|
|
||||||
(void)ERR_pop_to_mark();
|
|
||||||
|
|
||||||
- BIO_set_md(btmp, md);
|
|
||||||
+ if (BIO_set_md(btmp, md) <= 0) {
|
|
||||||
+ EVP_MD_free(evp_md);
|
|
||||||
+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
EVP_MD_free(evp_md);
|
|
||||||
if (out == NULL)
|
|
||||||
out = btmp;
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
From a0f2359613f50b5ca6b74b78bf4b54d7dc925fd2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Date: Wed, 18 Jan 2023 17:07:24 +0100
|
|
||||||
Subject: [PATCH 16/18] Add testcase for missing return check of BIO_set_md()
|
|
||||||
calls
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
---
|
|
||||||
test/recipes/80-test_cms.t | 15 ++++++++--
|
|
||||||
test/recipes/80-test_cms_data/pkcs7-md4.pem | 32 +++++++++++++++++++++
|
|
||||||
2 files changed, 45 insertions(+), 2 deletions(-)
|
|
||||||
create mode 100644 test/recipes/80-test_cms_data/pkcs7-md4.pem
|
|
||||||
|
|
||||||
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
|
|
||||||
index fd53683e6b..d45789de70 100644
|
|
||||||
--- a/test/recipes/80-test_cms.t
|
|
||||||
+++ b/test/recipes/80-test_cms.t
|
|
||||||
@@ -13,7 +13,7 @@ use warnings;
|
|
||||||
use POSIX;
|
|
||||||
use File::Spec::Functions qw/catfile/;
|
|
||||||
use File::Compare qw/compare_text compare/;
|
|
||||||
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/;
|
|
||||||
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;
|
|
||||||
|
|
||||||
use OpenSSL::Test::Utils;
|
|
||||||
|
|
||||||
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
|
|
||||||
|
|
||||||
$no_rc2 = 1 if disabled("legacy");
|
|
||||||
|
|
||||||
-plan tests => 13;
|
|
||||||
+plan tests => 14;
|
|
||||||
|
|
||||||
ok(run(test(["pkcs7_test"])), "test pkcs7");
|
|
||||||
|
|
||||||
@@ -941,6 +941,17 @@ subtest "CMS binary input tests\n" => sub {
|
|
||||||
"verify binary input with -binary missing -crlfeol");
|
|
||||||
};
|
|
||||||
|
|
||||||
+# Test case for missing MD algorithm (must not segfault)
|
|
||||||
+
|
|
||||||
+with({ exit_checker => sub { return shift == 4; } },
|
|
||||||
+ sub {
|
|
||||||
+ ok(run(app(['openssl', 'smime', '-verify', '-noverify',
|
|
||||||
+ '-inform', 'PEM',
|
|
||||||
+ '-in', data_file("pkcs7-md4.pem"),
|
|
||||||
+ ])),
|
|
||||||
+ "Check failure of EVP_DigestInit is handled correctly");
|
|
||||||
+ });
|
|
||||||
+
|
|
||||||
sub check_availability {
|
|
||||||
my $tnam = shift;
|
|
||||||
|
|
||||||
diff --git a/test/recipes/80-test_cms_data/pkcs7-md4.pem b/test/recipes/80-test_cms_data/pkcs7-md4.pem
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000..ecff611deb
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/test/recipes/80-test_cms_data/pkcs7-md4.pem
|
|
||||||
@@ -0,0 +1,32 @@
|
|
||||||
+-----BEGIN PKCS7-----
|
|
||||||
+MIIFhAYJKoZIhvcNAQcCoIIFdTCCBXECAQExDjAMBggqhkiG9w0CBAUAMB0GCSqG
|
|
||||||
+SIb3DQEHAaAQBA5UZXN0IGNvbnRlbnQNCqCCAyQwggMgMIICCKADAgECAgECMA0G
|
|
||||||
+CSqGSIb3DQEBCwUAMA0xCzAJBgNVBAMMAkNBMCAXDTE2MDExNTA4MTk0OVoYDzIx
|
|
||||||
+MTYwMTE2MDgxOTQ5WjAZMRcwFQYDVQQDDA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJ
|
|
||||||
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU
|
|
||||||
+fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC
|
|
||||||
+76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz
|
|
||||||
+BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl
|
|
||||||
+V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv
|
|
||||||
+0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaN9
|
|
||||||
+MHswHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOiMB8GA1UdIwQYMBaAFLQR
|
|
||||||
+M/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
|
|
||||||
+AwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEB
|
|
||||||
+AEG0PE9hQuXlvtUULv9TQ2BXy9MmTjOk+dQwxDhAXYBYMUB6TygsqvPXwpDwz8MS
|
|
||||||
+EPGCRqh5cQwtPoElQRU1i4URgcQMZquXScwNFcvE6AATF/PdN/+mOwtqFrlpYfs3
|
|
||||||
+IJIpYL6ViQg4n8pv+b/pCwMmhewQLwCGs9+omHNTOwKjEiVoNaprAfj5Lxt15fS2
|
|
||||||
++zZW0mT9Y4kfEypetrqSAjh8CDK+vaQhkeKdDfJyBfjS4ALfxvCkT3mQnsWFJ9CU
|
|
||||||
+TVG3uw6ylSPT3wN3RE0Ofa4rI5PESogQsd/DgBc7dcDO3yoPKGjycR3/GJDqqCxC
|
|
||||||
+e9dr6FJEnDjaDf9zNWyTFHExggITMIICDwIBATASMA0xCzAJBgNVBAMMAkNBAgEC
|
|
||||||
+MAwGCCqGSIb3DQIEBQCggdQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq
|
|
||||||
+hkiG9w0BCQUxDxcNMjMwMTE4MTU0NzExWjAfBgkqhkiG9w0BCQQxEgQQRXO4TKpp
|
|
||||||
+RgA4XHb8bD1pczB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgB
|
|
||||||
+ZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN
|
|
||||||
+BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0B
|
|
||||||
+AQEFAASCAQAe+xlm/TGg/s/7b0xBc3FFnmmUDEe7ljkehIx61OnBV9ZWA+LcBX/7
|
|
||||||
+kmMSMdaHjRq4w8FmwBMLzn0ttXVqf0QuPbBF/E6X5EqK9lpOdkUQhNiN2v+ZfY6c
|
|
||||||
+lrH4ADsSD9D+UHw0sxo5KEF+PPuneUfYCJZosFUJosBbuSEXK0C9yfJoDKVE8Syp
|
|
||||||
+0vdqh73ogLeNgZLAUGSSB66OmHDxwgAj4qPAv6FHFBy1Xs4uFZER5vniYrH9OrAk
|
|
||||||
+Z6XdvzDoYZC4XcGMDtcOpOM6D4owqy5svHPDw8wIlM4GVhrTw7CQmuBz5uRNnf6a
|
|
||||||
+ZK3jZIxG1hr/INaNWheHoPIhPblYaVc6
|
|
||||||
+-----END PKCS7-----
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
@ -0,0 +1,105 @@
|
|||||||
|
From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
|
Date: Fri, 17 Feb 2023 15:31:08 +0100
|
||||||
|
Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen
|
||||||
|
|
||||||
|
Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
Verification Program, Section C.H requires guarantees about the
|
||||||
|
uniqueness of key/iv pairs, and proposes a few approaches to ensure
|
||||||
|
this. Provide an indicator for option 2 "The IV may be generated
|
||||||
|
internally at its entirety randomly."
|
||||||
|
|
||||||
|
Resolves: rhbz#2168289
|
||||||
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||||
|
---
|
||||||
|
include/openssl/evp.h | 4 +++
|
||||||
|
.../implementations/ciphers/ciphercommon.c | 4 +++
|
||||||
|
.../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++
|
||||||
|
util/perl/OpenSSL/paramnames.pm | 5 ++--
|
||||||
|
4 files changed, 36 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||||
|
index 49e8e1df78..ec2ba46fbd 100644
|
||||||
|
--- a/include/openssl/evp.h
|
||||||
|
+++ b/include/openssl/evp.h
|
||||||
|
@@ -746,6 +746,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
|
||||||
|
void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
|
||||||
|
int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
|
||||||
|
|
||||||
|
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||||
|
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||||
|
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||||
|
+
|
||||||
|
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
|
||||||
|
const unsigned char *key, const unsigned char *iv);
|
||||||
|
__owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
|
||||||
|
diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
|
||||||
|
index fa383165d8..716add7339 100644
|
||||||
|
--- a/providers/implementations/ciphers/ciphercommon.c
|
||||||
|
+++ b/providers/implementations/ciphers/ciphercommon.c
|
||||||
|
@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
|
||||||
|
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
|
||||||
|
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
|
||||||
|
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
|
||||||
|
+ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
|
||||||
|
+ * not work in ciphercommon.c because it is compiled only once into
|
||||||
|
+ * libcommon.a */
|
||||||
|
+ OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||||
|
OSSL_PARAM_END
|
||||||
|
};
|
||||||
|
const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
|
||||||
|
diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
|
||||||
|
index ed95c97ff4..db7910eb0e 100644
|
||||||
|
--- a/providers/implementations/ciphers/ciphercommon_gcm.c
|
||||||
|
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c
|
||||||
|
@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /* We would usually hide this under #ifdef FIPS_MODULE, but
|
||||||
|
+ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
|
||||||
|
+ * not work here. */
|
||||||
|
+ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
|
||||||
|
+ if (p != NULL) {
|
||||||
|
+ int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
|
||||||
|
+ * Verification Program, Section C.H requires guarantees about the
|
||||||
|
+ * uniqueness of key/iv pairs, and proposes a few approaches to ensure
|
||||||
|
+ * this. This provides an indicator for option 2 "The IV may be
|
||||||
|
+ * generated internally at its entirety randomly." Note that one of the
|
||||||
|
+ * conditions of this option is that "The IV length shall be at least
|
||||||
|
+ * 96 bits (per SP 800-38D)." We do not specically check for this
|
||||||
|
+ * condition here, because gcm_iv_generate will fail in this case. */
|
||||||
|
+ if (ctx->enc && !ctx->iv_gen_rand)
|
||||||
|
+ fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator)) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||||
|
index a109e44521..64e9809387 100644
|
||||||
|
--- a/util/perl/OpenSSL/paramnames.pm
|
||||||
|
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||||
|
@@ -101,8 +101,9 @@ my %params = (
|
||||||
|
'CIPHER_PARAM_SPEED' => "speed", # uint
|
||||||
|
'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string
|
||||||
|
# For passing the AlgorithmIdentifier parameter in DER form
|
||||||
|
- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
|
||||||
|
- 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
|
||||||
|
+ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
|
||||||
|
+ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int
|
||||||
|
+ 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
|
||||||
|
|
||||||
|
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint
|
||||||
|
'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE' => "tls1multi_maxbufsz", # size_t
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
||||||
@ -0,0 +1,80 @@
|
|||||||
|
From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
|
Date: Mon, 6 Mar 2023 12:32:04 +0100
|
||||||
|
Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks
|
||||||
|
|
||||||
|
The pbkdf2 implementation in the FIPS provider supports the checks
|
||||||
|
required by NIST, but allows disabling these checks by setting the
|
||||||
|
OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate
|
||||||
|
that the use of this configuration is not approved in FIPS mode. Add an
|
||||||
|
explicit indicator to provide this indication.
|
||||||
|
|
||||||
|
Resolves: rhbz#2175145
|
||||||
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||||
|
---
|
||||||
|
providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
|
||||||
|
1 file changed, 37 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
|
||||||
|
index aa0adce5e6..6df8c6d321 100644
|
||||||
|
--- a/providers/implementations/kdfs/pbkdf2.c
|
||||||
|
+++ b/providers/implementations/kdfs/pbkdf2.c
|
||||||
|
@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
|
||||||
|
|
||||||
|
static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
||||||
|
{
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
OSSL_PARAM *p;
|
||||||
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
||||||
|
+
|
||||||
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
||||||
|
+ any_valid = 1;
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
|
||||||
|
+ != NULL) {
|
||||||
|
+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* The lower_bound_checks parameter enables checks required by FIPS. If
|
||||||
|
+ * those checks are disabled, the PBKDF2 implementation will also
|
||||||
|
+ * support non-approved parameters (e.g., salt lengths < 16 bytes, see
|
||||||
|
+ * NIST SP 800-132 section 5.1). */
|
||||||
|
+ if (!ctx->lower_bound_checks)
|
||||||
|
+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
|
||||||
|
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
||||||
|
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
||||||
|
- return -2;
|
||||||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ any_valid = 1;
|
||||||
|
+ }
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+
|
||||||
|
+ if (!any_valid)
|
||||||
|
+ return -2;
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
||||||
|
{
|
||||||
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
OSSL_PARAM_END
|
||||||
|
};
|
||||||
|
return known_gettable_ctx_params;
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
||||||
@ -0,0 +1,156 @@
|
|||||||
|
From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
|
Date: Fri, 17 Mar 2023 15:39:15 +0100
|
||||||
|
Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator
|
||||||
|
|
||||||
|
NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||||
|
confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||||||
|
party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key
|
||||||
|
agreement schemes, but explicit key confirmation is not implemented and
|
||||||
|
cannot be implemented without protocol changes, and the FIPS provider
|
||||||
|
does not implement trusted third party validation, since it relies on
|
||||||
|
its callers to do that. A request for guidance sent to NIST did clarify
|
||||||
|
that OpenSSL can claim KTS-OAEP and RSASVE as approved, but we did add
|
||||||
|
an indicator to mark them as unapproved previously and should thus keep
|
||||||
|
the indicator available.
|
||||||
|
|
||||||
|
This does not affect RSA-OAEP decryption, because it is approved as
|
||||||
|
a component according to the FIPS 140-3 IG, section 2.4.G.
|
||||||
|
|
||||||
|
Resolves: rhbz#2179331
|
||||||
|
Resolves: RHEL-14083
|
||||||
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||||
|
---
|
||||||
|
include/openssl/evp.h | 4 +++
|
||||||
|
.../implementations/asymciphers/rsa_enc.c | 22 ++++++++++++++
|
||||||
|
providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++-
|
||||||
|
util/perl/OpenSSL/paramnames.pm | 6 ++--
|
||||||
|
4 files changed, 59 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
|
||||||
|
index ec2ba46fbd..3803b03422 100644
|
||||||
|
--- a/include/openssl/evp.h
|
||||||
|
+++ b/include/openssl/evp.h
|
||||||
|
@@ -1764,6 +1764,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
|
||||||
|
OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
|
||||||
|
# endif
|
||||||
|
|
||||||
|
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
|
||||||
|
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
|
||||||
|
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
|
||||||
|
+
|
||||||
|
EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
|
||||||
|
const char *properties);
|
||||||
|
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
|
||||||
|
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
||||||
|
index 568452ec56..2e7ea632d7 100644
|
||||||
|
--- a/providers/implementations/asymciphers/rsa_enc.c
|
||||||
|
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
||||||
|
@@ -462,6 +462,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||||
|
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
|
||||||
|
+ if (p != NULL) {
|
||||||
|
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||||
|
+
|
||||||
|
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||||
|
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||||||
|
+ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
|
||||||
|
+ * explicit key confirmation is not implemented here and cannot be
|
||||||
|
+ * implemented without protocol changes, and the FIPS provider does not
|
||||||
|
+ * implement trusted third party validation, since it relies on its
|
||||||
|
+ * callers to do that. We must thus mark RSA-OAEP as unapproved until
|
||||||
|
+ * we have received clarification from NIST on how library modules such
|
||||||
|
+ * as OpenSSL should implement TTP validation. */
|
||||||
|
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -465,6 +483,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
|
||||||
|
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
|
||||||
|
#ifdef FIPS_MODULE
|
||||||
|
OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
|
||||||
|
+ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||||
|
#endif /* FIPS_MODULE */
|
||||||
|
OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
|
||||||
|
OSSL_PARAM_END
|
||||||
|
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
|
||||||
|
index 882cf16125..b4cc0f9237 100644
|
||||||
|
--- a/providers/implementations/kem/rsa_kem.c
|
||||||
|
+++ b/providers/implementations/kem/rsa_kem.c
|
||||||
|
@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
|
||||||
|
static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||||
|
{
|
||||||
|
PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ OSSL_PARAM *p;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+
|
||||||
|
+ if (ctx == NULL)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);
|
||||||
|
+ if (p != NULL) {
|
||||||
|
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||||
|
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||||||
|
+ * party (section 6.4.2.3.1) for key agreement or key transport, but
|
||||||
|
+ * explicit key confirmation is not implemented here and cannot be
|
||||||
|
+ * implemented without protocol changes, and the FIPS provider does not
|
||||||
|
+ * implement trusted third party validation, since it relies on its
|
||||||
|
+ * callers to do that. We must thus mark RSASVE unapproved until we
|
||||||
|
+ * have received clarification from NIST on how library modules such as
|
||||||
|
+ * OpenSSL should implement TTP validation. */
|
||||||
|
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+
|
||||||
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
|
||||||
|
- return ctx != NULL;
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
OSSL_PARAM_END
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
|
||||||
|
index 64e9809387..45ab0c8dc4 100644
|
||||||
|
--- a/util/perl/OpenSSL/paramnames.pm
|
||||||
|
+++ b/util/perl/OpenSSL/paramnames.pm
|
||||||
|
@@ -406,6 +406,7 @@ my %params = (
|
||||||
|
'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
|
||||||
|
'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
|
||||||
|
'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed",
|
||||||
|
+ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
||||||
|
|
||||||
|
# Encoder / decoder parameters
|
||||||
|
|
||||||
|
@@ -438,8 +439,9 @@ my %params = (
|
||||||
|
'SIGNATURE_PARAM_KAT' => "kat",
|
||||||
|
|
||||||
|
# KEM parameters
|
||||||
|
- 'KEM_PARAM_OPERATION' => "operation",
|
||||||
|
- 'KEM_PARAM_IKME' => "ikme",
|
||||||
|
+ 'KEM_PARAM_OPERATION' => "operation",
|
||||||
|
+ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
|
||||||
|
+ 'KEM_PARAM_IKME' => "ikme",
|
||||||
|
|
||||||
|
# Capabilities
|
||||||
|
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
||||||
@ -0,0 +1,251 @@
|
|||||||
|
From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||||
|
Date: Mon, 21 Aug 2023 16:40:56 +0200
|
||||||
|
Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch
|
||||||
|
|
||||||
|
Patch-name: 0114-FIPS-enforce-EMS-support.patch
|
||||||
|
Patch-id: 114
|
||||||
|
Patch-status: |
|
||||||
|
# We believe that some changes present in CentOS are not necessary
|
||||||
|
# because ustream has a check for FIPS version
|
||||||
|
---
|
||||||
|
doc/man3/SSL_CONF_cmd.pod | 3 +++
|
||||||
|
doc/man5/fips_config.pod | 13 +++++++++++
|
||||||
|
include/openssl/fips_names.h | 8 +++++++
|
||||||
|
include/openssl/ssl.h.in | 1 +
|
||||||
|
providers/fips/fipsprov.c | 2 +-
|
||||||
|
providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++
|
||||||
|
ssl/ssl_conf.c | 1 +
|
||||||
|
ssl/statem/extensions_srvr.c | 8 ++++++-
|
||||||
|
ssl/t1_enc.c | 11 ++++++++--
|
||||||
|
.../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++
|
||||||
|
test/sslapitest.c | 2 +-
|
||||||
|
11 files changed, 76 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
|
||||||
|
index ae6ca43282..b83c04a308 100644
|
||||||
|
--- a/doc/man3/SSL_CONF_cmd.pod
|
||||||
|
+++ b/doc/man3/SSL_CONF_cmd.pod
|
||||||
|
@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
|
||||||
|
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
|
||||||
|
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
|
||||||
|
|
||||||
|
+B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
|
||||||
|
+This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.
|
||||||
|
+
|
||||||
|
B<CANames>: use CA names extension, enabled by
|
||||||
|
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
|
||||||
|
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
|
||||||
|
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
|
||||||
|
index 1c15e32a5c..f2cedaf88d 100644
|
||||||
|
--- a/doc/man5/fips_config.pod
|
||||||
|
+++ b/doc/man5/fips_config.pod
|
||||||
|
@@ -15,6 +15,19 @@ for more information.
|
||||||
|
|
||||||
|
This functionality was added in OpenSSL 3.0.
|
||||||
|
|
||||||
|
+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
|
||||||
|
+OpenSSL configuration directory and managed by crypto policies. If present, it
|
||||||
|
+should have format
|
||||||
|
+
|
||||||
|
+ [fips_sect]
|
||||||
|
+ tls1-prf-ems-check = 0
|
||||||
|
+ activate = 1
|
||||||
|
+
|
||||||
|
+The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
|
||||||
|
+presence of extended master secret or not.
|
||||||
|
+
|
||||||
|
+The B<activate> option enforces FIPS provider activation.
|
||||||
|
+
|
||||||
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
|
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
|
||||||
|
index 5c77f6d691..8cdd5a6bf7 100644
|
||||||
|
--- a/include/openssl/fips_names.h
|
||||||
|
+++ b/include/openssl/fips_names.h
|
||||||
|
@@ -70,6 +70,14 @@ extern "C" {
|
||||||
|
*/
|
||||||
|
# define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md"
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
|
||||||
|
+ * This is disabled by default.
|
||||||
|
+ *
|
||||||
|
+ * Type: OSSL_PARAM_UTF8_STRING
|
||||||
|
+ */
|
||||||
|
+# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
|
||||||
|
+
|
||||||
|
# ifdef __cplusplus
|
||||||
|
}
|
||||||
|
# endif
|
||||||
|
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
|
||||||
|
index 0b6de603e2..26a69ca282 100644
|
||||||
|
--- a/include/openssl/ssl.h.in
|
||||||
|
+++ b/include/openssl/ssl.h.in
|
||||||
|
@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
|
||||||
|
* interoperability with CryptoPro CSP 3.x
|
||||||
|
*/
|
||||||
|
# define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
|
||||||
|
+# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
|
||||||
|
/*
|
||||||
|
* Disable RFC8879 certificate compression
|
||||||
|
* SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
|
||||||
|
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
|
||||||
|
index 5ff9872bd8..eb9653a9df 100644
|
||||||
|
--- a/providers/fips/fipsprov.c
|
||||||
|
+++ b/providers/fips/fipsprov.c
|
||||||
|
@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
|
||||||
|
if (fgbl == NULL)
|
||||||
|
return NULL;
|
||||||
|
init_fips_option(&fgbl->fips_security_checks, 1);
|
||||||
|
- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
|
||||||
|
+ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
|
||||||
|
init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
|
||||||
|
return fgbl;
|
||||||
|
}
|
||||||
|
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
|
||||||
|
index 25a6c79a2e..79bc7a9719 100644
|
||||||
|
--- a/providers/implementations/kdfs/tls1_prf.c
|
||||||
|
+++ b/providers/implementations/kdfs/tls1_prf.c
|
||||||
|
@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx)
|
||||||
|
static void kdf_tls1_prf_free(void *vctx)
|
||||||
|
{
|
||||||
|
TLS1_PRF *ctx = (TLS1_PRF *)vctx;
|
||||||
|
+ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
|
||||||
|
|
||||||
|
if (ctx != NULL) {
|
||||||
|
kdf_tls1_prf_reset(ctx);
|
||||||
|
@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * The seed buffer is prepended with a label.
|
||||||
|
+ * If EMS mode is enforced then the label "master secret" is not allowed,
|
||||||
|
+ * We do the check this way since the PRF is used for other purposes, as well
|
||||||
|
+ * as "extended master secret".
|
||||||
|
+ */
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||||||
|
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
|
||||||
|
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
|
||||||
|
+ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||||
|
+#endif /* defined(FIPS_MODULE) */
|
||||||
|
+ if (ossl_tls1_prf_ems_check_enabled(libctx)) {
|
||||||
|
+ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||||||
|
+ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
|
||||||
|
+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
|
||||||
|
ctx->sec, ctx->seclen,
|
||||||
|
ctx->seed, ctx->seedlen,
|
||||||
|
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
|
||||||
|
index 5146cedb96..086db98c33 100644
|
||||||
|
--- a/ssl/ssl_conf.c
|
||||||
|
+++ b/ssl/ssl_conf.c
|
||||||
|
@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
|
||||||
|
SSL_FLAG_TBL("ClientRenegotiation",
|
||||||
|
SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
|
||||||
|
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
|
||||||
|
+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
|
||||||
|
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
|
||||||
|
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
|
||||||
|
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
|
||||||
|
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
|
||||||
|
index 00b1ee531e..22cdabb308 100644
|
||||||
|
--- a/ssl/statem/extensions_srvr.c
|
||||||
|
+++ b/ssl/statem/extensions_srvr.c
|
||||||
|
@@ -11,6 +11,7 @@
|
||||||
|
#include "../ssl_local.h"
|
||||||
|
#include "statem_local.h"
|
||||||
|
#include "internal/cryptlib.h"
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
|
||||||
|
#define COOKIE_STATE_FORMAT_VERSION 1
|
||||||
|
|
||||||
|
@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
|
||||||
|
unsigned int context,
|
||||||
|
X509 *x, size_t chainidx)
|
||||||
|
{
|
||||||
|
- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
|
||||||
|
+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
|
||||||
|
+ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
|
||||||
|
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
||||||
|
+ return EXT_RETURN_FAIL;
|
||||||
|
+ }
|
||||||
|
return EXT_RETURN_NOT_SENT;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|
||||||
|
|| !WPACKET_put_bytes_u16(pkt, 0)) {
|
||||||
|
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
|
||||||
|
index 91238e6457..e8ad8ecd9e 100644
|
||||||
|
--- a/ssl/t1_enc.c
|
||||||
|
+++ b/ssl/t1_enc.c
|
||||||
|
@@ -20,6 +20,7 @@
|
||||||
|
#include <openssl/obj_mac.h>
|
||||||
|
#include <openssl/core_names.h>
|
||||||
|
#include <openssl/trace.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
|
||||||
|
/* seed1 through seed5 are concatenated */
|
||||||
|
static int tls1_PRF(SSL_CONNECTION *s,
|
||||||
|
@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
|
||||||
|
}
|
||||||
|
|
||||||
|
err:
|
||||||
|
- if (fatal)
|
||||||
|
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||||
|
+ if (fatal) {
|
||||||
|
+ /* The calls to this function are local so it's safe to implement the check */
|
||||||
|
+ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
|
||||||
|
+ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
|
||||||
|
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
|
||||||
|
+ else
|
||||||
|
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||||
|
+ }
|
||||||
|
else
|
||||||
|
ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
|
||||||
|
EVP_KDF_CTX_free(kctx);
|
||||||
|
diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||||||
|
index 44040ff66b..deb6bf3fcb 100644
|
||||||
|
--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||||||
|
+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
|
||||||
|
@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
|
||||||
|
Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||||||
|
Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||||
|
|
||||||
|
+Availablein = fips
|
||||||
|
+KDF = TLS1-PRF
|
||||||
|
+Ctrl.digest = digest:SHA256
|
||||||
|
+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
|
||||||
|
+Ctrl.label = seed:master secret
|
||||||
|
+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
|
||||||
|
+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
|
||||||
|
+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
|
||||||
|
+Result = KDF_DERIVE_ERROR
|
||||||
|
+
|
||||||
|
FIPSversion = <=3.1.0
|
||||||
|
KDF = TLS1-PRF
|
||||||
|
Ctrl.digest = digest:SHA256
|
||||||
|
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||||
|
index 169e3c7466..e67b5bb44c 100644
|
||||||
|
--- a/test/sslapitest.c
|
||||||
|
+++ b/test/sslapitest.c
|
||||||
|
@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void)
|
||||||
|
STACK_OF(X509) *server_chain;
|
||||||
|
SSL_CTX *cctx = NULL, *sctx = NULL;
|
||||||
|
SSL *clientssl = NULL, *serverssl = NULL;
|
||||||
|
- int testresult = 0;
|
||||||
|
+ int testresult = 0, status;
|
||||||
|
|
||||||
|
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||||
|
TLS_client_method(), TLS1_VERSION, 0,
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
||||||
@ -0,0 +1,85 @@
|
|||||||
|
From ec8e4e25cc5e5c67313c5fd6af94fa248685c3d1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||||
|
Date: Thu, 7 Mar 2024 17:37:09 +0100
|
||||||
|
Subject: [PATCH 45/49] 0115-skip-quic-pairwise.patch
|
||||||
|
|
||||||
|
Patch-name: 0115-skip-quic-pairwise.patch
|
||||||
|
Patch-id: 115
|
||||||
|
Patch-status: |
|
||||||
|
# skip quic and pairwise tests temporarily
|
||||||
|
---
|
||||||
|
test/quicapitest.c | 4 +++-
|
||||||
|
test/recipes/01-test_symbol_presence.t | 1 +
|
||||||
|
test/recipes/30-test_pairwise_fail.t | 10 ++++++++--
|
||||||
|
3 files changed, 12 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/test/quicapitest.c b/test/quicapitest.c
|
||||||
|
index 41cf0fc7a8..0fb7492700 100644
|
||||||
|
--- a/test/quicapitest.c
|
||||||
|
+++ b/test/quicapitest.c
|
||||||
|
@@ -2139,7 +2139,9 @@ int setup_tests(void)
|
||||||
|
ADD_TEST(test_cipher_find);
|
||||||
|
ADD_TEST(test_version);
|
||||||
|
#if defined(DO_SSL_TRACE_TEST)
|
||||||
|
- ADD_TEST(test_ssl_trace);
|
||||||
|
+ if (is_fips == 0) {
|
||||||
|
+ ADD_TEST(test_ssl_trace);
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
ADD_TEST(test_quic_forbidden_apis_ctx);
|
||||||
|
ADD_TEST(test_quic_forbidden_apis);
|
||||||
|
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
|
||||||
|
index c837d48fb4..6291c08c49 100644
|
||||||
|
--- a/test/recipes/30-test_pairwise_fail.t
|
||||||
|
+++ b/test/recipes/30-test_pairwise_fail.t
|
||||||
|
@@ -9,7 +9,7 @@
|
||||||
|
use strict;
|
||||||
|
use warnings;
|
||||||
|
|
||||||
|
-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file);
|
||||||
|
+use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with);
|
||||||
|
use OpenSSL::Test::Utils;
|
||||||
|
|
||||||
|
BEGIN {
|
||||||
|
@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config"
|
||||||
|
SKIP: {
|
||||||
|
skip "Skip RSA test because of no rsa in this build", 1
|
||||||
|
if disabled("rsa");
|
||||||
|
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
||||||
|
+ sub {
|
||||||
|
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||||
|
"-pairwise", "rsa"])),
|
||||||
|
"fips provider rsa keygen pairwise failure test");
|
||||||
|
+ });
|
||||||
|
}
|
||||||
|
|
||||||
|
SKIP: {
|
||||||
|
skip "Skip EC test because of no ec in this build", 2
|
||||||
|
if disabled("ec");
|
||||||
|
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
||||||
|
+ sub {
|
||||||
|
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||||
|
"-pairwise", "ec"])),
|
||||||
|
"fips provider ec keygen pairwise failure test");
|
||||||
|
+ });
|
||||||
|
|
||||||
|
skip "FIPS provider version is too old", 1
|
||||||
|
if !$fips_exit;
|
||||||
|
+ with({ exit_checker => sub {my $val = shift; return $val == 134; } },
|
||||||
|
+ sub {
|
||||||
|
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||||
|
"-pairwise", "eckat"])),
|
||||||
|
"fips provider ec keygen kat failure test");
|
||||||
|
+ });
|
||||||
|
}
|
||||||
|
|
||||||
|
SKIP: {
|
||||||
|
skip "Skip DSA tests because of no dsa in this build", 2
|
||||||
|
- if disabled("dsa");
|
||||||
|
+ if 1; #if disabled("dsa");
|
||||||
|
ok(run(test(["pairwise_fail_test", "-config", $provconf,
|
||||||
|
"-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
|
||||||
|
"fips provider dsa keygen pairwise failure test");
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
||||||
@ -0,0 +1,84 @@
|
|||||||
|
From a2673b5e2e95bcf54a1746bfd409cca688275e75 Mon Sep 17 00:00:00 2001
|
||||||
|
From: rpm-build <rpm-build>
|
||||||
|
Date: Wed, 6 Mar 2024 19:17:17 +0100
|
||||||
|
Subject: [PATCH 46/49] 0116-version-aliasing.patch
|
||||||
|
|
||||||
|
Patch-name: 0116-version-aliasing.patch
|
||||||
|
Patch-id: 116
|
||||||
|
Patch-status: |
|
||||||
|
# Add version aliasing due to
|
||||||
|
# https://github.com/openssl/openssl/issues/23534
|
||||||
|
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
|
||||||
|
---
|
||||||
|
crypto/evp/digest.c | 7 ++++++-
|
||||||
|
crypto/evp/evp_enc.c | 7 ++++++-
|
||||||
|
test/recipes/01-test_symbol_presence.t | 1 +
|
||||||
|
util/libcrypto.num | 2 ++
|
||||||
|
4 files changed, 15 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
|
||||||
|
index 42331703da..3a280acc0e 100644
|
||||||
|
--- a/crypto/evp/digest.c
|
||||||
|
+++ b/crypto/evp/digest.c
|
||||||
|
@@ -553,7 +553,12 @@ legacy:
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in)
|
||||||
|
+EVP_MD_CTX
|
||||||
|
+#if !defined(FIPS_MODULE)
|
||||||
|
+__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
|
||||||
|
+ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
|
||||||
|
+#endif
|
||||||
|
+*EVP_MD_CTX_dup(const EVP_MD_CTX *in)
|
||||||
|
{
|
||||||
|
EVP_MD_CTX *out = EVP_MD_CTX_new();
|
||||||
|
|
||||||
|
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
|
||||||
|
index e9faf31057..5a29b8dbb7 100644
|
||||||
|
--- a/crypto/evp/evp_enc.c
|
||||||
|
+++ b/crypto/evp/evp_enc.c
|
||||||
|
@@ -1444,7 +1444,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
|
||||||
|
#endif /* FIPS_MODULE */
|
||||||
|
}
|
||||||
|
|
||||||
|
-EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
|
||||||
|
+EVP_CIPHER_CTX
|
||||||
|
+#if !defined(FIPS_MODULE)
|
||||||
|
+__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
|
||||||
|
+ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
|
||||||
|
+#endif
|
||||||
|
+*EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
|
||||||
|
{
|
||||||
|
EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
|
||||||
|
|
||||||
|
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
|
||||||
|
index 222b1886ae..7e2f65cccb 100644
|
||||||
|
--- a/test/recipes/01-test_symbol_presence.t
|
||||||
|
+++ b/test/recipes/01-test_symbol_presence.t
|
||||||
|
@@ -185,6 +185,8 @@ foreach (sort keys %stlibname) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
|
||||||
|
+@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
|
||||||
|
+@duplicates = grep {($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp") } @duplicates;
|
||||||
|
if (@duplicates) {
|
||||||
|
note "Duplicates:";
|
||||||
|
note join('\n', @duplicates);
|
||||||
|
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||||
|
index 8046454025..068e9904e2 100644
|
||||||
|
--- a/util/libcrypto.num
|
||||||
|
+++ b/util/libcrypto.num
|
||||||
|
@@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key 5562 3_2_0 EXIST::FUNCTION:
|
||||||
|
OSSL_STACK_OF_X509_free 5563 3_2_0 EXIST::FUNCTION:
|
||||||
|
OSSL_trace_string 5564 3_2_0 EXIST::FUNCTION:
|
||||||
|
EVP_MD_CTX_dup 5565 3_2_0 EXIST::FUNCTION:
|
||||||
|
+EVP_MD_CTX_dup ? 3_1_0 EXIST::FUNCTION:
|
||||||
|
EVP_CIPHER_CTX_dup 5566 3_2_0 EXIST::FUNCTION:
|
||||||
|
+EVP_CIPHER_CTX_dup ? 3_1_0 EXIST::FUNCTION:
|
||||||
|
BN_signed_bin2bn 5567 3_2_0 EXIST::FUNCTION:
|
||||||
|
BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
|
||||||
|
BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
||||||
@ -0,0 +1,318 @@
|
|||||||
|
From 242c746690dd1d0e500fa554c60536877d77776d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Thu, 14 Dec 2023 17:08:56 +0100
|
||||||
|
Subject: [PATCH 47/49] 0117-ignore-unknown-sigalgorithms-groups.patch
|
||||||
|
|
||||||
|
Patch-name: 0117-ignore-unknown-sigalgorithms-groups.patch
|
||||||
|
Patch-id: 117
|
||||||
|
Patch-status: |
|
||||||
|
# https://github.com/openssl/openssl/issues/23050
|
||||||
|
---
|
||||||
|
CHANGES.md | 13 +++++++
|
||||||
|
doc/man3/SSL_CTX_set1_curves.pod | 6 ++-
|
||||||
|
doc/man3/SSL_CTX_set1_sigalgs.pod | 11 +++++-
|
||||||
|
ssl/t1_lib.c | 56 +++++++++++++++++++++-------
|
||||||
|
test/sslapitest.c | 61 +++++++++++++++++++++++++++++++
|
||||||
|
5 files changed, 132 insertions(+), 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/CHANGES.md b/CHANGES.md
|
||||||
|
index ca29762ac2..4e21d0ddf9 100644
|
||||||
|
--- a/CHANGES.md
|
||||||
|
+++ b/CHANGES.md
|
||||||
|
@@ -27,6 +27,19 @@ OpenSSL 3.2
|
||||||
|
|
||||||
|
### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
|
||||||
|
|
||||||
|
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
|
||||||
|
+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
|
||||||
|
+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
|
||||||
|
+ ignored and the configuration will still be used.
|
||||||
|
+
|
||||||
|
+ Similarly unknown entries that start with `?` character in a TLS
|
||||||
|
+ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
|
||||||
|
+ and the configuration will still be used.
|
||||||
|
+
|
||||||
|
+ In both cases if the resulting list is empty, an error is returned.
|
||||||
|
+
|
||||||
|
+ *Tomáš Mráz*
|
||||||
|
+
|
||||||
|
* A file in PKCS12 format can contain certificates and keys and may come from
|
||||||
|
an untrusted source. The PKCS12 specification allows certain fields to be
|
||||||
|
NULL, but OpenSSL did not correctly check for this case. A fix has been
|
||||||
|
diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod
|
||||||
|
index c26ef00306..f0566e148e 100644
|
||||||
|
--- a/doc/man3/SSL_CTX_set1_curves.pod
|
||||||
|
+++ b/doc/man3/SSL_CTX_set1_curves.pod
|
||||||
|
@@ -58,7 +58,8 @@ string B<list>. The string is a colon separated list of group names, for example
|
||||||
|
are B<P-256>, B<P-384>, B<P-521>, B<X25519>, B<X448>, B<brainpoolP256r1tls13>,
|
||||||
|
B<brainpoolP384r1tls13>, B<brainpoolP512r1tls13>, B<ffdhe2048>, B<ffdhe3072>,
|
||||||
|
B<ffdhe4096>, B<ffdhe6144> and B<ffdhe8192>. Support for other groups may be
|
||||||
|
-added by external providers.
|
||||||
|
+added by external providers. If a group name is preceded with the C<?>
|
||||||
|
+character, it will be ignored if an implementation is missing.
|
||||||
|
|
||||||
|
SSL_set1_groups() and SSL_set1_groups_list() are similar except they set
|
||||||
|
supported groups for the SSL structure B<ssl>.
|
||||||
|
@@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group
|
||||||
|
functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function
|
||||||
|
was added in OpenSSL 3.0.0.
|
||||||
|
|
||||||
|
+Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and
|
||||||
|
+SSL_set1_groups_list() was added in OpenSSL 3.3.
|
||||||
|
+
|
||||||
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
|
Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||||
|
index eb31006346..5b7de7d956 100644
|
||||||
|
--- a/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||||
|
+++ b/doc/man3/SSL_CTX_set1_sigalgs.pod
|
||||||
|
@@ -33,7 +33,9 @@ signature algorithms for B<ctx> or B<ssl>. The B<str> parameter
|
||||||
|
must be a null terminated string consisting of a colon separated list of
|
||||||
|
elements, where each element is either a combination of a public key
|
||||||
|
algorithm and a digest separated by B<+>, or a TLS 1.3-style named
|
||||||
|
-SignatureScheme such as rsa_pss_pss_sha256.
|
||||||
|
+SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded
|
||||||
|
+with the C<?> character, it will be ignored if an implementation is missing.
|
||||||
|
+
|
||||||
|
|
||||||
|
SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(),
|
||||||
|
SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set
|
||||||
|
@@ -106,6 +108,13 @@ using a string:
|
||||||
|
L<ssl(7)>, L<SSL_get_shared_sigalgs(3)>,
|
||||||
|
L<SSL_CONF_CTX_new(3)>
|
||||||
|
|
||||||
|
+=head1 HISTORY
|
||||||
|
+
|
||||||
|
+Support for ignoring unknown signature algorithms in
|
||||||
|
+SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(),
|
||||||
|
+SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list()
|
||||||
|
+was added in OpenSSL 3.3.
|
||||||
|
+
|
||||||
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
|
Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
|
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||||
|
index 056aae3863..fe680449c5 100644
|
||||||
|
--- a/ssl/t1_lib.c
|
||||||
|
+++ b/ssl/t1_lib.c
|
||||||
|
@@ -1052,9 +1052,15 @@ static int gid_cb(const char *elem, int len, void *arg)
|
||||||
|
size_t i;
|
||||||
|
uint16_t gid = 0;
|
||||||
|
char etmp[GROUP_NAME_BUFFER_LENGTH];
|
||||||
|
+ int ignore_unknown = 0;
|
||||||
|
|
||||||
|
if (elem == NULL)
|
||||||
|
return 0;
|
||||||
|
+ if (elem[0] == '?') {
|
||||||
|
+ ignore_unknown = 1;
|
||||||
|
+ ++elem;
|
||||||
|
+ --len;
|
||||||
|
+ }
|
||||||
|
if (garg->gidcnt == garg->gidmax) {
|
||||||
|
uint16_t *tmp =
|
||||||
|
OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT);
|
||||||
|
@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg)
|
||||||
|
|
||||||
|
gid = tls1_group_name2id(garg->ctx, etmp);
|
||||||
|
if (gid == 0) {
|
||||||
|
- ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||||
|
- "group '%s' cannot be set", etmp);
|
||||||
|
- return 0;
|
||||||
|
+ /* Unknown group - ignore, if ignore_unknown */
|
||||||
|
+ return ignore_unknown;
|
||||||
|
}
|
||||||
|
for (i = 0; i < garg->gidcnt; i++)
|
||||||
|
- if (garg->gid_arr[i] == gid)
|
||||||
|
- return 0;
|
||||||
|
+ if (garg->gid_arr[i] == gid) {
|
||||||
|
+ /* Duplicate group - ignore */
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
garg->gid_arr[garg->gidcnt++] = gid;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
@@ -1097,6 +1104,11 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen,
|
||||||
|
gcb.ctx = ctx;
|
||||||
|
if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb))
|
||||||
|
goto end;
|
||||||
|
+ if (gcb.gidcnt == 0) {
|
||||||
|
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||||
|
+ "No valid groups in '%s'", str);
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
if (pext == NULL) {
|
||||||
|
ret = 1;
|
||||||
|
goto end;
|
||||||
|
@@ -2905,8 +2917,15 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
const SIGALG_LOOKUP *s;
|
||||||
|
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
|
||||||
|
int sig_alg = NID_undef, hash_alg = NID_undef;
|
||||||
|
+ int ignore_unknown = 0;
|
||||||
|
+
|
||||||
|
if (elem == NULL)
|
||||||
|
return 0;
|
||||||
|
+ if (elem[0] == '?') {
|
||||||
|
+ ignore_unknown = 1;
|
||||||
|
+ ++elem;
|
||||||
|
+ --len;
|
||||||
|
+ }
|
||||||
|
if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT)
|
||||||
|
return 0;
|
||||||
|
if (len > (int)(sizeof(etmp) - 1))
|
||||||
|
@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
||||||
|
- return 0;
|
||||||
|
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||||
|
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||||
|
+ return ignore_unknown;
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
*p = 0;
|
||||||
|
p++;
|
||||||
|
@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
return 0;
|
||||||
|
get_sigorhash(&sig_alg, &hash_alg, etmp);
|
||||||
|
get_sigorhash(&sig_alg, &hash_alg, p);
|
||||||
|
- if (sig_alg == NID_undef || hash_alg == NID_undef)
|
||||||
|
- return 0;
|
||||||
|
+ if (sig_alg == NID_undef || hash_alg == NID_undef) {
|
||||||
|
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||||
|
+ return ignore_unknown;
|
||||||
|
+ }
|
||||||
|
for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
|
||||||
|
i++, s++) {
|
||||||
|
if (s->hash == hash_alg && s->sig == sig_alg) {
|
||||||
|
@@ -2949,15 +2972,17 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if (i == OSSL_NELEM(sigalg_lookup_tbl))
|
||||||
|
- return 0;
|
||||||
|
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||||
|
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||||
|
+ return ignore_unknown;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Reject duplicates */
|
||||||
|
+ /* Ignore duplicates */
|
||||||
|
for (i = 0; i < sarg->sigalgcnt - 1; i++) {
|
||||||
|
if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) {
|
||||||
|
sarg->sigalgcnt--;
|
||||||
|
- return 0;
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 1;
|
||||||
|
@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
||||||
|
sig.sigalgcnt = 0;
|
||||||
|
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
||||||
|
return 0;
|
||||||
|
+ if (sig.sigalgcnt == 0) {
|
||||||
|
+ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
|
||||||
|
+ "No valid signature algorithms in '%s'", str);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
if (c == NULL)
|
||||||
|
return 1;
|
||||||
|
return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
|
||||||
|
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
||||||
|
index 1c14f93ed1..184a0f1055 100644
|
||||||
|
--- a/test/sslapitest.c
|
||||||
|
+++ b/test/sslapitest.c
|
||||||
|
@@ -39,6 +39,7 @@
|
||||||
|
#include "testutil.h"
|
||||||
|
#include "testutil/output.h"
|
||||||
|
#include "internal/nelem.h"
|
||||||
|
+#include "internal/tlsgroups.h"
|
||||||
|
#include "internal/ktls.h"
|
||||||
|
#include "../ssl/ssl_local.h"
|
||||||
|
#include "../ssl/record/methods/recmethod_local.h"
|
||||||
|
@@ -3147,6 +3148,7 @@ static const sigalgs_list testsigalgs[] = {
|
||||||
|
{validlist3, OSSL_NELEM(validlist3), NULL, 1, 0},
|
||||||
|
# endif
|
||||||
|
{NULL, 0, "RSA+SHA256", 1, 1},
|
||||||
|
+ {NULL, 0, "RSA+SHA256:?Invalid", 1, 1},
|
||||||
|
# ifndef OPENSSL_NO_EC
|
||||||
|
{NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1},
|
||||||
|
{NULL, 0, "ECDSA+SHA512", 1, 0},
|
||||||
|
@@ -9276,6 +9278,64 @@ static int test_servername(int tst)
|
||||||
|
return testresult;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int test_unknown_sigalgs_groups(void)
|
||||||
|
+{
|
||||||
|
+ int ret = 0;
|
||||||
|
+ SSL_CTX *ctx = NULL;
|
||||||
|
+
|
||||||
|
+ if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx,
|
||||||
|
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+ if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2)
|
||||||
|
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
|
||||||
|
+ || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx,
|
||||||
|
+ "RSA+SHA256:?nonexistent:?RSA+SHA512"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+ if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2)
|
||||||
|
+ || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256)
|
||||||
|
+ || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||||
|
+ "nonexistent"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||||
|
+ "?nonexistent1:?nonexistent2:?nonexistent3"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+#ifndef OPENSSL_NO_EC
|
||||||
|
+ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx,
|
||||||
|
+ "P-256:nonexistent"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx,
|
||||||
|
+ "P-384:?nonexistent:?P-521"),
|
||||||
|
+ 0))
|
||||||
|
+ goto end;
|
||||||
|
+ if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2)
|
||||||
|
+ || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1)
|
||||||
|
+ || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1))
|
||||||
|
+ goto end;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ ret = 1;
|
||||||
|
+ end:
|
||||||
|
+ SSL_CTX_free(ctx);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#if !defined(OPENSSL_NO_EC) \
|
||||||
|
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
|
||||||
|
/*
|
||||||
|
@@ -11519,6 +11579,7 @@ int setup_tests(void)
|
||||||
|
ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data));
|
||||||
|
#endif
|
||||||
|
ADD_ALL_TESTS(test_servername, 10);
|
||||||
|
+ ADD_TEST(test_unknown_sigalgs_groups);
|
||||||
|
#if !defined(OPENSSL_NO_EC) \
|
||||||
|
&& (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
|
||||||
|
ADD_ALL_TESTS(test_sigalgs_available, 6);
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
||||||
@ -0,0 +1,80 @@
|
|||||||
|
From 105217c7d58c726f4e646177e0aaefb6115aad3e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Belyavskiy <beldmit@gmail.com>
|
||||||
|
Date: Tue, 27 Feb 2024 15:22:58 +0100
|
||||||
|
Subject: [PATCH 48/49] 0118-no-crl-memleak.patch
|
||||||
|
|
||||||
|
Patch-name: 0118-no-crl-memleak.patch
|
||||||
|
Patch-id: 118
|
||||||
|
Patch-status: |
|
||||||
|
# https://github.com/openssl/openssl/issues/23770
|
||||||
|
---
|
||||||
|
crypto/x509/by_file.c | 2 ++
|
||||||
|
test/recipes/60-test_x509_load_cert_file.t | 3 ++-
|
||||||
|
test/x509_load_cert_file_test.c | 8 +++++++-
|
||||||
|
3 files changed, 11 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
|
||||||
|
index 5073c137a2..85923804ac 100644
|
||||||
|
--- a/crypto/x509/by_file.c
|
||||||
|
+++ b/crypto/x509/by_file.c
|
||||||
|
@@ -198,6 +198,8 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type)
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
count++;
|
||||||
|
+ X509_CRL_free(x);
|
||||||
|
+ x = NULL;
|
||||||
|
}
|
||||||
|
} else if (type == X509_FILETYPE_ASN1) {
|
||||||
|
x = d2i_X509_CRL_bio(in, NULL);
|
||||||
|
diff --git a/test/recipes/60-test_x509_load_cert_file.t b/test/recipes/60-test_x509_load_cert_file.t
|
||||||
|
index 75aeac362c..e329d7675c 100644
|
||||||
|
--- a/test/recipes/60-test_x509_load_cert_file.t
|
||||||
|
+++ b/test/recipes/60-test_x509_load_cert_file.t
|
||||||
|
@@ -12,4 +12,5 @@ setup("test_load_cert_file");
|
||||||
|
|
||||||
|
plan tests => 1;
|
||||||
|
|
||||||
|
-ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem")])));
|
||||||
|
+ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem"),
|
||||||
|
+ srctop_file("test", "certs", "cyrillic_crl.pem")])));
|
||||||
|
diff --git a/test/x509_load_cert_file_test.c b/test/x509_load_cert_file_test.c
|
||||||
|
index 4a736071ae..c07d329915 100644
|
||||||
|
--- a/test/x509_load_cert_file_test.c
|
||||||
|
+++ b/test/x509_load_cert_file_test.c
|
||||||
|
@@ -12,6 +12,7 @@
|
||||||
|
#include "testutil.h"
|
||||||
|
|
||||||
|
static const char *chain;
|
||||||
|
+static const char *crl;
|
||||||
|
|
||||||
|
static int test_load_cert_file(void)
|
||||||
|
{
|
||||||
|
@@ -27,12 +28,15 @@ static int test_load_cert_file(void)
|
||||||
|
&& TEST_int_eq(sk_X509_num(certs), 4))
|
||||||
|
ret = 1;
|
||||||
|
|
||||||
|
+ if (crl != NULL && !TEST_true(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM)))
|
||||||
|
+ ret = 0;
|
||||||
|
+
|
||||||
|
OSSL_STACK_OF_X509_free(certs);
|
||||||
|
X509_STORE_free(store);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-OPT_TEST_DECLARE_USAGE("cert.pem...\n")
|
||||||
|
+OPT_TEST_DECLARE_USAGE("cert.pem [crl.pem]\n")
|
||||||
|
|
||||||
|
int setup_tests(void)
|
||||||
|
{
|
||||||
|
@@ -45,6 +49,8 @@ int setup_tests(void)
|
||||||
|
if (chain == NULL)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
+ crl = test_get_argument(1);
|
||||||
|
+
|
||||||
|
ADD_TEST(test_load_cert_file);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
||||||
@ -0,0 +1,170 @@
|
|||||||
|
From f5b48604779362c91a22080b6905413fbba28b74 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
||||||
|
Date: Fri, 8 Mar 2024 11:18:12 +0100
|
||||||
|
Subject: [PATCH 49/49] 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
|
||||||
|
|
||||||
|
Patch-name: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch
|
||||||
|
Patch-id: 119
|
||||||
|
Patch-status: |
|
||||||
|
# https://github.com/openssl/openssl/issues/22779
|
||||||
|
---
|
||||||
|
ssl/s3_lib.c | 8 ++++----
|
||||||
|
ssl/ssl_lib.c | 2 +-
|
||||||
|
ssl/ssl_local.h | 2 +-
|
||||||
|
ssl/t1_lib.c | 45 ++++++++++++++++++++++++++++++++++-----------
|
||||||
|
4 files changed, 40 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
||||||
|
index e8ec98c221..48a1aa0e61 100644
|
||||||
|
--- a/ssl/s3_lib.c
|
||||||
|
+++ b/ssl/s3_lib.c
|
||||||
|
@@ -3685,13 +3685,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
||||||
|
return tls1_set_sigalgs(sc->cert, parg, larg, 0);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_SIGALGS_LIST:
|
||||||
|
- return tls1_set_sigalgs_list(sc->cert, parg, 0);
|
||||||
|
+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 0);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_CLIENT_SIGALGS:
|
||||||
|
return tls1_set_sigalgs(sc->cert, parg, larg, 1);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
||||||
|
- return tls1_set_sigalgs_list(sc->cert, parg, 1);
|
||||||
|
+ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 1);
|
||||||
|
|
||||||
|
case SSL_CTRL_GET_CLIENT_CERT_TYPES:
|
||||||
|
{
|
||||||
|
@@ -3968,13 +3968,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||||
|
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_SIGALGS_LIST:
|
||||||
|
- return tls1_set_sigalgs_list(ctx->cert, parg, 0);
|
||||||
|
+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 0);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_CLIENT_SIGALGS:
|
||||||
|
return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
||||||
|
- return tls1_set_sigalgs_list(ctx->cert, parg, 1);
|
||||||
|
+ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 1);
|
||||||
|
|
||||||
|
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
|
||||||
|
return ssl3_set_req_cert_type(ctx->cert, parg, larg);
|
||||||
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
||||||
|
index 1329841aaf..4d95ab71cd 100644
|
||||||
|
--- a/ssl/ssl_lib.c
|
||||||
|
+++ b/ssl/ssl_lib.c
|
||||||
|
@@ -3078,7 +3078,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||||
|
return tls1_set_groups_list(ctx, NULL, NULL, parg);
|
||||||
|
case SSL_CTRL_SET_SIGALGS_LIST:
|
||||||
|
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
|
||||||
|
- return tls1_set_sigalgs_list(NULL, parg, 0);
|
||||||
|
+ return tls1_set_sigalgs_list(ctx, NULL, parg, 0);
|
||||||
|
default:
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
|
||||||
|
index 0d3acfbe66..a73b2c4770 100644
|
||||||
|
--- a/ssl/ssl_local.h
|
||||||
|
+++ b/ssl/ssl_local.h
|
||||||
|
@@ -2796,7 +2796,7 @@ __owur int tls_use_ticket(SSL_CONNECTION *s);
|
||||||
|
|
||||||
|
void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op);
|
||||||
|
|
||||||
|
-__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client);
|
||||||
|
+__owur int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client);
|
||||||
|
__owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen,
|
||||||
|
int client);
|
||||||
|
__owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen,
|
||||||
|
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||||
|
index fe680449c5..87f2ae7000 100644
|
||||||
|
--- a/ssl/t1_lib.c
|
||||||
|
+++ b/ssl/t1_lib.c
|
||||||
|
@@ -716,6 +716,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx)
|
||||||
|
|
||||||
|
/* now populate ctx->ssl_cert_info */
|
||||||
|
if (ctx->sigalg_list_len > 0) {
|
||||||
|
+ OPENSSL_free(ctx->ssl_cert_info);
|
||||||
|
ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len);
|
||||||
|
if (ctx->ssl_cert_info == NULL)
|
||||||
|
return 0;
|
||||||
|
@@ -2889,6 +2890,7 @@ typedef struct {
|
||||||
|
size_t sigalgcnt;
|
||||||
|
/* TLSEXT_SIGALG_XXX values */
|
||||||
|
uint16_t sigalgs[TLS_MAX_SIGALGCNT];
|
||||||
|
+ SSL_CTX *ctx;
|
||||||
|
} sig_cb_st;
|
||||||
|
|
||||||
|
static void get_sigorhash(int *psig, int *phash, const char *str)
|
||||||
|
@@ -2913,7 +2915,8 @@ static void get_sigorhash(int *psig, int *phash, const char *str)
|
||||||
|
static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
{
|
||||||
|
sig_cb_st *sarg = arg;
|
||||||
|
- size_t i;
|
||||||
|
+ size_t i = 0;
|
||||||
|
+ int load_success = 0;
|
||||||
|
const SIGALG_LOOKUP *s;
|
||||||
|
char etmp[TLS_MAX_SIGSTRING_LEN], *p;
|
||||||
|
int sig_alg = NID_undef, hash_alg = NID_undef;
|
||||||
|
@@ -2943,17 +2946,36 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
* in the table.
|
||||||
|
*/
|
||||||
|
if (p == NULL) {
|
||||||
|
- for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl);
|
||||||
|
- i++, s++) {
|
||||||
|
- if (s->name != NULL && strcmp(etmp, s->name) == 0) {
|
||||||
|
- sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
+ /* Load provider sigalgs */
|
||||||
|
+ if (sarg->ctx) {
|
||||||
|
+ load_success = ssl_load_sigalgs(sarg->ctx);
|
||||||
|
}
|
||||||
|
- if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||||
|
- /* Ignore unknown algorithms if ignore_unknown */
|
||||||
|
- return ignore_unknown;
|
||||||
|
+ if (load_success) {
|
||||||
|
+ /* Check if a provider supports the sigalg */
|
||||||
|
+ for (i = 0; i < sarg->ctx->sigalg_list_len; i++) {
|
||||||
|
+ if (sarg->ctx->sigalg_list[i].sigalg_name != NULL
|
||||||
|
+ && strcmp(etmp,
|
||||||
|
+ sarg->ctx->sigalg_list[i].sigalg_name) == 0) {
|
||||||
|
+ sarg->sigalgs[sarg->sigalgcnt++] =
|
||||||
|
+ sarg->ctx->sigalg_list[i].code_point;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
+ /* Check the built-in sigalgs */
|
||||||
|
+ if (!sarg->ctx || !load_success || i == sarg->ctx->sigalg_list_len) {
|
||||||
|
+ for (i = 0, s = sigalg_lookup_tbl;
|
||||||
|
+ i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) {
|
||||||
|
+ if (s->name != NULL && strcmp(etmp, s->name) == 0) {
|
||||||
|
+ sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (i == OSSL_NELEM(sigalg_lookup_tbl)) {
|
||||||
|
+ /* Ignore unknown algorithms if ignore_unknown */
|
||||||
|
+ return ignore_unknown;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
*p = 0;
|
||||||
|
p++;
|
||||||
|
@@ -2992,10 +3014,11 @@ static int sig_cb(const char *elem, int len, void *arg)
|
||||||
|
* Set supported signature algorithms based on a colon separated list of the
|
||||||
|
* form sig+hash e.g. RSA+SHA512:DSA+SHA512
|
||||||
|
*/
|
||||||
|
-int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
|
||||||
|
+int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client)
|
||||||
|
{
|
||||||
|
sig_cb_st sig;
|
||||||
|
sig.sigalgcnt = 0;
|
||||||
|
+ sig.ctx = ctx;
|
||||||
|
if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
|
||||||
|
return 0;
|
||||||
|
if (sig.sigalgcnt == 0) {
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
||||||
@ -0,0 +1,65 @@
|
|||||||
|
diff -up openssl-3.0.7/apps/cms.c.fips_cms openssl-3.0.7/apps/cms.c
|
||||||
|
--- openssl-3.0.7/apps/cms.c.fips_cms 2023-05-18 14:03:56.360555106 +0200
|
||||||
|
+++ openssl-3.0.7/apps/cms.c 2023-05-18 14:13:33.765183185 +0200
|
||||||
|
@@ -20,6 +20,7 @@
|
||||||
|
#include <openssl/x509_vfy.h>
|
||||||
|
#include <openssl/x509v3.h>
|
||||||
|
#include <openssl/cms.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
|
||||||
|
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
|
||||||
|
static int cms_cb(int ok, X509_STORE_CTX *ctx);
|
||||||
|
@@ -810,12 +811,16 @@ int cms_main(int argc, char **argv)
|
||||||
|
|
||||||
|
if (operation == SMIME_ENCRYPT) {
|
||||||
|
if (!cipher) {
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ cipher = (EVP_CIPHER *)EVP_aes_128_cbc();
|
||||||
|
+ } else {
|
||||||
|
#ifndef OPENSSL_NO_DES
|
||||||
|
- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
||||||
|
+ cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
|
||||||
|
#else
|
||||||
|
- BIO_printf(bio_err, "No cipher selected\n");
|
||||||
|
- goto end;
|
||||||
|
+ BIO_printf(bio_err, "No cipher selected\n");
|
||||||
|
+ goto end;
|
||||||
|
#endif
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if (secret_key && !secret_keyid) {
|
||||||
|
diff -up openssl-3.0.7/crypto/cms/cms_env.c.fips_cms openssl-3.0.7/crypto/cms/cms_env.c
|
||||||
|
--- openssl-3.0.7/crypto/cms/cms_env.c.fips_cms 2023-05-22 10:06:50.276528155 +0200
|
||||||
|
+++ openssl-3.0.7/crypto/cms/cms_env.c 2023-05-22 10:08:58.406073945 +0200
|
||||||
|
@@ -14,6 +14,7 @@
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/cms.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#include "internal/sizes.h"
|
||||||
|
#include "crypto/asn1.h"
|
||||||
|
#include "crypto/evp.h"
|
||||||
|
@@ -321,6 +321,10 @@ static int cms_RecipientInfo_ktri_init(C
|
||||||
|
return 0;
|
||||||
|
if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
|
||||||
|
return 0;
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0)
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
} else if (!ossl_cms_env_asn1_ctrl(ri, 0))
|
||||||
|
return 0;
|
||||||
|
return 1;
|
||||||
|
@@ -484,6 +489,11 @@ static int cms_RecipientInfo_ktri_encryp
|
||||||
|
|
||||||
|
if (EVP_PKEY_encrypt_init(pctx) <= 0)
|
||||||
|
goto err;
|
||||||
|
+
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0)
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
|
||||||
@ -0,0 +1,16 @@
|
|||||||
|
diff -up openssl-3.2.1/test/sslapitest.c.xxx openssl-3.2.1/test/sslapitest.c
|
||||||
|
--- openssl-3.2.1/test/sslapitest.c.xxx 2024-04-15 10:14:47.292448045 +0200
|
||||||
|
+++ openssl-3.2.1/test/sslapitest.c 2024-04-15 10:15:23.428396994 +0200
|
||||||
|
@@ -1020,9 +1020,10 @@ static int execute_test_large_message(co
|
||||||
|
/* sock must be connected */
|
||||||
|
static int ktls_chk_platform(int sock)
|
||||||
|
{
|
||||||
|
- if (!ktls_enable(sock))
|
||||||
|
+/* if (!ktls_enable(sock))
|
||||||
|
return 0;
|
||||||
|
- return 1;
|
||||||
|
+ return 1; */
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
|
||||||
@ -0,0 +1,6 @@
|
|||||||
|
resultsdb-testcase: separate
|
||||||
|
|
||||||
|
/test/build/dependent:
|
||||||
|
execute:
|
||||||
|
how: dependency
|
||||||
|
components: [golang]
|
||||||
@ -1,628 +0,0 @@
|
|||||||
/*
|
|
||||||
* Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
|
||||||
* in the file LICENSE in the source distribution or at
|
|
||||||
* https://www.openssl.org/source/license.html
|
|
||||||
*/
|
|
||||||
|
|
||||||
/*
|
|
||||||
* ECDSA low level APIs are deprecated for public use, but still ok for
|
|
||||||
* internal use.
|
|
||||||
*/
|
|
||||||
#include "internal/deprecated.h"
|
|
||||||
|
|
||||||
#include <string.h>
|
|
||||||
#include "ec_local.h"
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/obj_mac.h>
|
|
||||||
#include <openssl/objects.h>
|
|
||||||
#include <openssl/opensslconf.h>
|
|
||||||
#include "internal/nelem.h"
|
|
||||||
|
|
||||||
typedef struct {
|
|
||||||
int field_type, /* either NID_X9_62_prime_field or
|
|
||||||
* NID_X9_62_characteristic_two_field */
|
|
||||||
seed_len, param_len;
|
|
||||||
unsigned int cofactor; /* promoted to BN_ULONG */
|
|
||||||
} EC_CURVE_DATA;
|
|
||||||
|
|
||||||
/* the nist prime curves */
|
|
||||||
static const struct {
|
|
||||||
EC_CURVE_DATA h;
|
|
||||||
unsigned char data[20 + 28 * 6];
|
|
||||||
} _EC_NIST_PRIME_224 = {
|
|
||||||
{
|
|
||||||
NID_X9_62_prime_field, 20, 28, 1
|
|
||||||
},
|
|
||||||
{
|
|
||||||
/* seed */
|
|
||||||
0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F,
|
|
||||||
0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5,
|
|
||||||
/* p */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x01,
|
|
||||||
/* a */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFE,
|
|
||||||
/* b */
|
|
||||||
0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
|
|
||||||
0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
|
|
||||||
0x23, 0x55, 0xFF, 0xB4,
|
|
||||||
/* x */
|
|
||||||
0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
|
|
||||||
0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
|
|
||||||
0x11, 0x5C, 0x1D, 0x21,
|
|
||||||
/* y */
|
|
||||||
0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
|
|
||||||
0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
|
|
||||||
0x85, 0x00, 0x7e, 0x34,
|
|
||||||
/* order */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
|
|
||||||
0x5C, 0x5C, 0x2A, 0x3D
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
static const struct {
|
|
||||||
EC_CURVE_DATA h;
|
|
||||||
unsigned char data[20 + 48 * 6];
|
|
||||||
} _EC_NIST_PRIME_384 = {
|
|
||||||
{
|
|
||||||
NID_X9_62_prime_field, 20, 48, 1
|
|
||||||
},
|
|
||||||
{
|
|
||||||
/* seed */
|
|
||||||
0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
|
|
||||||
0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
|
|
||||||
/* p */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
/* a */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
|
|
||||||
/* b */
|
|
||||||
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
|
|
||||||
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
|
|
||||||
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
|
|
||||||
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
|
|
||||||
/* x */
|
|
||||||
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
|
|
||||||
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
|
|
||||||
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
|
|
||||||
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
|
|
||||||
/* y */
|
|
||||||
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
|
|
||||||
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
|
|
||||||
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
|
|
||||||
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
|
|
||||||
/* order */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
|
|
||||||
0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
static const struct {
|
|
||||||
EC_CURVE_DATA h;
|
|
||||||
unsigned char data[20 + 66 * 6];
|
|
||||||
} _EC_NIST_PRIME_521 = {
|
|
||||||
{
|
|
||||||
NID_X9_62_prime_field, 20, 66, 1
|
|
||||||
},
|
|
||||||
{
|
|
||||||
/* seed */
|
|
||||||
0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
|
|
||||||
0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
|
|
||||||
/* p */
|
|
||||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
/* a */
|
|
||||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
|
||||||
/* b */
|
|
||||||
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
|
|
||||||
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
|
|
||||||
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
|
|
||||||
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
|
|
||||||
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
|
|
||||||
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
|
|
||||||
/* x */
|
|
||||||
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
|
|
||||||
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
|
|
||||||
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
|
|
||||||
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
|
|
||||||
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
|
|
||||||
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
|
|
||||||
/* y */
|
|
||||||
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
|
|
||||||
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
|
|
||||||
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
|
|
||||||
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
|
|
||||||
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
|
|
||||||
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
|
|
||||||
/* order */
|
|
||||||
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
|
|
||||||
0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
|
|
||||||
0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
|
|
||||||
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
static const struct {
|
|
||||||
EC_CURVE_DATA h;
|
|
||||||
unsigned char data[20 + 32 * 6];
|
|
||||||
} _EC_X9_62_PRIME_256V1 = {
|
|
||||||
{
|
|
||||||
NID_X9_62_prime_field, 20, 32, 1
|
|
||||||
},
|
|
||||||
{
|
|
||||||
/* seed */
|
|
||||||
0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
|
|
||||||
0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
|
|
||||||
/* p */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
/* a */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
|
|
||||||
/* b */
|
|
||||||
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
|
|
||||||
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
|
|
||||||
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
|
|
||||||
/* x */
|
|
||||||
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
|
|
||||||
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
|
|
||||||
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
|
|
||||||
/* y */
|
|
||||||
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
|
|
||||||
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
|
|
||||||
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
|
|
||||||
/* order */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
|
|
||||||
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
static const struct {
|
|
||||||
EC_CURVE_DATA h;
|
|
||||||
unsigned char data[0 + 32 * 6];
|
|
||||||
} _EC_SECG_PRIME_256K1 = {
|
|
||||||
{
|
|
||||||
NID_X9_62_prime_field, 0, 32, 1
|
|
||||||
},
|
|
||||||
{
|
|
||||||
/* no seed */
|
|
||||||
/* p */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
|
|
||||||
/* a */
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
/* b */
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
||||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
|
|
||||||
/* x */
|
|
||||||
0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
|
|
||||||
0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
|
|
||||||
0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
|
|
||||||
/* y */
|
|
||||||
0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
|
|
||||||
0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
|
|
||||||
0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
|
|
||||||
/* order */
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
||||||
0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
|
|
||||||
0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
typedef struct _ec_list_element_st {
|
|
||||||
int nid;
|
|
||||||
const EC_CURVE_DATA *data;
|
|
||||||
const EC_METHOD *(*meth) (void);
|
|
||||||
const char *comment;
|
|
||||||
} ec_list_element;
|
|
||||||
|
|
||||||
#ifdef FIPS_MODULE
|
|
||||||
static const ec_list_element curve_list[] = {
|
|
||||||
/* prime field curves */
|
|
||||||
/* secg curves */
|
|
||||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h,
|
|
||||||
# if !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
||||||
EC_GFp_nistp224_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 224 bit prime field"},
|
|
||||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
|
||||||
{NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
|
||||||
# if defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp384_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 384 bit prime field"},
|
|
||||||
|
|
||||||
{NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
|
||||||
# if defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp521_method,
|
|
||||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
||||||
EC_GFp_nistp521_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 521 bit prime field"},
|
|
||||||
|
|
||||||
/* X9.62 curves */
|
|
||||||
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
|
||||||
# if defined(ECP_NISTZ256_ASM)
|
|
||||||
EC_GFp_nistz256_method,
|
|
||||||
# elif defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp256_method,
|
|
||||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
||||||
EC_GFp_nistp256_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"X9.62/SECG curve over a 256 bit prime field"},
|
|
||||||
};
|
|
||||||
|
|
||||||
#else
|
|
||||||
|
|
||||||
static const ec_list_element curve_list[] = {
|
|
||||||
/* prime field curves */
|
|
||||||
/* secg curves */
|
|
||||||
# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
|
||||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
|
||||||
"NIST/SECG curve over a 224 bit prime field"},
|
|
||||||
# else
|
|
||||||
{NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
|
||||||
"NIST/SECG curve over a 224 bit prime field"},
|
|
||||||
# endif
|
|
||||||
{NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
|
||||||
"SECG curve over a 256 bit prime field"},
|
|
||||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
|
||||||
{NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
|
||||||
# if defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp384_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 384 bit prime field"},
|
|
||||||
{NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
|
||||||
# if defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp521_method,
|
|
||||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
||||||
EC_GFp_nistp521_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 521 bit prime field"},
|
|
||||||
/* X9.62 curves */
|
|
||||||
{NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
|
||||||
# if defined(ECP_NISTZ256_ASM)
|
|
||||||
EC_GFp_nistz256_method,
|
|
||||||
# elif defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp256_method,
|
|
||||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
||||||
EC_GFp_nistp256_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"X9.62/SECG curve over a 256 bit prime field"},
|
|
||||||
};
|
|
||||||
#endif /* FIPS_MODULE */
|
|
||||||
|
|
||||||
#define curve_list_length OSSL_NELEM(curve_list)
|
|
||||||
|
|
||||||
static const ec_list_element *ec_curve_nid2curve(int nid)
|
|
||||||
{
|
|
||||||
size_t i;
|
|
||||||
|
|
||||||
if (nid <= 0)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
for (i = 0; i < curve_list_length; i++) {
|
|
||||||
if (curve_list[i].nid == nid)
|
|
||||||
return &curve_list[i];
|
|
||||||
}
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
static EC_GROUP *ec_group_new_from_data(OSSL_LIB_CTX *libctx,
|
|
||||||
const char *propq,
|
|
||||||
const ec_list_element curve)
|
|
||||||
{
|
|
||||||
EC_GROUP *group = NULL;
|
|
||||||
EC_POINT *P = NULL;
|
|
||||||
BN_CTX *ctx = NULL;
|
|
||||||
BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
|
|
||||||
NULL;
|
|
||||||
int ok = 0;
|
|
||||||
int seed_len, param_len;
|
|
||||||
const EC_METHOD *meth;
|
|
||||||
const EC_CURVE_DATA *data;
|
|
||||||
const unsigned char *params;
|
|
||||||
|
|
||||||
/* If no curve data curve method must handle everything */
|
|
||||||
if (curve.data == NULL)
|
|
||||||
return ossl_ec_group_new_ex(libctx, propq,
|
|
||||||
curve.meth != NULL ? curve.meth() : NULL);
|
|
||||||
|
|
||||||
if ((ctx = BN_CTX_new_ex(libctx)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
data = curve.data;
|
|
||||||
seed_len = data->seed_len;
|
|
||||||
param_len = data->param_len;
|
|
||||||
params = (const unsigned char *)(data + 1); /* skip header */
|
|
||||||
params += seed_len; /* skip seed */
|
|
||||||
|
|
||||||
if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL
|
|
||||||
|| (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL
|
|
||||||
|| (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (curve.meth != 0) {
|
|
||||||
meth = curve.meth();
|
|
||||||
if (((group = ossl_ec_group_new_ex(libctx, propq, meth)) == NULL) ||
|
|
||||||
(!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
} else if (data->field_type == NID_X9_62_prime_field) {
|
|
||||||
if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#ifndef OPENSSL_NO_EC2M
|
|
||||||
else { /* field_type ==
|
|
||||||
* NID_X9_62_characteristic_two_field */
|
|
||||||
|
|
||||||
if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
EC_GROUP_set_curve_name(group, curve.nid);
|
|
||||||
|
|
||||||
if ((P = EC_POINT_new(group)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL
|
|
||||||
|| (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL
|
|
||||||
|| !BN_set_word(x, (BN_ULONG)data->cofactor)) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
if (!EC_GROUP_set_generator(group, P, order, x)) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
if (seed_len) {
|
|
||||||
if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
|
|
||||||
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ok = 1;
|
|
||||||
err:
|
|
||||||
if (!ok) {
|
|
||||||
EC_GROUP_free(group);
|
|
||||||
group = NULL;
|
|
||||||
}
|
|
||||||
EC_POINT_free(P);
|
|
||||||
BN_CTX_free(ctx);
|
|
||||||
BN_free(p);
|
|
||||||
BN_free(a);
|
|
||||||
BN_free(b);
|
|
||||||
BN_free(order);
|
|
||||||
BN_free(x);
|
|
||||||
BN_free(y);
|
|
||||||
return group;
|
|
||||||
}
|
|
||||||
|
|
||||||
EC_GROUP *EC_GROUP_new_by_curve_name_ex(OSSL_LIB_CTX *libctx, const char *propq,
|
|
||||||
int nid)
|
|
||||||
{
|
|
||||||
EC_GROUP *ret = NULL;
|
|
||||||
const ec_list_element *curve;
|
|
||||||
|
|
||||||
if ((curve = ec_curve_nid2curve(nid)) == NULL
|
|
||||||
|| (ret = ec_group_new_from_data(libctx, propq, *curve)) == NULL) {
|
|
||||||
#ifndef FIPS_MODULE
|
|
||||||
ERR_raise_data(ERR_LIB_EC, EC_R_UNKNOWN_GROUP,
|
|
||||||
"name=%s", OBJ_nid2sn(nid));
|
|
||||||
#else
|
|
||||||
ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
|
|
||||||
#endif
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifndef FIPS_MODULE
|
|
||||||
EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
|
|
||||||
{
|
|
||||||
return EC_GROUP_new_by_curve_name_ex(NULL, NULL, nid);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
|
||||||
{
|
|
||||||
size_t i, min;
|
|
||||||
|
|
||||||
if (r == NULL || nitems == 0)
|
|
||||||
return curve_list_length;
|
|
||||||
|
|
||||||
min = nitems < curve_list_length ? nitems : curve_list_length;
|
|
||||||
|
|
||||||
for (i = 0; i < min; i++) {
|
|
||||||
r[i].nid = curve_list[i].nid;
|
|
||||||
r[i].comment = curve_list[i].comment;
|
|
||||||
}
|
|
||||||
|
|
||||||
return curve_list_length;
|
|
||||||
}
|
|
||||||
|
|
||||||
const char *EC_curve_nid2nist(int nid)
|
|
||||||
{
|
|
||||||
return ossl_ec_curve_nid2nist_int(nid);
|
|
||||||
}
|
|
||||||
|
|
||||||
int EC_curve_nist2nid(const char *name)
|
|
||||||
{
|
|
||||||
return ossl_ec_curve_nist2nid_int(name);
|
|
||||||
}
|
|
||||||
|
|
||||||
#define NUM_BN_FIELDS 6
|
|
||||||
/*
|
|
||||||
* Validates EC domain parameter data for known named curves.
|
|
||||||
* This can be used when a curve is loaded explicitly (without a curve
|
|
||||||
* name) or to validate that domain parameters have not been modified.
|
|
||||||
*
|
|
||||||
* Returns: The nid associated with the found named curve, or NID_undef
|
|
||||||
* if not found. If there was an error it returns -1.
|
|
||||||
*/
|
|
||||||
int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
|
|
||||||
{
|
|
||||||
int ret = -1, nid, len, field_type, param_len;
|
|
||||||
size_t i, seed_len;
|
|
||||||
const unsigned char *seed, *params_seed, *params;
|
|
||||||
unsigned char *param_bytes = NULL;
|
|
||||||
const EC_CURVE_DATA *data;
|
|
||||||
const EC_POINT *generator = NULL;
|
|
||||||
const BIGNUM *cofactor = NULL;
|
|
||||||
/* An array of BIGNUMs for (p, a, b, x, y, order) */
|
|
||||||
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
|
|
||||||
|
|
||||||
/* Use the optional named curve nid as a search field */
|
|
||||||
nid = EC_GROUP_get_curve_name(group);
|
|
||||||
field_type = EC_GROUP_get_field_type(group);
|
|
||||||
seed_len = EC_GROUP_get_seed_len(group);
|
|
||||||
seed = EC_GROUP_get0_seed(group);
|
|
||||||
cofactor = EC_GROUP_get0_cofactor(group);
|
|
||||||
|
|
||||||
BN_CTX_start(ctx);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The built-in curves contains data fields (p, a, b, x, y, order) that are
|
|
||||||
* all zero-padded to be the same size. The size of the padding is
|
|
||||||
* determined by either the number of bytes in the field modulus (p) or the
|
|
||||||
* EC group order, whichever is larger.
|
|
||||||
*/
|
|
||||||
param_len = BN_num_bytes(group->order);
|
|
||||||
len = BN_num_bytes(group->field);
|
|
||||||
if (len > param_len)
|
|
||||||
param_len = len;
|
|
||||||
|
|
||||||
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
|
|
||||||
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
|
|
||||||
if (param_bytes == NULL)
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
/* Create the bignums */
|
|
||||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
|
||||||
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
/*
|
|
||||||
* Fill in the bn array with the same values as the internal curves
|
|
||||||
* i.e. the values are p, a, b, x, y, order.
|
|
||||||
*/
|
|
||||||
/* Get p, a & b */
|
|
||||||
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
|
|
||||||
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
|
|
||||||
/* Get x & y */
|
|
||||||
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
|
|
||||||
/* Get order */
|
|
||||||
&& EC_GROUP_get_order(group, bn[5], ctx)))
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Convert the bignum array to bytes that are joined together to form
|
|
||||||
* a single buffer that contains data for all fields.
|
|
||||||
* (p, a, b, x, y, order) are all zero padded to be the same size.
|
|
||||||
*/
|
|
||||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
|
||||||
if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < curve_list_length; i++) {
|
|
||||||
const ec_list_element curve = curve_list[i];
|
|
||||||
|
|
||||||
data = curve.data;
|
|
||||||
/* Get the raw order byte data */
|
|
||||||
params_seed = (const unsigned char *)(data + 1); /* skip header */
|
|
||||||
params = params_seed + data->seed_len;
|
|
||||||
|
|
||||||
/* Look for unique fields in the fixed curve data */
|
|
||||||
if (data->field_type == field_type
|
|
||||||
&& param_len == data->param_len
|
|
||||||
&& (nid <= 0 || nid == curve.nid)
|
|
||||||
/* check the optional cofactor (ignore if its zero) */
|
|
||||||
&& (BN_is_zero(cofactor)
|
|
||||||
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
|
|
||||||
/* Check the optional seed (ignore if its not set) */
|
|
||||||
&& (data->seed_len == 0 || seed_len == 0
|
|
||||||
|| ((size_t)data->seed_len == seed_len
|
|
||||||
&& memcmp(params_seed, seed, seed_len) == 0))
|
|
||||||
/* Check that the groups params match the built-in curve params */
|
|
||||||
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
|
|
||||||
== 0) {
|
|
||||||
ret = curve.nid;
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
/* Gets here if the group was not found */
|
|
||||||
ret = NID_undef;
|
|
||||||
end:
|
|
||||||
OPENSSL_free(param_bytes);
|
|
||||||
BN_CTX_end(ctx);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
@ -1,40 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
# Quit out if anything fails.
|
|
||||||
set -e
|
|
||||||
|
|
||||||
# Clean out patent-or-otherwise-encumbered code.
|
|
||||||
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
|
|
||||||
# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
|
|
||||||
# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
|
|
||||||
# EC: ????????? ??/??/2020
|
|
||||||
# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore
|
|
||||||
|
|
||||||
# Remove assembler portions of IDEA, MDC2, and RC5.
|
|
||||||
# (find crypto/rc5/asm -type f | xargs -r rm -fv)
|
|
||||||
|
|
||||||
for c in `find crypto/bn -name "*gf2m.c"`; do
|
|
||||||
echo Destroying $c
|
|
||||||
> $c
|
|
||||||
done
|
|
||||||
|
|
||||||
for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do
|
|
||||||
echo Destroying $c
|
|
||||||
> $c
|
|
||||||
done
|
|
||||||
|
|
||||||
for c in `find test -name "ectest.c"`; do
|
|
||||||
echo Destroying $c
|
|
||||||
> $c
|
|
||||||
done
|
|
||||||
|
|
||||||
for h in `find crypto ssl apps test -name "*.h"` ; do
|
|
||||||
echo Removing EC2M references from $h
|
|
||||||
cat $h | \
|
|
||||||
awk 'BEGIN {ech=1;} \
|
|
||||||
/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
|
|
||||||
/^#[ \t]*if/ {if(ech < 1) ech--;} \
|
|
||||||
{if(ech>0) {;print $0};} \
|
|
||||||
/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
|
|
||||||
mv $h.hobbled $h
|
|
||||||
done
|
|
||||||
@ -0,0 +1,10 @@
|
|||||||
|
summary: Upstreamed interop-2way tests
|
||||||
|
contact: Stanislav Zidek <szidek@redhat.com>
|
||||||
|
discover:
|
||||||
|
# upstreamed tests (public)
|
||||||
|
- name: interop-gnutls-2way
|
||||||
|
how: fmf
|
||||||
|
url: https://gitlab.com/redhat-crypto/tests/interop.git
|
||||||
|
filter: 'tag: interop-openssl & tag: interop-gnutls & tag: interop-2way'
|
||||||
|
execute:
|
||||||
|
how: tmt
|
||||||
@ -0,0 +1,10 @@
|
|||||||
|
summary: Upstreamed interop-2way tests
|
||||||
|
contact: Stanislav Zidek <szidek@redhat.com>
|
||||||
|
discover:
|
||||||
|
# upstreamed tests (public)
|
||||||
|
- name: interop-nss-2way
|
||||||
|
how: fmf
|
||||||
|
url: https://gitlab.com/redhat-crypto/tests/interop.git
|
||||||
|
filter: 'tag: interop-openssl & tag: interop-nss & tag: interop-2way'
|
||||||
|
execute:
|
||||||
|
how: tmt
|
||||||
@ -0,0 +1,10 @@
|
|||||||
|
summary: Upstreamed interop-2way tests
|
||||||
|
contact: Stanislav Zidek <szidek@redhat.com>
|
||||||
|
discover:
|
||||||
|
# upstreamed tests (public)
|
||||||
|
- name: interop-nss-reneg
|
||||||
|
how: fmf
|
||||||
|
url: https://gitlab.com/redhat-crypto/tests/interop.git
|
||||||
|
filter: 'tag: interop-openssl & tag: interop-nss & tag: interop-reneg'
|
||||||
|
execute:
|
||||||
|
how: tmt
|
||||||
@ -0,0 +1,10 @@
|
|||||||
|
summary: Upstreamed interop tests - short tests which do not need to run in parallel
|
||||||
|
contact: Stanislav Zidek <szidek@redhat.com>
|
||||||
|
discover:
|
||||||
|
# upstreamed tests (public)
|
||||||
|
- name: interop-other+basic
|
||||||
|
how: fmf
|
||||||
|
url: https://gitlab.com/redhat-crypto/tests/interop.git
|
||||||
|
filter: 'tag: interop-openssl & tag: -interop-slow'
|
||||||
|
execute:
|
||||||
|
how: tmt
|
||||||
@ -1 +1 @@
|
|||||||
SHA512 (openssl-3.0.7-hobbled.tar.gz) = 1aea183b0b6650d9d5e7ba87b613bb1692c71720b0e75377b40db336b40bad780f7e8ae8dfb9f60841eeb4381f4b79c4c5043210c96e7cb51f90791b80c8285e
|
SHA512 (openssl-3.2.1.tar.gz) = 29ea75964f78ef5bbe5783ed60d32917408ae4cb7d4aecdbbf2280bfdbc260c7cbabbc03bd179fc994fbee85cebc7213eeb5bfcde5c22db5e83edf2cebe7113f
|
||||||
|
|||||||
Loading…
Reference in new issue